Single-sign-on is a key feature of the WSO2 Identity Server that enables users to access multiple applications using the same set of credentials. Additionally, the user can access all these applications without having to log into each and every one of them individually. For instance, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials.
...
Tip: If you wish to change properties like the issuer ID, consumer URL and IdP URL, you can edit the travelocity.properties file found inside the
If you edit the travelocity.properties file, you must restart the Apache Tomcat server for the changes to take effect.
...
Click Configure. The following form appears. The values entered in the screen below are configurations for the sample.
Register the new service provider by providing the following values. See Configuring Inbound Authentication for a Service Provider for more information on the fields available in this form.
| Field | Description | Sample Value |
|---|---|---|
| Issuer | This is the entity ID for the SAML2 service provider. Info: This value should be the same as the SAML2.SPEntityId value specified inside the travelocity.com/WEB-INF/classes/travelocity.properties file. | travelocity.com |
| Assertion Consumer URLs | This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and contains an ACS URL, the Identity Server honors the ACS URL from the SAML2 request. Info: This value should be the same as the SAML2.AssertionConsumerURL value mentioned inside the travelocity.com/WEB-INF/classes/travelocity.properties file. | Enter this value: http://localhost:8080/travelocity.com/home.jsp and click Add. |
| Default Assertion Consumer URL | This must be the same value defined above. If you have defined multiple Assertion Consumer URLs, this value must be the same as the SAML2.AssertionConsumerURL value mentioned inside the travelocity.com/WEB-INF/classes/travelocity.properties file, as that is the default. | |
| NameID format | The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name Identifier (NameID), which should be in some format so that it is easy for the other party to identify it based on the format. Some formats are defined by the SAML2 specification. Enter the default value of this format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Certificate Alias | This is used to validate the signature of SAML2 requests and to encrypt assertions. | Select wso2carbon |
| Response Signing Algorithm | Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity/identity.xml file, in the SSOService element with the SAMLDefaultSigningAlgorithmURI tag. If it is not provided, the default algorithm is RSA-SHA1, at URI ‘http://www.w3.org/2000/09/xmldsig#rsa-sha1’. | http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
| Response Digest Algorithm | Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity/identity.xml file, in the SSOService element with the SAMLDefaultDigestAlgorithmURI tag. If it is not provided, the default algorithm is SHA1, at URI ‘http://www.w3.org/2000/09/xmldsig#sha1’. | http://www.w3.org/2000/09/xmldsig#sha1 |
| Enable Response Signing | This is used to sign the SAML2 Responses returned after the authentication process is complete. | Set as true by selecting the checkbox |
| Enable Signature Validation in Authentication Requests and Logout Requests | This specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request that are sent by the service provider. | Set as true by selecting the checkbox |
| Enable Assertion Encryption | This defines whether the SAML2 assertion must be encrypted or not. | |
| Enable Single Logout | Enable this to ensure that all sessions are terminated once the user signs out from one server. | Set this as true by selecting the checkbox |
| Enable Attribute Profile | The Identity Server supports a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as an attribute statement. You can define the claims that must be included under the service provider claim configurations. Also, once you select the “Include Attributes in the Response Always” checkbox, the identity provider always includes the attribute values related to the selected claims in the SAML Attribute statement. | |
| Enable Audience Restriction | You can define multiple audiences in the SAML Assertion. Configured audiences would be added into the SAML2 Assertion. | |
| Enable Recipient Validation | The recipient attribute of a SAML assertion contains the service provider's Assertion Consumer Service (ACS) URL, and the Identity Server, by default, sends the registered service provider's ACS URL as the recipient. Tip: There can be situations where the same SAML assertion can be consumed by multiple service providers. A scenario where we use the SAML2 Bearer Grant is one such example. In such a scenario the assertion consumer endpoints of all those intended service providers should be added as recipients. Enabling recipient validation allows you to do just that. | |
| Enable IdP Initiated SSO | The service provider is not required to send the SAML2 request when this is enabled. Do a GET request following this pattern: https://{Hostname}:{Port}/samlsso?spEntityID={SAML2 SSO Issuer name} Note: If your SAML2 SSO issuer has been configured in a separate tenant other than the super tenant, then you need to append the tenantDomain parameter as well. If the tenant domain is soasecurity.org, the GET request would be as follows: https://localhost:9443/samlsso?spEntityID=travelocity.com&tenantDomain=soasecurity.org | https://localhost:9443/samlsso?spEntityID=travelocity.com |
| Enable IdP initiated SLO | The Identity Server facilitates IdP initiated SAML2 single logout requests. The following parameters can be used with the IdP initiated SLO request: slo (mandatory parameter) - must have the value “true” to mark the request as an IdP initiated logout request; spEntityID (optional) - the value should be the SAML issuer name as in the “Issuer” field in the SAML service provider configuration UI; returnTo (optional) - the value should be the URL to redirect to after the logout. Note: If the returnTo parameter is present in the request, then the ‘spEntityID’ parameter must also be present. Since this needs to be a trusted location, the value that comes with the request must match one of the assertion consumer URLs or returnTo URLs of the service provider. | returnTo URL: https://localhost:8080/avs.com/slo |
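The following Python script is an added example, not WSO2 documentation or Identity Server code. It shows, on a constructed SAML2 Response, the policy checks that correspond to the settings in the table above (Response Signing with the signing and digest algorithm URIs, NameID format, Recipient Validation, Audience Restriction), and then the IdP-initiated SSO/SLO URL pattern together with the returnTo rules from the last two rows. The function names (check_response, idp_initiated_url, validate_slo_request), the SP_CONFIG dictionary and the sample XML are this example's own assumptions; the only real values are the ones taken from the table. It also treats the RSA-SHA1 and SHA1 defaults named in the table as findings to flag, which is an assumption about local policy rather than something the page states, and it does no cryptographic signature verification.

```python
"""Added example (not WSO2 Identity Server code): policy checks for a service
provider registered with the table's settings, plus the IdP-initiated SSO/SLO
URL rules. Every value below is constructed for this example."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Service provider registration mirroring the table's sample values.
SP_CONFIG = {
    "issuer": "travelocity.com",
    "acs_urls": {"http://localhost:8080/travelocity.com/home.jsp"},
    "return_to_urls": {"https://localhost:8080/avs.com/slo"},
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
REGISTRY = {SP_CONFIG["issuer"]: SP_CONFIG}

# The RSA-SHA1 / SHA1 URIs are the Identity Server defaults named in the
# table; flagging them is this example's policy assumption.
WEAK_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed SAML2 Response. SignatureValue is a placeholder: no cryptographic
# verification happens here, only checks of the fields the table describes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Issuer>localhost</saml:Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="http://localhost:8080/travelocity.com/home.jsp"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>travelocity.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp):
    """Return a list of policy violations; an empty list means the Response passes."""
    root = ET.fromstring(xml_text)
    problems = []
    # Enable Response Signing: the Response carries a Signature, and its
    # SignatureMethod / DigestMethod should not be the SHA1 defaults.
    signed_info = root.find("ds:Signature/ds:SignedInfo", NS)
    if signed_info is None:
        problems.append("Response is not signed")
    else:
        for path, label in (("ds:SignatureMethod", "SignatureMethod"),
                            ("ds:Reference/ds:DigestMethod", "DigestMethod")):
            el = signed_info.find(path, NS)
            if el is not None and el.get("Algorithm") in WEAK_ALGS:
                problems.append(f"{label} uses the SHA1 default")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # NameID format must match the format registered for the SP.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != sp["nameid_format"]:
        problems.append("NameID format does not match the SP registration")
    # Enable Recipient Validation: Recipient must be a registered ACS URL.
    recipients = {d.get("Recipient") for d in assertion.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)}
    if not recipients & sp["acs_urls"]:
        problems.append("Recipient is not a registered ACS URL")
    # Enable Audience Restriction: the SP's issuer must be listed as an Audience.
    audiences = {a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if sp["issuer"] not in audiences:
        problems.append("SP issuer is not an Audience of the assertion")
    return problems


def idp_initiated_url(base, sp_entity_id, tenant_domain=None,
                      slo=False, return_to=None):
    """Build the IdP-initiated SSO or SLO GET URL following the table's pattern."""
    query = {"spEntityID": sp_entity_id}
    if tenant_domain:          # non-super tenant: append tenantDomain
        query["tenantDomain"] = tenant_domain
    if slo:                    # slo=true marks an IdP-initiated logout
        query["slo"] = "true"
    if return_to:
        query["returnTo"] = return_to
    return f"{base}/samlsso?{urlencode(query)}"


def validate_slo_request(url, registry):
    """Apply the IdP-initiated SLO parameter rules from the table to a GET URL."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if query.get("slo") != "true":
        return False, "slo=true is mandatory for an IdP-initiated logout"
    return_to = query.get("returnTo")
    if return_to is None:
        return True, "ok"
    sp_id = query.get("spEntityID")
    if sp_id is None:
        return False, "returnTo requires spEntityID"
    sp = registry.get(sp_id)
    if sp is None:
        return False, "unknown spEntityID"
    # returnTo must be a trusted location: a registered ACS or returnTo URL.
    if return_to not in sp["acs_urls"] | sp["return_to_urls"]:
        return False, "returnTo is not a registered ACS or returnTo URL"
    return True, "ok"
```

Calling check_response(SAMPLE_RESPONSE, SP_CONFIG) returns an empty list for the constructed Response; swapping the SignatureMethod URI for the rsa-sha1 default, or the Recipient for an unregistered URL, produces a finding for that field. idp_initiated_url("https://localhost:9443", "travelocity.com", tenant_domain="soasecurity.org") reproduces the tenant URL shown in the table, and validate_slo_request rejects a logout URL that carries returnTo without spEntityID or with a returnTo that is not one of the SP's registered URLs.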
...