This page provides instructions on how to configure the Amazon authenticator and the WSO2 Identity Server using a sample app to demonstrate authentication. You can find more information in the following sections.
Amazon Authenticator is supported by WSO2 Identity Server versions 5.1.0, 5.2.0 and 5.3.0.
Step 1 - Configure the Amazon App
- Place the authenticator .jar file into the <IS_HOME>/repository/components/dropins directory. You can download the .jar file (org.wso2.carbon.extension.identity.authenticator.amazon.connector-1.x.x.jar) from the WSO2 Store. If you want to upgrade the Amazon Authenticator (.jar) in your existing IS pack, refer to the upgrade instructions.
- Navigate to http://login.amazon.com/ and click App Console.
- Click Sign in to App Console and sign in.
- Click Register new application to register a new app. For more information, see the Amazon Services documentation.
- Enter the following information and click Save.
  - Name - AmazonWSO2
  - Description - An app to test authentication using Amazon
  - Privacy Notice URL - The privacy policy URL for your application. Ex: http://wso2.com/privacy-policy
- Expand the Web Settings section. Copy the Client ID and Client Secret; you will need these values when configuring the identity provider.
- Click Edit, enter the redirect URL as https://localhost:9443/commonauth in the window that appears, and save it.
You have now finished configuring Amazon.
Step 2 - Deploy travelocity.com sample app
The next step is to deploy the travelocity.com sample app in order to use it in this scenario. See deploying travelocity.com sample app.
Step 3 - Configure the identity provider (IdP)
Now you must configure the WSO2 Identity Server by adding a new identity provider.
- Download the WSO2 Identity Server from here and run it.
- Log in to the Management Console as an administrator.
- In the Identity Providers section under the Main tab of the management console, click Add.
- Give a suitable name for Identity Provider Name (e.g., Amazon) and click Register.
- Navigate to the Amazon configuration under Federated Authenticators:
  - In IS 5.1.0 or 5.2.0, go to AmazonAuthenticator Configuration under Federated Authenticators.
  - In IS 5.3.0, go to Amazon Configuration under Federated Authenticators.
- Enter the IdP related details.
  - Client Id: Enter the client ID of the app that you created in Amazon.
  - Client Secret: Enter the client secret of the app that you created in Amazon.
  - Callback URL: The Service Provider's URL where the authorization code needs to be sent (e.g., https://localhost:9443/commonauth). This must match the redirect URL you registered in the Amazon app.
- Select both the Enable and Default checkboxes to enable the Amazon Authenticator and make it the default authenticator.
- Click Update.
You have now added the identity provider.
Step 4 - Configure the service provider
The next step is to configure the service provider based on the WSO2 Identity Server version that you are working on.
- Configuring a service provider with IS 5.3.0
- Configuring a service provider with IS 5.1.0 or IS 5.2.0
Configuring a service provider with IS 5.3.0
- Return to the management console.
- In the Service Providers section under the Main tab, click Add.
- As you are using travelocity as the sample, enter travelocity.com in the Service Provider Name text box and click Register.
- In the Inbound Authentication Configuration section, click SAML2 Web SSO Configuration, and then click Configure.
- Add the service provider details as follows:
  - Select Mode: Manual Configuration. For more information on the SAML2 Web Single-Sign-On configuration methods, see Configuring SAML2 Web Single-Sign-On in the WSO2 IS 5.3.0 guide.
  - Issuer: travelocity.com
  - Assertion Consumer URL: Enter http://localhost:8080/travelocity.com/home.jsp and click Add.
  - Select the following check-boxes:
    - Enable Response Signing.
    - Enable Single Logout.
    - Enable Attribute Profile.
    - Include Attributes in the Response Always.
- Click Register to save the changes. You will be sent back to the Service Providers page.
- Go to the Local and Outbound Authentication Configuration section.
- Configure the Local and Outbound Authentication for Amazon. For more information, see Configuring Local and Outbound Authentication for a Service Provider in the WSO2 IS 5.3.0 guide.
  - Click the Federated Authentication radio button.
  - Select the identity provider you created from the drop-down list under Federated Authentication.
  - Select the following options:
    - Use tenant domain in local subject identifier.
    - Use user store domain in local subject identifier.
- Click Update to save the changes.
Configuring a service provider with IS 5.1.0 or IS 5.2.0
- Return to the management console.
- In the Service Providers section under the Main tab, click Add.
- Since you are using travelocity as the sample, enter travelocity.com in the Service Provider Name text box and click Register.
- In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
- Now set the configuration as follows:
  - Issuer: travelocity.com
  - Assertion Consumer URL: http://localhost:8080/travelocity.com/home.jsp
  - Select the following check-boxes:
    - Enable Response Signing.
    - Enable Single Logout.
    - Enable Attribute Profile.
    - Include Attributes in the Response Always.
- Click Update to save the changes. Now you will be sent back to the Service Providers page.
- Go to the Local and Outbound Authentication Configuration section.
- Select the identity provider you created from the drop-down list under Federated Authentication.
- Ensure that the Federated Authentication radio button is selected and click Update to save the changes.
You have now added and configured the service provider.
Step 5 - Configure claims
Add a new claim mapping for various user attributes related to Amazon based on the WSO2 Identity Server version that you are working on.
Configuring claims with IS 5.3.0
For more information, see Adding Claim Mapping in WSO2 IS guide.
- Sign in to the Management Console by entering your username and password.
- In the Main menu, click Add under Claims.
- Click Add Claim Dialect to create the Amazon authenticator specific claim dialect.
- Specify the Dialect URI as http://wso2.org/amazon/claims and click Add to create the claim dialect.
- Map a new external claim to an existing local claim. You need to map at least one claim under this new dialect, so start with the claim for the Amazon user ID:
  - In the Main menu, click Add under Claims.
  - Click Add External Claim to add a new claim to the Amazon claim dialect.
  - Select the Dialect URI as http://wso2.org/amazon/claims.
  - Enter the External Claim URI and select the Mapped Local Claim based on the following claim mapping information.
    Claim mapping for ID:
    - Dialect URI: http://wso2.org/amazon/claims
    - External Claim URI: http://wso2.org/amazon/claims/user_id
    - Mapped Local Claim: http://wso2.org/claims/username
  - Click Add to add the new external claim.
- Similarly, you can create claims for all the public information of the Amazon user by repeating step 5 with the following claim mapping information.
  Claim mapping for email:
  - Dialect URI: http://wso2.org/amazon/claims
  - External Claim URI: http://wso2.org/amazon/claims/email
  - Mapped Local Claim: http://wso2.org/claims/emailaddress
  Claim mapping for name:
  - Dialect URI: http://wso2.org/amazon/claims
  - External Claim URI: http://wso2.org/amazon/claims/name
  - Mapped Local Claim: http://wso2.org/claims/givenname
- Click Update.
Configuring claims with IS 5.1.0 or IS 5.2.0
- Sign in to the Management Console by entering your username and password.
- In the Main menu, click Add under Claims.
- Click Add New Claim Dialect to create the Amazon authenticator specific claim dialect.
- Use the Dialect Uri as http://wso2.org/amazon/claims.
- Enter the values for the mandatory fields. This creates the claim for the given user field under the Amazon claim dialect.
  - Display Name: User ID
  - Description: Claim to user ID
  - Mapped Attribute: uid
  - Claim URL: http://wso2.org/amazon/claims/user_id
  - Supported by Default: selected
- Click Add New Claim.
- Select the Dialect from the dropdown provided and enter the required information. Add the following claims under the dialect http://wso2.org/amazon/claims.
  Email address claim:
  - Display Name: Email Address
  - Description: Claim to Email Address
  - Mapped Attribute: mail
  - Claim URL: http://wso2.org/amazon/claims/email
  - Supported by Default: selected
  Name claim:
  - Display Name: Name
  - Description: Claim to Name
  - Mapped Attribute: givenName
  - Claim URL: http://wso2.org/amazon/claims/name
  - Supported by Default: selected
Similarly, you can create the claims for all the public information of the Amazon user.
Step 6 - Configure requested claims for travelocity.com
- In the Identity section under the Main tab, click List under Service Providers.
- Click Edit to edit the travelocity.com service provider.
- Expand the Claim Configuration section.
- Click Add Claim URI under Requested Claims to add the requested claims as indicated in the image below.
- Select the Subject Claim URI as http://wso2.org/claims/emailaddress to define the authenticated user identifier that is returned with the authentication response to the service provider.
- Click Update to save your service provider changes.
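To make the effect of Steps 5 and 6 concrete, here is an added example (not WSO2's own code and not how the authenticator is implemented internally) that applies the claim mapping configured above to a constructed Amazon profile response and derives the subject identifier the service provider receives. The profile field names user_id, email and name follow the external claim suffixes used on this page; the sample values are constructed.

```python
"""Added example: apply the Amazon claim dialect mapping from Steps 5 and 6."""
import json

# External claim URI -> mapped local claim, exactly as configured in Step 5.
AMAZON_DIALECT = "http://wso2.org/amazon/claims"
CLAIM_MAPPING = {
    f"{AMAZON_DIALECT}/user_id": "http://wso2.org/claims/username",
    f"{AMAZON_DIALECT}/email": "http://wso2.org/claims/emailaddress",
    f"{AMAZON_DIALECT}/name": "http://wso2.org/claims/givenname",
}

# Subject Claim URI chosen in Step 6.
SUBJECT_CLAIM = "http://wso2.org/claims/emailaddress"

# Constructed sample of an Amazon profile response (values are not real).
SAMPLE_PROFILE = json.dumps({
    "user_id": "amzn1.account.EXAMPLE0000000000000000",
    "email": "alice@example.com",
    "name": "Alice Example",
})


def map_amazon_profile(profile_json: str) -> dict:
    """Translate profile fields into local claims via the dialect mapping.
    Fields without a mapping are dropped, never passed through to the SP."""
    profile = json.loads(profile_json)
    local_claims = {}
    for field, value in profile.items():
        local_uri = CLAIM_MAPPING.get(f"{AMAZON_DIALECT}/{field}")
        if local_uri is not None and value not in (None, ""):
            local_claims[local_uri] = value
    return local_claims


def subject_identifier(local_claims: dict) -> str:
    """Return the subject sent to the SP; fail closed when the configured
    subject claim is absent, so an empty subject never reaches travelocity."""
    subject = local_claims.get(SUBJECT_CLAIM)
    if not subject:
        raise ValueError(f"subject claim {SUBJECT_CLAIM} missing from profile")
    return subject


if __name__ == "__main__":
    claims = map_amazon_profile(SAMPLE_PROFILE)
    print(json.dumps(claims, indent=2))
    print("subject:", subject_identifier(claims))
```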
Step 7 - Test the sample
- To test the sample, go to the following URL: http://<TOMCAT_HOST>:<TOMCAT_PORT>/travelocity.com/index.jsp (e.g., http://localhost:8080/travelocity.com).
- Click the link to log in with SAML from WSO2 Identity Server. You can use either the Redirect Binding or the Post Binding option.
- You are redirected to the Amazon login page. Enter your Amazon credentials.
- Allow the user to authenticate and click Continue.
- You are taken to the home page of the travelocity.com app.