This section lists out some sample configurations that can be used when configuring an Identity Provider.
Federated authenticator configuration samples
A federated authenticator is used to authenticate a user through an external system (e.g. Yahoo, MSN, OpenIDConnect). To write your own custom federated authenticator, see Writing a Custom Federated Authenticator.
The <federatedAuthenticatorConfigs> and <defaultAuthenticatorConfig> tags have similar attributes. To configure a federated authenticator as the default authenticator, use the desired configuration found below with the <defaultAuthenticatorConfig> tag instead of the <federatedAuthenticatorConfigs> tag. Note that there can be only one <defaultAuthenticatorConfig> while there can be multiple <federatedAuthenticatorConfigs>.
OpenID Configuration
<federatedAuthenticatorConfigs
xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>openid</displayName>
<enabled>true</enabled>
<name>OpenIDAuthenticator</name>
<properties>
<name>OpenIdUrl</name>
<value>https://localhost:9443/openid/</value>
</properties>
<properties>
<name>RealmId</name>
<value
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1">
</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>
<value>paramName1=value1¶mName2=value2</value>
</value>
</properties>
</federatedAuthenticatorConfigs>
Property Name | Description |
|---|---|
OpenIdUrl | OpenID Server URL |
RealmId | - |
IsUserIdInClaims | OpenID User ID Location |
commonAuthQueryParams | Additional Query Parameters |
SAML2 Web SSO configuration
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>samlsso</displayName>
<enabled>true</enabled>
<name>SAMLSSOAuthenticator</name>
<properties>
<name>IdPEntityId</name>
<value>Identity Provider Entity Id</value>
</properties>
<properties>
<name>SPEntityId</name>
<value>Service Provider Entity Id</value>
</properties>
<properties>
<name>SSOUrl</name>
<value>https://localhost:9443/samlsso/</value>
</properties>
<properties>
<name>ISAuthnReqSigned</name>
<value>true</value>
</properties>
<properties>
<name>IsLogoutEnabled</name>
<value>true</value>
</properties>
<properties>
<name>LogoutReqUrl</name>
<value>https://example.com/logout/url</value>
</properties>
<properties>
<name>IsLogoutReqSigned</name>
<value>true</value>
</properties>
<properties>
<name>IsAuthnRespSigned</name>
<value>true</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>IsAssertionEncrypted</name>
<value>true</value>
</properties>
<properties>
<name>isAssertionSigned</name>
<value>true</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>paramName1=value1¶mName2=value2</value>
</properties>
</federatedAuthenticatorConfigs>
Property Name | Description |
|---|---|
IdPEntityId | Identity Provider Entity Id |
SPEntityId | Service Provider Entity Id |
SSOUrl | SSO URL |
ISAuthnReqSigned | Enable Authentication Request Signing |
IsLogoutEnabled | Enable Logout |
LogoutReqUrl | Logout Url |
IsLogoutReqSigned | Enable Logout Request Signing |
IsAuthnRespSigned | Enable Authentication Response Signing |
IsUserIdInClaims | SAML2 Web SSO User ID Location |
IsAssertionEncrypted | Enable Assertion Encryption |
isAssertionSigned | Enable Assertion Signing |
commonAuthQueryParams | Additional Query Parameters |
OAuth2/OpenID Connect configuration
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>openidconnect</displayName>
<enabled>true</enabled>
<name>OpenIDConnectAuthenticator</name>
<properties>
<name>ClientId</name>
<value>ClientID</value>
</properties>
<properties>
<name>OAuth2AuthzUrl</name>
<value>https://localhost:9443/oauth2/authorize/</value>
</properties>
<properties>
<name>OAUTH2TokenUrl</name>
<value>https://localhost:9443/oauth2/token/</value>
</properties>
<properties>
<confidential>true</confidential>
<name>ClientSecret</name>
<value>ClientSecret</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>paramName1=value1¶mName2=value2</value>
</properties>
</federatedAuthenticatorConfigs>
Property Name | Description |
|---|---|
ClientId | Client Id |
OAuth2AuthzUrl | Authorization Endpoint URL |
OAUTH2TokenUrl | Token Endpoint URL |
ClientSecret | Client Secret |
IsUserIdInClaims | OpenID Connect User ID Location |
commonAuthQueryParams | Additional Query Parameters |
WS-Federation (Passive) configuration
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>passivests</displayName>
<enabled>true</enabled>
<name>PassiveSTSAuthenticator</name>
<properties>
<name>RealmId</name>
<value>Passive STS Realm</value>
</properties>
<properties>
<name>PassiveSTSUrl</name>
<value>https://localhost:9443/passivests/</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>paramName1=value1</value>
</properties>
</federatedAuthenticatorConfigs>
Property Name | Description |
|---|---|
RealmId | Passive STS Realm |
PassiveSTSUrl | Passive STS URL |
IsUserIdInClaims | Passive STS User ID Location |
commonAuthQueryParams | Additional Query Parameters |
Facebook configuration
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>facebook</displayName>
<enabled>true</enabled>
<name>FacebookAuthenticator</name>
<properties>
<name>ClientId</name>
<value>clientID</value>
</properties>
<properties>
<confidential>true</confidential>
<name>ClientSecret</name>
<value>secret</value>
</properties>
</federatedAuthenticatorConfigs>
Property Name | Description |
|---|---|
ClientId | Client Id |
ClientSecret | Client Secret |
Yahoo configuration
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>yahoo</displayName>
<enabled>true</enabled>
<name>YahooOpenIDAuthenticator</name>
</federatedAuthenticatorConfigs>
Google configuration
<federatedAuthenticatorConfigs
xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>google</displayName>
<enabled>true</enabled>
<name>GoogleOpenIDAuthenticator</name>
</federatedAuthenticatorConfigs>
Microsoft (Hotmail,MSN,Live) configuration
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>microsoft(hotmail,</displayName>
<enabled>true</enabled>
<name>MicrosoftWindowsLive</name>
<properties>
<name>ClientSecret</name>
<value>clientsecret</value>
</properties>
<properties>
<name>windows-live-callback-url</name>
<value>https://example.com/callback/url</value>
</properties>
<properties>
<name>ClientId</name>
<value>clientID</value>
</properties>
</federatedAuthenticatorConfigs>
Property Name | Description |
|---|---|
ClientSecret | Client Secret |
windows-live-callback-url | Callback Url |
ClientId | Client Id |
Outbound provisioning connector configuration samples
An outbound provisioning connector is used to provision users to external systems (e.g. Google, SalesForce). To write your own custom outbound provisioning connector, see Writing an Outbound Provisioning Connector.
The <provisioningConnectorConfigs> and <defaultProvisioningConnectorConfig> tags have similar attributes. To configure an outbound provisioning connector as the default provisioning connector, use the desired configuration found below with the <defaultProvisioningConnectorConfig> tag instead of the <provisioningConnectorConfigs> tag. There can be only one <defaultProvisioningConnectorConfig> while there can be multiple <provisioningConnectorConfigs>.
SalesForce provisioning configuration
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>salesforce</name>
<provisioningProperties>
<name>sf-username</name>
<value>testuser</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>sf-password</name>
<value>testpw</value>
</provisioningProperties>
<provisioningProperties>
<name>sf-clientid</name>
<value>clientID</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>sf-client-secret</name>
<value>clientsecret</value>
</provisioningProperties>
<provisioningProperties>
<name>sf-api-version</name>
<value>1.0.0</value>
</provisioningProperties>
<provisioningProperties>
<name>sf-domain-name</name>
<value>example.com</value>
</provisioningProperties>
</provisioningConnectorConfigs>
Property Name | Description |
|---|---|
sf-username | Username |
sf-password | Password |
sf-clientid | Client ID |
sf-client-secret | Client Secret |
sf-api-version | API version |
sf-domain-name | Domain Name |
Google provisioning configuration
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>googleapps</name>
<provisioningProperties>
<name>google_prov_application_name</name>
<value>TestApp</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_admin_email</name>
<value>test@mygoogledomain.com</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_service_acc_email</name>
<value>test@developer.gserviceaccount.com</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_familyname_claim_dropdown</name>
<value>ClaimB</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_givenname_claim_dropdown</name>
<value>ClaimB</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_email_claim_dropdown</name>
<value>ClaimA</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_domain_name</name>
<value>mygoogledomain.com</value>
</provisioningProperties>
</provisioningConnectorConfigs>
Property Name | Description |
|---|---|
google_prov_application_name | Application Name |
google_prov_admin_email | Administrator's Email |
google_prov_service_acc_email | Service Account Email |
google_prov_familyname_claim_dropdown | Family Name |
google_prov_givenname_claim_dropdown | Given Name |
google_prov_email_claim_dropdown | Primary Email |
google_prov_domain_name | Google Domain |
SCIM provisioning configuration
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>scim</name>
<provisioningProperties>
<name>scim-username</name>
<value>testuser</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>scim-password</name>
<value>testpw</value>
</provisioningProperties>
<provisioningProperties>
<name>scim-user-ep</name>
<value>example.com</value>
</provisioningProperties>
<provisioningProperties>
<name>scim-group-ep</name>
<value>example.com</value>
</provisioningProperties>
<provisioningProperties>
<name>scim-user-store-domain</name>
<value>example.com</value>
</provisioningProperties>
</provisioningConnectorConfigs>
Property Name | Description |
|---|---|
scim-username | Username |
scim-password | Password |
scim-user-ep | User Endpoint |
scim-group-ep | Group Endpoint |
scim-user-store-domain | User Store Domain |
SPML provisioning configuration
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>spml</name>
<provisioningProperties>
<name>spml-username</name>
<value>testuser</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>spml-password</name>
<value>testpw</value>
</provisioningProperties>
<provisioningProperties>
<name>spml-ep</name>
<value>example.com</value>
</provisioningProperties>
<provisioningProperties>
<name>spml-oc</name>
<value>spml2person</value>
</provisioningProperties>
</provisioningConnectorConfigs>
Property Name | Description |
|---|---|
spml-username | Username |
spml-password | Password |
spml-ep | SPML Endpoint |
spml-oc | SPML ObjectClass |