This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


This topic demonstrates a scenario where two WSO2 Identity Server instances with different user stores can be used for federated authentication. The scenario uses the following software.

Setting up the WSO2 Identity Server instances

  1. Download the WSO2 Identity Server from here.
  2. Extract the file to a dedicated directory. For the purposes of this scenario, this is referred to as <IS_HOME_PRIMARY> in this topic.
  3. Make a copy of this folder in the same location and rename it. For the purposes of this scenario, this is referred to as <IS_HOME_SECONDARY> in this topic.
  4. By default, the HTTPS port of the primary IS instance is 9443. Leave this as it is. Go to the <IS_HOME_SECONDARY>/repository/conf directory and open the carbon.xml file. Change the <Offset> value under the <Ports> configuration to 1. This changes the HTTPS port of the secondary IS instance to 9444 so that it does not conflict with the primary IS instance.
  5. Install and run the two Identity Server instances.
    • Go to <IS_HOME_PRIMARY> and <IS_HOME_SECONDARY> in your command line and type the following command for each instance.
      • On Windows: wso2server.bat --run
      • On Linux/Solaris: sh wso2server.sh
  6. The management console for the primary Identity Server can be accessed using the following URL: https://localhost:9443/carbon
  7. The management console for the secondary Identity Server can be accessed using the following URL: https://localhost:9444/carbon

Configuring the secondary IS as IdP in the primary IS

The next step in this scenario is to configure the secondary Identity Server as an identity provider in the primary Identity Server.

  1. Go to the management console of the primary IS.
  2. Navigate to the Identity Providers section in the Main menu and click Add.
  3. Enter "Secondary" as the Identity Provider Name for this scenario.
  4. Expand the Federated Authenticators section and then expand the SAML2 Web SSO Configuration section.

  5. Make the following changes.
    1. Select the Enable SAML2 Web SSO checkbox.
    2. Enter "Secondary IDP" as the Identity Provider Entity Id.
    3. Enter "Primary" as the Service Provider Entity Id.
    4. Enter 'https://localhost:9444/samlsso/' as the SSO URL. This is the SAML2 SSO URL of the secondary IS.
    5. Select the Enable Logout checkbox.
  6. Click Register. The new identity provider named 'Secondary' is listed under List (go to Main menu and click List under Identity Providers).

  7. Now that the secondary Identity Server is added as an IdP in the primary Identity Server, the primary IS must be added as a service provider in the secondary IS instance.

  8. Go to the management console of the secondary IS instance using the following URL: https://localhost:9444/carbon

  9. Navigate to the Main menu and click Add under Service Providers. Enter 'PrimaryIDP' as the service provider name for this sample scenario.

  10. Click Register.

  11. In the form that appears, expand the Inbound Authentication Configuration and SAML2 Web SSO Configuration sections.

  12. Click Configure.

  13. Enter the following in the form that appears.

    1. Enter "Primary" as the Issuer. This must be the same value as the Service Provider Entity Id entered in step 5c.

    2. Enter https://localhost:9443/commonauth as the Assertion Consumer URL.

    3. Enable the following checkboxes.

      1. Use fully qualified username in the NameID

      2. Enable Response Signing

      3. Enable Assertion Signing

      4. Enable Single Logout

  14. Click Update and then click Register. The primary Identity Server instance is added as the service provider in the secondary Identity Server instance.
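The entity IDs and URLs entered in the two consoles above have to agree, or the primary IS (acting as SAML service provider) will reject what the secondary IS sends it. The following added example, not WSO2 code, checks a SAML Response against the values configured in this scenario; the sample response is constructed, and the ds:Signature elements are only checked for presence, not cryptographically verified.

```python
# Added example (not WSO2 code): structural check of a SAML Response from the
# secondary IdP against the identifiers configured on this page. Signatures are
# not verified here; that needs the IdP certificate and a SAML library.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values from the configuration steps on this page.
IDP_ENTITY_ID = "Secondary IDP"
SP_ENTITY_ID = "Primary"
ACS_URL = "https://localhost:9443/commonauth"

# Constructed sample response; the ds:Signature elements are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://localhost:9443/commonauth">
  <saml:Issuer>Secondary IDP</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion>
    <saml:Issuer>Secondary IDP</saml:Issuer>
    <ds:Signature/>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>Primary</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, idp_entity_id=IDP_ENTITY_ID,
                        sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    # Returns a list of mismatches; an empty list means the response matches the setup.
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Assertion Consumer URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Response Issuer does not match the Identity Provider Entity Id")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is unsigned (Enable Response Signing)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion present"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Assertion Issuer does not match the Identity Provider Entity Id")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned (Enable Assertion Signing)")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include the Service Provider Entity Id")
    return problems
```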