Configuring Single Sign-On for WSO2 DAS

SSO (Single Sign-On) allows you to be authenticated to access one application, and gain access to multiple other applications without having to repeatedly provide your credentials for authentication purposes.

Follow the instructions below to configure SSO for the WSO2 DAS Portal and the WSO2 DAS Management Console.

Prerequisites

In order to configure SSO for WSO2 DAS, WSO2 IS should be downloaded and installed.

To download this product, go to the WSO2 Identity Server home page.

For detailed instructions, see WSO2 Identity Server Documentation - Installation Prerequisites.

Step 1: Share a user store between WSO2 DAS and WSO2 IS

Follow the procedure below to share a user store between WSO2 DAS and WSO2 IS.

Create new database named DAS_UM_DB in MYSQL server.
Create tables inside the created database by executing the script in the <DAS_HOME>/dbscripts/mysql.sql.

Define a datasource as follows in the <DAS_HOME>/repository/conf/datasources/master-datasources.xml file. This allows you to connect to the DAS_UM_DB in order to share the user store.

   <datasource>  
      <name>WSO2UM_DB</name>  
      <description>The datasource used for user manager database</description>  
      <jndiConfig>  
        <name>jdbc/WSO2UM_DB</name>  
      </jndiConfig>  
       <definition type="RDBMS">  
         <configuration>  
           <url>jdbc:mysql://localhost:3306/APPM_UM_DB</url>  
            <username>username</username>  
            <password>password</password>  
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>  
            <maxActive>50</maxActive>  
            <maxWait>60000</maxWait>  
            <testOnBorrow>true</testOnBorrow>  
            <validationQuery>SELECT 1</validationQuery>  
            <validationInterval>30000</validationInterval>  
         </configuration>  
     </definition>  
   </datasource>

Add the same datasource configuration given in the previous step to the <IS_HOME>/repository/conf/datasources/master-datasources.xml file.
Download the MySQL database driver from here and copy it to both <IS_HOME>/repository/components/lib and <DAS_HOME>/repository/components/lib directories.
Update the <DAS_HOME>/repository/conf/user-mgt.xml file with the the jndiConfig name added in step3 (i.e., jdbc/WSO2UM_DB) as shown below. Do the same update in the <IS_HOME>/repository/conf/user-mgt.xml file.
```
 <configuration>   
     ...  
     <Property name="dataSource">jdbc/WSO2UM_DB</Property>  
   </configuration>  
```

Copy the following JDBC user store configuration that can be found in the <DAS_HOME>/repository/conf/user-mgt.xml file to the <IS_HOME>/repository/conf/user-mgt.xml file. Remove the LDAP user store configuration available by default in the <IS_HOME>/repository/conf/user-mgt.xml file.

        <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
            <Property name="ReadOnly">false</Property>
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">true</Property>
            <Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="CaseInsensitiveUsername">true</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">true</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="UserNameUniqueAcrossTenants">false</Property>
        </UserStoreManage

Restart both WSO2 DAS and WSO2 IS servers.

Step 2: Mount and share a registry between WSO2 DAS and WSO2 IS

Follow the procedure below to share a registry between WSO2 DAS and WSO2 IS.

Create a new database named DAS_REG_DB in the MySQL server.
Create tables in the database you created by executing the script in the <DAS_HOME>/dbscripts/mysql.sql directory.

Define a datasource as follows in the <DAS_HOME>/repository/conf/datasources/master-datasources.xml file. This allows you to connect to the DAS_REG_DB that you previously created.

 <datasource>   
     <name>WSO2REG_DB</name>   
     <description>The datasource used for registry database</description>   
     <jndiConfig>   
       <name>jdbc/WSO2REG_DB</name>   
     </jndiConfig>   
     <definition type="RDBMS">   
       <configuration>   
         <url>jdbc:mysql://localhost:3306/APPM_REG_DB</url>   
         <username>username</username>   
         <password>password</password>   
         <driverClassName>com.mysql.jdbc.Driver</driverClassName>   
         <maxActive>50</maxActive>   
         <maxWait>60000</maxWait>   
         <testOnBorrow>true</testOnBorrow>   
         <validationQuery>SELECT 1</validationQuery>   
         <validationInterval>30000</validationInterval>   
       </configuration>   
     </definition>   
   </datasource>

Add the same datasource configuration provided in the above step to the <IS_HOME>/repository/conf/datasources/master-datasources.xml file.
Download the MySQL database driver from here and copy it to both <IS_HOME>/repository/components/lib and <DAS_HOME>/repository/components/lib directories.
Create the registry mounts by adding the following configuration to both the <DAS_HOME>/repository/conf/registry.xml file and the <IS_HOME>/repository/conf/registry.xml file.
Restart both the WSO2 DAS server and the WSO2 IS server.

Step 3: Create a service provider for WSO2 DAS Management Console

Access the WSO2 IS Management Console using the following URL, and log in using your credentials.
https://<IS_HOST>:<IS_PORT>/carbon/
Click Main => Service Providers => Add to open the Add New Service Provider page. Enter the following details, and click Register to register a new service provider.
Parameter Value
Service Provider Name DAS_SSO_CARBON_SERVER
Description Single Sign-On for DAS Management Console.
In the Service Providers page, expand the Inbound Authentication Configuration section. Then expand the SAML2 Web SSO Configuration section and click Configure. This opens the Register New Service Provider page.
Enter information as follows.
Parameter Value
Issuer carbonServer
Assertion Consumer URL https://<DAS_URL>:<DAS_PORT>/acs
Enable Response Signing Select this check box.
Enable Single Logout Select this check box.
Click Update to save these changes. A message appears to confirm that the service provider is successfully added.

Step 4: Create a service provider for WSO2 DAS Portal

Log into the WSO2 IS Management Console if you are not already logged in.
Click Main => Service Providers => Add to open the Add New Service Provider page. Enter the following details, and click Register to register a new service provider.
Parameter Value
Service Provider Name DAS_SSO_PORTAL
Description Single Sign-On for DAS Portal.
In the Service Providers page, expand the Inbound Authentication Configuration section. Then expand the SAML2 Web SSO Configuration section and click Configure. This opens the Register New Service Provider page.

Enter information as follows.

Parameter	Value
Issuer	`portal`
Assertion Consumer URL	`https://<DAS_URL>:<DAS_PORT>/acs`
Enable Response Signing	Select this check box.
Enable Single Logout	Select this check box.
Enable Audience Restriction	Select this check box and add the following two audiences. Token endpoint url (eg: `https://<IDP_URL>:<IDP_PORT>/oauth2/token)` Management console issuer name (i.e. `carbonServer`)
Enable Recipient Validation	Select this check box and add the token endpoint URL as a recipient (e.g., `https://<IDP_URL>:<IDP_PORT>/oauth2/token`).

Click Update to save these changes. A message appears to confirm that the service provider is successfully added.

Step 5: Update the SAML2SSOAuthenticator configuration

Open the <DAS_HOME>/repository/conf/security/authenticators.xml file.
Enable the required authenticator by setting disabled="false" as shown in the example below.
```
<Authenticator name="SAML2SSOAuthenticator" disabled="true">
```

Configure the following parameters for the same authenticator that you enabled in the previous step.

Parameter	Value
`ServiceProviderID`	`carbonServer` This should be the ID of the service provider you created in Step 3.
`IdentityProviderSSOServiceURL`	`https://<IDP_URL>:<IDP_PORT>/samlsso`
`AssertionConsumerServiceURL`	`https://<DAS_URL>:<DAS_PORT>/acs`

Save the changes.

Parameter	Value
Service Provider Name	DAS_SSO_CARBON_SERVER
Description	Single Sign-On for DAS Management Console.

Parameter	Value
Issuer	`carbonServer`
Assertion Consumer URL	`https://<DAS_URL>:<DAS_PORT>/acs`
Enable Response Signing	Select this check box.
Enable Single Logout	Select this check box.

Parameter	Value
Service Provider Name	DAS_SSO_PORTAL
Description	Single Sign-On for DAS Portal.