This sample demonstrates how to configure SAML2 SSO between WSO2 Identity Server and a sample service provider web app.
Configuring the web app
Check out the source from the repository location that contains the samples:
svn co https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.2.0/products/is/4.5.0/modules/samples/sso/
Go to <HOME>/sso/SSOAgentSample in the checked-out folder and build the sample with the following command:
mvn clean install
- After successfully building the sample, a .war file named travelocity.com can be found inside the <HOME>/sso/SSOAgentSample/target folder. Deploy this sample web app on a web container. To do this, use the Apache Tomcat server.
Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x.
Use the following steps to deploy the web app in the web container:
- Stop the Apache Tomcat server if it is already running.
- Copy the travelocity.war file to the <TOMCAT_HOME>/webapps folder.
- Start the Apache Tomcat server.
The travelocity.properties file, which is found inside the travelocity.com/WEB-INF/classes folder, can be used to change properties such as the issuer ID, the consumer URL and the IdP URL. This sample uses the default values:
- A unique identifier for this SAML 2.0 Service Provider application:
SAML.IssuerID=travelocity.com
- The URL of the SAML 2.0 Assertion Consumer:
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/samlsso-home.jsp
- The URL of the SAML 2.0 Identity Provider:
SAML.IdPUrl=https://localhost:9443/samlsso
Now that the web app is successfully deployed on a web container, the next step is to configure WSO2 Identity Server as the identity provider.
Configuring WSO2 Identity Server as an identity provider
- Start Identity Server and access the management console using https://localhost:9443/carbon/
- Log in to the management console using the default administrator credentials (the username and password are both "admin").
- In the management console found on the left of your screen, navigate to Main > Manage > SAML SSO.
- Click on Register New Service Provider.
- A form appears. Register the new service provider by providing the following values.
- Issuer: travelocity.com. This value should be the same as the SAML.IssuerID value specified inside the travelocity.com/WEB-INF/classes/travelocity.properties file.
- Assertion Consumer URL: http://localhost:8080/travelocity.com/samlsso-home.jsp. This value should be the same as the SAML.ConsumerUrl value mentioned inside the travelocity.com/WEB-INF/classes/travelocity.properties file.
- NameID format: Enter the default value here (i.e., urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
- Use fully qualified username in the NameID: Set this as true by selecting the checkbox
- Enable Response Signing: Set this as true by selecting the checkbox
- Enable Assertion Signing: Set this as true by selecting the checkbox
- Enable Signature Validation in Authentication Requests and Logout Requests: Set this as true (Certificate alias = wso2carbon)
- Enable Single Logout: Set this as true by selecting the checkbox
- After providing the above values, click Register.
After successfully registering the service provider, log out from the management console. You have now configured Identity Server as the identity provider. The next step is to run the sample.
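The service provider settings above (Issuer matching SAML.IssuerID, Assertion Consumer URL matching SAML.ConsumerUrl, the emailAddress NameID format, and Response and Assertion signing) are exactly the things a relying party has to check on every SAML Response it receives, and a mismatch between the two sides is the usual reason this sample fails with an error page. The script below is an added example, not code from the WSO2 SSO agent or this sample: it parses the three travelocity.properties values from the page, then checks a constructed SAML Response (the IdP entity ID idp.example.test, the subject, the timestamps and the placeholder ds:Signature elements are all made up) for Destination, Audience, status, validity window, NameID format and signature presence. Cryptographic verification of the XML signatures against the wso2carbon certificate is left to the agent's XML-DSig library and is not reimplemented here.

```python
"""Added example (not the WSO2 SSO agent's code): the consistency checks a
service provider should apply to a SAML 2.0 Response before trusting it, using
the three travelocity.properties values and the IdP options from this page."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The properties as listed on the page. SAML.IdPUrl is where the AuthnRequest
# is sent; the Response is checked against the other two values.
SP_PROPERTIES = """
# travelocity.properties (excerpt)
SAML.IssuerID=travelocity.com
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/samlsso-home.jsp
SAML.IdPUrl=https://localhost:9443/samlsso
"""

# Constructed sample Response: the Issuer, subject and timestamps are made up,
# and the ds:Signature elements are placeholders for the real enveloped
# signatures the IdP produces when Response/Assertion signing is enabled.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    Destination="http://localhost:8080/travelocity.com/samlsso-home.jsp">
  <saml:Issuer>idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
    <saml:Issuer>idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-01T00:00:00Z" NotOnOrAfter="2014-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>travelocity.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def load_properties(text):
    """Minimal parser for the key=value lines of a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2014-01-01T00:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, props, now=None):
    """Return a list of findings; an empty list means the Response is consistent
    with the SP configuration. Only signature *presence* is checked here; the
    cryptographic XML-DSig verification against the IdP certificate is the job
    of the agent's signature library. `now` is a SAML timestamp string, or None
    for the current time."""
    now = saml_time(now) if now else datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    if root.get("Destination") != props["SAML.ConsumerUrl"]:
        findings.append("Destination does not match SAML.ConsumerUrl")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed (Enable Response Signing)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no saml:Assertion"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed (Enable Assertion Signing)")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != props["SAML.IssuerID"]:
        findings.append("Audience does not match SAML.IssuerID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Assertion has no Conditions element")
    else:
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")):
            findings.append("Assertion is not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= saml_time(cond.get("NotOnOrAfter")):
            findings.append("Assertion has expired (NotOnOrAfter)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        findings.append("NameID is missing or not in the emailAddress format")
    return findings


if __name__ == "__main__":
    props = load_properties(SP_PROPERTIES)
    print(check_response(SAMPLE_RESPONSE, props, now="2014-01-01T00:02:00Z"))  # []
```

Changing the Audience in the sample to anything other than travelocity.com, or calling check_response with a time after NotOnOrAfter, produces a finding, which is the same class of mismatch you get when the Issuer typed into the management console differs from SAML.IssuerID in travelocity.properties.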
Running the sample
- Visit http://localhost:8080/travelocity.com. You are directed to the sample's landing page.
- Since we're going to use SAML2, click the first link (Click here to login with SAML from Identity Server). You'll be redirected to IS for authentication.
- Enter the default admin credentials (admin/admin).
- You are now logged in and can see the home page of the travelocity.com app.
Special note:
1) If you need to view the SAML request and response, add the following debug log entry to the log4j.properties file found inside wso2is-4.5.0/repository/conf
log4j.logger.org.wso2.carbon.identity=DEBUG
2) Since single logout is enabled, clicking the logout button on the travelocity.com home page logs you out of both the web app and Identity Server.