Introduction
An Identity Provider (IdP) is responsible for authenticating users and issuing identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Trust. This is a favourable alternative to explicitly authenticating a user within a security realm.
The responsibility of the identity provider configuration is to represent external identity providers. These external identity providers can be Facebook, Yahoo, Google, Salesforce, Microsoft Windows Live, etc. If you want to authenticate users against these identity providers, then you must associate one or more federated authenticators with the WSO2 Identity Server. These identity providers support for different authentication protocols. For example, if you want to authenticate users against Salesforce, then you must associate the SAML 2.0 authenticator with the Salesforce identity provider, if you want to authenticate users against Yahoo, then you must associate the OpenID Connect authenticator with it. To make this process much easier, the Identity Server also comes with a set of more specific federated authenticators. For example, if you want to authenticate against Facebook, you do not need to configure OAuth 2.0 authenticator. Instead, you can directly use the Facebook federated authenticator.
Each identity provider configuration can also maintain a claim mapping. This is to map the identity provider's own set of claims to the Identity Server's claims. When the response from an external identity provider is received by the response processor component of the federated authenticator, before it hands over the control to the authentication framework, the response processor will create a name/value pair of user claims received in the response from the identity provider. These claims are specific to the external identity provider. Then it is the responsibility of the authentication framework to read the claim mapping configuration from the identity provider component and do the conversion. So, while inside the framework, all the user claim values will be in a common format.
So, in short, the WSO2 Identity Server allows you to add identity providers and specify various details that help you to link the identity provider to the Identity Server. So you must specify all information required to send the authentication requests and get a response back from the identity provider. This topic contains the following sections.
Adding an identity provider
Follow the instructions below to add a new identity provider.
- Sign in. Enter your username and password to log on to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
Fill in the details in the Basic Information section.
Note the following when filling the above form.Field Description Sample Value Identity Provider Name The Identity Provider Name must be unique as it is used as the primary identifier of the identity provider.
FacebookIdP Display Name The Display Name is used to identify the identity provider. If this is left blank, the Identity Provider Name is used. This is used in the login page when selecting the identity provider that you wish to use to log in to the service provider.
Facebook Description The Description is added in the list of identity providers to provide more information on what the identity provider is. This is particularly useful in situations where there are many identity providers configured and a description is required to differentiate and identify them. This is the identity provider configuration for Facebook. Federation Hub Identity Provider Select the Federation Hub Identity Provider check-box to indicate if this points to an identity provider that acts as a federation hub. A federation hub is an identity provider that has multiple identity providers configured to it and can redirect users to the correct identity provider depending on their Home Realm identifier or their Identity Provider Name. When we have this check-box selected additional window will pop-up in the multi-option page in the first identity server to get the home realm identifier for the desired identity provider in the identity provider hub.
Selected Home Realm Identifier The Home Realm Identifier value can be specified in each federated IDP and can send the Home Realm Identifier value as the “fidp” query parameter (e.g., fidp=googleIdp) in the authentication request by the service provider. Then WSO2 Identity Server finds the IDP related to the “fidp” value and redirects the end user to the IDP directly rather than showing the SSO login page. By using this, you can avoid multi-option, in a multi-option scenario without redirecting to the multi-option page.
FB Identity Provider Public Certificate The Identity Provider Public Certificate is the public certificate belonging to the identity provider. Uploading this is necessary to authenticate the response from the identity provider. See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information on how public keys work and how to sign these keys by a certification authority.
This can be any certificate. If the identity provider is another Identity Server, this can be a wso2.crt file.
Note: To create the Identity Provider Certificate, open your Command Line interface, traverse to the
<IS_HOME>/repository/resources/security/
directory. Next you must execute the following command.keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon
Once this command is run, the wso2.crt file is generated and can be found in the
<IS_HOME>/repository/resources/security/
directory. Click Choose File and navigate to this location in order to obtain and upload this file.See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information.Alias The Alias is a value that has an equivalent value specified in the identity provider that we are configuring. This is required for authentication in some scenarios.
http://localhost:9443/oauth2/token - Enter the Identity Provider Name and provide a brief Description of the identity provider. Only Identity Provider Name is a required field.
Fill in the remaining details where applicable. Click the arrow buttons to expand the forms available to update.
- Click Register to add the Identity Provider.
Configuring a resident identity provider
WSO2 Identity Server can mediate authentication requests between service providers and identity providers. At the same time, the Identity Server itself can act as a service provider and an identity provider. When it acts as an identity provider it is known as the resident identity provider.
The resident identity provider configuration is very relevant for you if you are a service provider and want to send an authentication request or a provisioning request to the Identity Server (say via SAML, OpenID Connect, SCIM, and WS-Trust). See Configuring WS-Trust Security Token Service for an example of how resident identity provider is used to implement security token service.
Resident identity provider configuration is a one time configuration for a given tenant. It basically shows you the Identity Server's metadata, like the endpoints. In addition to the metadata, you can configure this if you want to secure the WS-Trust endpoint with a security policy.
Follow the instructions below to configure a resident identity provider.
- Sign in. Enter your username and password to log on to the Management Console.
In the Main menu under the Identity section, click Resident under Identity Providers.
The Resident Identity Provider page appears.
Enter a Home Realm Identifier for the resident identity provider. You can enter multiple identifiers as a comma separated list.
This value is essentially the domain name of the identity provider. If you do not enter a value here, when an authentication request comes to the Identity Server, a page is displayed prompting the user to specify a domain.
Idle Session Time Out : This represents the idle session time out for SSO sessions. The default value is set to 15min which means that if Identity Server does not receive any SSO authentication request for 15min for a given user SSO session would be timeout. You can configure the idle time out value.
Remember Me Period : You can tick on the Remember Me option in Identity Server login page if you need to make remember the SSO session. You can define an expiry time for this remembrance period by configuring Remember Me Period . This is configurable and the default time is 2 weeks.
- Configure inbound authentication if required. This is not mandatory for creating a resident identity provider.
Set the Identity Provider Entity Id under SAML2 Web SSO Configuration. Specifying this gives the tenant identification, so any users provisioned through this tenant can be identified as such.
Configure the Security Token Service (STS). You can configure this if you want to secure the WS-Trust endpoint with a security policy.
- Click Update.
- Click Ok to the confirmation message that appears.
Note the following information regarding the URLs on this screen.
You can modify the host nameoftheseURLs by changing the value in the <IS_HOME>/repository/conf/carbon.xml
file using the following configuration.
<HostName>localhost</HostName>
Once you update the host nameinthecarbon.xml file, change the URL to reflect the new hostname in the <IS_HOME>/repository/conf/identity/identity.xml
file.
<IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
The above URL is used for destination validation of the SAML request. The Identity Server compares the value of the "destination" inside the SAML request with the URL in the above configuration. This is done to ensure that the correct application is communicating with the right identity provider.
You can add multiple destination URLs for Identity Server using the Resident Identity Provider UI under "SAML2 Web SSO Configuration". This feature is useful when some SPs directly connect to the IS and some SPs connect through a proxy server.
- SSO URL:
https://localhost:9443/samlsso
The SAML SSO endpoint of the IdentityProfivder. - Logout URL:
https://localhost:9443/samlsso
Theend point of theIdentityPorvider that accepts SAML log out requests. - Authorization Endpoint URL:
https://localhost:9443/oauth2/authz
The Identity Provider's OAuth2/OpenID Connect authorization endpoint URL. - Token Endpoint URL:
https://localhost:9443/oauth2/token
The Identity Providers token endpoint URL. - User Info Endpoint URL:
https://localhost:9443/oauth2/token
Theend point of the Identity Provider that is used to get the information of the users. Theinformation is gathered by passing an access token. - SCIM User Endpoint:
https://localhost:9443/wso2/scim/Users
The Identity Provider's endpoint for SCIM user operations, such as creating and managing users - SCIM Group Endpoint:
https://localhost:9443/wso2/scim/Groups
- The Identity Provider's endpoint for the SCIM user role operations, such as creating roles, assigning users to roles and managing roles.
Exporting SAML2 metadata of the resident IdP
To configure WSO2 Identity Server as a trusted identity provider in a service provider application, export the SAML2 metadata of the resident identity provider of WSO2 IS and import the metadata to the relevant service provider.
Use one of the following approaches to do this.
- Start the server and download the SAML2 metadata by accessing this URL: https://localhost:9443/identity/metadata/saml2.
- Alternatively, access the management console and follow the steps given below to download the metadata.
- Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration.
- Click Download SAML2 metadata. A
metadata.xml
file will be downloaded on to your machine. Import the
metadata.xml
file to the relevant service provider to configure WSO2 Identity Server as a trusted identity provider for your application.
Managing identity providers
This section provides instructions on how to manage identity providers once they are created.
Viewing identity providers
Follow the instructions below to view the list of identity providers added in the WSO2 Identity Server.
- Sign in. Enter your username and password to log on to the Management Console.
- In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.
Editing identity providers
Follow the instructions below to edit an identity provider's details.
- Sign in. Enter your username and password to log on to the Management Console.
- In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.
- Locate the identity provider you want to edit and click on the corresponding Edit link.
- You are directed to the edit screen where you can modify the details you configured for the identity provider.
Deleting identity providers
Follow the instructions below to delete an identity provider.
- Sign in. Enter your username and password to log on to the Management Console.
- In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.
- Locate the identity provider you want to delete and click on the corresponding Delete link.
- Confirm your request in the WSO2 Carbon window. Click the Yes button.
Disabling/Enabling identity providers
Follow the instructions below to disable or enable an identity provider.
- Sign in. Enter your username and password to log on to the Management Console.
- In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.
- Locate the identity provider you want to delete and click on the corresponding Disable link to disable the identity provider. Clicking this link will change the link to Enable. To enable the identity provider again, click the Enable link.
- Click Ok on the confirmation form that appears when clicking Disable/Enable.
See the following topics for information on configuring service providers using different specifications.
- See Identity Federation for information on configuring federated authenticators.
See the following topics to configure different applications as service providers in Identity Server.