This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Service Provider Configurations used with APIs

 This section guides you through the configurations you can include in a service provider application. 

Configuring SAML2 web SSO 

To add a Service Provider with SAML2 Web SSO capability, you have to first add SAML2 Web SSO configuration. This is done through the IdentitySAMLSSOConfigService exposed at https://<IS_HOST>:<IS_PORT>/services/IdentitySAMLSSOConfigService?wsdl. The following sample request shows how to add SAML SSO issuer.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addRPServiceProvider>
         <!--Optional:-->
         <xsd:spDto>
            <!--Optional:-->
<xsd1:assertionConsumerUrl>http://localhost:8080/travelocity.com/home.jsp</xsd1:assertionConsumerUrl>
            <!--Optional:-->
            <xsd1:doSignAssertions>true</xsd1:doSignAssertions>
            <!--Optional:-->
            <xsd1:doSignResponse>true</xsd1:doSignResponse>
            <!--Optional:-->
            <xsd1:doSingleLogout>true</xsd1:doSingleLogout> 
            <!--Optional:-->
            <xsd1:issuer>travelocity.com</xsd1:issuer>
            <!--Optional:-->            <xsd1:nameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</xsd1:nameIDFormat>
            <xsd1:useFullyQualifiedUsername>true</xsd1:useFullyQualifiedUsername>
         </xsd:spDto>
      </xsd:addRPServiceProvider>
   </soapenv:Body>
</soapenv:Envelope>

Once the SAML SSO issuer is added, the issuer details should be included in inbound authentication configurations.

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>issuer.1</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
        <!--Zero or more repetitions:-->
        <xsd1:properties>
            <!--Optional:-->
            <xsd1:name>attrConsumServiceIndex</xsd1:name>
            <!--Optional:-->
            <xsd1:value>354785936</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>

Parameter

Type

Description

inboundAuthKey

String

Specify the issuer here, which is the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider.

inboundAuthType

String

For SAML 2.0 authentication type should be ‘samlsso’



Property Name

Property Value

attrConsumServiceIndex

This is the consumer service index.  The service provider should send this in the SAML request to get attributes of the authenticated subject.  


Configuring OAuth/OpenID Connect 

To add a Service Provider with OAuth capability, add an OAuth application through the OAuthAdminServiceexposed at https://<IS_HOST>:<IS_PORT>/services/ OAuthAdminService ?wsdl. The following sample request shows how to add the OAuth service. The registerOAuthApplicationData function is used to add the OAuth service to the application. 


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:registerOAuthApplicationData>
         <!--Optional:-->
         <xsd:application>
            <!--Optional:-->
            <xsd1:OAuthVersion>Oauth-2.0</xsd1:OAuthVersion>
            <!--Optional:-->
            <xsd1:applicationName>TestApp</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:callbackUrl>http://localhost:8080/oauth2client</xsd1:callbackUrl>
            <!--Optional:-->
            <xsd1:grantTypes>authorization_code implicit password client_credentials refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm</xsd1:grantTypes>
         </xsd:application>
      </xsd:registerOAuthApplicationData>
   </soapenv:Body>
</soapenv:Envelope>


Once the OAuth application data is added, include the issuer details in the inbound authentication configurations. The  inboundAuthKey and oauthConsumerSecret can be obtained by calling the getOAuthApplicationDataByAppName function given in the  OAuthAdminService as seen in the request below. 


<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://org.apache.axis2/xsd">
    <soapenv:Header/>
    <soapenv:Body>
        <xsd:getOAuthApplicationDataByAppName>
            <!--Optional:-->
            <xsd:appName>TestApp</xsd:appName>
        </xsd:getOAuthApplicationDataByAppName>
    </soapenv:Body>
</soapenv:Envelope>

The response of getOAuthApplicationDataByAppName will contain the oauthConsumerKey and oauthConsumerSecret which is required to configure OAuth for the service provider.


Parameter

Type

Description

inboundAuthKey

String

OAuth Client Key

inboundAuthType

String

For OAuth authentication type should be ‘oauth2



Property Name

Property Value

oauthConsumerSecret

OAuth client secret

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>XhFbH1qEarpg0bqcGG_utaRa2wka</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>oauth</xsd1:inboundAuthType>
        <!--Zero or more repetitions:-->
        <xsd1:properties>
            <!--Optional:-->
            <xsd1:name>oauthConsumerSecret</xsd1:name>
            <!--Optional:-->
            <xsd1:value>D3AARDfI6BRqls7k6eqiZk4J8QYa</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>


Configuring WS-Trust Security Token service

To configure a service provider with the WS-Trust Security Token Service (STS), add a trusted service through the OAuthAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/STSAdminService?wsdl. The following sample request shows how to add the STS service using the addTrustedService function.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addTrustedService>
         <!--Optional:-->
         <ser:serviceAddress>https://example.com</ser:serviceAddress>
         <!--Optional:-->
         <ser:certAlias>wso2carbon.cert</ser:certAlias>
      </ser:addTrustedService>
   </soapenv:Body>
</soapenv:Envelope>

Once the trusted service is registered, the service address can be included in the <inboundAuthenticationConfig> element as the <inboundAuthKey>.

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>https://example.com</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>wstrust</xsd1:inboundAuthType>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>



Parameter

Type

Description

inboundAuthKey

String

The endpoint address of the trusted service.

inboundAuthType

String

For WS-Trust Security Token Service, the authentication type should be ‘wstrust’

Properties

Property

No specific properties to define

Configuring WS-Federation (passive)

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>



Parameter

Type

Description

inboundAuthKey

String

Passive STS realm identifier

inboundAuthType

String

For WS-Federation (Passive) Configuration, authentication type should be ‘passivests’

Properties

Property

No specific properties to define


Configuring OpenID

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>openid</xsd1:inboundAuthType>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>

Parameter

Type

Description

inboundAuthKey

String

OpenID realm identifier

inboundAuthType

String

For OpenID Configuration, the authentication type should be openid

Properties

Property

No specific properties to define