Managing Trusted Identity Providers

Trusted identity providers are the identity providers that are trusted by that tenant. These identity providers can be configured by tenant admins.

These trusted identity providers can be used for many different use cases. One of its use cases is for the development and deployment of SSO enabled SaaS applications. This use case is a special use case in the WSO2 Application Server compared to other application servers due to the fact that WSO2 Application Server supports multi tenancy out of the box. A SaaS application is an application deployed in the super tenant space, but accessed by all the tenants. Each tenant can have its own set of trusted identity providers (such as, the users of the tenant do not have to physically exist in the WSO2 Application Server but reside elsewhere). Authentication for the SaaS webapp will be performed for the trusted identity provider at the request of the SaaS application and the user's identity information would be transported using a SAML assertion. The SAML assertion could then be verified and validated using the APIs exposed by the IdPMetadataService class found in the WSO2 Application Server. In case the webapp is running on any other application server you still could use this capability using the web service APIs exposed from the IdPMetadataService.

The roles that exist for the tenant at the identity provider can be defined and mapped to roles that exist in the WSO2 Application Server. The APIs provide operations to map the identity provider roles to tenant roles, so that the SaaS applications can perform authorization on the tenant roles. The shared roles feature also goes hand in hand with the trusted identity providers management feature. The shared roles feature allows users of any tenant to be assigned to those shared roles. This way the SaaS application could be written against shared roles, without worrying about tenant specific roles and authorization could be performed on shared roles.

Another use case for this feature is in the WSO2 Identity Server. The SAML2 Assertion Profile for OAuth2 uses these registered identity providers of the tenant to verify the SAML2 assertion.

Adding a trusted identity provider

1. Log in to the product's management console.
2. On the Configure menu, click Trusted Identity Providers.
3. Click on  Add New Trusted Identity Provider .
4. Enter the i dentity provider's name. This should be a unique name of this identity provider across this tenant.
5. Enter the issuer name of this identity provider. This will be used for validating the issuer name of the SAML token when using the validation APIs.
6. If this is the primary identity provider for this tenant, select the Primary Identity Provider option.
   The first identity provider registered would be the primary identity provider by default.
7. Enter the identity provider's URL.
8. Upload the public certificate of the identity provider. This will be used for validating SAML token signatures when using the validation APIs.
9. Click Add Role and add an identity provider Role. These will be the roles that are registered for this tenant at the identity provider.
10. Upload the role mappings file. This file will map the identity provider roles to tenant roles in the Identity Server.
11. Click  Add Audience and add the m andatory audience restriction elements that need to be present in the SAML token when it is to be used by this tenant for any purpose.
    This will be used for validating SAML token Audience Restriction when using the validation APIs.
12. Enter the OAuth2 Token Endpoint URL or any alias used to refer to it uniquely within the tenant. This will be used when validating the audience restriction of the SAML token under the SAML2 Assertion Profile for OAuth2.
13. Click Register. The newly added Identity provider will appear in the registered identity provider list.