
Configuring Single Sign-On for WSO2 DAS

Single Sign-On (SSO) lets a user authenticate once, to one application, and then access other applications that trust the same identity provider without entering credentials again.

Follow the instructions below to configure SSO for the WSO2 DAS Portal and the WSO2 DAS Management Console.

Prerequisites

WSO2 Identity Server (WSO2 IS) acts as the identity provider in this setup, so it must be downloaded and installed before you configure SSO for WSO2 DAS.

To download this product, go to the WSO2 Identity Server home page.

For detailed instructions, see WSO2 Identity Server Documentation - Installation Prerequisites.

Step 1: Share a user store between WSO2 DAS and WSO2 IS

Follow the procedure below to share a user store between WSO2 DAS and WSO2 IS.

  1. Create a new database named DAS_UM_DB in the MySQL server.
  2. Create the tables inside that database by executing the <DAS_HOME>/dbscripts/mysql.sql script.
  3. Define a datasource as follows in the <DAS_HOME>/repository/conf/datasources/master-datasources.xml file. This allows WSO2 DAS to connect to DAS_UM_DB so that the user store can be shared. Replace username and password with the credentials of a MySQL account that has privileges only on DAS_UM_DB; since this file now holds the credentials of the shared user store, keep its file permissions restricted to the account that runs the server.

       <datasource>
          <name>WSO2UM_DB</name>
          <description>The datasource used for user manager database</description>
          <jndiConfig>
             <name>jdbc/WSO2UM_DB</name>
          </jndiConfig>
          <definition type="RDBMS">
             <configuration>
                <url>jdbc:mysql://localhost:3306/DAS_UM_DB</url>
                <username>username</username>
                <password>password</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
             </configuration>
          </definition>
       </datasource>
  4. Add the same datasource configuration given in the previous step to the <IS_HOME>/repository/conf/datasources/master-datasources.xml file.
  5. Download the MySQL JDBC driver and copy it to both the <IS_HOME>/repository/components/lib and <DAS_HOME>/repository/components/lib directories.
  6. Update the <DAS_HOME>/repository/conf/user-mgt.xml file with the jndiConfig name added in step 3 (i.e., jdbc/WSO2UM_DB) as shown below. Make the same update in the <IS_HOME>/repository/conf/user-mgt.xml file.

     <configuration>
         ...
         <Property name="dataSource">jdbc/WSO2UM_DB</Property>
     </configuration>
  7. Copy the following JDBC user store configuration from the <DAS_HOME>/repository/conf/user-mgt.xml file to the <IS_HOME>/repository/conf/user-mgt.xml file, and remove the LDAP user store configuration that the <IS_HOME>/repository/conf/user-mgt.xml file contains by default, so that the shared JDBC user store is the only one active on both servers.

            <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
                <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
                <Property name="ReadOnly">false</Property>
                <Property name="ReadGroups">true</Property>
                <Property name="WriteGroups">true</Property>
                <Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
                <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
                <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
                <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
                <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
                <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
                <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="CaseInsensitiveUsername">true</Property>
                <Property name="SCIMEnabled">false</Property>
                <Property name="IsBulkImportSupported">true</Property>
                <Property name="PasswordDigest">SHA-256</Property>
                <Property name="StoreSaltedPassword">true</Property>
                <Property name="MultiAttributeSeparator">,</Property>
                <Property name="MaxUserNameListLength">100</Property>
                <Property name="MaxRoleNameListLength">100</Property>
                <Property name="UserRolesCacheEnabled">true</Property>
                <Property name="UserNameUniqueAcrossTenants">false</Property>
            </UserStoreManager>
  8. Restart both WSO2 DAS and WSO2 IS servers.

Step 2: Mount and share a registry between WSO2 DAS and WSO2 IS

Follow the procedure below to share a registry between WSO2 DAS and WSO2 IS.

  1. Create a new database named DAS_REG_DB in the MySQL server.
  2. Create the tables inside that database by executing the <DAS_HOME>/dbscripts/mysql.sql script.
  3. Define a datasource as follows in the <DAS_HOME>/repository/conf/datasources/master-datasources.xml file. This allows WSO2 DAS to connect to the DAS_REG_DB database that you previously created. As with the user store datasource, replace username and password with the credentials of an account that has privileges only on DAS_REG_DB.

       <datasource>
          <name>WSO2REG_DB</name>
          <description>The datasource used for registry database</description>
          <jndiConfig>
             <name>jdbc/WSO2REG_DB</name>
          </jndiConfig>
          <definition type="RDBMS">
             <configuration>
                <url>jdbc:mysql://localhost:3306/DAS_REG_DB</url>
                <username>username</username>
                <password>password</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
             </configuration>
          </definition>
       </datasource>
  4. Add the same datasource configuration provided in the above step to the <IS_HOME>/repository/conf/datasources/master-datasources.xml file.
  5. If you have not already done so in Step 1, download the MySQL JDBC driver and copy it to both the <IS_HOME>/repository/components/lib and <DAS_HOME>/repository/components/lib directories.
  6. Create the registry mounts by adding the following configuration to both the <DAS_HOME>/repository/conf/registry.xml file and the <IS_HOME>/repository/conf/registry.xml file.

    <dbConfig name="govregistry">
       <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
      
    <remoteInstance url="https://localhost">
       <id>gov</id>
       <dbConfig>govregistry</dbConfig>
       <readOnly>false</readOnly>
       <enableCache>true</enableCache>
       <registryRoot>/</registryRoot>
    </remoteInstance>
      
    <mount path="/_system/governance" overwrite="true">
       <instanceId>gov</instanceId>
       <targetPath>/_system/governance</targetPath>
    </mount>
      
    <mount path="/_system/config" overwrite="true">
       <instanceId>gov</instanceId>
       <targetPath>/_system/config</targetPath>
    </mount>
  7. Restart both the WSO2 DAS server and the WSO2 IS server.
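The datasource files edited in Steps 1 and 2 have to agree exactly on both servers, and the sample credentials must not survive into a running deployment. The following script is an added example, not part of the WSO2 distribution: it parses both master-datasources.xml files and the DAS user-mgt.xml, and reports any shared datasource whose URL or driver differs between DAS and IS, any placeholder credentials, and a user store that points at a JNDI name that is not defined. The file contents below are constructed inline so the check runs offline; in practice read them from <DAS_HOME> and <IS_HOME>.

```python
"""Cross-check the datasource definitions shared by WSO2 DAS and WSO2 IS.

Added example (not part of the WSO2 distribution). The XML strings at the
bottom are constructed stand-ins for the real
<DAS_HOME>/repository/conf/datasources/master-datasources.xml,
<IS_HOME>/repository/conf/datasources/master-datasources.xml and
<DAS_HOME>/repository/conf/user-mgt.xml files, so the check runs offline.
"""
import xml.etree.ElementTree as ET

# JNDI names that the shared user store and registry rely on (Steps 1 and 2).
SHARED_JNDI = ("jdbc/WSO2UM_DB", "jdbc/WSO2REG_DB")
# Literal values from the sample configuration that must not reach a running server.
PLACEHOLDER_CREDENTIALS = {"username", "password"}


def parse_datasources(xml_text):
    """Map each datasource's JNDI name to its RDBMS connection settings."""
    datasources = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        jndi = ds.findtext("jndiConfig/name")
        cfg = ds.find("definition/configuration")
        if jndi is None or cfg is None:  # skip malformed or non-RDBMS entries
            continue
        datasources[jndi.strip()] = {
            "url": cfg.findtext("url"),
            "driver": cfg.findtext("driverClassName"),
            "username": cfg.findtext("username"),
            "password": cfg.findtext("password"),
        }
    return datasources


def user_store_datasource(user_mgt_xml):
    """Return the JNDI name set by <Property name="dataSource"> in user-mgt.xml."""
    for prop in ET.fromstring(user_mgt_xml).iter("Property"):
        if prop.get("name") == "dataSource" and prop.text:
            return prop.text.strip()
    return None


def check_shared_datasources(das_xml, is_xml, user_mgt_xml, shared=SHARED_JNDI):
    """Return a list of findings; an empty list means DAS and IS agree."""
    das, is_ = parse_datasources(das_xml), parse_datasources(is_xml)
    findings = []
    for jndi in shared:
        missing = [side for side, cfg in (("DAS", das), ("IS", is_)) if jndi not in cfg]
        if missing:
            findings.append(f"{jndi}: not defined in {', '.join(missing)}")
            continue
        # Both servers must reach the same database through the same driver.
        for key in ("url", "driver"):
            if das[jndi][key] != is_[jndi][key]:
                findings.append(f"{jndi}: {key} differs (DAS={das[jndi][key]!r}, IS={is_[jndi][key]!r})")
        for side, cfg in (("DAS", das[jndi]), ("IS", is_[jndi])):
            if cfg["username"] in PLACEHOLDER_CREDENTIALS or cfg["password"] in PLACEHOLDER_CREDENTIALS:
                findings.append(f"{jndi}: placeholder credentials left in the {side} file")
    # The user store must point at a datasource that actually exists on the DAS side.
    um = user_store_datasource(user_mgt_xml)
    if um not in das:
        findings.append(f"user-mgt.xml dataSource {um!r} is not defined in the DAS datasources")
    return findings


def build_datasource(name, database, username, password):
    """Build one <datasource> element in the shape used by master-datasources.xml."""
    return (
        f"<datasource><name>{name}</name><jndiConfig><name>jdbc/{name}</name></jndiConfig>"
        '<definition type="RDBMS"><configuration>'
        f"<url>jdbc:mysql://localhost:3306/{database}</url>"
        f"<username>{username}</username><password>{password}</password>"
        "<driverClassName>com.mysql.jdbc.Driver</driverClassName>"
        "</configuration></definition></datasource>"
    )


def build_file(*datasources):
    """Wrap datasource elements in the root elements master-datasources.xml uses."""
    return ("<datasources-configuration><datasources>" + "".join(datasources)
            + "</datasources></datasources-configuration>")


# Constructed sample files: the DAS copy is complete; the IS copy misspells the
# registry database name and still carries the sample credentials.
DAS_DATASOURCES_XML = build_file(
    build_datasource("WSO2UM_DB", "DAS_UM_DB", "das_um", "um-s3cret"),
    build_datasource("WSO2REG_DB", "DAS_REG_DB", "das_reg", "reg-s3cret"),
)
IS_DATASOURCES_XML = build_file(
    build_datasource("WSO2UM_DB", "DAS_UM_DB", "das_um", "um-s3cret"),
    build_datasource("WSO2REG_DB", "DAS_REGDB", "username", "password"),
)
USER_MGT_XML = ('<UserManager><Realm><Configuration><Property name="dataSource">'
                "jdbc/WSO2UM_DB</Property></Configuration></Realm></UserManager>")

if __name__ == "__main__":
    for finding in check_shared_datasources(DAS_DATASOURCES_XML, IS_DATASOURCES_XML, USER_MGT_XML):
        print("FINDING:", finding)
```

Run against the constructed files, the script reports two findings for jdbc/WSO2REG_DB (the URL mismatch and the leftover sample credentials on the IS side) and nothing for jdbc/WSO2UM_DB. Both are exactly the kind of drift that surfaces later as a registry mount that silently works on one server and not the other.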

Step 3: Create a service provider for WSO2 DAS Management Console

Follow the procedure below to configure a service provider for the WSO2 DAS Management Console. In WSO2 IS, a service provider represents an external application that relies on WSO2 IS to authenticate its users; the service provider you create here represents the DAS Management Console, which redirects its users to WSO2 IS for authentication. For more information about service providers, see WSO2 Identity Server Documentation - Configuring a Service Provider.

  1. Access the WSO2 IS Management Console using the following URL, and log in using your credentials.
    https://<IS_HOST>:<IS_PORT>/carbon/
  2. Click Main => Service Providers => Add to open the Add New Service Provider page. Enter the following details, and click Register to register a new service provider.

    Parameter               Value
    Service Provider Name   DAS_SSO_CARBON_SERVER
    Description             Single Sign-On for DAS Management Console.
    SaaS Application        Select this check box. This makes the web application represented by the service provider accessible to all the users of all the tenants connected to the service provider.


  3. In the Service Providers page, expand the Inbound Authentication Configuration section. Then expand the SAML2 Web SSO Configuration section and click Configure. This opens the Register New Service Provider page.
  4. Enter information as follows.

    Parameter                 Value
    Issuer                    carbonServer
    Assertion Consumer URL    https://<DAS_URL>:<DAS_PORT>/acs
    Enable Response Signing   Select this check box.
    Enable Single Logout      Select this check box.
  5. Expand the Local and Outbound Authentication Configuration section, and select the Use tenant domain in local subject identifier check box. This appends the tenant domain to the local subject identifier, so that the tenant domain of each application user can be identified.
  6. Click Update to save these changes. A message appears to confirm that the service provider is successfully added.

Step 4: Create a service provider for WSO2 DAS Portal

Follow the procedure below to configure a service provider for the WSO2 DAS Portal. As in Step 3, the service provider represents an application that relies on WSO2 IS to authenticate its users; here it represents the DAS Portal. For more information about service providers, see WSO2 Identity Server Documentation - Configuring a Service Provider.

  1. Log into the WSO2 IS Management Console if you are not already logged in.
  2. Click Main => Service Providers => Add to open the Add New Service Provider page. Enter the following details, and click Register to register a new service provider.

    Parameter               Value
    Service Provider Name   DAS_SSO_PORTAL
    Description             Single Sign-On for DAS Portal.
    SaaS Application        Select this check box. This makes the web application represented by the service provider accessible to all the users of all the tenants connected to the service provider.

  3. In the Service Providers page, expand the Inbound Authentication Configuration section. Then expand the SAML2 Web SSO Configuration section and click Configure. This opens the Register New Service Provider page.
  4. Enter information as follows.

    Parameter                     Value
    Issuer                        portal
    Assertion Consumer URL        https://<DAS_URL>:<DAS_PORT>/portal/acs
    Enable Response Signing       Select this check box.
    Enable Single Logout          Select this check box.
    Enable Audience Restriction   Select this check box and add the following two audiences:
                                  • Token endpoint URL (e.g., https://<IDP_URL>:<IDP_PORT>/oauth2/token)
                                  • Management console issuer name (i.e., carbonServer)
    Enable Recipient Validation   Select this check box and add the token endpoint URL as a recipient (e.g., https://<IDP_URL>:<IDP_PORT>/oauth2/token).
  5. Expand the Local and Outbound Authentication Configuration section, and select the Use tenant domain in local subject identifier check box. This appends the tenant domain to the local subject identifier, so that the tenant domain of each application user can be identified.
  6. Click Update to save these changes. A message appears to confirm that the service provider is successfully added.

Step 5: Update the SAML2SSOAuthenticator configuration

This step registers the service provider you created in Step 3 as the authenticator used by the WSO2 DAS Management Console. Follow the procedure below to update the authenticators.xml file with the required information.

  1. Open the <DAS_HOME>/repository/conf/security/authenticators.xml file.
  2. Enable the required authenticator by changing its disabled attribute, which ships as disabled="true", to disabled="false", as shown below.

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
  3. Configure the following parameters for the authenticator you enabled in the previous step.

    Parameter                       Value
    ServiceProviderID               carbonServer (the Issuer of the service provider you created in Step 3)
    IdentityProviderSSOServiceURL   https://<IDP_URL>:<IDP_PORT>/samlsso
    AssertionConsumerServiceURL     https://<DAS_URL>:<DAS_PORT>/acs
  4. Save the changes.
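As an added illustration (not a fragment of the WSO2 documentation), this is how the enabled element looks once the three parameters are set, using assumed hostnames of is.example.com:9443 for WSO2 IS and das.example.com:9444 for WSO2 DAS. The Priority and LoginPage lines reflect the layout of the shipped file; verify them against your copy, and leave any other parameters already present in the element unchanged.

```xml
<!-- <DAS_HOME>/repository/conf/security/authenticators.xml (excerpt, hostnames assumed) -->
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <!-- Must equal the Issuer of the DAS_SSO_CARBON_SERVER service provider (Step 3) -->
        <Parameter name="ServiceProviderID">carbonServer</Parameter>
        <!-- SAML2 Web SSO endpoint of WSO2 IS -->
        <Parameter name="IdentityProviderSSOServiceURL">https://is.example.com:9443/samlsso</Parameter>
        <!-- Must equal the Assertion Consumer URL registered for that service provider -->
        <Parameter name="AssertionConsumerServiceURL">https://das.example.com:9444/acs</Parameter>
        <!-- remaining parameters of the shipped element stay as they are -->
    </Config>
</Authenticator>
```

The ServiceProviderID and AssertionConsumerServiceURL values are matched by WSO2 IS against the service provider registered in Step 3; a mismatch in either makes WSO2 IS reject the authentication request rather than fall back to another service provider.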

Step 6: Update the authentication configuration

Follow the procedure below in order to specify SSO as the currently active authentication method for WSO2 DAS.

  1. Open the <DAS_HOME>/repository/deployment/server/jaggeryapps/portal/configs/designer.json file.
  2. Update the properties in the "authentication" configuration as follows.

    Property              Value
    activeMethod          sso
    issuer                portal
    identityProviderURL   https://<IDP_URL>:<IDP_PORT>/samlsso
    acs                   https://<DAS_URL>:<DAS_PORT>/portal/acs
    The "authentication" block then reads as follows (only the "sso" method is shown; the hostnames and ports are those of the shipped example, with WSO2 IS on localhost:9443 and WSO2 DAS on localhost:9444). Note that the file ships with "activeMethod": "basic"; it must be changed to "sso" for the portal to redirect users to WSO2 IS. The identityAlias names the certificate in the DAS trust store used to verify the identity provider's signatures; wso2carbon is the default key pair that ships with every WSO2 product, so replace it with your own keys on both servers before going to production, otherwise response and assertion signing only proves that the message was signed with a publicly available key.

    "activeMethod": "sso",
    "methods": {
        "sso": {
            "attributes": {
                "issuer": "portal",
                "identityProviderURL": "https://localhost:9443/samlsso",
                "responseSigningEnabled": true,
                "validateAssertionValidityPeriod": true,
                "validateAudienceRestriction": true,
                "assertionSigningEnabled": true,
                "acs": "https://localhost:9444/portal/acs",
                "identityAlias": "wso2carbon",
                "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "useTenantKey": false,
                "isPassive": false
            }
        },
  3. Save the changes.

Restart the WSO2 DAS server after you carry out all the steps given above.
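The portal settings in Steps 4 and 6 (audience restriction, recipient validation, assertion validity period, response and assertion signing) describe the checks the DAS portal applies to every SAML Response before trusting it. The following script is an added example, not WSO2 code: it implements the non-signature checks over a constructed Response shaped like one WSO2 IS would issue for the "portal" service provider, so the effect of each setting is visible. Hostnames, ports and the identity provider issuer value "localhost" are assumptions. Signature verification needs an XML-DSig library, is not shown, and must pass before any of these checks are worth running.

```python
"""What the DAS portal's SAML settings check on an incoming Response.

Added example, not WSO2 code. It implements the audience restriction,
recipient validation and validity-period checks that Steps 4 and 6 switch on,
over a constructed Response. Hostnames, ports and the IdP issuer value
"localhost" are assumptions. Signature verification (responseSigningEnabled,
assertionSigningEnabled) needs an XML-DSig library, is not shown, and must
pass before any of these checks are worth running.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def saml_instant(value):
    """Parse a SAML UTC timestamp such as 2016-03-01T10:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_xml, expected_issuer, expected_acs, accepted_audiences, now):
    """Return (ok, reasons); every failed check is reported, not just the first."""
    root = ET.fromstring(response_xml)
    reasons = []
    if root.get("Destination") != expected_acs:
        reasons.append("Response Destination is not this ACS")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, reasons + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("Assertion Issuer is not the configured IdP")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        reasons.append("no Conditions element")
    else:
        # validateAssertionValidityPeriod: NotBefore <= now < NotOnOrAfter
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < saml_instant(not_before):
            reasons.append("assertion is not yet valid")
        if not_on_or_after and now >= saml_instant(not_on_or_after):
            reasons.append("assertion validity period has passed")
        # validateAudienceRestriction: at least one Audience must be one this SP accepts
        audiences = {a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
        if not audiences & set(accepted_audiences):
            reasons.append(f"no accepted audience among {sorted(audiences)}")
    # Recipient validation: the bearer confirmation must name this ACS and be unexpired
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        reasons.append("SubjectConfirmationData Recipient is not this ACS")
    elif scd.get("NotOnOrAfter") and now >= saml_instant(scd.get("NotOnOrAfter")):
        reasons.append("bearer confirmation has expired")
    return not reasons, reasons


PORTAL_ACS = "https://das.example.com:9444/portal/acs"       # assumed DAS portal ACS
CONSOLE_ACS = "https://das.example.com:9444/acs"             # assumed management console ACS
TOKEN_ENDPOINT = "https://is.example.com:9443/oauth2/token"  # assumed IS token endpoint
IDP_ISSUER = "localhost"                                     # assumed IdP entity ID

# Constructed Response, shaped like one WSO2 IS issues for the "portal" service provider
# configured in Step 4 (its own issuer plus the two extra audiences). Unsigned on purpose.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2016-03-01T10:00:00Z" Destination="{PORTAL_ACS}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-03-01T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin@carbon.super</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{PORTAL_ACS}" NotOnOrAfter="2016-03-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-03-01T10:00:00Z" NotOnOrAfter="2016-03-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>portal</saml:Audience>
        <saml:Audience>{TOKEN_ENDPOINT}</saml:Audience>
        <saml:Audience>carbonServer</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = saml_instant("2016-03-01T10:01:00Z")
    print("portal:", validate_response(SAMPLE_RESPONSE, IDP_ISSUER, PORTAL_ACS, {"portal"}, now))
    # The same Response replayed at the management console ACS passes the audience check
    # (carbonServer is listed) but fails Destination and Recipient validation.
    print("replayed to console:",
          validate_response(SAMPLE_RESPONSE, IDP_ISSUER, CONSOLE_ACS, {"carbonServer"}, now))
    print("expired:", validate_response(SAMPLE_RESPONSE, IDP_ISSUER, PORTAL_ACS, {"portal"},
                                        saml_instant("2016-03-01T10:05:00Z")))
```

The replay scenario is the reason Step 4 enables recipient validation as well as audience restriction: because the portal's service provider lists carbonServer as an extra audience, an assertion issued for the portal also satisfies the audience check of the management console, and only the Recipient and Destination values tie it to the ACS it was actually issued for.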
