Configuring Single Sign-On for WSO2 DAS
SSO (Single Sign-On) allows you to be authenticated to access one application, and gain access to multiple other applications without having to repeatedly provide your credentials for authentication purposes.
To configure SSO for the WSO2 DAS Portal and the WSO2 DAS Management Console, follow the instructions given below:
Prerequisites
In order to configure SSO for WSO2 DAS, WSO2 IS should be downloaded and installed.
To download this product, go to the WSO2 Identity Server home page.
For detailed instructions, see WSO2 Identity Server Documentation - Â Installation Prerequisites.
Step 1: Share a user store between WSO2 DAS and WSO2 IS
Follow the procedure below to share a user store between WSO2 DAS and WSO2 IS.
- Create a new database named
DAS_UM_DB
 in MYSQL server. - Create tables inside the
DAS_UM_DB
 database by executing the script in the<DAS_HOME>/dbscripts/mysql.sql.
Define a datasource as follows in the
<DAS_HOME>/repository/conf/datasources/master-datasources.xml
file. This allows you to connect to theÂDAS_UM_DB
in order to share the user store.<datasource> <name>WSO2UM_DB</name> <description>The datasource used for user manager database</description> <jndiConfig> <name>jdbc/WSO2UM_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/DAS_UM_DB</url> <username>username</username> <password>password</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
- Add the same datasource configuration given in the previous step to theÂ
<IS_HOME>/repository/conf/datasources/master-datasources.xml
file. - Download the MySQL database driver and copy it to theÂ
<IS_HOME>/repository/components/lib
and theÂ<DAS_HOME>/repository/components/lib
directories. Update the
<DAS_HOME>/repository/conf/user-mgt.xml
file with thejndiConfig
name added in step3 (i.e., Âjdbc/WSO2UM_DB
) as shown below. Do the same update in theÂ<IS_HOME>/repository/conf/user-mgt.xml
 file.<configuration> ... <Property name="dataSource">jdbc/WSO2UM_DB</Property> </configuration>
Copy the following JDBC user store configuration that can be found in theÂ
<DAS_HOME>/repository/conf/user-mgt.xml
file to theÂ<IS_HOME>/repository/conf/user-mgt.xml
file. Remove the LDAP user store configuration available by default in the Â<IS_HOME>/repository/conf/user-mgt.xml
file.<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property> <Property name="ReadOnly">false</Property> <Property name="ReadGroups">true</Property> <Property name="WriteGroups">true</Property> <Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property> <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property> <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property> <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property> <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="CaseInsensitiveUsername">true</Property> <Property name="SCIMEnabled">false</Property> <Property name="IsBulkImportSupported">true</Property> <Property name="PasswordDigest">SHA-256</Property> <Property name="StoreSaltedPassword">true</Property> <Property name="MultiAttributeSeparator">,</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="UserNameUniqueAcrossTenants">false</Property> </UserStoreManage
- Restart both WSO2 DAS and WSO2 IS servers.
Step 2: Mount and share a registry between WSO2 DAS and WSO2 IS
Follow the procedure below to share a registry between WSO2 DAS and WSO2 IS.
- Create a new database namedÂ
DAS_REG_DB
in the MySQL server. - Create tables in the database you created by executing the script in the
<DAS_HOME>/dbscripts/mysql.sql
directory. Define a datasource as follows in theÂ
<DAS_HOME>/repository/conf/datasources/master-datasources.xml
 file. This allows you to connect to theÂDAS_REG_DB
 that you previously created.<datasource> <name>WSO2REG_DB</name> <description>The datasource used for registry database</description> <jndiConfig> <name>jdbc/WSO2REG_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/DAS_REG_DB</url> <username>username</username> <password>password</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
- Add the same datasource configuration provided in the above step to theÂ
<IS_HOME>/repository/conf/datasources/master-datasources.xml
 file. - Download the MySQL database driver from here and copy it to both theÂ
<IS_HOME>/repository/components/lib
 and theÂ<DAS_HOME>/repository/components/lib
 directories. Create the registry mounts by adding the following configuration to both theÂ
<DAS_HOME>/repository/conf/registry.xml
file and theÂ<IS_HOME>/repository/conf/registry.xml
file.<dbConfig name="govregistry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost"> <id>gov</id> <dbConfig>govregistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/governance" overwrite="true"> <instanceId>gov</instanceId> <targetPath>/_system/governance</targetPath> </mount> <mount path="/_system/config" overwrite="true"> <instanceId>gov</instanceId> <targetPath>/_system/config</targetPath> </mount>
- Restart both the WSO2 DAS server and the WSO2 IS server.
Step 3: Create a service provider for WSO2 DAS Management Console
Follow the procedure below to configure a service provider for the WSO2 DAS Management Console. A service provider represents an external application from which a service is obtained. In this scenario, the service provider you create provides an authentication service. For more information about service providers, see WSO2 Identity Server Documentation - Configuring a Service Provider.
- Access the WSO2 IS Management Console using the following URL, and log in using your credentials.
https://<IS_HOST>:<IS_PORT>/carbon/Â
Click Main => Service Providers => Add to open the Add New Service Provider page. Enter the following details, and click Register to register a new service provider.
Parameter Value Service Provider Name DAS_SSO_CARBON_SERVER
Description Single Sign-On for DAS Management Console. SaaS Application Select this check box.
This makes the web application represented by the service provider accessible for all the users of all the tenants connected to the service provider.
- In the Service Providers page, expand the Inbound Authentication Configuration section. Then expand the SAML2 Web SSO Configuration section and click Configure. This opens the Register New Service Provider page.
Enter information as follows.
Parameter Value Issuer carbonServer
Assertion Consumer URL https://<DAS_URL>:<DAS_PORT>/acs
Enable Response Signing Select this check box. Enable Single Logout Select this check box. - Expand the Local and Outbound Authentication Configuration section, and select the Use tenant domain in local subject identifier check box. This appends the tenant domain to the local subject identifier and allows the tenant domains of the application users to be identified.
- Click Update to save these changes. A message appears to confirm that the service provider is successfully added.
Step 4: Create a service provider for WSO2 DAS Portal
Follow the procedure below to configure a service provider for the WSO2 DAS Portal. A service provider represents an external application from which a service is obtained. In this scenario, the service provider you create provides an authentication service. For more information about service providers, see WSO2 Identity Server Documentation - Configuring a Service Provider.
- Log into the WSO2 IS Management Console if you are not already logged in.
Click Main => Service Providers => Add to open the Add New Service Provider page. Enter the following details, and click Register to register a new service provider.
Parameter Value Service Provider Name DAS_SSO_PORTAL Description Single Sign-On for DAS Portal. SaaS Application Select this check box.
This makes the web application represented by the service provider accessible for all the users of all the tenants connected to the service provider.
- In the Service Providers page, expand the Inbound Authentication Configuration section. Then expand the SAML2 Web SSO Configuration section and click Configure. This opens the Register New Service Provider page.
Enter information as follows.
Parameter Value Issuer portal
Assertion Consumer URL https://<DAS_URL>:<DAS_PORT>/portal/acs
Enable Response Signing Select this check box. Enable Single Logout Select this check box. Enable Audience Restriction Select this check box and add the following two audiences. - Token endpoint url (eg:Â
https://<IDP_URL>:<IDP_PORT>/oauth2/token)
- Management console issuer name (i.e.Â
carbonServer
)
Enable Recipient Validation Select this check box and add the token endpoint URL as a recipient (e.g., https://<IDP_URL>:<IDP_PORT>/oauth2/token
).- Token endpoint url (eg:Â
- Expand the Local and Outbound Authentication Configuration section, and select the Use tenant domain in local subject identifier check box. This appends the tenant domain to the local subject identifier. This allows the tenant domains of the application users to be identified.
- Click Update to save these changes. A message appears to confirm that the service provider is successfully added.
Step 5: Update the SAML2SSOAuthenticator configuration
This step is carried out in order to connect the service provider you created as an authenticator for WSO2 DAS. Follow the procedure below to update the authenticators.xml
 file with the information required.
- Open theÂ
<DAS_HOME>/repository/conf/security/authenticators.xml
 file. Enable the required authenticator by settingÂ
disabled="false"
as shown in the example below.Â<Authenticator name="SAML2SSOAuthenticator" disabled="false">
Configure the following parameters for the same authenticator that you enabled in the previous step.
Parameter Value ServiceProviderID
carbonServer
This should be the ID of the service provider you created in Step 3.
IdentityProviderSSOServiceURL
https://<IDP_URL>:<IDP_PORT>/samlsso
AssertionConsumerServiceURL
https://<DAS_URL>:<DAS_PORT>/acs
- Save the changes.
Step 6: Update the authentication configuration
Follow the procedure below in order to specify SSO as the currently active authentication method for WSO2 DAS.
- Open theÂ
<DAS_HOME>/repository/deployment/server/jaggeryapps/portal/configs/designer.json
file. Update the properties in theÂ
"authentication"
configuration as follows.Property Value activeMethod
sso
issuer
portal
identityProviderURL
https://<IDP_URL>:<IDP_PORT>/samlsso
acs
https://<DAS_URL>:<DAS_PORT>/portal/acs
"activeMethod": "basic", "methods": { "sso": { "attributes": { "issuer": "portal", "identityProviderURL": "https://localhost:9443/samlsso", "responseSigningEnabled": true, "validateAssertionValidityPeriod": true, "validateAudienceRestriction": true, "assertionSigningEnabled": true, "acs": "https://localhost:9444/portal/acs", "identityAlias": "wso2carbon", "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "useTenantKey": false, "isPassive": false } },
- Save the changes.
Restart the WSO2 DAS server after you carry out all the steps given above.