Configuring Single Sign-on
Single Sign-On (SSO) is a major requirement when deploying WSO2 G-Reg Publisher and Store. SSO lets a user who has authenticated against one application access the other participating applications without authenticating again, which makes it a common solution to the problem of repeated logins.
Configuring single sign-on in WSO2 G-Reg
Set the authentication method to SSO, as shown below, in both of the following files to enable single sign-on in a standalone WSO2 G-Reg server instance:
<G-REG_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json
<G-REG_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json
"authentication": {
    "activeMethod": "sso",
    ...
}
Configuring WSO2 IS as an External Identity Provider
WSO2 Identity Server (IS) supports configuring SSO in WSO2 G-Reg out of the box. This scenario uses WSO2 G-Reg and WSO2 IS products to demonstrate configurations. It uses two WSO2 G-Reg instances for Publisher and Store, and one WSO2 IS instance as the external IdP.
Step 1 - sharing the user store
This scenario uses an Oracle JDBC user store as the user store. <IS_HOME> refers to the home directory of the WSO2 IS server node. All <G-REG_HOME> references relate to both the Publisher and Store nodes, so you have to repeat the configurations mentioned below in both WSO2 G-Reg server instances.
- Create an Oracle database (e.g., grg520umdb) and add the datasource configuration below to the following files:
<G-REG_HOME>/repository/conf/datasources/master-datasources.xml
<IS_HOME>/repository/conf/datasources/master-datasources.xml
<datasource>
    <name>WSO2_UM_DB</name>
    <description>The datasource used for user manager</description>
    <jndiConfig>
        <name>jdbc/UM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:oracle:thin:@192.168.10.2:1521/PDBORA12C</url>
            <username>grg520umdb</username>
            <password>grg520umdb</password>
            <driverClassName>oracle.jdbc.driver.OracleDriver</driverClassName>
            <maxActive>120</maxActive>
            <maxWait>900000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1 FROM DUAL</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
- Download the Oracle JDBC driver JAR file and copy it to the following directories:
<G-REG_HOME>/repository/components/lib/
<IS_HOME>/repository/components/lib/
- Set the dataSource property to the JNDI name of the new datasource as follows in the following files:
<G-REG_HOME>/repository/conf/user-mgt.xml
<IS_HOME>/repository/conf/user-mgt.xml
<Realm>
    <Configuration>
        ...
        <Property name="dataSource">jdbc/UM_DB</Property>
    </Configuration>
    ...
</Realm>
- This scenario uses a JDBC user store, so disable the default LDAP user store of WSO2 IS in the <IS_HOME>/repository/conf/user-mgt.xml file. Comment out the following line:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
- Then uncomment the following line to enable the JDBC user store manager:
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
Step 2 - sharing and mounting the Registry space
Follow the steps below to share and mount the Registry space of WSO2 G-Reg in all nodes.
- Create an Oracle database (e.g., grg520regdb) and add the datasource configuration below to the following files:
<G-REG_HOME>/repository/conf/datasources/master-datasources.xml
<IS_HOME>/repository/conf/datasources/master-datasources.xml
<datasource>
    <name>WSO2_REG_DB</name>
    <description>The datasource used for registry and user manager</description>
    <jndiConfig>
        <name>jdbc/REG_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:oracle:thin:@192.168.10.2:1521/PDBORA12C</url>
            <username>grg520regdb</username>
            <password>grg520regdb</password>
            <driverClassName>oracle.jdbc.driver.OracleDriver</driverClassName>
            <maxActive>120</maxActive>
            <maxWait>900000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1 FROM DUAL</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
- Add the content below to the following files to mount the Registry. Do not change the existing "wso2registry" dbConfig.
<G-REG_HOME>/repository/conf/registry.xml
<IS_HOME>/repository/conf/registry.xml
<dbConfig name="registry">
    <dataSource>jdbc/REG_DB</dataSource>
</dbConfig>
<remoteInstance url="https://serverIP:9443/registry">
    <id>gregid</id>
    <dbConfig>registry</dbConfig>
    <readOnly>false</readOnly>
    <registryRoot>/</registryRoot>
    <enableCache>true</enableCache>
    <cacheId>greg520regdb@jdbc:oracle:thin:@192.168.10.2:1521/PDBORA12C</cacheId>
</remoteInstance>
<mount path="/_system/config" overwrite="true">
    <instanceId>gregid</instanceId>
    <targetPath>/_system/config</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
    <instanceId>gregid</instanceId>
    <targetPath>/_system/governance</targetPath>
</mount>
- Start the servers with the -Dsetup startup parameter, or run the scripts in the following files, to create the necessary tables in each database:
<G-REG_HOME>/dbscripts/oracle.sql
<IS_HOME>/dbscripts/oracle.sql
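Steps 1 and 2 edit three files on every node, and a JNDI name that does not match between them only shows up as a failed user store or registry mount at startup. The following script is an added example, not part of the WSO2 documentation: it parses master-datasources.xml, user-mgt.xml and registry.xml and reports every reference that does not resolve (dataSource property to a declared JNDI name, dbConfig to a datasource, remoteInstance to a dbConfig, mount to a remoteInstance), and that exactly one UserStoreManager is left active in user-mgt.xml. The XML embedded below is constructed from the snippets on this page; the enclosing element layout (datasources-configuration/datasources, UserManager/Realm, wso2registry) is an assumption about the file structure and the paths should be checked against the files on your nodes.

```python
"""Cross-check the datasource wiring from Steps 1 and 2 before starting a node.

Added example (not WSO2's code). Reads the three edited config files as strings
and returns a list of dangling references; an empty list means the wiring is
consistent. Samples are constructed from the page's snippets; the surrounding
element layout is an assumption about the real files.
"""
import xml.etree.ElementTree as ET

# Constructed sample of master-datasources.xml (only the parts the check needs).
MASTER_DATASOURCES = """<datasources-configuration>
  <datasources>
    <datasource><name>WSO2_CARBON_DB</name>
      <jndiConfig><name>jdbc/WSO2CarbonDB</name></jndiConfig></datasource>
    <datasource><name>WSO2_UM_DB</name>
      <jndiConfig><name>jdbc/UM_DB</name></jndiConfig></datasource>
    <datasource><name>WSO2_REG_DB</name>
      <jndiConfig><name>jdbc/REG_DB</name></jndiConfig></datasource>
  </datasources>
</datasources-configuration>"""

# Constructed sample of user-mgt.xml after Step 1: LDAP commented out, JDBC active.
USER_MGT = """<UserManager>
  <Realm>
    <Configuration>
      <Property name="dataSource">jdbc/UM_DB</Property>
    </Configuration>
    <!-- <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"/> -->
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"/>
  </Realm>
</UserManager>"""

# Constructed sample of registry.xml after Step 2 (default dbConfig kept as-is).
REGISTRY = """<wso2registry>
  <dbConfig name="wso2registry"><dataSource>jdbc/WSO2CarbonDB</dataSource></dbConfig>
  <dbConfig name="registry"><dataSource>jdbc/REG_DB</dataSource></dbConfig>
  <remoteInstance url="https://serverIP:9443/registry">
    <id>gregid</id>
    <dbConfig>registry</dbConfig>
    <readOnly>false</readOnly>
  </remoteInstance>
  <mount path="/_system/config" overwrite="true">
    <instanceId>gregid</instanceId><targetPath>/_system/config</targetPath>
  </mount>
  <mount path="/_system/governance" overwrite="true">
    <instanceId>gregid</instanceId><targetPath>/_system/governance</targetPath>
  </mount>
</wso2registry>"""


def defined_jndi_names(master_xml):
    """JNDI names declared under datasources/datasource/jndiConfig/name."""
    root = ET.fromstring(master_xml)
    return {n.text.strip()
            for n in root.iterfind("./datasources/datasource/jndiConfig/name")
            if n.text}


def check_config(master_xml, user_mgt_xml, registry_xml):
    """Return human-readable problems; an empty list means every reference resolves."""
    problems = []
    jndi = defined_jndi_names(master_xml)

    # user-mgt.xml: dataSource must be a declared JNDI name, and only one
    # UserStoreManager may be active (the LDAP one is commented out in Step 1).
    um = ET.fromstring(user_mgt_xml)
    prop = um.find("./Realm/Configuration/Property[@name='dataSource']")
    ds = (prop.text or "").strip() if prop is not None else ""
    if ds not in jndi:
        problems.append(f"user-mgt.xml: dataSource {ds!r} not defined in master-datasources.xml")
    managers = [m.get("class") for m in um.iterfind("./Realm/UserStoreManager")]
    if len(managers) != 1:
        problems.append(f"user-mgt.xml: expected one active UserStoreManager, found {managers}")

    # registry.xml: dbConfig -> datasource, remoteInstance -> dbConfig, mount -> remoteInstance.
    reg = ET.fromstring(registry_xml)
    db_configs = set()
    for cfg in reg.iterfind("./dbConfig"):
        name = cfg.get("name")
        db_configs.add(name)
        ds = (cfg.findtext("dataSource") or "").strip()
        if ds not in jndi:
            problems.append(f"registry.xml: dbConfig {name!r} uses undefined dataSource {ds!r}")
    instance_ids = set()
    for inst in reg.iterfind("./remoteInstance"):
        iid = (inst.findtext("id") or "").strip()
        instance_ids.add(iid)
        ref = (inst.findtext("dbConfig") or "").strip()
        if ref not in db_configs:
            problems.append(f"registry.xml: remoteInstance {iid!r} refers to unknown dbConfig {ref!r}")
    for mnt in reg.iterfind("./mount"):
        iid = (mnt.findtext("instanceId") or "").strip()
        if iid not in instance_ids:
            problems.append(f"registry.xml: mount {mnt.get('path')!r} refers to unknown remoteInstance {iid!r}")
    return problems


if __name__ == "__main__":
    for line in check_config(MASTER_DATASOURCES, USER_MGT, REGISTRY) or ["datasource wiring is consistent"]:
        print(line)
```

To run it against real files, replace the three constants with the contents of the files read from <G-REG_HOME>/repository/conf/ and <IS_HOME>/repository/conf/ and run it once per node, since Step 1 and Step 2 are repeated on every G-Reg instance.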
Step 3 - configuring WSO2 IS as the Identity Provider
Follow the steps below to create two service providers called 'publisher' and 'store' to configure the WSO2 Identity Server (IS) node as the Identity Provider (IdP).
- Start the WSO2 IS server node, and log in to the Management Console using admin/admin credentials and the following URL: https://<IS_HOST>:<IS_PORT>/carbon/
- Click Main, then click Add in the Service Providers menu.
- Enter 'publisher' for the Service Provider Name and click Register.
- Click Inbound Authentication Configuration, next click SAML2 Web SSO Configuration and then click Configure.
- Enter the following details:
- Issuer: Enter 'publisher'.
- Assertion Consumer URLs: Enter the URL of the Publisher node (in this scenario it runs on the 192.168.10.5 server without a port offset) and click Add.
- Enable Response Signing: Check this option. If you use a keystore other than the default wso2carbon.jks, import the public key of the certificate specified as the Certificate Alias in WSO2 IS into the G-Reg Publisher and Store nodes; otherwise you will get SSL verification errors when logging in.
- Enable Single Logout: Check this option.
- Click Register.
Repeat the above instructions to create another service provider called 'store': enter 'store' for Issuer, and enter the URL of the Store node (in this scenario 'https://192.168.10.6:9443/store/acs', as it runs on the 192.168.10.6 server without a port offset) for Assertion Consumer URL.
Step 4 - enabling SSO in WSO2 G-Reg Publisher
Follow the steps below to enable Single Sign-On in the WSO2 G-Reg Publisher node.
- Change the following configurations in the <G-REG_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file:
"authentication": {
    "activeMethod": "sso",
    "methods": {
        "sso": {
            "attributes": {
                "issuer": "publisher",
                "identityProviderURL": "https://192.168.10.3:9443/samlsso",
                "responseSigningEnabled": "true",
                "acs": "https://192.168.10.5/publisher/acs",
                "identityAlias": "wso2carbon",
                "useTenantKey": false,
                "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "isPassive": false,
                "validateAssertionValidityPeriod": false,
                "validateAudienceRestriction": false,
                "assertionSigningEnabled": false
            }
        },
        ...
    }
}
- Enter the URL of the WSO2 G-Reg Store node as the value of the storeUrl parameter in the same publisher.json file (e.g., "storeUrl": "https://192.168.10.6:9443/store").
Step 5 - enabling SSO in WSO2 G-Reg Store
Change the following configurations in the <G-REG_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file to enable Single Sign-On in the WSO2 G-Reg Store node:
"authentication": {
    "activeMethod": "sso",
    "methods": {
        "sso": {
            "attributes": {
                "issuer": "store",
                "identityProviderURL": "https://192.168.10.3:9443/samlsso",
                "responseSigningEnabled": "true",
                "acs": "https://192.168.10.6:9443/store/acs",
                "identityAlias": "wso2carbon",
                "useTenantKey": false,
                "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "isPassive": false,
                "validateAssertionValidityPeriod": false,
                "validateAudienceRestriction": false,
                "assertionSigningEnabled": false
            }
        },
        ...
    }
}
Now start all the servers, as you have completed enabling Single Sign-On in them. When you log in to the WSO2 G-Reg Publisher using the 'https://192.168.10.5:9443/publisher/' URL, the browser redirects you to the IdP (WSO2 Identity Server).