This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Enabling SSO for WSO2 Servers

Applies to:

By default, every WSO2 server starts on HTTPS port 9443 and HTTP port 9763. When several WSO2 servers run on one host, the default ports must therefore be changed so that they do not conflict. The port plan used in this scenario is:

  • IS runs on HTTPS port 9443 (default)
  • AS runs on HTTPS port 9444 (offset = 1)
  • ESB runs on HTTPS port 9445 (offset = 2)
  • G-Reg runs on HTTPS port 9446 (offset = 3)

By default, WSO2 servers authenticate users with Basic Authentication. In a Single Sign-On (SSO) environment, users must instead be authenticated to the WSO2 servers with SAML-based authentication. The following needs to be done to enable SSO:

Configuring WSO2 Application Server

Two configurations are needed on the Application Server: changing the port configuration and changing the authenticator configuration.

Port Configuration

  1. Download the WSO2 Application Server from here.
  2. Extract the .zip file.
  3. Locate the carbon.xml file in the unzipped folder which is found in the path: <AS_HOME>/repository/conf/carbon.xml
  4. Open the carbon.xml file and search for the configuration: <offset>0</offset>
  5. Change the offset value from 0 to 1.
  6. Save the carbon.xml and close it.

Authenticators Configuration

  1. Locate the authenticators.xml file which can be found in the path: <AS_HOME>/repository/conf/security/authenticators.xml
  2. Open the authenticators.xml file and set the "disabled" attribute value to "false" for the SAML2SSOAuthenticator configuration.

Configuring WSO2 Enterprise Service Bus

Similar to the Application Server we need to configure the port and the authenticator of ESB.

Port Configuration

  1. Download the WSO2 ESB from here.
  2. Similar to the Application Server, open the carbon.xml file and change the port offset to 2.

Authenticators Configuration

  1. Follow the same steps as for the Application Server and enable the SAML2SSOAuthenticator.
  2. One more change is needed: the ServiceProviderID. The Identity Server uses this ID to tell the ESB's requests apart from those of the other servers, so it must be unique and must match the Issuer registered for the ESB on the Identity Server. Change this value to carbonServer2.

Configuring WSO2 Governance Registry

Port Configuration

  1. Download the WSO2 Governance Registry from here.
  2. Set the port offset to 3.

Authenticators Configuration

Enable the SAML2SSOAuthenticator and change the ServiceProviderID value to carbonServer3.

Configuring WSO2 Identity Server

  1. Download the WSO2 Identity Server from here.
  2. Extract the .zip file.
  3. Open a terminal and go into the <IS_HOME>/bin folder.
  4. Start the Identity Server using wso2server.sh on Unix or wso2server.bat on Windows.
  5. Once the server has started, visit the URL: https://localhost:9443/carbon/
  6. Sign in to the Identity Server as an admin using the default credentials (username - admin and password - admin).
  7. In the Main section of the management console, click SAML SSO under Manage.
  8. The SAML 2.0 based Single Sign-On page opens. Click Register New Service Provider. Here the AS, ESB and G-Reg servers are registered as service providers.
  9. Fill in this page with the following configurations:

    1. Use the following configurations for Application Server and add them to the relevant sections in the Register New Service Provider screen:

      Issuer: carbonServer
      Assertion Consumer URL: https://localhost:9444/acs
      Enable Assertion Signing
      Enable Single Logout
      Enable Response Signing

    2. Use the following values to register the ESB:

      Issuer: carbonServer2
      Assertion Consumer URL: https://localhost:9445/acs
      Use fully qualified username in the NameID
      Enable Assertion Signing
      Enable Single Logout
      Enable Response Signing

    3. Use the following values to register the Governance Registry:

      Issuer: carbonServer3
      Assertion Consumer URL: https://localhost:9446/acs
      Enable Assertion Signing
      Enable Single Logout
      Enable Response Signing
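A consistency check for the three service-provider configurations above, added here as an example and not part of the WSO2 documentation or product. It cross-checks each server's authenticators.xml against its port offset and the Issuer/ACS pair registered on the Identity Server, and flags a still-disabled authenticator, a duplicated ServiceProviderID, or an ACS URL that does not match the server's offset port. The authenticators.xml element layout in the constructed samples is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample authenticators.xml fragments, one per server. The element
# layout (<Authenticator name=... disabled=...> holding <Config><Parameter
# name="ServiceProviderID">) is assumed for illustration.
def sp_xml(sp_id, disabled="false"):
    return (f'<Authenticators><Authenticator name="SAML2SSOAuthenticator" '
            f'disabled="{disabled}"><Config><Parameter name="ServiceProviderID">'
            f'{sp_id}</Parameter></Config></Authenticator></Authenticators>')

AUTHENTICATORS_XML = {"AS": sp_xml("carbonServer"),
                      "ESB": sp_xml("carbonServer2"),
                      "G-Reg": sp_xml("carbonServer3")}
PORT_OFFSETS = {"AS": 1, "ESB": 2, "G-Reg": 3}   # carbon.xml <offset> values
BASE_HTTPS_PORT = 9443                           # default Carbon HTTPS port

# Service providers as registered on the Identity Server (Issuer -> ACS URL).
IDP_REGISTRATIONS = {"carbonServer": "https://localhost:9444/acs",
                     "carbonServer2": "https://localhost:9445/acs",
                     "carbonServer3": "https://localhost:9446/acs"}

def read_sp_config(xml_text):
    """Return (enabled, ServiceProviderID) for the SAML2SSOAuthenticator, or None."""
    root = ET.fromstring(xml_text)
    auth = root.find(".//Authenticator[@name='SAML2SSOAuthenticator']")
    if auth is None:
        return None
    enabled = auth.get("disabled", "true").strip().lower() == "false"
    param = auth.find(".//Parameter[@name='ServiceProviderID']")
    sp_id = param.text.strip() if param is not None and param.text else None
    return enabled, sp_id

def check_sso_setup(authenticators, offsets, registrations):
    """Cross-check each server's SP settings against the IdP registrations."""
    problems, seen = [], {}
    for server, xml_text in authenticators.items():
        cfg = read_sp_config(xml_text)
        if cfg is None:
            problems.append(f"{server}: no SAML2SSOAuthenticator entry")
            continue
        enabled, sp_id = cfg
        if not enabled:
            problems.append(f"{server}: SAML2SSOAuthenticator is still disabled")
        if sp_id in seen:   # the IdP tells SPs apart by this ID, so it must be unique
            problems.append(f"{server}: ServiceProviderID {sp_id!r} already used by {seen[sp_id]}")
        seen.setdefault(sp_id, server)
        expected_acs = f"https://localhost:{BASE_HTTPS_PORT + offsets[server]}/acs"
        if registrations.get(sp_id) != expected_acs:
            problems.append(f"{server}: IdP entry for {sp_id!r} must use ACS URL {expected_acs}")
    return problems
```

An empty list means the three servers and the Identity Server registrations agree; each entry otherwise names the server and the setting to correct before testing SSO.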


Testing the SSO Environment

All the required configurations are now done. Let's test the SSO environment.

  1. Access the Application Server: https://localhost:9444/carbon/
  2. You are redirected to the Identity Server for authentication. After successful authentication you are redirected back and logged into the Application Server.
  3. Access the ESB using the URL https://localhost:9445/carbon/. You are directly logged into ESB without any authentication challenge.
  4. Access the Governance Registry using the URL https://localhost:9446/carbon/. You are logged into G-Reg directly without any authentication challenge.
  5. Test Single Logout:
    1. Log out from the AS. You are redirected to the SSO authentication page.
    2. You should now be logged out from the ESB and G-Reg as well. Try accessing them to confirm.