This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Configuring Federated Authenticators for an Identity Provider

You can configure the following federated authenticators by expanding the required forms.

In addition to this, you can create custom authenticators for more specific requirements.

Configuring OpenID

  1. Expand the OpenID Configuration section.
  2. Fill in the following fields where relevant.

    Enable OpenID
      Selecting this option enables OpenID to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that OpenID is the main/default form of authentication and clears the Default checkbox of every other authenticator.
    OpenID Server URL
      Specify the OpenID Server URL. This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs.
    OpenID User ID Location
      Select whether the User ID is found in 'claimed_id' or among the claims.
    Additional Query Parameters
      This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by that IS or application, and they can be specified here.

Configuring SAML2 Web SSO

In a single sign-on system there are two roles: service providers and identity providers. The defining characteristic of a single sign-on system is the pre-defined trust relationship between the service providers and the identity providers. Service providers trust the assertions issued by the identity providers, and the identity providers issue assertions based on the results of authenticating and authorizing the principals that access services on the service provider's side.

The SAML 2.0 web browser-based single sign-on profile is defined in the SAML 2.0 Profiles specification. SAML 2.0 consists of five main specifications:

  • Core
  • Binding
  • Profile
  • Metadata
  • Conformance

In a web browser-based SSO system, the user can start the flow either by attempting to access a service at the service provider or by directly accessing the identity provider itself.

  1. Expand the SAML2 Web SSO Configuration form.
  2. Fill in the following fields where relevant.

    Enable SAML2 Web SSO
      Selecting this option enables SAML2 Web SSO to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that SAML2 Web SSO is the main/default form of authentication and clears the Default checkbox of every other authenticator.
    Identity Provider Entity Id
      This is the issuer of the SAML response. It must be unique among identity providers.
    Service Provider Entity Id
      This is the entity Id of the Identity Server. It is useful for differentiating between tenants.
    SSO URL
      This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs.
    Enable Authentication Request Signing
      Selecting this checkbox enables you to sign the authentication request.
    Enable Assertion Encryption
      This is a security feature that encrypts the SAML2 Assertions returned after authentication.
    Enable Assertion Signing
      Select Enable Assertion Signing to sign the SAML2 Assertions returned after the authentication. SAML2 relying party components expect these assertions to be signed by the Identity Server.
    Enable Logout
      Select Enable Single Logout so that all sessions are terminated once the user signs out from one server.
    Logout URL
      You can enter a custom Logout URL if required. If you leave this empty, the logout simply returns to the SSO URL you specified.
    Enable Logout Request Signing
      Selecting this checkbox enables you to sign the logout request.
    Enable Authentication Response Signing
      Select Enable Authentication Response Signing to sign the SAML2 Responses returned after the authentication.
    SAML2 Web SSO User Id Location
      Select whether the User ID is found in the 'Name Identifier' or among the claims.
    Additional Query Parameters
      This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by that IS or application, and they can be specified here.
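As an added example (not part of the original documentation and not WSO2 code), the following Python script shows the checks a relying party performs on an incoming SAML2 response according to the settings above: the assertion issuer must equal the configured Identity Provider Entity Id, the audience must include the Service Provider Entity Id, a signature element must be present when Enable Assertion Signing is on, the validity window must hold, and the user ID is taken from the Name Identifier or from a claim according to the SAML2 Web SSO User Id Location setting. The configuration dictionary, the claim URI and the sample response are constructed; the signature check only confirms that a signature is present, and cryptographic verification of the XML signature against the IdP certificate requires an XML-DSig library and is not shown.

```python
"""Relying-party checks corresponding to the SAML2 Web SSO form fields (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical settings mirroring the form fields; all values are constructed.
CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml",     # Identity Provider Entity Id
    "sp_entity_id": "https://is.example.com/saml",       # Service Provider Entity Id
    "assertion_signing": True,                           # Enable Assertion Signing
    "user_id_location": "name_identifier",               # User Id Location: "name_identifier" or "claim"
    "user_id_claim": "http://example.com/claims/email",  # claim used when the location is "claim"
}

# Constructed sample response, not a real capture; the Signature element is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2999-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://is.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://example.com/claims/email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    # SAML timestamps are UTC; the sample uses whole seconds only.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now=None):
    """Return (user_id, []) when the response is accepted, else (None, [reasons])."""
    now = now or datetime.now(timezone.utc)
    errors = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None, ["response carries no Assertion"]

    # Identity Provider Entity Id: the assertion must come from the configured issuer.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["idp_entity_id"]:
        errors.append(f"issuer {issuer!r} does not match the Identity Provider Entity Id")

    # Enable Assertion Signing: a signature must be present (cryptographic verification
    # against the IdP certificate needs an XML-DSig library and is not shown here).
    if config["assertion_signing"] and assertion.find("ds:Signature", NS) is None:
        errors.append("assertion is unsigned but Enable Assertion Signing is on")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion carries no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            errors.append("assertion is not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            errors.append("assertion has expired")
        # Service Provider Entity Id: this server must be an intended audience.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if config["sp_entity_id"] not in audiences:
            errors.append("Service Provider Entity Id is not among the assertion audiences")
    if errors:
        return None, errors

    # SAML2 Web SSO User Id Location: Name Identifier or a named claim.
    if config["user_id_location"] == "name_identifier":
        user_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    else:
        user_id = None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == config["user_id_claim"]:
                user_id = attr.findtext("saml:AttributeValue", default=None, namespaces=NS)
    if user_id is None:
        return None, ["no user id at the configured User Id Location"]
    return user_id, []


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, CONFIG))
```

Running the script prints ('alice', []); switching the location to "claim" returns the e-mail attribute instead, and a response whose audience does not name this server, or that arrives unsigned while Enable Assertion Signing is on, is rejected with the reason listed.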

Configuring OAuth2/OpenID Connect

  1. Expand the OAuth2/OpenID Connect Configuration form.
  2. Fill in the following fields where relevant.

    Enable OAuth2/OpenIDConnect
      Selecting this option enables OAuth2/OpenID Connect to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that the OAuth2/OpenID Connect credentials are the main/default form of authentication and clears the Default checkbox of every other authenticator.
    Authentication Endpoint URL
      This is the authentication endpoint URL for OAuth/OpenID Connect. This is a standard OAuth URL.
    Token Endpoint URL
      This is the token endpoint URL. This is a standard OAuth URL.
    Client Id
      The username of the web application. The Client Id and Client Secret are used to authenticate at the Authentication Endpoint and the Token Endpoint.
    Client Secret
      The password of the web application. Click the Show button to view the value you enter.
    OpenID Connect User ID Location
      Select whether the User ID is found in the 'sub' attribute or among the claims.
    Additional Query Parameters
      This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by that IS or application, and they can be specified here.
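As an added example that is not part of the original page or of WSO2's code, the following Python script builds the two requests that the fields above configure: the browser redirect to the Authentication Endpoint URL carrying the Client Id, and the back-channel request to the Token Endpoint URL authenticated with the Client Id and Client Secret. It also shows how the Additional Query Parameters value is merged into the authorization request without overriding the parameters generated for the login (state, nonce, redirect URI), how the returned state is checked on the callback, and how the OpenID Connect User ID Location setting selects the user identifier from the decoded ID token claims. The configuration values, the callback URL and the claim name are constructed assumptions; no network request is sent.

```python
"""Requests built from the OAuth2/OpenID Connect form fields (added example)."""
import base64
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical settings mirroring the form fields; all values are constructed.
CONFIG = {
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",  # Authentication Endpoint URL
    "token_endpoint": "https://idp.example.com/oauth2/token",              # Token Endpoint URL
    "client_id": "myclient",                                               # Client Id
    "client_secret": "s3cr3t",                                             # Client Secret
    "callback_url": "https://is.example.com/callback",  # assumed URL the IdP redirects back to
    "user_id_location": "sub",                          # OpenID Connect User ID Location: "sub" or "claim"
    "user_id_claim": "email",                           # claim used when the location is "claim"
    "additional_query_params": "scope=openid email&prompt=login",  # Additional Query Parameters
}

# Parameters generated for each login; a value from Additional Query Parameters must not replace them.
PROTECTED_PARAMS = {"response_type", "client_id", "redirect_uri", "state", "nonce"}


def parse_additional_params(raw):
    """Split the query-string style field value into (key, value) pairs."""
    return parse_qsl(raw, keep_blank_values=True) if raw else []


def build_authorization_request(config, state=None, nonce=None):
    """Return (url, state, nonce) for the redirect to the Authentication Endpoint URL.

    state binds the callback to this browser session (CSRF protection) and nonce binds
    the ID token to this request; both are fresh random values unless supplied."""
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["callback_url"],
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    for key, value in parse_additional_params(config["additional_query_params"]):
        if key not in PROTECTED_PARAMS:
            params[key] = value  # e.g. a wider scope or prompt=login
    parts = urlsplit(config["authorization_endpoint"])
    # Keep any query the endpoint URL already carries, then append ours.
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True) + list(params.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")), state, nonce


def check_callback(returned_state, expected_state):
    """Accept the callback only if its state equals the one this login started with."""
    return secrets.compare_digest(returned_state, expected_state)


def build_token_request(config, code):
    """Return (headers, body) for the back-channel POST to the Token Endpoint URL.

    Client Id and Client Secret authenticate the client with HTTP Basic (client_secret_basic)."""
    creds = f"{config['client_id']}:{config['client_secret']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["callback_url"],  # must equal the one sent in the authorization request
    })
    return headers, body


def resolve_user_id(config, id_token_claims):
    """Apply the OpenID Connect User ID Location setting to the decoded ID token claims."""
    key = "sub" if config["user_id_location"] == "sub" else config["user_id_claim"]
    return id_token_claims.get(key)


if __name__ == "__main__":
    url, state, nonce = build_authorization_request(CONFIG)
    print(url)
    print(build_token_request(CONFIG, "CODE_FROM_CALLBACK"))
```

The same parsing of the Additional Query Parameters field applies to the other authenticators on this page that offer it; the protected-parameter set is what keeps a stray value in that field from weakening the state or nonce generated for the login.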

Configuring WS-Federation (Passive)

WS-Federation (Web Services Federation) describes the management and brokering of trust relationships and security token exchange across Web services and organizational boundaries. WS-Federation is a part of the larger WS-Security framework. For example, WS-Federation builds on the Security Token Service (STS) by providing mechanisms that facilitate interactions. In the WS-Federation Model an Identity Provider is a Security Token Service (STS). Service Providers depend on an Identity Provider or Security Token Service to do the user authentication. OAuth is an important protocol for IdP services as most major Web services are also identity providers, mainly through the use of OAuth. These Web services include Google, Facebook, Yahoo, AOL, Microsoft, PayPal, MySpace, and Flickr among many more. Furthermore, all major email providers offer OAuth IdP services.

In most instances it is necessary to secure the Security Token Service. According to the Trust Brokering model defined in the WS-Trust specification, the subject (user) must authenticate to the STS before obtaining a token. The STS may use this authentication information when constructing the security token; for example, it may populate the required claims based on the user name provided by the subject.

  1. Expand the WS-Federation (Passive) Configuration form.
  2. Fill in the following fields where relevant.

    Enable Passive STS
      Selecting this option enables Passive STS to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that Passive STS is the main/default form of authentication and clears the Default checkbox of every other authenticator.
    Passive STS Realm
      This is used as an identifier.
    Passive STS URL
      This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs.
    Passive STS User ID Location
      Select whether the User ID is found in the 'Name Identifier' or among the claims. This specifies how the user is identified.
    Additional Query Parameters
      This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by that IS or application, and they can be specified here.

Configuring Facebook

  1. Expand the Facebook Configuration form.
  2. Fill in the following fields where relevant.

    Enable Facebook Authentication
      Selecting this option enables Facebook to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that the Facebook credentials are the main/default form of authentication and clears the Default checkbox of every other authenticator.
    Client Id
      This is the username from the Facebook app.
    Client Secret
      This is the password from the Facebook app. Click the Show button to view the value you enter.

Configuring Yahoo

  1. Expand the Yahoo Configuration form.
  2. Fill in the following fields where relevant.

    Enable
      Selecting this option enables Yahoo to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that Yahoo is the main/default form of authentication and clears the Default checkbox of every other authenticator.

Configuring Google

  1. Expand the Google Configuration form.
  2. Fill in the following fields where relevant.

    Enable
      Selecting this option enables Google to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that Google is the main/default form of authentication and clears the Default checkbox of every other authenticator.

Configuring Microsoft Windows Live

  1. Expand the Microsoft (Hotmail, Msn, Live) Configuration form.
  2. Fill in the following fields where relevant.

    Enable
      Selecting this option enables Microsoft Windows Live to be used as an authenticator for users provisioned to the Identity Server.
    Default
      Selecting the Default checkbox signifies that Microsoft Windows Live is the main/default form of authentication and clears the Default checkbox of every other authenticator.
    Client Secret
      This is the password from the Microsoft Live application. Click the Show button to view the value you enter.
    Callback URL
      This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs.
    Client Id
      This is the username from the Microsoft Live application.

Note that for the Facebook authenticator, the App ID and App Secret of the Facebook app are the values entered as the Client Id and Client Secret respectively.