This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.
Configuring SAML 2.0 Web SSO
In a Single Sign On (SSO) system there are two roles; Service Providers and Identity Providers. The important characteristic of a single sign on system is the pre-defined trust relationship between the service providers and the identity providers. Service providers trust the assertions issued by the identity providers and the identity providers issue assertions based on the results of authentication and authorization of the those who try to access services of the service provider
The SAML 2.0 web browser-based single-sign-on profile is defined under the SAML 2.0 Profiles specification. In a web browser-based SSO system, the flow can be started by the user either by attempting to access a service at the service provider, or by directly accessing the identity provider itself.
If you want to send query parameters that need to be updated dynamically with each SAML make sure WSO2 IS 5.3.0 is WUM updated until 2018-01-15 or beyond. For more information, see Query Parameter.
You can configure the SAML federated authenticator through one of the following ways:
Manual Configuration
- Enter your username and password to log in to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
For more information, see Configuring an Identity Provider. Fill in the details in the Basic Information section.
- Expand the SAML2 Web SSO Configuration form and select Manual Configuration (selected by default).
- Fill in the following fields where relevant. The * indicates required fields.
| Field | Description | Sample value |
|---|---|---|
| Enable SAML2 Web SSO | Selecting this option enables SAML2 Web SSO to be used as an authenticator for users provisioned to the Identity Server. | Selected |
| Default | Selecting the Default checkbox signifies that SAML2 Web SSO is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators. | Selected |
| Identity Provider Entity Id | This is basically the <Issuer> value of the SAML2 response from the identity provider you are configuring. This value must be a unique string among identity providers inside the same tenant. This information should be taken from the external Identity provider. | https://idp.example.org/idp/shibboleth |
| Service Provider Entity Id | This is the entity ID of the Identity Server. This can be any value but when you configure a service provider in the external IDP you should give the same value as the Service Provider Entity Id. | wso2is |
| SSO URL | This is the URL that you want to send the SAML request to. This information should be taken from the external Identity provider. | |
| Enable Authentication Request Signing | Selecting this checkbox enables you to sign the authentication request. If this is enabled, you must sign the request using the private key of the identity provider. | Selected |
| Enable Assertion Encryption | This is a security feature where you can encrypt the SAML2 Assertions returned after authentication. So basically, the response must be encrypted when this is enabled. | Selected |
| Enable Assertion Signing | Select Enable Assertion Signing to sign the SAML2 Assertions returned after the authentication. SAML2 relying party components expect these assertions to be signed by the Identity Server. | Selected |
| Enable Logout | Select Enable Single Logout so that all sessions are terminated once the user signs out from one server. | Selected |
| Logout URL | If the external IDP support for logout you can select Enable Logout. Then you can set the URL of the external IDP, where you need to send the logout request, under Logout URL. If you do not set a value for this it will simply return to the SSO URL. | https://localhost:8443/idp/samlsso/logout |
| Enable Logout Request Signing | Selecting this checkbox enables you to sign the logout request. | Selected |
| Enable Authentication Response Signing | Select Enable Authentication Response Signing to sign the SAML2 responses returned after the authentication. | Selected |
| Signature Algorithm | Specifies the | Default value is RSA with SHA1. |
| Digest Algorithm | Specifies the | Default value is SHA1. |
| Attribute Consuming Service Index | Specifies the AttributeConsumingServiceIndex attribute. | By default, this field is empty. Therefore, this attribute is not sent with the request unless a value is defined. |
| Enable Force Authentication | Enable force authentication or decide if force authentication needs to be enabled as per the request. This affects the ForceAuthn attribute. | Default value is As Per Request. |
| Include Public Certificate | Includes the public certificate in the request. | Selected by default. |
| Include Protocol Binding | Includes the ProtocolBinding attribute in the request. | Selected by default. |
| Include NameID Policy | Includes the NameIDPolicy element in the request. | Selected by default. |
| Include Authentication Context | Includes a new RequestedAuthnContext element in the request, or reuses the context that is sent via the request. | Default value is Yes. |
| Authentication Context Class | Choose an Authentication Context Class Reference ( | Default value is PasswordProtectedTransport. |
| Authentication Context Comparison Level | Choose the Requested Authentication Context ‘Comparison’ attribute to be sent which specifies the comparison method used to evaluate the requested context classes or statements.
| Default value is Exact. |
| SAML2 Web SSO User Id Location | Select whether the User ID is found in the Name Identifier or if it is found among claims. If the user ID is found among the claims, it can override the User ID Claim URI configuration in the identity provider claim mapping section. | User ID found among claims. |
| HTTP Binding | Select the HTTP binding details that are relevant for your scenario. This refers to how the request is sent to the identity provider. HTTP-Redirect and HTTP-POST are standard means of sending the request. If you select As Per Request, it can handle any type of request. | HTTP-POST |
Additional Query Parameters | This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by WSO2 IS or application. Those values can be specified here so that they can be sent along with the SAML request. If you want to send query parameters that need to be updated dynamically with each SAML request, you need to make sure WSO2 IS 5.3.0 is WUM updated until 2018-01-15 or beyond. The dynamic value needs to be defined within parenthesis.This value should be the key of the query parameter sent in the SAML request URL. Multiple parameters can be defined by separation of query parameters using the Example: locale={lang}&scope=openid email profile | paramName1=value1 |
Configure ACL URL in a production environment
The default assertion consumer URL that is sent with the SAML request includes the local domain and default port. In a production environment, you may need to change the assertion consumer URL. To do this, follow the steps given below:
- Open the
application-authentication.xml file found in the<IS_HOME>/repository/conf/identityfolder. Add the following property and update the assertion consumer URL as required.
<AuthenticatorConfig name="SAMLSSOAuthenticator" enabled="true"> <Parameter name="SAMLSSOAssertionConsumerUrl">https://localhost:9443/commonauth</Parameter> </AuthenticatorConfig>
Configuring hostname verification
In previous releases, SAML Single-Logout (SLO) requests for service providers were initiated without hostname verification. This can impose a security risk. From the IS 5.2.0 release onwards, certificate validation has been enforced and hostname verification is enabled by default. If you want to disable the hostname verification, configure the following property in the <IS_HOME>/repository/conf/identity/identity.xml file under the Server\SSOService tag.
<SLOHostNameVerificationEnabled>false</SLOHostNameVerificationEnabled>
Note: If the certificate is self-signed, import the service provider's public key to the IS client trust store to ensure that the SSL handshake in the SLO request is successful. For more information on how to do this, see Managing Keystores with the UI in the WSO2 Product Administration Guide.
Metadata File Configuration
About Metadata upload
When configuring a service provider (SP) or federated Identity Provider (Federated IdP), the user is required to enter configuration data to facilitate exchanging authentication and authorization data between entities in a standard way. Apart from manual entering of configuration data, the Identity Server 5.3.0 provides the facility to upload configuration data using a metadata XML file or referring to the metadata XML file located in a predetermined URL. These two methods of uploading configuration data enables faster entry of configuration data because it allows the user to use the same metadata xml file for multiple instances of entity configuration. In addition to the SAML metadata upload, IS also supports SAML metadata download for the resident identity providers using the Management Console and URL.
- Enter your username and password to log on to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
For more information, see Configuring an Identity Provider. Fill in the details in the Basic Information section.
- Expand the SAML2 Web SSO Configuration form and select Metadata File Configuration.
The following screen appears:
Choose the correct IdP metadata file and click Register.
Configure ACL URL in a production environment
The default assertion consumer URL that is sent with the SAML request includes the local domain and default port. In a production environment, you may need to change the assertion consumer URL. To do this, follow the steps below:
- Open the
application-authentication.xml file found in the<IS_HOME>/repository/conf/identityfolder. Add the following property and update the assertion consumer URL as required.
<AuthenticatorConfig name="SAMLSSOAuthenticator" enabled="true"> <Parameter name="SAMLSSOAssertionConsumerUrl">https://localhost:9443/commonauth</Parameter> </AuthenticatorConfig>
Configuring hostname verification
In previous releases, SAML Single-Logout (SLO) requests for service providers were initiated without hostname verification which can impose a security risk. From IS 5.2.0 release onwards, certificate validation has been enforced and hostname verification is enabled by default. If you want to disable the hostname verification, configure the following property in the <IS_HOME>/repository/conf/identity/identity.xml file under the Server\SSOService tag.
<SLOHostNameVerificationEnabled>false</SLOHostNameVerificationEnabled>
Note: If the certificate is self-signed, import the service provider's public key to the IS client trust store to ensure that the SSL handshake in the SLO request is successful. For more information on how to do this, see Managing Keystores with the UI in the WSO2 Product Administration Guide.
- Identity Federation is part of the process of configuring an identity provider. For more information on how to configure an identity provider, see Configuring an Identity Provider.
- See Configuring Shibboleth IdP as a Trusted Identity Provider for a sample of using SAML2 Web SSO configuration.