Adding and Configuring a Service Provider
This topic provides instructions on how to add a new service provider. You must provide configuration details to add this service provider in the WSO2 Identity Server so that the authentication and/or provisioning happens as expected. For more information on how the service provider fits into the WSO2 IS architecture, see Architecture.
The responsibility of the service provider configuration is to represent external service providers. The service provider configurations cover the following:
Define how the service provider talks to the Identity Server.
This is via inbound authenticators. When you register a service provider, you need to associate one or more inbound authenticators with it.
Define how to authenticate users.
This can be via a local authenticator, request-path authenticator or federated authenticator. Based on this configuration, the Identity Server knows how to authenticate the user when it receives an authentication request (via an inbound authenticator) and based on the service provider who initiates it.
Maintain claim mapping.
This is to map the service provider's own set of claims to the Identity Server's claims. For example, WSO2 Identity Server (WSO2 IS) has a claim called work email (http://wso2.org/claims/emails.work) but your service provider application expects to receive a value named email. If the service provider application receives a value named work email, it does not recognize it. Therefore, to ensure that the values sent by WSO2 IS are understood and recognized by the service provider application, you can use claim mapping.
When the authentication framework hands over a set of claims (which it gets from the local user store or from an external identity provider) to the response builder of the inbound authenticator, the framework talks to the service provider configuration component, finds the claim mapping and does the claim conversion. See Configuring Inbound Authentication for a Service Provider for more information about the response builder. The response builder then receives the claims in a form understood by the corresponding service provider. Read more about claim management.
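The claim conversion described above, sketched as an added example (not WSO2 Identity Server code and not its API). The function names, the sample values and the choice to withhold unmapped claims are assumptions of this sketch; only the emails.work to email mapping comes from this page.

```python
class ClaimMappingError(ValueError):
    """Raised when a service provider's claim mapping is malformed or ambiguous."""


def validate_mapping(mapping):
    """Check a {local claim URI: service provider claim name} mapping.

    Two local claims mapped to the same service provider claim would let one
    value silently overwrite the other, so that case is rejected.
    """
    seen = {}
    for local_uri, sp_name in mapping.items():
        if not local_uri or not sp_name:
            raise ClaimMappingError("empty claim name in mapping")
        if sp_name in seen:
            raise ClaimMappingError(
                f"{seen[sp_name]!r} and {local_uri!r} both map to {sp_name!r}")
        seen[sp_name] = local_uri


def convert_claims(local_claims, mapping):
    """Rename local claims to the names the service provider expects.

    Returns (converted, withheld). Assumption of this sketch: a local claim
    with no mapping is withheld rather than sent under its local URI.
    """
    validate_mapping(mapping)
    converted, withheld = {}, []
    for local_uri, value in local_claims.items():
        if local_uri in mapping:
            converted[mapping[local_uri]] = value
        else:
            withheld.append(local_uri)
    return converted, sorted(withheld)


# Constructed sample data: the mapping is the one from the text above; the
# second claim and both values are made up for the example.
SP_MAPPING = {"http://wso2.org/claims/emails.work": "email"}
LOCAL_CLAIMS = {
    "http://wso2.org/claims/emails.work": "alice@example.com",
    "http://wso2.org/claims/mobile": "+10000000000",
}

if __name__ == "__main__":
    print(convert_claims(LOCAL_CLAIMS, SP_MAPPING))
```

Returning the withheld list makes it easy to review which attributes a given service provider never receives.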
This topic contains the following sections.
Adding a service provider
Note: This section only describes how to add a service provider using the Management Console. Instead of adding a service provider via the management console, it is also possible to add a service provider using a configuration file as described here.
Click the Update button to update the details of the service provider.
Configuring a resident service provider
WSO2 Identity Server can mediate authentication requests between service providers and identity providers. At the same time, the Identity Server itself can act as a service provider and an identity provider. When it acts as a service provider it is known as the resident service provider.
The Identity Server mainly acts as a resident service provider while adding users to the system. You can enable provisioning configurations for the resident service provider. For example, if you try to add users to the system via the SCIM API (you must use a privileged local account, authenticated with HTTP Basic Authentication, to invoke the API), the system will read the provisioning configurations from the resident service provider.
At the same time, if you want to configure outbound provisioning for any user management operation done via the management console, SOAP API or the SCIM API, you must configure outbound provisioning identity providers against the resident service provider. So, based on the outbound configuration, users added from the management console will also be provisioned to external systems like Salesforce and Google Apps.
Follow the instructions below to configure a resident service provider in the WSO2 Identity Server.
Sign in. Enter your username and password to log on to the Management Console.
Click Resident under the Service Providers on the Main tab.
The Resident Service Provider page appears.
Select the user store domain to provision users and groups for inbound authentication for SCIM or SOAP requests.
For outbound provisioning configurations, select the identity provider from the dropdown list available and click the plus button to add this identity provider for provisioning. For an identity provider to appear on this list you have to add the identity provider in the Identity Server. The following are the names that would appear for each type of provisioning connector.
Google provisioning connector - Google and googleapps
Salesforce provisioning connector - salesforce.com and salesforce
SCIM provisioning configuration - scim
SPML provisioning configuration - spml
Click Update.
Managing service providers
This topic provides instructions on how to manage service providers once they are created.
Viewing service providers
Follow the instructions below to view the list of service providers added in the WSO2 Identity Server.
Sign in. Enter your username and password to log on to the Management Console.
In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
Editing service providers
Follow the instructions below to edit a service provider's details.
Sign in. Enter your username and password to log on to the Management Console.
In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
Locate the service provider you want to edit and click on the corresponding Edit link.
You are directed to the edit screen. See here for details on the editable form.
Deleting service providers
Follow the instructions below to delete a service provider.
Sign in. Enter your username and password to log on to the Management Console.
In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
Locate the service provider you want to delete and click on the corresponding Delete link.
Confirm your request in the WSO2 Carbon window. Click the Yes button.