ServiceProviderID - This can be any identifier and does not have to be a URL. However, it must be exactly the same value (the service provider entity ID) that is configured in the sp.xml file on the OpenSSO side, otherwise OpenSSO will not recognise the Carbon server as a registered service provider.
IdentityProviderSSOServiceURL - This is the URL of the single sign-on service of your IdP, i.e. the OpenSSO endpoint to which the Carbon server redirects users for authentication.
idpCertAlias - This is the alias of the certificate that is used to validate the signature of SAML responses coming from the IdP. The OpenSSO server's certificate (its public key) must be imported into the Carbon server's keystore under the alias name 'opensso'. Whatever certificate sits under this alias is the trust anchor for login: any SAML response signed by the matching private key is accepted, so import only the genuine signing certificate of your IdP.
Add the certificate of the IdP in the selected circle of trust to the Carbon keystore (wso2carbon.jks), found under <PRODUCT_HOME>/repository/resources/security/wso2carbon.jks. You can use the Java keytool to do that, as described in the two steps below.
Exporting a public key
Here we use the certificate shipped in the default OpenSSO keystore. It has the alias name 'test' and is typically located at /home/opensso/opensso/keystore.jks; the default keystore password is 'changeit'. To export the certificate stored under 'test', use the following command (keytool prompts for the keystore password):
keytool -export -keystore keystore.jks -alias test -file test.cer
The certificate, which carries the public key, is stored in the 'test.cer' file. You can view its contents, including the SHA-1 and SHA-256 fingerprints, with the following command. Note the SHA-256 fingerprint; you will compare it against the entry in the Carbon keystore after the import.
keytool -printcert -file test.cer
Importing a public key
Now import 'test.cer' into the Carbon keystore found under <PRODUCT_HOME>/repository/resources/security/wso2carbon.jks (its default password is 'wso2carbon'). Use keytool's -import operation, giving the Carbon keystore as the -keystore, 'test.cer' as the -file and 'opensso' as the -alias so that the entry matches the idpCertAlias parameter. keytool prints the certificate details and asks whether to trust it; answer yes only if the fingerprint is the one you saw with -printcert.
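The export, import and fingerprint check above as one script. This is an added example and not part of the WSO2 or OpenSSO documentation; it assumes keytool is on the PATH and that the passwords and aliases are the defaults stated on this page ('changeit' and 'test' for the OpenSSO keystore, 'wso2carbon' and 'opensso' for wso2carbon.jks), all of which can be overridden through the environment variables at the top. The function names and the script name are the author's own.

```shell
#!/bin/sh
# Added example: export the IdP signing certificate from the OpenSSO keystore,
# import it into wso2carbon.jks under the alias idpCertAlias expects, and
# verify the installed trust anchor by SHA-256 fingerprint.
set -eu

# Assumed defaults (the values given on the page); override via environment.
IDP_STOREPASS=${IDP_STOREPASS:-changeit}
IDP_ALIAS=${IDP_ALIAS:-test}
CARBON_STOREPASS=${CARBON_STOREPASS:-wso2carbon}
CARBON_ALIAS=${CARBON_ALIAS:-opensso}

# SHA-256 fingerprint of a certificate file, taken from keytool -printcert output.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# SHA-256 fingerprint of the entry stored under an alias
# ($1 keystore, $2 store password, $3 alias).
keystore_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# Step 1: export the IdP certificate ($1 keystore, $2 password, $3 alias, $4 output file)
# and print its fingerprint so the caller can pin what was exported.
export_idp_cert() {
    keytool -exportcert -keystore "$1" -storepass "$2" -alias "$3" -file "$4" >/dev/null 2>&1
    cert_fingerprint "$4"
}

# Step 2: install the certificate as a trusted entry
# ($1 cert file, $2 keystore, $3 password, $4 alias). An existing entry under the
# alias is replaced, which is what IdP certificate rotation needs. -noprompt skips
# keytool's interactive trust question, so verify_trust_anchor is the trust decision.
import_idp_cert() {
    if keytool -list -keystore "$2" -storepass "$3" -alias "$4" >/dev/null 2>&1; then
        keytool -delete -keystore "$2" -storepass "$3" -alias "$4" >/dev/null 2>&1
    fi
    keytool -importcert -noprompt -keystore "$2" -storepass "$3" -alias "$4" -file "$1" >/dev/null 2>&1
}

# Step 3: succeed only if the entry the server will trust has the expected fingerprint
# ($1 expected fingerprint, $2 keystore, $3 password, $4 alias).
verify_trust_anchor() {
    actual=$(keystore_fingerprint "$2" "$3" "$4")
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# Usage: sh sync-idp-cert.sh /home/opensso/opensso/keystore.jks <PRODUCT_HOME>
main() {
    carbon_ks=$2/repository/resources/security/wso2carbon.jks
    cert=$(mktemp)
    fp=$(export_idp_cert "$1" "$IDP_STOREPASS" "$IDP_ALIAS" "$cert")
    echo "exported IdP certificate '$IDP_ALIAS', SHA-256 $fp"
    echo "confirm this fingerprint with the OpenSSO administrator before relying on it"
    import_idp_cert "$cert" "$carbon_ks" "$CARBON_STOREPASS" "$CARBON_ALIAS"
    rm -f "$cert"
    if verify_trust_anchor "$fp" "$carbon_ks" "$CARBON_STOREPASS" "$CARBON_ALIAS"; then
        echo "$carbon_ks: alias '$CARBON_ALIAS' now holds the exported certificate"
    else
        echo "fingerprint mismatch for alias '$CARBON_ALIAS'; do not start the server" >&2
        exit 1
    fi
}

# Run the procedure only when both paths are given; without arguments the
# script just defines the functions, so it can be sourced by other scripts.
if [ "$#" -ge 2 ]; then
    main "$1" "$2"
fi
```

The fingerprint printed in step 1 is what you compare, out of band, with the value the OpenSSO administrator reports for the IdP signing certificate: whoever controls the entry under idpCertAlias can forge SAML responses for any username, so this comparison is the one check that should not be skipped.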
Try accessing the Carbon management console (e.g., https://localhost:9443/carbon). This redirects you to the IdP (the OpenSSO login page). Enter your username and password there. Once you are authenticated, OpenSSO sends a SAML response back to the Carbon server, which validates its signature against the certificate stored under idpCertAlias and redirects you to the WSO2 Carbon product home page as a logged-in user.
The authenticated user must also exist in the Carbon server's user store, because authorization (permission checks) is done against that store, not against the IdP. Since the test environment described above does not share a user store between the IdP (OpenSSO server) and the SP (Carbon server), create a user with the same username in the Carbon user store. Otherwise the login fails with an authorization error even though authentication at the IdP succeeded.