This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Logging in to WSO2 Products via the Identity Server
When using multiple WSO2 products in a deployment, you would otherwise have to log in to the management console of each product separately, which is an overhead and a waste of time. It is therefore useful to configure single sign-on for all the WSO2 products in the deployment so that you obtain access to all of them by providing credentials only once.
Applies to:
- WSO2 Identity Server (4.0.0 onwards)
- WSO2 Application Server (5.0.1 onwards)
- WSO2 Enterprise Service Bus (4.5.1 onwards)
- WSO2 Governance Registry (4.5.1 onwards)
- WSO2 API Manager (1.4.0 onwards)
By default, all WSO2 servers start on HTTPS port 9443 and HTTP port 9763. Therefore, when you run multiple WSO2 servers you must change the default ports so that there are no port conflicts. Use the following port allocations for this scenario:
- IS runs in https port 9443 (default)
- AS runs in https port 9444 (offset = 1)
- ESB runs in https port 9445 (offset = 2)
- G-Reg runs in https port 9446 (offset = 3)
By default, WSO2 servers use basic authentication. However, in a Single Sign-On (SSO) environment, you must use SAML-based authentication to authenticate users to the WSO2 servers. The following needs to be done to enable SSO:
For single sign-on to work, you need to configure the WSO2 products to share a common user store. For more information on configuring this, see Configuring the Primary User Store.
Configuring WSO2 Application Server
There are two main configurations to be done in the WSO2 Application Server: changing the port configuration and changing the configuration in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file.
Port configuration
- Download the WSO2 Application Server from here.
- Extract the .zip file. This unzipped folder is referred to as <AS_HOME> in this topic.
- Navigate to the <AS_HOME>/repository/conf/carbon.xml file in the unzipped folder.
- Open the carbon.xml file and search for the following configuration:
<offset>0</offset>
- Change the offset value from 0 to 1.
- Save the carbon.xml file and close it.
Authenticators configuration
- Navigate to the <AS_HOME>/repository/conf/security/authenticators.xml file.
- Open the authenticators.xml file and set the "disabled" attribute value to "false" for the SAML2SSOAuthenticator configuration.
Additional Configuration
When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file must be changed to point to the host URL of the load balancer of the cluster. This is because the authentication is done by the WSO2 Identity Server cluster, and the load balancer decides which node the authentication request is sent to.
From WSO2 Identity Server 5.0.0 onwards, there are different SAML endpoints for each tenant. If the service provider calls the identity provider's SAML endpoint URL as https://is.com:9443/samlsso?tenantDomain=foo.com, or the issuer name is appended with @<TenantDomain> (for example, travelocity.com@foo.com), the SAML requests are directed to the foo.com tenant.
The VerifySignatureWithUserDomain parameter is used to make the most recent Carbon-based products switch their behaviour so that they expect SAML responses in the previous way. If it is set to true, the SAML response is verified with the key of the tenant that the authenticated user belongs to. If it is set to false, the SAML response is verified with the key of the tenant to which the SAML request was directed. This can be set in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file:
<Parameter name="VerifySignatureWithUserDomain">true</Parameter>
Configuring WSO2 Enterprise Service Bus
Similar to the WSO2 Application Server, configure the port and the authenticator of the WSO2 Enterprise Service Bus.
Port configuration
- Download the WSO2 ESB from here and extract it. This unzipped folder is referred to as <ESB_HOME> in this topic.
- Similar to the WSO2 Application Server, open the <ESB_HOME>/repository/conf/carbon.xml file and change the port offset to 2.
Authenticators configuration
- Follow the exact same steps done for the WSO2 Application Server and enable the SAML2SSOAuthenticator in the <ESB_HOME>/repository/conf/security/authenticators.xml file.
- Change the ServiceProviderID. This ID is used by the Identity Server to identify the ESB's requests. Change this value to carbonServer2.
Additional Configuration
The additional configuration notes given above for the WSO2 Application Server (the IdentityProviderSSOServiceURL tag and the VerifySignatureWithUserDomain parameter) apply to the WSO2 ESB in the same way.
Configuring WSO2 Governance Registry
Port configuration
- Download the WSO2 Governance Registry from here.
- Set the port offset to 3.
Authenticators configuration
- Follow the exact same steps done for the other WSO2 products and enable the SAML2SSOAuthenticator in the <G-REG_HOME>/repository/conf/security/authenticators.xml file. Also change the ServiceProviderID value to carbonServer3.
Configuring WSO2 Identity Server
- Download the WSO2 Identity Server from here.
- Extract the .zip file.
- Open a terminal and navigate to the <IS_HOME>/bin folder.
- Start the Identity Server using the wso2server.sh file in Unix or the wso2server.bat file in Windows.
- Once the server is started, visit the following URL: https://localhost:9443/carbon/
- Sign in to the WSO2 Identity Server. Enter your username and password to log on to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Service Providers. Fill in the Service Provider Name and provide a brief Description of the service provider in the resulting screen. If the service provider configuration is used by tenants as well, you must select the SaaS Application checkbox.
- Expand the SAML2 Web SSO Configuration under Inbound Authentication Configuration.
- Click Configure. Fill in the form that appears.
- Fill in this page with the following configurations. You must register a different service provider for each of the WSO2 Application Server, WSO2 ESB and WSO2 Governance Registry.
Use the following configurations for the WSO2 Application Server and add them to the relevant sections in the New Service Provider screen:
- Issuer: carbonServer
- Assertion Consumer URL: https://localhost:9444/acs
- Use fully qualified username in the NameID
- Enable Response Signing
- Enable Assertion Signing
- Enable Single Logout
Use the following values to register the WSO2 ESB:
- Issuer: carbonServer2
- Assertion Consumer URL: https://localhost:9445/acs
- Use fully qualified username in the NameID
- Enable Response Signing
- Enable Assertion Signing
- Enable Single Logout
Use the following values to register the WSO2 Governance Registry:
- Issuer: carbonServer3
- Assertion Consumer URL: https://localhost:9446/acs
- Use fully qualified username in the NameID
- Enable Response Signing
- Enable Assertion Signing
- Enable Single Logout
Note the following when you are using tenant configurations; this can be done in all the WSO2 Carbon servers.
Under the Local & Outbound Authentication Configuration you can configure the different authentication mechanisms you would like to enforce. For example, you can configure an authentication chain and enable multi-factor authentication for WSO2 products.
- Click Register to save the values and register each service provider created.
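As an added check that is not part of the original documentation: the script below parses one authenticators.xml per product (constructed sample fragments; the element layout and the localhost IdentityProviderSSOServiceURL value are assumed) and verifies the settings this page asks for, on both the product side (SAML2SSOAuthenticator enabled, a ServiceProviderID that is unique across products) and the Identity Server side (that ID matches a registered Issuer whose Assertion Consumer URL uses port 9443 plus the product's carbon.xml offset). The sample deliberately leaves the ESB copy with the defaults, so the report shows what a skipped step looks like.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

IS_HTTPS_PORT = 9443                                        # the IS keeps the default port
IDP_SSO_URL = f"https://localhost:{IS_HTTPS_PORT}/samlsso"  # assumed IS SAML endpoint value
# Service providers registered on the IS, as on this page: Issuer -> Assertion Consumer URL.
REGISTERED_SPS = {"carbonServer": "https://localhost:9444/acs",
                  "carbonServer2": "https://localhost:9445/acs",
                  "carbonServer3": "https://localhost:9446/acs"}

def sample_xml(disabled, sp_id):
    """Constructed authenticators.xml fragment; the element layout is assumed, not copied."""
    return (f'<Authenticators><Authenticator name="SAML2SSOAuthenticator" disabled="{disabled}">'
            f'<Config><Parameter name="ServiceProviderID">{sp_id}</Parameter>'
            f'<Parameter name="IdentityProviderSSOServiceURL">{IDP_SSO_URL}</Parameter>'
            '</Config></Authenticator></Authenticators>')

# Constructed sample keyed by carbon.xml port offset. The ESB copy (offset 2) is still
# disabled and reuses the AS's ServiceProviderID, which is what the ESB steps above fix.
SAMPLE_PRODUCTS = {1: sample_xml("false", "carbonServer"),
                   2: sample_xml("true", "carbonServer"),
                   3: sample_xml("false", "carbonServer3")}

def saml_settings(xml_text):
    """Return (disabled attribute, {parameter name: value}) of the SAML2SSOAuthenticator."""
    auth = ET.fromstring(xml_text).find("./Authenticator[@name='SAML2SSOAuthenticator']")
    if auth is None:
        return None, {}
    params = {p.get("name"): (p.text or "").strip() for p in auth.iter("Parameter")}
    return auth.get("disabled", "true").lower(), params

def check_sso_setup(products, registered=REGISTERED_SPS):
    """Map the port offset of each misconfigured product to a list of its problems."""
    problems, seen = {}, {}
    for offset, xml_text in products.items():
        disabled, params = saml_settings(xml_text)
        sp_id, found = params.get("ServiceProviderID"), []
        if disabled != "false":
            found.append("SAML2SSOAuthenticator is missing or still disabled")
        if params.get("IdentityProviderSSOServiceURL") != IDP_SSO_URL:
            found.append("IdentityProviderSSOServiceURL does not point at the IS")
        if sp_id in seen:  # the IS tells the products apart only by this ID
            found.append(f"ServiceProviderID {sp_id!r} is already used by offset {seen[sp_id]}")
        seen.setdefault(sp_id, offset)
        acs = registered.get(sp_id)
        if acs is None or urlparse(acs).port != IS_HTTPS_PORT + offset:
            found.append(f"Issuer {sp_id!r} is not registered on the IS with an ACS URL on port {IS_HTTPS_PORT + offset}")
        if found:
            problems[offset] = found
    return problems
```

Running check_sso_setup(SAMPLE_PRODUCTS) reports only the ESB (offset 2); once its ServiceProviderID is changed to carbonServer2 and the authenticator is enabled, the report is empty.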
Configuring WSO2 API Manager
For more information on configuring IS as the identity provider in WSO2 API Manager, see Configuring Identity Server as IDP for SSO.
Testing the SSO Environment
Now that all the required configurations are done, test the SSO environment.
- Access the Application Server: https://localhost:9444/carbon/
- You are redirected to the Identity Server for authentication. After successful authentication you are redirected back and logged into the Application Server.
- Access the ESB using the URL https://localhost:9445/carbon/. You are directly logged into the ESB without any authentication challenge.
- Access the Governance Registry using the URL https://localhost:9446/carbon/. You are logged into G-Reg directly without any authentication challenge.
- Test Single Sign Out:
  - Log out from the WSO2 Application Server. You are redirected to the SSO authentication page.
  - Now you should be logged out from the ESB and Governance Registry as well. Try accessing them.