/
Adding and Configuring an Identity Provider

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Adding and Configuring an Identity Provider

Apr 28, 2019

Introduction

An Identity Provider (IdP) is responsible for authenticating users and issuing identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Trust. This is a favourable alternative to explicitly authenticating a user within a security realm.

The responsibility of the identity provider configuration is to represent external identity providers. These external identity providers can be Facebook, Yahoo, Google, Salesforce, Microsoft Windows Live, etc. If you want to authenticate users against these identity providers, then you must associate one or more federated authenticators with the WSO2 Identity Server. These identity providers support for different authentication protocols. For example, if you want to authenticate users against Salesforce, then you must associate the SAML 2.0 authenticator with the Salesforce identity provider, if you want to authenticate users against Yahoo, then you must associate the OpenID Connect authenticator with it. To make this process much easier, the WSO2 Identity Server also comes with a set of more specific federated authenticators. For example, if you want to authenticate against Facebook, you do not need to configure OAuth 2.0 authenticator. Instead, you can directly use the Facebook federated authenticator.

Each identity provider configuration can also maintain a claim mapping. This is to map the identity provider's own set of claims to WSO2 Identity Server's claims. When the response from an external identity provider is received by the response processor component of the federated authenticator, before it hands over the control to the authentication framework, the response processor will create a name/value pair of user claims received in the response from the identity provider. These claims are specific to the external identity provider. Then it is the responsibility of the authentication framework to read the claim mapping configuration from the identity provider component and do the conversion. So, while inside the framework, all the user claim values will be in a common format.

So, in short, WSO2 Identity Server allows you to add identity providers and specify various details that help you to link the identity provider to WSO2 Identity Server.  Therefore, you must specify all information required to send the authentication requests and get a response back from the identity provider. This topic contains the following sections.

Adding an identity provider

Follow the instructions below to add a new identity provider.

  1. Access the WSO2 Identity Server Management Console and sign in as an admin user.

  2. On the Main tab, click Identity > Identity Providers > Add.

  3. Fill in the details in the Basic Information section. 


    Note the following when filling the above form.

  4. Enter the Identity Provider Name and provide a brief Description of the identity provider. Only Identity Provider Name is a required field.

  5. Fill in the remaining details where applicable. Click the arrow buttons to expand the forms available to update.

  6. Click Register to add the Identity Provider.

Configuring a resident identity provider

Apart from mediating authentication requests between service providers and identity providers, WSO2 Identity Server can act as a service provider and an identity provider. When WSO2 Identity Server acts as an identity provider, it is called the resident identity provider

The resident identity provider configuration is helps service providers to send authentication or provisioning requests to WSO2 Identity Server via SAML, OpenID Connect, SCIM, or WS-Trust. For an example on how a resident identity provider is used to implement a security token service, see Configuring WS-Trust Security Token Service. The Resident identity provider configuration is a one-time configuration for a given tenant. It shows WSO2 Identity Server's metadata, e.g., endpoints. The resident identity provider configurations can be used to secure the WS-Trust endpoint with a security policy.

Follow the instructions below to configure a resident identity provider:

  1. Access the WSO2 Identity Server Management Console.

  2. Sign in as an admin user.

  3. On the Main tab, click Identity > Identity Providers > Resident


    The Resident Identity Provider page appears.

  4. Enter the required values as given below.

  5. You may configure inbound authentication by expanding the Inbound Authentication Configuration section. 

    1. To configure SAML2 configurations: 

      1. Click SAML2 Web SSO Configuration.


        The SAML2 Web SSO Configuration form appears.

      2. Enter the required values and learn the fixed values as given below. 

    2. To configure OAuth2 or OIDC, click OAuth2/OpenID Connect Configuration.

    3. To secure the WS-Trust endpoint with a security policy, click Security Token Service Configuration section.


      For more information on security token service (STS), see Configuring WS-Trust Security Token Service.

  6. You may view the inbound provisioning configurations by clicking Inbound Provisioning Configuration section. 

  7. Click Update

To modify the host name of the above-above mentioned URLs,

  1. open the carbon.xml file in the <IS_HOME>/repository/conf directory and update the value of the <HostName> parameter.

    <HostName>localhost</HostName>

  2. Open the identity.xml file in the <IS_HOME>/repository/conf/identity directory and update the vaule of the <IdentityPRoviderURL> parameter.

    <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>

    To ensure the client application is communicating with the right identity provider, WSO2 Identity Server compares the destination value in the SAML request with the URL in the above configuration.

Exporting SAML2 metadata of the resident IdP

To configure WSO2 Identity Server as a trusted identity provider in a service provider application, export the SAML2 metadata of the resident identity provider of WSO2 IS and import the metadata to the relevant service provider. 

Use one of the following approaches to do this. 

  1. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration

  2. Click Download SAML2 metadata. A metadata.xml file will be downloaded on to your machine.

  3.  Import the metadata.xml file to the relevant service provider to configure WSO2 Identity Server as a trusted identity provider for your application. 

Managing identity providers

This section provides instructions on how to manage identity providers once they are created.

Viewing identity providers

Follow the instructions below to view the list of identity providers added in the WSO2 Identity Server.

  1. Sign in. Enter your username and password to log on to the Management Console.

  2. In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.

Editing identity providers

Follow the instructions below to edit an identity provider's details.

  1. Sign in. Enter your username and password to log on to the Management Console.

  2. In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.

  3. Locate the identity provider you want to edit and click on the corresponding Edit link.

  4. You are directed to the edit screen where you can modify the details you configured for the identity provider.

Deleting identity providers

Follow the instructions below to delete an identity provider.

  1. Sign in. Enter your username and password to log on to the Management Console.

  2. In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.

  3. Locate the identity provider you want to delete and click on the corresponding Delete link.

  4. Confirm your request in the WSO2 Carbon window. Click the Yes button.

Disabling/Enabling identity providers

Follow the instructions below to disable or enable an identity provider.

  1. Sign in. Enter your username and password to log on to the Management Console.

  2. In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.

  3. Locate the identity provider you want to delete and click on the corresponding Disable link to disable the identity provider. Clicking this link will change the link to Enable. To enable the identity provider again, click the Enable link.

  4. Click Ok on the confirmation form that appears when clicking Disable/Enable.
     

Related Topics

See the following topics for information on configuring service providers using different specifications.

See the following topics to configure different applications as service providers in Identity Server.