/
Configuring SAML2 Web Single-Sign-On

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring SAML2 Web Single-Sign-On

Aug 18, 2019

To configure SAML2 Web SSO:

  1. Expand the SAML2 Web SSO Configuration and click Configure.

  2. Select one of the following modes:

Metadata and URL configuration

When configuring a service provider (SP) or a federated identity provider (Federated IdP), the user is required to enter configuration data to facilitate exchanging authentication and authorization data between entities in a standard way. Apart from manual entering of configuration data, WSO2 IS allows you to upload configuration data using a metadata XML file or refer to a metadata XML file located in a predetermined URL. These two methods of uploading configuration data enable faster entry of configuration data because it allows the user to use the same metadata xml file for multiple instances of entity configuration. In addition to SAML metadata upload, WSO2 IS also supports SAML metadata download for the resident identity provider.

Manual configuration

  1. Select Manual Configuration and enter the required details as giveb below.

  2. Click Register.

Metadata file configuration

This option allows you to provide the configuration data required for configuring SAML2, by uploading a metadata .xml file instead of having to manually enter the values. This enables faster entry of configuration data and allows the user to use the same metadata XML file for multiple instances of entity configuration. 

  1. Select Metadata File Configuration. 


  2. Click Choose File, and select the .xml file containing the metadata for the service provider SAML configuration.  

  3. Click Upload

URL configuration

Metadata for a service provider may be published in a well known location via a URI. This option allows you to provide the configuration data required for configuring SAML2, by providing a URI(Ex: "https://spconfigs.com/sample-sp.xml") instead of having to manually enter the values. This enables faster entry of configuration data and allows the user to use the same metadata XML file for multiple instances of entity configuration. 

  1. Select URL Configuration and enter the URL containing the service provider metadata. 

  2. Click Upload

Additional configurations

  • If you need to sign the SAML response using an authenticated user's tenant keystore, please add the following configuration. (By default, the response is signed using the certificate that belongs to the tenant where the service provider is registered). This property must be added if the SAML authenticator version in the WSO2 Carbon products that you are using is 4.2.2 or higher (org.wso2.carbon.identity.authenticator.saml2.sso_4.2.2.jar).

    Add the <UseAuthenticatedUserDomainCrypto> property available in the <IS_HOME>/repository/conf/identity.xml file as shown below.

    <SSOService> ... <UseAuthenticatedUserDomainCrypto>true<UseAuthenticatedUserDomainCrypto> </SSOService>
Related Topics

See SAML 2.0 Web SSO for more information on SAML2 single-sign-on and see the following topics for samples of configuring single-sign-on using SAML2.

See Using the SAML2 Toolkit for support on debugging issues with SAML2 configurations.