This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Enabling SSO for WSO2 Servers
Applies to:
- WSO2 Identity Server (4.0.0 onwards)
- WSO2 Application Server (5.0.1Â onwards)
- WSO2 Enterprise Service Bus (4.5.1 onwards)
- WSO2 Governance Registry (4.5.1 onwards)
By default all WSO2 Servers starts in the HTTPS port 9443 and HTTP port 9763. Therefore when we run multiple WSO2 Servers we need to change the default ports so that there would be no port conflicts. So here is the plan we will follow in this scenario:
- IS runs in https port 9443 (default)
- AS runs in https port 9444 (offset = 1)
- ESB runs in https port 9445 (offset = 2)
- G-Reg runs in https port 9446 (offset = 3)
By default WSO2 Servers use Basic Authentication for its authentication purposes. However in a Single-Sign-On (SSO) environment, we need to use SAML-based Authentication to authenticate users to WSO2 Servers. The following needs to be done in order to enable SSO:
Configuring WSO2 Application Server
We need to do two main configurations at the Application Server. Changing the port configuration and changing the Authenticator configuration.
Port Configuration
- Download the WSO2 Application Server from here.
- Extract the .zip file.
- Locate the carbon.xml file in the unzipped folder which is found in the path:
<AS_HOME>/repository/conf/carbon.xml
- Open the carbon.xml file and search for the configuration:Â
<offset>0</offset>
- Change the offset value from 0 to 1.
- Save the carbon.xml and close it.
Authenticators Configuration
- Locate the authenticators.xml file which can be found in the path:Â
<AS_HOME>/repository/conf/security/authenticators.xml
- Open the authenticators.xml file and set the "disabled" attribute value to "false" for the SAML2SSOAuthenticator configuration.
Configuring WSO2 Enterprise Service Bus
Similar to the Application Server we need to configure the port and the authenticator of ESB.
Port Configuration
- Download the WSO2 ESB from here.
- Similar to the Application Server, open the carbon.xml file and change the port offset to 2.
Authenticators Configuration
- Follow the exact same steps did for the Application Server and enable the SAML2SSOAuthenticator.
- Now we need to do another configuration. We need to change the ServiceProviderID. This ID is used by the Identity Server to identify the ESB's requests. Change this value to carbonServer2.
Configuring WSO2 Governance Registry
Port Configuration
- Download the WSO2 Governance Registry from here.
- Set the port offset to 3.
Authenticators Configuration
Enable the SAML2SSOAuthenticator and change the ServiceProviderID value to carbonServer3.
Configuring WSO2 Identity Server
- Download the WSO2 Identity Server from here.
- Extract the .zip file.
- Open a terminal and go into the
<IS_HOME>/bin
folder. - Start the Identity Server using the wso2server.sh file in Unix or wso2server.bat file in Windows.
- Once the server is started visit the URL:Â
https://localhost:9443/carbon/
- Sign-In to the Identity Server as an admin using the default credentials (username - admin and password - admin).
- In the Main section of the management console, click on SAML SSOÂ under Manage.
- Now you get the SAML 2.0 based Single Sign-On page. Click Register New Service Provider. Here we have to register the AS, ESB and G-Reg servers as Service Providers.
- Fill up this page with the following configurations:
Use the following configurations for Application Server and add them to the relevant sections in the Register New Service Provider screen:
Issuer: carbonServer
Assertion Consumer URL: https://localhost:9444/acs
Enable Assertion Signing
Enable Single Logout
Enable Response Signing
Use the following values to register the ESB:
Issuer : carbonServer2
Assertion Consumer URL : https://localhost:9445/acs
Use fully qualified username in the NameID
Enable Assertion Signing
Enable Single Logout
Enable Response Signing
Use the following values to register the Governance Registry
Issuer : carbonServer3
Assertion Consumer URL : https://localhost:9446/acs
Enable Assertion Signing
Enable Single Logout
Enable Response Signing
 Â
Testing the SSO Environment
Now all the required configurations are done. Lets test the SSO environment.
- Access the Application Server:Â
https://localhost:9444/carbon/
- You are redirected to the Identity Server for authentication. After successful authentication you are redirected back and logged into the Application Server.
- Access the ESB using the URL
https://localhost:9445/carbon/
. You are directly logged into ESB without any authentication challenge. - Access the Governance Registry using the URL
https://localhost:9446/carbon/
. You are logged into G-Reg directly without any authentication challenge. - Test the Single Sign Out,
- Logout from the AS. You are redirected to the SSO authentication page.
- Now you should be logged out from the ESB and GReg as well. Try accessing them.
Â