The following diagram illustrates a typical deployment pattern for WSO2 Enterprise Mobility Manager.
As indicated in the above diagram, when clustering EMM, there is worker manager separation. However, this differs from standard WSO2 Carbon worker manager separation . In a standard WSO2 product cluster, worker and manager separation is derived from deployment synchronization. However, in EMM there is no deployment synchronization.
EMM includes an admin console that can be used by any user with administrative privileges. These users can perform some actions on enrolled devices and the devices can retrieve those actions by requesting the pending operations. This is done by either walking the device through a push notification or configuring the device to poll at a pre-compiled frequency.
Normally administrative tasks should be run from manager node.
There are two major deployment patterns for the manager node. One could be running the manager node in the private network due to security constraints and other is allowing end users to access the management node so that they can control and view their devices.
A manager node is used to run background tasks that are necessary to the update the device information such as the location and applications installed.
Virtual machines used in a high availability cluster
The following is a list of virtual machines (VMs) that are used in a high availability cluster and their details.
- Manager - 1 VM
- Worker - 2 VMs
- Key manager - 2 VMs
- DBs - 1 MySQL instance
All the VMs have 4 cores and 4GB memory.
Open ports
80 and 443 are from the NGINX server.
The following ports need to be opened for Android and iOS devices so that it can connect GCM (Google Cloud Message) and APNS (Apple Push Notification Service) and enroll to WSO2 EMM.
Android
The ports to open are 5228, 5229 and 5230. GCM typically uses only 5228, but it sometimes uses 5229 and 5230.
GCM does not provide specific IPs, so it is recommended to allow the firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.
iOS
5223 - TCP port used by devices to communicate to APNS servers
2195 - TCP port used to send notifications to APNS
2196 - TCP port used by the APNS feedback service
443 - TCP port used as a fallback on Wi-Fi, only when devices are unable to communicate to APNS on port 5223
The APNS servers use load balancing. The devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it is best to allow this range in the firewall settings.
Setting up the database
The following databases are needed when clustering EMM.
Database Name | Description | Database Script Location |
---|---|---|
CDM core database (DM_DS) | This database stores generic data about devices (such as unique identifier, device type, ownership type), device enrollment information, device operations, policy management related data, etc. |
<PRODUCT_HOME>/dbscripts/cdm/
|
APIM Database (WSO2AM_DB) | This database stores data related to JAX-RS APIs and OAuth token data. |
<PRODUCT_HOME>/dbscripts/apimgt/
|
Registry database (REG_DB) | This database acts as the registry database and stores governance and config registry data. The registry database must be mounted to all nodes in the cluster. |
<PRODUCT_HOME>/dbscripts/
|
User and permission manager (UM_DB) | This database stores the user permission related details. |
<PRODUCT_HOME>/dbscripts/
|
The following databases are related to plugins. These enable you to keep the data that is essential for these devices to work (such as APNS related keys) and this data is not available in the CDM core database.
Database Name | Description | Database Script Location |
---|---|---|
iOS DB (MobileIOSDM_DS) | Stores the iOS related the data. |
<PRODUCT_HOME>/dbscripts/cdm/plugins/ios
|
Android DB (MobileAndroidDM_DS) | Stores the Android related data. |
<PRODUCT_HOME>/dbscripts/cdm/plugins/android/
|
Windows DB (MobileWindowsDM_DS) | Stores the Microsoft Windows related data. |
<PRODUCT_HOME>/dbscripts/cdm/plugins/windows/
|
To change the datasource configurations, please change the following files.
Files to change | Datasource |
---|---|
<PRODUCT_HOME>/repository/conf/datasources/master-datasources.xml
| This file must include the datasource configuration for the following databases.
|
<PRODUCT_HOME>/repository/conf/datasources/emm-datasources.xml
| This file must include the datasource configuration for the following databases.
|
Mounting the registry
See Remote Instance and Mount Configuration Details for more information on registry mounting and why it is useful. These must be done in all nodes. Do the following steps to configure this.
O pen the
<PRODUCT_HOME>/repository/conf/
datasources/master-datasources.xml
file and add the following datasource configurations.<datasource> <name>WSO2REG_DB</name> <description>The datasource used for Registry database</description> <jndiConfig> <name>jdbc/WSO2REG_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/C_REG</url> <username>root</username> <password></password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
Add the following configurations to the
<PRODUCT_HOME>/repository/conf/registry.xml
file.<dbConfig name="mounted_registry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost:9443/registry"> <id>instanceid</id> <dbConfig>mounted_registry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> <cacheId>root@jdbc:mysql://localhost:3306/C_REG</cacheId> </remoteInstance> <mount path="/_system/config" overwrite="true"> <instanceId>instanceid</instanceId> <targetPath>/_system/config</targetPath> </mount> <mount path="/_system/governance" overwrite="true"> <instanceId>instanceid</instanceId> <targetPath>/_system/governance</targetPath> </mount>
Configuring the load balancer
This section provides instructions on how to configure Nginx as the load balancer. You can use any load balancer for your setup and Nginx is used here as an example. This covers the configuration in the main Nginx configuration file.
The location of this file varies depending on how you installed the software on your machine. For many distributions, the file is located at /etc/nginx/nginx.conf. If it does not exist there, it may also be at /usr/local/nginx/conf/nginx.conf or /usr/local/etc/nginx/nginx.conf. You can create separate files inside the conf.d for each configuration. Three different configuration files are used for the Manager, Key Manager and Worker node in the example provided in this page.
In the Key Manager, create a VHost file inside the
/etc/nginx/conf.d
directory and add the following configurations into it.upstream keymgt.emm-c.wso2.com { ip_hash; server 192.168.57.149:9763; server 192.168.57.144:9763; } server { listen 80; server_name keymgt.emm-c.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://keymgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } upstream ssl.keymgt.emm-c.wso2.com { ip_hash; server 192.168.57.149:9443; server 192.168.57.144:9443; } server { listen 443; server_name keymgt.emm-c.wso2.com; ssl on; ssl_certificate /opt/keys/server.crt; ssl_certificate_key /opt/keys/server.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.keymgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
In the Manager node, create a VHost file inside the
/etc/nginx/conf.d
directory and add the following configurations into it.upstream mgt.emm-c.wso2.com { ip_hash; server 192.168.57.146:9763; } server { listen 80; server_name mgt.emm-c.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://mgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } upstream ssl.mgt.emm-c.wso2.com { ip_hash; server 192.168.57.146:9443; } server { listen 443; server_name mgt.emm-c.wso2.com; ssl on; ssl_certificate /opt/keys/server.crt; ssl_certificate_key /opt/keys/server.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.mgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
In the Worker node, create a VHost file inside the
/etc/nginx/conf.d
directory and add the following configurations into it.upstream wkr.emm-c.wso2.com { ip_hash; server 192.168.57.145:9763; server 192.168.57.142:9763; } server { listen 80; server_name wkr.emm-c.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://wkr.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } upstream ssl.wkr.emm-c.wso2.com { ip_hash; server 192.168.57.145:9443; server 192.168.57.142:9443; } server { listen 443; server_name wkr.emm-c.wso2.com; ssl on; ssl_certificate /opt/keys/server.crt; ssl_certificate_key /opt/keys/server.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.wkr.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
Generating SSL certificates to NGINX
Create SSL certificates for both the manager and worker nodes using the instructions that follow.
Create the Server Key.
$sudo openssl genrsa -des3 -out server.key 1024
Certificate Signing Request.
$sudo openssl req -new -key server.key -out server.csr
Remove the password.
$sudo cp server.key server.key.org
$sudo openssl rsa -in server.key.org -out server.keySign your SSL Certificate.
$sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
While creating keys, enter the host name (*.emm-c.wso2.com) as the common name.
Add the public key of the NGINX server to the client_truststore.jks (you can download the public key from the browser). Use the following command to add the public key to client_truststore.jks
keytool -import -alias emm-c.wso2.com -file emm.wso2.com.crt -keystore <PRODUCT_HOME>/repository/resources/security/client-truststore.jks
Note: If you need to configure iOS in your cluster, do not configure the SSL certificate in above way. You can use the SSL certificate generated in the 6th step of iOS Configuration document.
Configuring the manager node
EMM has three key consoles.
EMM console - For device management related tasks such as adding policies, operations, users, roles and devices.
Publisher - Used for adding and publishing the enterprise mobile applications.
Store - Device user can go and subscribe to the apps and it gets installed to the device.
The above three consoles could be running inside the company network due to security concerns or could be exposed through a load balancer.
Note: There can be one EMM manager node if you use policy monitoring and policy change management. If you do not plan to use those, you can have a cluster of manager nodes.
Do the following to configure the manager node.
In the
<PRODUCT_HOME>/
repository/conf/security/authenticators.xml
file, do the following configurations. ThehostURL
,adminUsername
, andadminPassword
must be configured with the respective values in order to validate the OAuth token.<Authenticator name="OAuthAuthenticator" disabled="false"> ... <Config> <Parameter name="isRemote">true</Parameter> <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter> <Parameter name="adminUsername">admin</Parameter> <Parameter name="adminPassword">admin</Parameter> </Config> </Authenticator>
Change the
ServerUrl
of theIdentityConfiguration
in the<PRODUCT_HOME>/repository/conf/security/cdm-config.xml
file. Enable policy monitoring and device monitoring as shown in the following configuration sample. You can change the frequency of the tasks running by changing theMonitoringFrequency
andFrequency
in thePolicyConfiguration
andTaskConfiguration
.<IdentityConfiguration> <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl> <AdminUsername>admin</AdminUsername> <AdminPassword>admin</AdminPassword> </IdentityConfiguration> <PolicyConfiguration> ... <MonitoringEnable>true</MonitoringEnable> <MonitoringFrequency>60000</MonitoringFrequency> ... </PolicyConfiguration> <TaskConfiguration> <Enable>true</Enable> <Frequency>600000</Frequency> ……... </TaskConfiguration>
Change the
HostName
andMgtHostName
in the<PRODUCT_HOME>/repository/conf/carbon.xml
file.<HostName>wkr.emm-c.wso2.com</HostName> <MgtHostName>mgt.emm-c.wso2.com</MgtHostName>
Change the following in the
config.json
file in the<PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm/app/conf
directory. This must only be configured in the manager node as this is specific to the admin UI.…………………………. "httpsURL" : "https://mgt.emm-c.wso2.com", "httpURL" : "http://mgt.emm-c.wso2.com", …………………………. "oauthProvider": { "appRegistration": { "appType": "webapp", "clientName": "emm", "owner": "admin@carbon.super", "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants", "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://mgt.emm-c.wso2.com/api/device-mgt/v1.0" }, "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token" }, ……………….. "generalConfig" : { "host" : "https://wkr.emm-c.wso2.com", ………………... },
Change the following in the
config.json
file in the<PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf
directory. This is used for the device agent download."httpsURL" : "https://wkr.emm-c.wso2.com", "httpURL" : "http://wkr.emm-c.wso2.com", "enrollmentDir": "/emm-web-agent/enrollment", "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/", "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/", "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/", "adminService":"https://wkr.emm-c.wso2.com", "idPServer":"https://keymgt.emm-c.wso2.com", "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin", "oauthProvider": { "appRegistration": { "appType": "webapp", "clientName": "emm-web-agent", "owner": "admin@carbon.super", "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants", "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0" }, "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token" }, ………….. "generalConfig" : { "host" : "http://wkr.emm-c.wso2.com", ………………………….. },
Configuring the worker node
Do the following to configure the worker node.
In the
<PRODUCT_HOME>/repository/conf/security/authenticators.xml
file, do the following configurations. ThehostURL
,adminUsername
, andadminPassword
must be configured with the respective values in order to validate the OAuth token.<Authenticator name="OAuthAuthenticator" disabled="false"> <Priority>10</Priority> <Config> <Parameter name="isRemote">true</Parameter> <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter> <Parameter name="adminUsername">admin</Parameter> <Parameter name="adminPassword">admin</Parameter> </Config> </Authenticator>
Change the
ServerUrl
ofIdentityConfiguration
in the<PRODUCT_HOME>/repository/conf/security/cdm-config.xml
file. This is used by the worker node to validate the user details after the Key Manager validates the OAuth token. You must disable policy monitoring and device monitoring as indicated in the following code snippet.<IdentityConfiguration> <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl> <AdminUsername>admin</AdminUsername> <AdminPassword>admin</AdminPassword> </IdentityConfiguration> <PolicyConfiguration> ... <MonitoringEnable>false</MonitoringEnable> <MonitoringFrequency>60000</MonitoringFrequency> ... </PolicyConfiguration> <TaskConfiguration> <Enable>false</Enable> <Frequency>600000</Frequency> ... </TaskConfiguration>
Change the
HostName
andMgtHostName
in the<PRODUCT_HOME>/repository/conf/carbon.xml
file.<HostName>wkr.emm-c.wso2.com</HostName> <MgtHostName>wkr.emm-c.wso2.com</MgtHostName>
Change following in the
config.json
file in the<PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf
directory. These parameters are used to point to the NGINX URLs of worker nodes and the Key Manager. If this is not configured, the local IP address of the server is used."httpsURL" : "https://wkr.emm-c.wso2.com", "httpURL" : "http://wkr.emm-c.wso2.com", "enrollmentDir": "/emm-web-agent/enrollment", "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/", "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/", "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/", "adminService":"https://wkr.emm-c.wso2.com", "idPServer":"https://keymgt.emm-c.wso2.com", "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin", "oauthProvider": { "appRegistration": { "appType": "webapp", "clientName": "emm-web-agent", "owner": "admin@carbon.super", "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants", "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0" }, "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token" }, ... "generalConfig" : { "host" : "http://wkr.emm-c.wso2.com", ... },
Configuring the Key Manager node
Do the following configurations in the Key Manager node.
Make sure that DB configurations are done and registry mounting is correctly set up.
Configure the
HostName
. To do this, edit the<PRODUCT_HOME>/repository/conf/carbon.xml
file as follows.
<HostName>keymgt.emm.wso2.com</HostName>
Configuring the iOS server
The following are the steps involved when configuring iOS. Also see iOS Server Configurations in the WSO2 EMM documentation for more information.
Installing WSO2 EMM iOS features via the P2 repository
Configuring the general iOS server settings
Generating the MDM APNS certificate
You must be enrolled in the Apple Developer Program as an individual or organization before starting the iOS server configurations.
Follow the instructions given below to configure the iOS server-side configurations:
Installing WSO2 EMM iOS features via the P2 repository
For more information on installing the P2 repository, see Installing WSO2 EMM iOS features via the P2 Repository .
Configuring the general iOS server settings
Update the following parameters in the ios-config.xml file, which is in the <EMM_HOME>/repository/conf directory. Enter the server IP or the server domain name for the following parameters.
<?xml version="1.0" encoding="ISO-8859-1"?> <iOSEMMConfigurations> <!-- iOS MDM endpoint urls --> <iOSEnrollURL>https://wkr.emm-c.wso2.com/ios-enrollment/scep</iOSEnrollURL> <iOSProfileURL>https://wkr.emm-c.wso2.com/ios-enrollment/profile</iOSProfileURL> <iOSCheckinURL>https://wkr.emm-c.wso2.com/ios-enrollment/checkin</iOSCheckinURL> <iOSServerURL>https://wkr.emm-c.wso2.com/ios-enrollment/server</iOSServerURL> </iOSEMMConfigurations>
Change the following properties in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory as follows.
..... "enrollmentDir": "/emm-web-agent/enrollment", "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/", "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/", "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/", "adminService":"https://wkr.emm-c.wso2.com", "idPServer":"https://keymgt.emm-c.wso2.com", "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin", ……………. "usernameLength":30, "device" : { "ios" : { "location" : "https://wkr.emm-c.wso2.com/emm-web-agent/public/mdm.page.enrollments.ios.download-agent/asset/ios-agent.ipa", "bundleID" : "org.wso2.carbon.emm.iOSMDMAgent", "version" : "1.0", "appName" : "EMM iOS Agent" } },
You must generate the Certificate Authority (CA), Registration Authority (RA) and SSL certificate. For more information on general iOS server configurations, see General iOS Server Configurations .
Note: Once SSL certificates are generated and after following the rest of the steps, add the ia.crt and ia.key as the SSL certificates in NGINX.
Generating the MDM APNS certificate
For more information on generating the MDM APNS certificate, see Generating a MDM APNS Certificate .
Configuring the App Manager
For this release we are using WSO2 App Manager in the manager node. Applications will be uploaded to the manager node and URLs will be provided from the manager node. The devices will get them through the manager URLs.
To configure clustering with WSO2 App Manager, the Android agent has to be changed. Set the APP_MANAGER_HOST as http://mgt.emm-c.wso2.com in org.wso2.emm.agent.utils.Constants.
Configure single sign-on (SSO) for the Store and Publisher in the App Manager store and publisher. Change the following config elements in the <APPM_HOME>/repository/conf/app-manager.xml file.
Change the ServerURL, Username and Password elements in the <AuthManager> section to point to the Identity Server URL and credentials.
<ServerURL>https://keymgt.emm-c.wso2.com/services/</ServerURL>
Change the providerURL element in the <SSOConfiguration> section as shown below:
<IdentityProviderUrl>https://keymgt.emm-c.wso2.com/samlsso</IdentityProviderUrl><providerURL>https://keymgt.emm-c.wso2.com</providerURL>
Change the ServerURL element in the <EntitlementServiceConfiguration> section as shown below:
<ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
Change AppDownloadURLHost in <APPM_HOME>/repository/conf/app-manager.xml file.
<Config name="AppDownloadURLHost">http://mgt.emm-c.wso2.com</Config>
Change the identityProviderURL config in the <AppM_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file as shown below:
"ssoConfiguration": { "enabled": true, "issuer": "APPM_Store", "identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "storeAcs" : "https://mgt.emm-c.wso2.com/store/acs", "keyStoreName": "/repository/resources/security/wso2carbon.jks" },
Change the identityProviderURL element in the <AppM_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file as shown below:
"ssoConfiguration": { "enabled": true, "issuer": "APPM_Publisher", "identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "publisherAcs": "https://mgt.emm-c.wso2.com/publisher/sso", "keyStoreName": "/repository/resources/security/wso2carbon.jks" },
Start both the WSO2 App Manager and WSO2 Identity Server.
Log into the WSO2 Identity Server management console.
Click Add under Service Providers . This is found in the Main menu.
Give a name for the service provider and click Register .
You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section and click Configure .
Provide the configurations to register the App Store as the SSO service provider. These sample values may change depending on your configuration.
Issuer: APPM_Store
Assertion Consumer URL: https://mgt.emm-c.wso2.com/store/acs. This is the URL for the ACS page for your running store app.
Select the following options:
Enable Response Signing
Enable Single Logout
Click Register once done.
Similarly, provide configurations to register the App Publisher and social apps as SSO service providers. These sample values may change depending in your configuration.
Issuer: APPM_Publisher
Assertion Consumer URL: https://mgt.emm-c.wso2.com/publisher/acs. This is the URL for the ACS page for your running publisher app.
Select the following options:
Enable Response Signing
Enable Single Logout
- Click Register once done.