Trusted Identity Providers

Trusted identity providers are the identity providers that are trusted by that tenant.

These identity providers can be configured by tenant admins and can be used in many different scenarios. One such scenario is the development and deployment of SSO enabled SaaS applications. This scenario is particularly relevant in the WSO2 Application Server compared to other application servers due to the fact that WSO2 Application Server supports out-of-the-box multitenancy. A SaaS application is an application deployed in the super tenant space but accessed by all the tenants. Each tenant can have its own set of trusted identity providers. I.e., the users of the tenant do not have to physically exist in the WSO2 Application Server but reside elsewhere. Authentication for the SaaS webapp is performed for the Trusted Identity Provider at the request of the SaaS application and the user's identity information would be transported using a SAML assertion. The SAML assertion could then be verified and validated using the APIs exposed by the IdPMetadataService class found in the WSO2 Application Server. In case the webapp is running on any other application server, you could still use this capability using the Web Service APIs exposed from the IdPMetadataService.

The roles that exist for the tenant at the Identity Provider can be defined and mapped to roles that exist in the WSO2 Application Server. The APIs provide operations to map the Identity Provider roles to tenant roles so that the SaaS applications can perform authorization on the tenant roles. The Shared Roles feature also goes hand-in-hand with the Trusted Identity Providers Management feature. The Shared Roles feature allows users of any tenant to be assigned to those shared roles. This way the SaaS application could be written against shared roles without worrying about tenant specific roles and authorization could be performed on shared roles.

Another scenario for this feature is in the WSO2 Identity Server. The SAML2 Assertion Profile for OAuth2 uses these registered Identity Providers of the tenant to verify the SAML2 assertion.

Adding a trusted identity provider

1. Log into the product's management console.
2. On the Configure menu, click Trusted Identity Providers.
3. Click on  Add New Trusted Identity Provider .
4. Enter the i dentity provider's name. This should be a unique name of this identity provider across this tenant.
5. Enter the issuer name of this identity provider. This will be used for validating the issuer name of the SAML token when using the validation APIs.
6. If this is the primary identity provider for this tenant, select the Primary Identity Provider option.
   The first identity provider registered would be the primary identity provider by default.
7. Enter the identity provider's URL.
8. Upload the public certificate of the identity provider. This will be used for validating SAML token signatures when using the validation APIs.
9. Click Add Role and add an identity provider Role. These will be the roles that are registered for this tenant at the identity provider.
10. Upload the role mappings file. This file will map the identity provider roles to tenant roles in the Identity Server.
11. Click  Add Audience and add the m andatory audience restriction elements that need to be present in the SAML token when it is to be used by this tenant for any purpose. 
    This will be used for validating SAML token Audience Restriction when using the validation APIs.
12. Enter the OAuth2 Token Endpoint URL or any alias used to refer to it uniquely within the tenant. This will be used when validating the audience restriction of the SAML token under the SAML2 Assertion Profile for OAuth2.
13. Click Register. The newly added Identity provider will appear in the registered identity provider list.