Service Provider Configurations used with APIs¶
This section guides you through the configurations you can include in a service provider application. See Calling Admin Services to enable the admin service.
Configuring SAML2 web SSO¶
Description | To add a Service Provider with SAML2 Web SSO capability, you first have to add the SAML2 Web SSO configuration. This is done through the IdentitySAMLSSOConfigService, which is exposed at https://<IS_HOST>:<IS_PORT>/services/IdentitySAMLSSOConfigService?wsdl . Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/IdentitySAMLSSOConfigService?wsdl . |
---|---|
Permissions | /permission/admin/manage |
Input Parameters | |
Sample Request and Response¶
Request format:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:addRPServiceProvider>
<!--Optional:-->
<xsd:spDto>
<!--Zero or more repetitions:-->
<xsd1:assertionConsumerUrls>?</xsd1:assertionConsumerUrls>
<!--Optional:-->
<xsd1:assertionQueryRequestProfileEnabled>?</xsd1:assertionQueryRequestProfileEnabled>
<!--Optional:-->
<xsd1:attributeConsumingServiceIndex>?</xsd1:attributeConsumingServiceIndex>
<!--Optional:-->
<xsd1:certAlias>?</xsd1:certAlias>
<!--Optional:-->
<xsd1:defaultAssertionConsumerUrl>?</xsd1:defaultAssertionConsumerUrl>
<!--Optional:-->
<xsd1:digestAlgorithmURI>?</xsd1:digestAlgorithmURI>
<!--Optional:-->
<xsd1:doEnableEncryptedAssertion>?</xsd1:doEnableEncryptedAssertion>
<!--Optional:-->
<xsd1:doSignAssertions>?</xsd1:doSignAssertions>
<!--Optional:-->
<xsd1:doSignResponse>?</xsd1:doSignResponse>
<!--Optional:-->
<xsd1:doSingleLogout>?</xsd1:doSingleLogout>
<!--Optional:-->
<xsd1:doValidateSignatureInRequests>?</xsd1:doValidateSignatureInRequests>
<!--Optional:-->
<xsd1:enableAttributeProfile>?</xsd1:enableAttributeProfile>
<!--Optional:-->
<xsd1:enableAttributesByDefault>?</xsd1:enableAttributesByDefault>
<!--Optional:-->
<xsd1:idPInitSLOEnabled>?</xsd1:idPInitSLOEnabled>
<!--Optional:-->
<xsd1:idPInitSSOEnabled>?</xsd1:idPInitSSOEnabled>
<!--Zero or more repetitions:-->
<xsd1:idpInitSLOReturnToURLs>?</xsd1:idpInitSLOReturnToURLs>
<!--Optional:-->
<xsd1:issuer>?</xsd1:issuer>
<!--Optional:-->
<xsd1:nameIDFormat>?</xsd1:nameIDFormat>
<!--Optional:-->
<xsd1:nameIdClaimUri>?</xsd1:nameIdClaimUri>
<!--Zero or more repetitions:-->
<xsd1:requestedAudiences>?</xsd1:requestedAudiences>
<!--Zero or more repetitions:-->
<xsd1:requestedRecipients>?</xsd1:requestedRecipients>
<!--Optional:-->
<xsd1:signingAlgorithmURI>?</xsd1:signingAlgorithmURI>
<!--Optional:-->
<xsd1:sloRequestURL>?</xsd1:sloRequestURL>
<!--Optional:-->
<xsd1:sloResponseURL>?</xsd1:sloResponseURL>
</xsd:spDto>
</xsd:addRPServiceProvider>
</soapenv:Body>
</soapenv:Envelope>
```
Sample request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:addRPServiceProvider>
<!--Optional:-->
<xsd:spDto>
<!--Zero or more repetitions:-->
<xsd1:assertionConsumerUrls>http://localhost:8080/travelocity.com/home.jsp</xsd1:assertionConsumerUrls>
<!--Optional:-->
<xsd1:assertionQueryRequestProfileEnabled>false</xsd1:assertionQueryRequestProfileEnabled>
<!--Optional:-->
<xsd1:attributeConsumingServiceIndex>1223160755</xsd1:attributeConsumingServiceIndex>
<!--Optional:-->
<xsd1:certAlias>wso2carbon</xsd1:certAlias>
<!--Optional:-->
<xsd1:defaultAssertionConsumerUrl>http://localhost:8080/travelocity.com/home.jsp</xsd1:defaultAssertionConsumerUrl>
<!--Optional:-->
<xsd1:digestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</xsd1:digestAlgorithmURI>
<!--Optional:-->
<xsd1:doEnableEncryptedAssertion>true</xsd1:doEnableEncryptedAssertion>
<!--Optional:-->
<xsd1:doSignAssertions>true</xsd1:doSignAssertions>
<!--Optional:-->
<xsd1:doSignResponse>true</xsd1:doSignResponse>
<!--Optional:-->
<xsd1:doSingleLogout>true</xsd1:doSingleLogout>
<!--Optional:-->
<xsd1:doValidateSignatureInRequests>true</xsd1:doValidateSignatureInRequests>
<!--Optional:-->
<xsd1:enableAttributeProfile>true</xsd1:enableAttributeProfile>
<!--Optional:-->
<xsd1:enableAttributesByDefault>true</xsd1:enableAttributesByDefault>
<!--Optional:-->
<xsd1:idPInitSLOEnabled>true</xsd1:idPInitSLOEnabled>
<!--Optional:-->
<xsd1:idPInitSSOEnabled>true</xsd1:idPInitSSOEnabled>
<!--Zero or more repetitions:-->
<xsd1:idpInitSLOReturnToURLs>http://localhost:8090/travelocity.com/home.jsp</xsd1:idpInitSLOReturnToURLs>
<!--Optional:-->
<xsd1:issuer>travelocity.com</xsd1:issuer>
<!--Optional:-->
<xsd1:nameIDFormat>urn/oasis/names/tc/SAML/1.1/nameid-format/emailAddress</xsd1:nameIDFormat>
<!--Zero or more repetitions:-->
<xsd1:requestedAudiences>https://localhost:9443/oauth2/token</xsd1:requestedAudiences>
<!--Zero or more repetitions:-->
<xsd1:requestedRecipients>https://localhost:9443/oauth2/token</xsd1:requestedRecipients>
<!--Optional:-->
<xsd1:signingAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</xsd1:signingAlgorithmURI>
<!--Optional:-->
<xsd1:sloRequestURL></xsd1:sloRequestURL>
<!--Optional:-->
<xsd1:sloResponseURL></xsd1:sloResponseURL>
</xsd:spDto>
</xsd:addRPServiceProvider>
</soapenv:Body>
</soapenv:Envelope>
```
Sample response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:createApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:createApplicationResponse>
</soapenv:Body>
</soapenv:Envelope>
```
Note
Once the SAML SSO configuration is added, the issuer details need to be included in inbound authentication configurations of the service provider.
Parameter | Type | Description |
---|---|---|
inboundAuthKey | String | Specify the issuer here, which is the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider. |
inboundAuthType | String | For SAML 2.0, authentication type should be ‘samlsso’ |
Property Name | Property Value |
---|---|
attrConsumServiceIndex | This is the consumer service index. The service provider should send this in the SAML request to get attributes of the authenticated subject. |
```xml
<xsd1:inboundAuthenticationConfig>
<!--Zero or more repetitions:-->
<xsd1:inboundAuthenticationRequestConfigs>
<!--Optional:-->
<xsd1:inboundAuthKey>travelocity.com</xsd1:inboundAuthKey>
<!--Optional:-->
<xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
<!--Zero or more repetitions:-->
<xsd1:properties>
<!--Optional:-->
<xsd1:name>attrConsumServiceIndex</xsd1:name>
<!--Optional:-->
<xsd1:value>202240762</xsd1:value>
</xsd1:properties>
</xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
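Before an addRPServiceProvider request like the one above is sent, it is worth checking the spDto for settings that weaken the SAML exchange; the page's own sample carries SHA-1 digest and signing algorithm URIs and plaintext http endpoints. The following reviewer script is an added example, not WSO2 code; SAMPLE_REQUEST is constructed from the sample values on this page.

```python
"""Review an addRPServiceProvider request for weak SAML settings before
it is sent. Added example, not WSO2 code; SAMPLE_REQUEST is constructed
from the sample values on this page."""
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "xsd": "http://org.apache.axis2/xsd",
      "xsd1": "http://dto.saml.sso.identity.carbon.wso2.org/xsd"}
# SHA-1 based XML-DSig algorithm URIs (the page's sample uses both).
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}
# Flags that must be "true" for the IdP to sign its output and verify the SP.
MUST_BE_TRUE = ("doSignAssertions", "doSignResponse",
                "doValidateSignatureInRequests")

def audit_saml_sp(envelope_xml: str) -> list:
    """Return finding strings for the spDto; an empty list means clean."""
    root = ET.fromstring(envelope_xml)
    sp = root.find("soapenv:Body/xsd:addRPServiceProvider/xsd:spDto", NS)
    if sp is None:
        raise ValueError("no spDto element in request")
    def text(tag):  # text of a single xsd1 child, "" if absent
        el = sp.find(f"xsd1:{tag}", NS)
        return (el.text or "").strip() if el is not None else ""
    findings = []
    for tag in ("digestAlgorithmURI", "signingAlgorithmURI"):
        if text(tag) in SHA1_URIS:
            findings.append(f"{tag}: SHA-1 based algorithm {text(tag)}")
    for tag in MUST_BE_TRUE:
        if text(tag) != "true":
            findings.append(f"{tag}: not enabled")
    # Endpoints the IdP will deliver assertions or logout requests to.
    for tag in ("assertionConsumerUrls", "idpInitSLOReturnToURLs"):
        for el in sp.findall(f"xsd1:{tag}", NS):
            url = (el.text or "").strip()
            if url.startswith("http://"):
                findings.append(f"{tag}: plaintext endpoint {url}")
    return findings

# Constructed sample mirroring the page's sample request (trimmed).
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
<soapenv:Body><xsd:addRPServiceProvider><xsd:spDto>
<xsd1:assertionConsumerUrls>http://localhost:8080/travelocity.com/home.jsp</xsd1:assertionConsumerUrls>
<xsd1:digestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</xsd1:digestAlgorithmURI>
<xsd1:doSignAssertions>true</xsd1:doSignAssertions>
<xsd1:doSignResponse>true</xsd1:doSignResponse>
<xsd1:doValidateSignatureInRequests>true</xsd1:doValidateSignatureInRequests>
<xsd1:idpInitSLOReturnToURLs>http://localhost:8090/travelocity.com/home.jsp</xsd1:idpInitSLOReturnToURLs>
<xsd1:signingAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</xsd1:signingAlgorithmURI>
</xsd:spDto></xsd:addRPServiceProvider></soapenv:Body></soapenv:Envelope>"""
```

Running audit_saml_sp(SAMPLE_REQUEST) reports four findings for the page's sample values; switching the algorithms to SHA-256 URIs and the endpoints to https clears them.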
Configuring OAuth/OpenID Connect¶
Description | To add a Service Provider with OAuth capability, add an OAuth application through the OAuthAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/OAuthAdminService?wsdl . Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number. |
---|---|
Permissions | /admin/manage/identity |
Input Parameters | |
Request | See below |
Response | See below |
Sample Request and Response¶
Request format:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:registerOAuthApplicationData>
<!--Optional:-->
<xsd:application>
<!--Optional:-->
<xsd1:OAuthVersion>?</xsd1:OAuthVersion>
<!--Optional:-->
<xsd1:applicationAccessTokenExpiryTime>?</xsd1:applicationAccessTokenExpiryTime>
<!--Optional:-->
<xsd1:applicationName>?</xsd1:applicationName>
<!--Optional:-->
<xsd1:callbackUrl>?</xsd1:callbackUrl>
<!--Optional:-->
<xsd1:grantTypes>?</xsd1:grantTypes>
<!--Optional:-->
<xsd1:oauthConsumerKey>?</xsd1:oauthConsumerKey>
<!--Optional:-->
<xsd1:oauthConsumerSecret>?</xsd1:oauthConsumerSecret>
<!--Optional:-->
<xsd1:pkceMandatory>?</xsd1:pkceMandatory>
<!--Optional:-->
<xsd1:pkceSupportPlain>?</xsd1:pkceSupportPlain>
<!--Optional:-->
<xsd1:refreshTokenExpiryTime>?</xsd1:refreshTokenExpiryTime>
<!--Optional:-->
<xsd1:userAccessTokenExpiryTime>?</xsd1:userAccessTokenExpiryTime>
</xsd:application>
</xsd:registerOAuthApplicationData>
</soapenv:Body>
</soapenv:Envelope>
```
Sample request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:registerOAuthApplicationData>
<!--Optional:-->
<xsd:application>
<!--Optional:-->
<xsd1:OAuthVersion>OAuth-2.0</xsd1:OAuthVersion>
<!--Optional:-->
<xsd1:applicationAccessTokenExpiryTime>3600</xsd1:applicationAccessTokenExpiryTime>
<!--Optional:-->
<xsd1:applicationName>playground</xsd1:applicationName>
<!--Optional:-->
<xsd1:callbackUrl>http://localhost:8080/playground2/oauth2client</xsd1:callbackUrl>
<!--Optional:-->
<xsd1:grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code</xsd1:grantTypes>
<!--Optional:-->
<xsd1:pkceMandatory>false</xsd1:pkceMandatory>
<!--Optional:-->
<xsd1:pkceSupportPlain>true</xsd1:pkceSupportPlain>
<!--Optional:-->
<xsd1:refreshTokenExpiryTime>84000</xsd1:refreshTokenExpiryTime>
<!--Optional:-->
<xsd1:userAccessTokenExpiryTime>3600</xsd1:userAccessTokenExpiryTime>
</xsd:application>
</xsd:registerOAuthApplicationData>
</soapenv:Body>
</soapenv:Envelope>
```
Sample response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:registerOAuthApplicationDataResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:registerOAuthApplicationDataResponse>
</soapenv:Body>
</soapenv:Envelope>
```
Note
Once the OAuth application is created, you can retrieve the OAuth consumer key and OAuth consumer secret by calling the getOAuthApplicationDataByAppName service method.
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getOAuthApplicationDataByAppName>
<!--Optional:-->
<xsd:appName>playground</xsd:appName>
</xsd:getOAuthApplicationDataByAppName>
</soapenv:Body>
</soapenv:Envelope>
```
Once the OAuth configuration is added, the OAuth consumer key/secret details need to be included in inbound authentication configurations of the service provider.
Parameter | Type | Description |
---|---|---|
inboundAuthKey | String | OAuth Client Key |
inboundAuthType | String | For OAuth, authentication type should be ‘oauth2’ |
Property Name | Property Value |
---|---|
oauthConsumerSecret | OAuth client secret |
```xml
<xsd1:inboundAuthenticationConfig>
<!--Zero or more repetitions:-->
<xsd1:inboundAuthenticationRequestConfigs>
<!--Optional:-->
<xsd1:inboundAuthKey>li6JMbjW6WDMKTWsRnGcjp5zcGhi</xsd1:inboundAuthKey>
<!--Optional:-->
<xsd1:inboundAuthType>oauth2</xsd1:inboundAuthType>
<!--Zero or more repetitions:-->
<xsd1:properties>
<!--Optional:-->
<xsd1:name>oauthConsumerSecret</xsd1:name>
<!--Optional:-->
<xsd1:value>NMB3EAfxh4YvSTqbb3iMkongAHjW</xsd1:value>
</xsd1:properties>
</xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
Configuring WS-Trust Security Token service¶
Description | To configure a service provider with the WS-Trust Security Token Service (STS), add a trusted service through the STSAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/STSAdminService?wsdl . Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/STSAdminService?wsdl . |
---|---|
Permissions | /admin/manage/identity |
Input Parameters | |
Request | See below |
Response | See below |
Sample Request and Response¶
Request format:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:addTrustedService>
<!--Optional:-->
<ser:serviceAddress>?</ser:serviceAddress>
<!--Optional:-->
<ser:certAlias>?</ser:certAlias>
</ser:addTrustedService>
</soapenv:Body>
</soapenv:Envelope>
```
Sample request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:addTrustedService>
<!--Optional:-->
<ser:serviceAddress>https://www.example.com/sts</ser:serviceAddress>
<!--Optional:-->
<ser:certAlias>wso2carbon</ser:certAlias>
</ser:addTrustedService>
</soapenv:Body>
</soapenv:Envelope>
```
Sample response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:addTrustedServiceResponse xmlns:ns="http://service.sts.security.carbon.wso2.org">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:addTrustedServiceResponse>
</soapenv:Body>
</soapenv:Envelope>
```
Note
Once the trusted service is registered, the service address needs to be included in inbound authentication configurations of the service provider.
Parameter | Type | Description |
---|---|---|
inboundAuthKey | String | The endpoint address of the trusted relying party. |
inboundAuthType | String | For WS-Trust Security Token Service, the authentication type should be ‘wstrust’ |
```xml
<xsd1:inboundAuthenticationConfig>
<!--Zero or more repetitions:-->
<xsd1:inboundAuthenticationRequestConfigs>
<!--Optional:-->
<xsd1:inboundAuthKey>https://www.example.com/sts</xsd1:inboundAuthKey>
<!--Optional:-->
<xsd1:inboundAuthType>wstrust</xsd1:inboundAuthType>
</xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
Configuring WS-Federation (passive)¶
Description | To configure a service provider with WS-Federation (passive), you only need to include the following parameters in the inbound authentication configurations of the service provider. |
---|---|
Input Parameters | |
```xml
<xsd1:inboundAuthenticationConfig>
<!--Zero or more repetitions:-->
<xsd1:inboundAuthenticationRequestConfigs>
<!--Optional:-->
<xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
<!--Optional:-->
<xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
<!--Zero or more repetitions:-->
<xsd1:properties>
<!--Optional:-->
<xsd1:name>passiveSTSWReply</xsd1:name>
<!--Optional:-->
<xsd1:value>{url}</xsd1:value>
</xsd1:properties>
</xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
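Each of the four sections above ends with the same step: an inboundAuthenticationConfig fragment whose inboundAuthKey, inboundAuthType and properties differ per protocol (samlsso needs attrConsumServiceIndex, oauth2 needs oauthConsumerSecret, passivests needs passiveSTSWReply, wstrust needs no property). The following builder and parser are an added example, not WSO2 code; XSD1 is an assumed namespace for the application model, since this page never declares it, and REQUIRED_PROPERTY is distilled from the tables above.

```python
"""Build and parse the inboundAuthenticationConfig fragment that each
section above adds to the service provider after registration. Added
example, not WSO2 code; XSD1 is assumed to be the application-model
namespace, which this page never declares."""
import xml.etree.ElementTree as ET

XSD1 = "http://model.common.application.identity.carbon.wso2.org/xsd"
ET.register_namespace("xsd1", XSD1)
# Property each inboundAuthType carries, taken from the tables above;
# None means the type needs no properties element.
REQUIRED_PROPERTY = {"samlsso": "attrConsumServiceIndex",
                     "oauth2": "oauthConsumerSecret",
                     "wstrust": None,
                     "passivests": "passiveSTSWReply"}

def q(tag):  # Clark-notation name in the xsd1 namespace
    return f"{{{XSD1}}}{tag}"

def build_inbound_config(auth_type, auth_key, property_value=None):
    """Serialize one inboundAuthenticationRequestConfigs entry.
    Raises ValueError for an unknown type or a missing property."""
    if auth_type not in REQUIRED_PROPERTY:
        raise ValueError(f"unknown inboundAuthType {auth_type!r}")
    prop = REQUIRED_PROPERTY[auth_type]
    if prop and property_value is None:
        raise ValueError(f"{auth_type} requires property {prop}")
    cfg = ET.Element(q("inboundAuthenticationConfig"))
    req = ET.SubElement(cfg, q("inboundAuthenticationRequestConfigs"))
    ET.SubElement(req, q("inboundAuthKey")).text = auth_key
    ET.SubElement(req, q("inboundAuthType")).text = auth_type
    if prop:
        p = ET.SubElement(req, q("properties"))
        ET.SubElement(p, q("name")).text = prop
        ET.SubElement(p, q("value")).text = str(property_value)
    return ET.tostring(cfg, encoding="unicode")

def parse_inbound_config(xml_text):
    """Inverse: return (inboundAuthType, inboundAuthKey, {name: value})."""
    req = ET.fromstring(xml_text).find(q("inboundAuthenticationRequestConfigs"))
    props = {p.findtext(q("name")): p.findtext(q("value"))
             for p in req.findall(q("properties"))}
    return (req.findtext(q("inboundAuthType")),
            req.findtext(q("inboundAuthKey")), props)

if __name__ == "__main__":
    # Values from the page's OAuth sample.
    print(build_inbound_config("oauth2", "li6JMbjW6WDMKTWsRnGcjp5zcGhi",
                               "NMB3EAfxh4YvSTqbb3iMkongAHjW"))
```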
Related Links
- For key APIs relevant for developers, see Using APIs.
- For a list of the operations that can be performed with different permission levels, see Permissions Required to Invoke Admin Services.
- The following article guides you through transforming existing SOAP-based services into REST services in WSO2 Identity Server: Exposing WSO2 Identity Server Admin Services the REST Way.