Identity Provider Configurations used with APIs¶
This section lists out some sample configurations that can be used when configuring an Identity Provider.
Federated authenticator configuration samples¶
A federated authenticator is used to authenticate a user through an external system (e.g. Yahoo, MSN, OpenIDConnect). To write your own custom federated authenticator, see Writing a Custom Federated Authenticator.
Warning
The <federatedAuthenticatorConfigs> and
<defaultAuthenticatorConfig> tags have similar
attributes. To configure a federated authenticator as the default
authenticator, use the desired configuration found below with the
<defaultAuthenticatorConfig> tag instead of the
<federatedAuthenticatorConfigs> tag. Note that there
can be only one <defaultAuthenticatorConfig> while
there can be multiple <federatedAuthenticatorConfigs>
.
SAML2 Web SSO configuration¶
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>samlsso</displayName>
<enabled>true</enabled>
<name>SAMLSSOAuthenticator</name>
<properties>
<name>IdPEntityId</name>
<value>Identity Provider Entity Id</value>
</properties>
<properties>
<name>SPEntityId</name>
<value>Service Provider Entity Id</value>
</properties>
<properties>
<name>SSOUrl</name>
<value>https://localhost:9443/samlsso/</value>
</properties>
<properties>
<name>ISAuthnReqSigned</name>
<value>true</value>
</properties>
<properties>
<name>IsLogoutEnabled</name>
<value>true</value>
</properties>
<properties>
<name>LogoutReqUrl</name>
<value>https://example.com/logout/url</value>
</properties>
<properties>
<name>IsLogoutReqSigned</name>
<value>true</value>
</properties>
<properties>
<name>IsAuthnRespSigned</name>
<value>true</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>IsAssertionEncrypted</name>
<value>true</value>
</properties>
<properties>
<name>isAssertionSigned</name>
<value>true</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>paramName1=value1¶mName2=value2</value>
</properties>
</federatedAuthenticatorConfigs>Property Name |
Description |
|---|---|
IdPEntityId |
Identity Provider Entity Id |
SPEntityId |
Service Provider Entity Id |
SSOUrl |
SSO URL |
ISAuthnReqSigned |
Enable Authentication Request Signing |
IsLogoutEnabled |
Enable Logout |
LogoutReqUrl |
Logout Url |
IsLogoutReqSigned |
Enable Logout Request Signing |
IsAuthnRespSigned |
Enable Authentication Response Signing |
IsUserIdInClaims |
SAML2 Web SSO User ID Location |
IsAssertionEncrypted |
Enable Assertion Encryption |
isAssertionSigned |
Enable Assertion Signing |
commonAuthQueryParams |
Additional Query Parameters |
OAuth2/OpenID Connect configuration¶
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>openidconnect</displayName>
<enabled>true</enabled>
<name>OpenIDConnectAuthenticator</name>
<properties>
<name>ClientId</name>
<value>ClientID</value>
</properties>
<properties>
<name>OAuth2AuthzUrl</name>
<value>https://localhost:9443/oauth2/authorize/</value>
</properties>
<properties>
<name>OAUTH2TokenUrl</name>
<value>https://localhost:9443/oauth2/token/</value>
</properties>
<properties>
<confidential>true</confidential>
<name>ClientSecret</name>
<value>ClientSecret</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>paramName1=value1¶mName2=value2</value>
</properties>
</federatedAuthenticatorConfigs>Property Name |
Description |
|---|---|
ClientId |
Client Id |
OAuth2AuthzUrl |
Authorization Endpoint URL |
OAUTH2TokenUrl |
Token Endpoint URL |
ClientSecret |
Client Secret |
IsUserIdInClaims |
OpenID Connect User ID Location |
commonAuthQueryParams |
Additional Query Parameters |
WS-Federation (Passive) configuration¶
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>passivests</displayName>
<enabled>true</enabled>
<name>PassiveSTSAuthenticator</name>
<properties>
<name>RealmId</name>
<value>Passive STS Realm</value>
</properties>
<properties>
<name>PassiveSTSUrl</name>
<value>https://localhost:9443/passivests/</value>
</properties>
<properties>
<name>IsUserIdInClaims</name>
<value>false</value>
</properties>
<properties>
<name>commonAuthQueryParams</name>
<value>paramName1=value1</value>
</properties>
</federatedAuthenticatorConfigs>| Property Name | Description |
|---|---|
| RealmId | Passive STS Realm |
| PassiveSTSUrl | Passive STS URL |
| IsUserIdInClaims | Passive STS User ID Location |
| commonAuthQueryParams | Additional Query Parameters |
Facebook configuration¶
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>facebook</displayName>
<enabled>true</enabled>
<name>FacebookAuthenticator</name>
<properties>
<name>ClientId</name>
<value>clientID</value>
</properties>
<properties>
<confidential>true</confidential>
<name>ClientSecret</name>
<value>secret</value>
</properties>
<properties>
<name>UserInfoFields</name>
<value>id,first_name,middle_name,gender,email</value>
</properties>
<properties>
<name>Scope</name>
<value>email</value>
</properties>
<properties>
<name>callBackUrl</name>
<value>https://localhost:9443/commonauth</value>
</properties>
</federatedAuthenticatorConfigs>| Property Name | Description |
|---|---|
| ClientId | This refers to the Client Id you received from the Facebook app you created. |
| ClientSecret | This refers to the Client Secret you received from the Facebook app you created. |
| UserInfoFields | These are the claims related to the user account on Facebook. WSO2 Identity Server requests these fields from Facebook when a user is authenticated with Facebook through the IS. See public_profile permission for more information about these fields. |
| Scope | Defines the permission to access particular information from a Facebook profile. See the Permissions Reference for a list of the different permission groups in Facebook APIs. |
| callBackUrl | Callback URL of the Identity Server. |
Yahoo configuration¶
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>yahoo</displayName>
<enabled>true</enabled>
<name>YahooOpenIDAuthenticator</name>
</federatedAuthenticatorConfigs>Google configuration¶
<federatedAuthenticatorConfigs
xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>google</displayName>
<enabled>true</enabled>
<name>GoogleOpenIDAuthenticator</name>
</federatedAuthenticatorConfigs>Microsoft (Hotmail,MSN,Live) configuration¶
<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<displayName>microsoft(hotmail,</displayName>
<enabled>true</enabled>
<name>MicrosoftWindowsLive</name>
<properties>
<name>ClientSecret</name>
<value>clientsecret</value>
</properties>
<properties>
<name>windows-live-callback-url</name>
<value>https://example.com/callback/url</value>
</properties>
<properties>
<name>ClientId</name>
<value>clientID</value>
</properties>
</federatedAuthenticatorConfigs>Property Name |
Description |
|---|---|
ClientSecret |
Client Secret |
windows-live-callback-url |
Callback Url |
ClientId |
Client Id |
Outbound provisioning connector configuration samples¶
An outbound provisioning connector is used to provision users to external systems (e.g. Google, SalesForce). To write your own custom outbound provisioning connector, see Writing an Outbound Provisioning Connector.
Warning
The <provisioningConnectorConfigs> and <defaultProvisioningConnectorConfig> tags
have similar attributes. To configure an outbound provisioning connector
as the default provisioning connector, use the desired configuration
found below with the
<defaultProvisioningConnectorConfig> tag
instead of the
<provisioningConnectorConfigs> tag. There
can be only one
<defaultProvisioningConnectorConfig> while
there can be multiple
<provisioningConnectorConfigs> .
SalesForce provisioning configuration¶
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>salesforce</name>
<provisioningProperties>
<name>sf-username</name>
<value>testuser</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>sf-password</name>
<value>testpw</value>
</provisioningProperties>
<provisioningProperties>
<name>sf-clientid</name>
<value>clientID</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>sf-client-secret</name>
<value>clientsecret</value>
</provisioningProperties>
<provisioningProperties>
<name>sf-api-version</name>
<value>1.0.0</value>
</provisioningProperties>
<provisioningProperties>
<name>sf-domain-name</name>
<value>example.com</value>
</provisioningProperties>
</provisioningConnectorConfigs>Property Name |
Description |
|---|---|
sf-username |
Username |
sf-password |
Password |
sf-clientid |
Client ID |
sf-client-secret |
Client Secret |
sf-api-version |
API version |
sf-domain-name |
Domain Name |
Google provisioning configuration¶
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>googleapps</name>
<provisioningProperties>
<name>google_prov_application_name</name>
<value>TestApp</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_admin_email</name>
<value>[email protected]</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_service_acc_email</name>
<value>[email protected]</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_familyname_claim_dropdown</name>
<value>ClaimB</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_givenname_claim_dropdown</name>
<value>ClaimB</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_email_claim_dropdown</name>
<value>ClaimA</value>
</provisioningProperties>
<provisioningProperties>
<name>google_prov_domain_name</name>
<value>mygoogledomain.com</value>
</provisioningProperties>
</provisioningConnectorConfigs>Property Name |
Description |
|---|---|
google_prov_application_name |
Application Name |
google_prov_admin_email |
Administrator's Email |
google_prov_service_acc_email |
Service Account Email |
google_prov_familyname_claim_dropdown |
Family Name |
google_prov_givenname_claim_dropdown |
Given Name |
google_prov_email_claim_dropdown |
Primary Email |
google_prov_domain_name |
Google Domain |
SCIM provisioning configuration¶
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>scim</name>
<provisioningProperties>
<name>scim-username</name>
<value>testuser</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>scim-password</name>
<value>testpw</value>
</provisioningProperties>
<provisioningProperties>
<name>scim-user-ep</name>
<value>example.com</value>
</provisioningProperties>
<provisioningProperties>
<name>scim-group-ep</name>
<value>example.com</value>
</provisioningProperties>
<provisioningProperties>
<name>scim-user-store-domain</name>
<value>example.com</value>
</provisioningProperties>
</provisioningConnectorConfigs>Property Name |
Description |
|---|---|
scim-username |
Username |
scim-password |
Password |
scim-user-ep |
User Endpoint |
scim-group-ep |
Group Endpoint |
scim-user-store-domain |
User Store Domain |
SPML provisioning configuration¶
<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
<enabled>true</enabled>
<name>spml</name>
<provisioningProperties>
<name>spml-username</name>
<value>testuser</value>
</provisioningProperties>
<provisioningProperties>
<confidential>true</confidential>
<name>spml-password</name>
<value>testpw</value>
</provisioningProperties>
<provisioningProperties>
<name>spml-ep</name>
<value>example.com</value>
</provisioningProperties>
<provisioningProperties>
<name>spml-oc</name>
<value>spml2person</value>
</provisioningProperties>
</provisioningConnectorConfigs>Property Name |
Description |
|---|---|
spml-username |
Username |
spml-password |
Password |
spml-ep |
SPML Endpoint |
spml-oc |
SPML ObjectClass |