Skip to content

Identity Provider Configurations used with APIs

This section lists out some sample configurations that can be used when configuring an Identity Provider.

Federated authenticator configuration samples

A federated authenticator is used to authenticate a user through an external system (e.g. Yahoo, MSN, OpenIDConnect). To write your own custom federated authenticator, see Writing a Custom Federated Authenticator.

Warning

The <federatedAuthenticatorConfigs> and <defaultAuthenticatorConfig> tags have similar attributes. To configure a federated authenticator as the default authenticator, use the desired configuration found below with the <defaultAuthenticatorConfig> tag instead of the <federatedAuthenticatorConfigs> tag. Note that there can be only one <defaultAuthenticatorConfig> while there can be multiple <federatedAuthenticatorConfigs> .

SAML2 Web SSO configuration

<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <displayName>samlsso</displayName>
   <enabled>true</enabled>
   <name>SAMLSSOAuthenticator</name>
   <properties>
      <name>IdPEntityId</name>
      <value>Identity Provider Entity Id</value>
   </properties>
   <properties>
      <name>SPEntityId</name>
      <value>Service Provider Entity Id</value>
   </properties>
   <properties>
      <name>SSOUrl</name>
      <value>https://localhost:9443/samlsso/</value>
   </properties>
   <properties>
      <name>ISAuthnReqSigned</name>
      <value>true</value>
   </properties>
   <properties>
      <name>IsLogoutEnabled</name>
      <value>true</value>
   </properties>
   <properties>
      <name>LogoutReqUrl</name>
      <value>https://example.com/logout/url</value>
   </properties>
   <properties>
      <name>IsLogoutReqSigned</name>
      <value>true</value>
   </properties>
   <properties>
      <name>IsAuthnRespSigned</name>
      <value>true</value>
   </properties>
   <properties>
      <name>IsUserIdInClaims</name>
      <value>false</value>
   </properties>
   <properties>
      <name>IsAssertionEncrypted</name>
      <value>true</value>
   </properties>
   <properties>
      <name>isAssertionSigned</name>
      <value>true</value>
   </properties>
   <properties>
      <name>commonAuthQueryParams</name>
      <value>paramName1=value1&paramName2=value2</value>
   </properties>
</federatedAuthenticatorConfigs>

Property Name

Description

IdPEntityId

Identity Provider Entity Id

SPEntityId

Service Provider Entity Id

SSOUrl

SSO URL

ISAuthnReqSigned

Enable Authentication Request Signing

IsLogoutEnabled

Enable Logout

LogoutReqUrl

Logout Url

IsLogoutReqSigned

Enable Logout Request Signing

IsAuthnRespSigned

Enable Authentication Response Signing

IsUserIdInClaims

SAML2 Web SSO User ID Location

IsAssertionEncrypted

Enable Assertion Encryption

isAssertionSigned

Enable Assertion Signing

commonAuthQueryParams

Additional Query Parameters

OAuth2/OpenID Connect configuration

<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <displayName>openidconnect</displayName>
   <enabled>true</enabled>
   <name>OpenIDConnectAuthenticator</name>
   <properties>
      <name>ClientId</name>
      <value>ClientID</value>
   </properties>
   <properties>
      <name>OAuth2AuthzUrl</name>
      <value>https://localhost:9443/oauth2/authorize/</value>
   </properties>
   <properties>
      <name>OAUTH2TokenUrl</name>
      <value>https://localhost:9443/oauth2/token/</value>
   </properties>
   <properties>
      <confidential>true</confidential>
      <name>ClientSecret</name>
      <value>ClientSecret</value>
   </properties>
   <properties>
      <name>IsUserIdInClaims</name>
      <value>false</value>
   </properties>
   <properties>
      <name>commonAuthQueryParams</name>
      <value>paramName1=value1&paramName2=value2</value>
   </properties>
</federatedAuthenticatorConfigs>

Property Name

Description

ClientId

Client Id

OAuth2AuthzUrl

Authorization Endpoint URL

OAUTH2TokenUrl

Token Endpoint URL

ClientSecret

Client Secret

IsUserIdInClaims

OpenID Connect User ID Location

commonAuthQueryParams

Additional Query Parameters

WS-Federation (Passive) configuration

<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <displayName>passivests</displayName>
   <enabled>true</enabled>
   <name>PassiveSTSAuthenticator</name>
   <properties>
      <name>RealmId</name>
      <value>Passive STS Realm</value>
   </properties>
   <properties>
      <name>PassiveSTSUrl</name>
      <value>https://localhost:9443/passivests/</value>
   </properties>
   <properties>
      <name>IsUserIdInClaims</name>
      <value>false</value>
   </properties>
   <properties>
      <name>commonAuthQueryParams</name>
      <value>paramName1=value1</value>
   </properties>
</federatedAuthenticatorConfigs>
Property Name Description
RealmId Passive STS Realm
PassiveSTSUrl Passive STS URL
IsUserIdInClaims Passive STS User ID Location
commonAuthQueryParams Additional Query Parameters

Facebook configuration

<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <displayName>facebook</displayName>
   <enabled>true</enabled>
   <name>FacebookAuthenticator</name>
   <properties>
      <name>ClientId</name>
      <value>clientID</value>
   </properties>
   <properties>
      <confidential>true</confidential>
      <name>ClientSecret</name>
      <value>secret</value>
   </properties>
   <properties>
      <name>UserInfoFields</name>
      <value>id,first_name,middle_name,gender,email</value>
   </properties>
   <properties>
      <name>Scope</name>
      <value>email</value>
   </properties>
   <properties>
      <name>callBackUrl</name>
      <value>https://localhost:9443/commonauth</value>
   </properties>
</federatedAuthenticatorConfigs>
Property Name Description
ClientId This refers to the Client Id you received from the Facebook app you created.
ClientSecret This refers to the Client Secret you received from the Facebook app you created.
UserInfoFields These are the claims related to the user account on Facebook. WSO2 Identity Server requests these fields from Facebook when a user is authenticated with Facebook through the IS. See public_profile permission for more information about these fields.
Scope Defines the permission to access particular information from a Facebook profile. See the Permissions Reference for a list of the different permission groups in Facebook APIs.
callBackUrl Callback URL of the Identity Server.

Yahoo configuration

<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <displayName>yahoo</displayName>
   <enabled>true</enabled>
   <name>YahooOpenIDAuthenticator</name>
</federatedAuthenticatorConfigs>

Google configuration

<federatedAuthenticatorConfigs
    xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
    <displayName>google</displayName>
    <enabled>true</enabled>
    <name>GoogleOpenIDAuthenticator</name>
</federatedAuthenticatorConfigs>

Microsoft (Hotmail,MSN,Live) configuration

<federatedAuthenticatorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <displayName>microsoft(hotmail,</displayName>
   <enabled>true</enabled>
   <name>MicrosoftWindowsLive</name>
   <properties>
      <name>ClientSecret</name>
      <value>clientsecret</value>
   </properties>
   <properties>
      <name>windows-live-callback-url</name>
      <value>https://example.com/callback/url</value>
   </properties>
   <properties>
      <name>ClientId</name>
      <value>clientID</value>
   </properties>
</federatedAuthenticatorConfigs>

Property Name

Description

ClientSecret

Client Secret

windows-live-callback-url

Callback Url

ClientId

Client Id

Outbound provisioning connector configuration samples

An outbound provisioning connector is used to provision users to external systems (e.g. Google, SalesForce).  To write your own custom outbound provisioning connector, see Writing an Outbound Provisioning Connector.

Warning

The <provisioningConnectorConfigs> and <defaultProvisioningConnectorConfig> tags have similar attributes. To configure an outbound provisioning connector as the default provisioning connector, use the desired configuration found below with the <defaultProvisioningConnectorConfig> tag instead of the <provisioningConnectorConfigs> tag. There can be only one <defaultProvisioningConnectorConfig> while there can be multiple <provisioningConnectorConfigs> .

SalesForce provisioning configuration

<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <enabled>true</enabled>
   <name>salesforce</name>
   <provisioningProperties>
      <name>sf-username</name>
      <value>testuser</value>
   </provisioningProperties>
   <provisioningProperties>
      <confidential>true</confidential>
      <name>sf-password</name>
      <value>testpw</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>sf-clientid</name>
      <value>clientID</value>
   </provisioningProperties>
   <provisioningProperties>
      <confidential>true</confidential>
      <name>sf-client-secret</name>
      <value>clientsecret</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>sf-api-version</name>
      <value>1.0.0</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>sf-domain-name</name>
      <value>example.com</value>
   </provisioningProperties>
</provisioningConnectorConfigs>

Property Name

Description

sf-username

Username

sf-password

Password

sf-clientid

Client ID

sf-client-secret

Client Secret

sf-api-version

API version

sf-domain-name

Domain Name

Google provisioning configuration

<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <enabled>true</enabled>
   <name>googleapps</name>
   <provisioningProperties>
      <name>google_prov_application_name</name>
      <value>TestApp</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>google_prov_admin_email</name>
      <value>test@mygoogledomain.com</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>google_prov_service_acc_email</name>
      <value>test@developer.gserviceaccount.com</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>google_prov_familyname_claim_dropdown</name>
      <value>ClaimB</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>google_prov_givenname_claim_dropdown</name>
      <value>ClaimB</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>google_prov_email_claim_dropdown</name>
      <value>ClaimA</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>google_prov_domain_name</name>
      <value>mygoogledomain.com</value>
   </provisioningProperties>
</provisioningConnectorConfigs>

Property Name

Description

google_prov_application_name

Application Name

google_prov_admin_email

Administrator's Email

google_prov_service_acc_email

Service Account Email

google_prov_familyname_claim_dropdown

Family Name

google_prov_givenname_claim_dropdown

Given Name

google_prov_email_claim_dropdown

Primary Email

google_prov_domain_name

Google Domain

SCIM provisioning configuration

<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <enabled>true</enabled>
   <name>scim</name>
   <provisioningProperties>
      <name>scim-username</name>
      <value>testuser</value>
   </provisioningProperties>
   <provisioningProperties>
      <confidential>true</confidential>
      <name>scim-password</name>
      <value>testpw</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>scim-user-ep</name>
      <value>example.com</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>scim-group-ep</name>
      <value>example.com</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>scim-user-store-domain</name>
      <value>example.com</value>
   </provisioningProperties>
</provisioningConnectorConfigs>

Property Name

Description

scim-username

Username

scim-password

Password

scim-user-ep

User Endpoint

scim-group-ep

Group Endpoint

scim-user-store-domain

User Store Domain

SPML provisioning configuration

<provisioningConnectorConfigs xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
   <enabled>true</enabled>
   <name>spml</name>
   <provisioningProperties>
      <name>spml-username</name>
      <value>testuser</value>
   </provisioningProperties>
   <provisioningProperties>
      <confidential>true</confidential>
      <name>spml-password</name>
      <value>testpw</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>spml-ep</name>
      <value>example.com</value>
   </provisioningProperties>
   <provisioningProperties>
      <name>spml-oc</name>
      <value>spml2person</value>
   </provisioningProperties>
</provisioningConnectorConfigs>

Property Name

Description

spml-username

Username

spml-password

Password

spml-ep

SPML Endpoint

spml-oc

SPML ObjectClass

Top