Configuring a SP and IdP Using Configuration Files¶
This topic provides instructions on how to create a service provider and identity provider in the WSO2 Identity Server using configuration files which is typically used during the deployment stage. This is configured so that multiple tenants in the Identity Server can have the same identity provider.
Even though this topic is not specifically about federated authentication, this
scenario also addresses a federated authentication
solution. This scenario requires two WSO2 Identity Server instances,
where one acts as the external identity provider, and the other acts as
the service provider. From this point onwards, the Identity Server
instance that acts as the external identity provider will be referred to
as identity provider IS
and the instance that
acts as the service provider will be referred to as
service provider IS
. Once the configurations
are done, the service provider IS
will
have the travelocity
application configured as a service provider and an
identity provider configured and shared across its tenant space. This is
illustrated via the following diagram.
The following are the high level steps required for this scenario.
- Add the
identity provider IS
to theservice provider IS
as an identity provider. - Add the
service provider IS
to theidentity provider IS
as a service provider. - Add the
travelocity.com
application in theservice provider IS
as a service provider. This uses the identity provider created earlier (in step 1) as a federated authenticator.
Note
The above processes can be easily done using the Management
Console, but the
service provider
and identity provider
created in
service provider IS
, will only be visible to the
tenant who creates them.
Therefore, difference here is that the identity
provider
and service provider
in service provider IS
are created using
configuration files are available to all the tenants
in service provider IS
.
The following sections provide instructions on how to carry out the above steps.
Before you begin¶
Do the following steps to setup two WSO2 Identity Server instances for this scenario.
- Download and install the two Identity Server instances.
-
Navigate to
<IDENTITY_PROVIDER_IS_HOME>/repository/conf/deployment.toml
and add anoffset
value to increment the port values in theidentity provider IS
so that there is no port conflict with theservice provider IS
. Port conflicts occur when multiple WSO2 product instances run on the same machine.[server] ... offset=2 ...
Note
To read more about new configurations, see New Configuration Model.
You have successfully setup the Identity Server instances. Now you can proceed to the the configuration steps.
Configure the Federated Identity Provider¶
This section involves adding the service provider IS
as a
service provider in the identity provider IS
from the management
console.
- Start the
identity provider IS
and access the Management Console. - Navigate to the Main -> Identity -> Service Providers -> Click Add.
-
Fill in the Service Provider Name and provide a brief Description of the service provider.
NOTE: for this scenario, enter the Service Provider Name as
ServiceProviderSP_IS
. -
Click Register to add the service provider.
- Expand the Inbound Authentication and SAML2 Web SSO Configuration sections and click Configure.
-
Do the following configurations.
Configurations to be done Description Issuer : travelocitySP
This must be the same as the value you enter for the Service Provider Entity Id when configuring the identity provider in the service provider IS
.Assertion Consumer URL : https://localhost:9443/commonauth
This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should be defined in this format: https://(host-name):(port)/acs
.Enable Single Logout When single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile. -
Click Register to save your changes.
Adding an identity provider¶
This section involves adding the identity provider IS
as an
identity provider in the service provider IS
via a file.
Create a file named identityProviderIDP_IS.xml
inside
the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/identity-providers
directory and add the following content into it. These configurations
basically add the identity provider in the
service provider IS
. Additionally, this has
the configurations necessary for a federated authentication scenario.
identityProviderIDP_IS.xml
<IdentityProvider>
<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
<DisplayName>identityProviderIDP_IS</DisplayName>
<IdentityProviderDescription></IdentityProviderDescription>
<Alias>https://localhost:9444/oauth2/token/</Alias>
<IsPrimary></IsPrimary>
<IsEnabled>true</IsEnabled>
<IsFederationHub></IsFederationHub>
<HomeRealmId></HomeRealmId>
<ProvisioningRole></ProvisioningRole>
<FederatedAuthenticatorConfigs>
<saml2>
<Name>SAMLSSOAuthenticator</Name>
<DisplayName>samlsso</DisplayName>
<IsEnabled>true</IsEnabled>
<Properties>
<property>
<Name>IdPEntityId</Name>
<Value>identiryProviderIDP</Value>
</property>
<property>
<Name>IsLogoutEnabled</Name>
<Value>true</Value>
</property>
<property>
<Name>SPEntityId</Name>
<Value>travelocitySP</Value>
</property>
<property>
<Name>SSOUrl</Name>
<Value>https://localhost:9444/samlsso/</Value>
</property>
<property>
<Name>isAssertionSigned</Name>
<Value>false</Value>
</property>
<property>
<Name>commonAuthQueryParams</Name>
<Value></Value>
</property>
<property>
<Name>IsUserIdInClaims</Name>
<Value>false</Value>
</property>
<property>
<Name>IsLogoutReqSigned</Name>
<Value>false</Value>
</property>
<property>
<Name>IsAssertionEncrypted</Name>
<Value>false</Value>
</property>
<property>
<Name>IsAuthReqSigned</Name>
<Value>false</Value>
</property>
<property>
<Name>IsAuthnRespSigned</Name>
<Value>false</Value>
</property>
<property>
<Name>LogoutReqUrl</Name>
<Value>false</Value>
</property>
</Properties>
</saml2>
</FederatedAuthenticatorConfigs>
<DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig>
<ProvisioningConnectorConfigs>
</ProvisioningConnectorConfigs>
<DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
<ClaimConfig></ClaimConfig>
<Certificate></Certificate>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
<JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
Note
Here, travelocitySP
must be the same value as the
value configured as the Issuer in the
identity provider IS
.
Tip
Tip : When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.
<property>
<Name>SPEntityId</Name>
<Value>travelocitySP</Value>
</property>
Note
Note: This configuration will only allow the file based identity
provider to be visible in file based service providers.
Additionally, it will only be visible to the super tenant. To make it
visible across tenants and in the SP registration UI, add the prefix
SHARED\_
before the identity provider name to the
<IdentityProviderName>
element, as seen below.
<IdentityProviderName>SHARED_identityProviderIDP_IS</IdentityProviderName>
Adding this prefix allows this identity provider to be shared between the service providers. Consequently, it will also be shown in the UI drop down as a federated identity provider when configuring a service provider.
Adding Certificate
Add the certificate value to the identityProviderIDP_IS.xml
file within the <Certificate>
tag.
Note
The following is a sample command export the public certificate in PEM format
in WSO2 Identity Server. Navigate to <IDENTITY_PROVIDER_IS_HOME>/repository/resources/security
folder and
use the following command.
keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem
Open the certificate file with a notepad so you see the
certificate value. Copy this certificate value and add it
within the <Certificate>
tag.
Note
Use the above command only if the identity provider is the WSO2
Identity Server. If the identity provider is a third party IDP, then you
can get the certificate in PEM format and read the value. You need to
copy the entire content of the PEM file and place it within the
<Certificate>
tag.
Adding a service provider¶
This section involves adding the travelocity.com
application as a
service provider in the service provider IS
via a file.
-
Open the
<SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml
file and add the following configuration under the<SSOIdentityProviderConfig>
properties
<ServiceProviders>
tag . This adds the travelocity application as a service provider.Additional configs to sso-idp-config.xml
<ServiceProvider> <Issuer>travelocity.com</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL> <EnableSingleLogout>true</EnableSingleLogout> <SLOResponseURL></SLOResponseURL> <SLORequestURL></SLORequestURL> <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI> <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI> <SignResponse>true</SignResponse> <ValidateSignatures>false</ValidateSignatures> <EncryptAssertion>true</EncryptAssertion> <CertAlias></CertAlias> <EnableAttributeProfile>true</EnableAttributeProfile> <IncludeAttributeByDefault>true</IncludeAttributeByDefault> <ConsumingServiceIndex>2104589</ConsumingServiceIndex> <EnableAudienceRestriction>false</EnableAudienceRestriction> <AudiencesList> <Audience></Audience> </AudiencesList> <EnableRecipients>false</EnableRecipients> <RecipientList> <Recipient></Recipient> </RecipientList> <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO> <EnableIdPInitSLO>false</EnableIdPInitSLO> <ReturnToURLList> <ReturnToURL></ReturnToURL> </ReturnToURLList> </ServiceProvider>
Tip
If the incoming SAML requests from the client (e.g.,
travelocity.com
) are signed, and the service provider Identity Server instance needs to validate the signature included in the authentication and logout requests, do the following:- Import the public certificate of the client to the primary
keystore (e.g.,
wso2carbon.jks
) - Add the corresponding certificate alias name to the
<CertAlias>
property and set the<ValidateSignatures>
property to true in thesso-idp-config.xml
file.
In the above configuration, the single logout is supported by Back-Channel Logout. In order to use SAML Front-Channel Logout, add the following properties under
<ServiceProvider>
tag.To enable SAML Front-Channel Logout with HTTP Redirect Binding
<EnableSingleLogout>true</EnableSingleLogout> <EnableFrontChannelLogout>true</EnableFrontChannelLogout> <FrontChannelLogoutBinding>HTTPRedirectBinding</FrontChannelLogoutBinding>
To enable SAML Front-Channel Logout with HTTP POST Binding
<EnableSingleLogout>true</EnableSingleLogout> <EnableFrontChannelLogout>true</EnableFrontChannelLogout> <FrontChannelLogoutBinding>HTTPPostBinding</FrontChannelLogoutBinding>
- Import the public certificate of the client to the primary
keystore (e.g.,
-
Create a file named
travelocity.com.xml
in the<SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers
directory. Add the following configurations into thetravelocity.com.xml
file you created. This adds the necessary SAML configurations to the travelocity service provider.travelocity.com.xml
Note
If you added the
SHARED\_
prefix to the identity provider name when adding the identity provider, replace the<IdentityProviderName>
value (found under the<LocalAndOutBoundAuthenticationConfig>
element) in thetravelocity.com.xml
file, with the following value.SHARED_identityProviderIDP_IS
<ServiceProvider> <ApplicationID>3</ApplicationID> <ApplicationName>travelocity.com</ApplicationName> <Description>travelocity Service Provider</Description> <IsSaaSApp>true</IsSaaSApp> <InboundAuthenticationConfig> <InboundAuthenticationRequestConfigs> <InboundAuthenticationRequestConfig> <InboundAuthKey>travelocity.com</InboundAuthKey> <InboundAuthType>samlsso</InboundAuthType> <Properties></Properties> </InboundAuthenticationRequestConfig> </InboundAuthenticationRequestConfigs> </InboundAuthenticationConfig> <LocalAndOutBoundAuthenticationConfig> <AuthenticationSteps> <AuthenticationStep> <StepOrder>1</StepOrder> <LocalAuthenticatorConfigs> <LocalAuthenticatorConfig> <Name>BasicAuthenticator</Name> <DisplayName>basicauth</DisplayName> <IsEnabled>true</IsEnabled> </LocalAuthenticatorConfig> </LocalAuthenticatorConfigs> <FederatedIdentityProviders> <IdentityProvider> <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName> <IsEnabled>true</IsEnabled> <DefaultAuthenticatorConfig> <FederatedAuthenticatorConfigs> <FederatedAuthenticatorConfig> <Name>SAMLSSOAuthenticator</Name> <DisplayName>samlsso</DisplayName> <IsEnabled>true</IsEnabled> </FederatedAuthenticatorConfig> </FederatedAuthenticatorConfigs> </DefaultAuthenticatorConfig> </IdentityProvider> </FederatedIdentityProviders> <SubjectStep>true</SubjectStep> <AttributeStep>true</AttributeStep> </AuthenticationStep> </AuthenticationSteps> <subjectClaimUri> <!--selected URI --> </subjectClaimUri> </LocalAndOutBoundAuthenticationConfig> <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs> <InboundProvisioningConfig></InboundProvisioningConfig> <OutboundProvisioningConfig></OutboundProvisioningConfig> <ClaimConfig> <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId> <LocalClaimDialect>true</LocalClaimDialect><ClaimMappings><ClaimMapping><LocalClaim><ClaimUri>http://wso2.org/claims/givenname</ClaimUri></LocalClaim><RemoteClaim><ClaimUri>http://wso2.org/claims/givenName</ClaimUri>ClaimUri></RemoteClaim><RequestClaim>true</RequestClaim></ClaimMapping></ClaimMappings></ClaimConfig> <PermissionAndRoleConfig></PermissionAndRoleConfig> </ServiceProvider>
-
Restart the WSO2 Identity Server to apply the file-based configurations to the system.
Note
Please note that the management console will not show the SP related configuration information if it is loaded through a file
Running the travelocity application¶
Do the following steps to run the travelocity application.
-
Deploy the travelocity application. No need to register the service provider for travelocity as we created service provider via a file.
-
When you access the following link to the travelocity application, you are directed to the identity provider for authentication:
http://wso2is.local:8080/travelocity.com/index.jsp
Note
Check whether you have enabled following configurations while adding the service provider in the
identity provider IS
. You can check this by navigating to Main -> Identity -> Service Providers -> List -> Click Edit in the corresponding SP -> Inbound Authentication Configuration -> SAML2 Web SSO Configuration -> Edit.If you have
not enabled
the configs, add the following configs to travelocity as well.- Stop tomcat if it is already running.
- Navigate to
<TOMCAT_HOME>/webapps/travelocity.com/WEBINF/classes/travelocity.properties
file and change the following configs tofalse
if they are configured totrue
.
#Specify if SAMLResponse element is signed SAML2.EnableResponseSigning=false #Specify if SAMLAssertion element is signed SAML2.EnableAssertionSigning=false #Specify if AuthnRequests and LogoutRequests should be signed SAML2.EnableRequestSigning=false
Testing with tenants¶
Now you can test if the configurations you have done work in a tenant scenario.
-
Create new tenants in the
service provider IS
.Note
Note : You cannot provide access to the service provider and identity provider for a specific tenant domain. This is accessible to all the tenants configured.
-
Open the
<TOMCAT_HOME>/webapps/travelocity.com/WEBINF/classes/travelocity.properties
file.Note
If the tomcat server is running, you need to stop the server.
Full contents of the travelocity.properties file
EnableSAML2SSOLogin=true EnableOpenIDLogin=true EnableOAuth2SAML2Grant=false #Url to do send SAML2 SSO AuthnRequest SAML2SSOURL=samlsso #Url to do initiate OAuth2 SAML2 Grant Request OAuth2SAML2GrantURL=token #Url to initiate OpenID Authentication Request OpenIdURL=openid #URIs to skip SSOAgentFilter; comma separated values SkipURIs=/travelocity.com/index.jsp #A unique identifier for this SAML 2.0 Service Provider application SAML2.SPEntityId=travelocity.com #The URL of the SAML 2.0 Assertion Consumer SAML2.AssertionConsumerURL=http://localhost:8080/travelocity.com/home.jsp #A unique identifier for this SAML 2.0 Service Provider application SAML2.IdPEntityId=localhost #The URL of the SAML 2.0 Identity Provider SAML2.IdPURL=https://localhost:9443/samlsso #Identifier given for the Service Provider for SAML 2.0 attributes #exchange #SAML2.AttributeConsumingServiceIndex=1701087467 #Specify if SingleLogout is enabled/disabled SAML2.EnableSLO=true #This is the URL that is used for SLO SAML2.SLOURL=logout #Specify if SAMLResponse element is signed SAML2.EnableResponseSigning=false #Specify if SAMLAssertion element is signed SAML2.EnableAssertionSigning=false #Specify if SAMLAssertion element is encrypted SAML2.EnableAssertionEncryption=false #Specify if AuthnRequests and LogoutRequests should be signed SAML2.EnableRequestSigning=false #Specify if SAML request is a passive SAML2.IsPassiveAuthn=false #Password of the KeyStore for SAML and OpenID KeyStorePassword=wso2carbon #Alias of the IdP's public certificate IdPPublicCertAlias=wso2carbon #Alias of the SP's private key PrivateKeyAlias=wso2carbon #Private key password to retrieve the private key used to sign #AuthnRequest and LogoutRequest messages PrivateKeyPassword=wso2carbon #OAuth2 token endpoint URL OAuth2.TokenURL=https://localhost:9443/oauth2/token #OAuth2 Client ID OAuth2.ClientId=Qn5DQHCYfshxeZh6R9SL1HM2lsMa #OAuth2 Client Secret OAuth2.ClientSecret=cbkAs1gajdwPAMbrSR54hPAIcz0a #OpenId Provider Url OpenId.ProviderURL=https://localhost:9443/openid/ #openid.return_to parameter OpenId.ReturnToURL=http://localhost:8080/travelocity.com/home.jsp #Custom SAML post binding request page #SAML.PostBinding.RequestPage=path/to/the/html #Additional request parameters #QueryParams=tenantDomain=-1234 #SAML2.IsForceAuthn=true #Specify whether the consumer requests user attributes from the provider OpenId.EnableAttributeExchange=true #Specify whether the consumer runs in dumb mode OpenId.EnableDumbMode=false
-
In the
travelocity.properties
file updatetenantDomain
query param with the newly created tenant domain.QueryParams=tenantDomain=tenant.domain
Tip
Tip : You can uncomment values in this file by removing the
\#
. -
In order to enable response signature validation from the Travelocity side, first, you need to download the public certificate of the tenant.
Note
If you have not enabled signature validation, proceed to the next step.
-
Login using tenant credentials to the management console and navigate to
Main > Manage > Keystores > List.
Click onPublic Key
link to download the certificate. -
Now you need to import this public certificate to
<APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes/wso2carbon.jks
file using the following command.keytool -import -alias <key_alias> -file <download_file> -keystore wso2carbon.jks
NOTE: Default password of the
wso2carbon.jks
iswso2carbon
. -
Update
IdPPublicCertAlias
property in the<APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties
with provided alias in the previous step.Note
It is possible to disable response signature validation from the Travelocity application using the
SAML2.EnableResponseSigning
property available in<APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties
file.
-
-
If you have made any changes to the port offset, you must ensure that this change is reflected in the port value of the following property in the
ravelocity.properties
file.SAML2.IdPURL=https://localhost:9443/samlsso
-
Restart Apache Tomcat and access the travelocity application. You will be able to log in using the identity provider credentials regardless of the tenant domain you are using. Access the travelocity application using the following: http://wso2is.local/travelocity.com/index.jsp
Related links
The following links provide additional information that may be relevant when attempting the instructions in this topic.
- See Configuring SAML SSO for information on using the travelocity.com application for single sign-on. This provides insight on some parameters used.
- See Adding and Configuring a Service Provider for information on creating a service provider using the WSO2 Identity Server management console.
- See Adding and Configuring an Identity Provider for information on creating an identity provider using the WSO2 Identity Server management console.
- See Configuring a SP and IdP Using Service Calls for information on creating a service provider or identity provider using admin services.