Skip to content

Configure an SP and IdP Using Configuration Files

This topic provides instructions on how to create a service provider and identity provider in WSO2 Identity Server using configuration files which is typically used during the deployment stage. This is configured so that multiple tenants in the Identity Server can have the same identity provider.

Even though this topic is not specifically about federated authentication, this scenario also addresses a federated authentication solution. This scenario requires two WSO2 Identity Server instances, where one acts as the external identity provider, and the other acts as the service provider. From this point onwards, the Identity Server instance that acts as the external identity provider will be referred to as identity provider IS and the instance that acts as the service provider will be referred to as service provider IS. Once the configurations are done, the service provider IS will have the travelocity application configured as a service provider and an identity provider configured and shared across its tenant space. This is illustrated via the following diagram.

configuring an sp and idp using configuration files

The following are the high level steps required for this scenario.

  1. Add the identity provider IS to the service provider IS as an identity provider.
  2. Add the service provider IS to the identity provider IS as a service provider.
  3. Add the application in the service provider IS as a service provider. This uses the identity provider created earlier (in step 1) as a federated authenticator.


The above processes can be easily done using WSO2 Identity Server Management Console, but the service provider and identity provider created in service provider IS, will only be visible to the tenant who creates them.

Therefore, difference here is that the identity provider and service provider in service provider IS are created using configuration files are available to all the tenants in service provider IS.

The following sections provide instructions on how to carry out the above steps.

Before you begin

Follow the instructions given below to setup two WSO2 Identity Server instances for this scenario.

  1. Download and install the two WSO2 Identity Server instances.
  2. Navigate to <IDENTITY_PROVIDER_IS_HOME>/repository/conf/deployment.toml and add an offset value to increment the port values in the identity provider IS so that there is no port conflict with the service provider IS. Port conflicts occur when multiple WSO2 product instances run on the same machine.



    To read more about new configurations, see New Configuration Model.

You have successfully setup the Identity Server instances. Now you can proceed to the the configuration steps.

Configure the federated identity provider

This section involves adding the service provider IS as a service provider in the identity provider IS from the management console.

  1. Start the identity provider IS and access WSO2 Identity Server Management Console (https://<IS_HOST>:<PORT>/carbon). Refer [Run the Product(
  2. Navigate to the Main > Identity > Service Providers > Click Add.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. 

    NOTE: For this scenario, enter the Service Provider Name as ServiceProviderSP_IS.

  4. Click Register to add the service provider.

  5. Expand the Inbound Authentication and SAML2 Web SSO Configuration sections and click Configure.
  6. Configure the following properties.

    Configurations to be done Description
    IssuertravelocitySP This must be the same as the value you enter for the Service Provider Entity Id when configuring the identity provider in the service provider IS.
    Assertion Consumer URL ­: https://localhost:9443/commonauth This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should be defined in this format: https://(host-name):(port)/acs .
    Enable Single Logout When single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile.
  7. Click Register to save your changes.

Add an identity provider

This section involves adding the identity provider IS as an identity provider in the service provider IS via a file.

Create a file named identityProviderIDP_IS.xml inside the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/identity­-providers directory and add the following content into it. These configurations basically add the identity provider in the service provider IS. Additionally, this has the configurations necessary for a federated authentication scenario.



Here, travelocitySP must be the same value as the value configured as the Issuer in the identity provider IS.


When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.



This configuration will only allow the file based identity provider to be visible in file based service providers. Additionally, it will only be visible to the super tenant. To make it visible across tenants and in the SP registration UI, add the prefix SHARED\_ before the identity provider name to the <IdentityProviderName> element, as seen below.


Adding this prefix allows this identity provider to be shared between the service providers. Consequently, it will also be shown in the UI drop down as a federated identity provider when configuring a service provider.

Add a certificate

Add the certificate value to the identityProviderIDP_IS.xml file within the <Certificate> tag.


The following is a sample command to export the public certificate in PEM format in WSO2 Identity Server. Navigate to the <IDENTITY_PROVIDER_IS_HOME>/repository/resources/security folder and use the following command.

keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem
Open the certificate file with a notepad so you see the certificate value. Copy this certificate value and add it within the <Certificate> tag.


Use the above command only if the identity provider is the WSO2 Identity Server. If the identity provider is a third party IDP, then you can get the certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it within the <Certificate> tag.

Add a service provider

This section involves adding the application as a service provider in the service provider IS via a file.

  1. Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration under the <SSOIdentityProviderConfig> properties
    <ServiceProviders> tag . This adds the travelocity application as a service provider.

    Additional configs to sso-idp-config.xml


    If the incoming SAML requests from the client (e.g., ) are signed, and the service provider identity server instance needs to validate the signature included in the authentication and logout requests, do the following:

    1. Import the public certificate of the client to the primary keystore (e.g., wso2carbon.jks )
    2. Add the corresponding certificate alias name to the <CertAlias> property and set the <ValidateSignatures> property to true in the sso-idp-config.xml file.

    In the above configuration, the single logout is supported by Back-Channel Logout. In order to use SAML Front-Channel Logout, add the following properties under <ServiceProvider> tag.

    To enable SAML Front-Channel Logout with HTTP Redirect Binding


    To enable SAML Front-Channel Logout with HTTP POST Binding


  2. Create a file named in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory. Add the following configurations into the file you created. This adds the necessary SAML configurations to the travelocity service provider.


    If you added the SHARED\_ prefix to the identity provider name when adding the identity provider, replace the <IdentityProviderName> value (found under the <LocalAndOutBoundAuthenticationConfig> element) in the file, with the following value.

        <Description>travelocity Service Provider</Description>
        <subjectClaimUri> <!--selected URI --> </subjectClaimUri>
  3. Restart the WSO2 Identity Server to apply the file-based configurations to the system.


    WSO2 Identity Server Management Console will not show the SP-related configuration information if it is loaded through a file


Run the travelocity application


  • Download Apache Tomcat 8.x and install it. Tomcat server installation location will later be referred to as <TOMCAT_HOME> in this guide.

  • It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify your machine's /etc/hosts entry to reflect this.


    Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.

CORS configuration

SAML2 POST Binding requires CORS configurations to be set up.

Before configuring the service provider, add the following configurations to the deployment.toml file found in <IS_HOME>/repository/conf/. Adding this configuration allows HTTP POST requests.

``` toml
allow_generic_http_requests = true
allow_any_origin = false
allowed_origins = [
allow_subdomains = false
supported_methods = [
support_any_header = true
supported_headers = []
exposed_headers = []
supports_credentials = true
max_age = 3600
tag_requests = false

Download the sample

To be able to deploy a WSO2 Identity Server sample, you need to download it onto your machine first.

Follow the instructions below to download the sample from GitHub.

  1. Navigate to WSO2 Identity Server Samples.

  2. Download the file from the latest release assets.

Deploy the sample web app

Deploy this sample web app on a web container.

  1. Copy the into the webapps folder. For example, <TOMCAT_HOME>/apache-tomcat-<version>/webapps

  2. Open a terminal window and add the following entry to the /etc/hosts file of your machine to configure the hostname.   wso2is.local

    Why is this step needed?

    Some browsers do not allow you to create cookies for a naked hostname, such as localhost. Cookies are required when working with SSO . Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the etc/host file as explained in this step.

    The etc/host file is a read-only file. Therefore, you won't be able to edit it by opening the file via a text editor. Instead, edit the file using the terminal commands.
    For example, use the following command if you are working on a Mac/Linux environment.

    sudo nano /etc/hosts
  3. Open the file found in the <TOMCAT_HOME>/webapps/ directory and configure the following property with the hostname ( wso2is.local ) that you configured above.

    #The URL of the SAML 2.0 Assertion Consumer
  4. Restart the Tomcat server.

To check the sample application, navigate to http://<TOMCAT_HOST>:<TOMCAT_PORT>/ on your browser.

For example, http://wso2is.local:8080/


If you wish to change properties like the issuer ID, consumer URL, and IdP URL, you can edit the file found in the directory. Also if the service provider is configured in a tenant you can use "QueryParams" property to send the tenant domain.For example, "".

This sample uses the following default values.

Properties Description A unique identifier for this SAML 2.0 service provider application
SAML2.AssertionConsumerURL= http://wso2is.local:8080/ The URL of the SAML 2.0 Assertion Consumer
SAML2.IdPURL= https://localhost:9443/samlsso The URL of the SAML 2.0 identity provider
SAML2.IsPassiveAuthn=true Set this to send SAML2 passive authentication requests

If you edit the file, restart the Apache Tomcat server for the changes to take effect.


Check whether you have enabled following configurations while adding the service provider in the identity provider IS. You can check this by navigating to Main > Identity > Service Providers > List > Click Edit in the corresponding SP > Inbound Authentication Configuration > SAML2 Web SSO Configuration > Edit.

SAML2 web SSO configuration

If you have not enabled the configs, add the following configs to travelocity as well.

  1. Stop tomcat if it is already running.
  2. Navigate to <TOMCAT_HOME>/webapps/­INF/classes/ file and change the following configs to false if they are configured to true.
#Specify if SAMLResponse element is signed

#Specify if SAMLAssertion element is signed

#Specify if AuthnRequests and LogoutRequests should be signed

Test with tenants

Now you can test if the configurations you have done work in a tenant scenario.

  1. Create new tenants in the service provider IS.


    You cannot provide access to the service provider and identity provider for a specific tenant domain. This is accessible to all the tenants configured.

  2. Open the <TOMCAT_HOME>/webapps/­INF/classes/ file.


    If the tomcat server is running, you need to stop the server.

    Full contents of the file
    #Url to do send SAML2 SSO AuthnRequest
    #Url to do initiate OAuth2 SAML2 Grant Request
    #Url to initiate OpenID Authentication Request
    #URIs to skip SSOAgentFilter; comma separated values
    #A unique identifier for this SAML 2.0 Service Provider application
    #The URL of the SAML 2.0 Assertion Consumer
    #A unique identifier for this SAML 2.0 Service Provider application
    #The URL of the SAML 2.0 Identity Provider
    #Identifier given for the Service Provider for SAML 2.0 attributes 
    #Specify if SingleLogout is enabled/disabled
    #This is the URL that is used for SLO
    #Specify if SAMLResponse element is signed
    #Specify if SAMLAssertion element is signed
    #Specify if SAMLAssertion element is encrypted
    #Specify if AuthnRequests and LogoutRequests should be signed
    #Specify if SAML request is a passive
    #Password of the KeyStore for SAML and OpenID
    #Alias of the IdP's public certificate
    #Alias of the SP's private key 
    #Private key password to retrieve the private key used to sign 
    #AuthnRequest and LogoutRequest messages
    #OAuth2 token endpoint URL
    #OAuth2 Client ID
    #OAuth2 Client Secret
    #OpenId Provider Url
    #openid.return_to parameter
    #Custom SAML post binding request page
    #Additional request parameters
    #Specify whether the consumer requests user attributes from the provider
    #Specify whether the consumer runs in dumb mode
  3. In the file update tenantDomain query param with the  newly created tenant domain.



    You can uncomment values in this file by removing the \#.

  4. In order to enable response signature validation from the Travelocity side, first, you need to download the public certificate of the tenant.


    If you have not enabled signature validation, proceed to the next step.

    1. Log in using tenant credentials to WSO2 Identity Server Management Console (https://<IS_HOST>:<PORT>/carbon) and navigate to Main > Manage > Keystores > List. Click on Public Key link to download the certificate.

      download public key certificate

    2. Now you need to import this public certificate to <APACHE_HOME>/webapps/ file using the following command.

      keytool -import -alias <key_alias> -file <download_file> -keystore wso2carbon.jks


      Default password of the wso2carbon.jks is wso2carbon.

    3. Update the IdPPublicCertAlias property in <APACHE_HOME>/webapps/ with provided alias in the previous step.


      It is possible to disable response signature validation from the Travelocity application using the SAML2.EnableResponseSigning property available in the <APACHE_HOME>/webapps/ file.

  5. If you have made any changes to the port offset, you must ensure that this change is reflected in the port value of the following property in the file.

  6. Restart Apache Tomcat and access the travelocity application. You will be able to log in using the identity provider credentials regardless of the tenant domain you are using. Access the travelocity application using http://wso2is.local/