
Mar 28, 2014


SAML2.0 SSO with WSO2 Identity Server

This blog post describes SAML 2.0 SSO behaviour using WSO2 Identity Server. I will walk through a very simple scenario to show how the SAML exchange works.

A single sign-on system has two basic roles: the Service Provider and the Identity Provider, with a predefined trust relationship between them. When a user tries to access the Service Provider, the Identity Provider authenticates and authorizes the user and then issues assertions, and the Service Provider trusts the assertions issued by the Identity Provider.

Some advantages of SSO are that users need only one username and password to access many services, and that users are authenticated only once by the Identity Provider and are then redirected automatically to the other services. The following diagram illustrates the scenario.




In this scenario I have used two Identity Server instances, one as the Identity Provider and one as the Service Provider.

Applies to: WSO2 Identity Server 4.6.0

Configure Identity Provider


  • Start WSO2 Identity Server and access the Management Console
  • Click on SAML SSO under the Manage section
  • A window to configure the Service Provider opens
  • Click on 'Register New Service Provider' and provide the details as follows.
eg: Issuer - carbonServer
      Assertion Consumer URL - https://localhost:9444/acs

  • Click on Update; the service provider has now been added successfully.


Configure Service Provider

  • Change the offset to '1' in $IS_HOME/repository/conf/carbon.xml: <Offset>1</Offset>

  • Then, to add the authenticator configuration for SAML2SSOAuthenticator, open $IS_HOME/repository/conf/security/authenticators.xml and include the following:

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>10</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">carbonServer</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
            <Parameter name="AssertionConsumerServiceURL">https://localhost:9444/acs</Parameter>
        </Config>
    </Authenticator>



Note: The ServiceProviderID must be the issuer name registered at the Identity Provider (carbonServer in this example).

Testing the Sample

Note: In the above configuration the authenticator is enabled by setting disabled to "false".


  • Add the SAML 2 Tracer plugin to the browser and start tracing
  • Start the Identity Provider by navigating to $IS_HOME/bin in a command window and running wso2server.sh
  • Start the Service Provider and try to log in by providing credentials.
  • In the SAML tracer you can then see the request sent to the Identity Provider by the Service Provider, as shown below
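As an added illustration (not code from this post or from WSO2), the following Python script builds the AuthnRequest that the Service Provider redirects to the Identity Provider's /samlsso endpoint, decodes it the same way the SAML tracer does, and checks that its Issuer and AssertionConsumerServiceURL match the values registered at the Identity Provider above. The request ID, the timestamp and the absence of a signature are assumptions made for the sample.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Values taken from the post's configuration: the IdP SSO endpoint and the
# issuer / ACS URL registered for the service provider.
IDP_SSO_URL = "https://localhost:9443/samlsso"
SP_ISSUER = "carbonServer"
SP_ACS_URL = "https://localhost:9444/acs"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(issuer, acs_url, request_id, issue_instant):
    """Build the (unsigned) AuthnRequest XML an SP sends; constructed sample."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": NAMEID_FORMAT, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def redirect_url(xml_text, sso_url=IDP_SSO_URL):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return sso_url + "?" + urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(raw).decode()})


def decode_redirect(url):
    """Reverse the binding (what the SAML tracer shows) and extract the fields to check."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "acs": root.get("AssertionConsumerServiceURL")}


def matches_registration(fields, issuer=SP_ISSUER, acs=SP_ACS_URL):
    """The IdP should only honour a request whose Issuer and ACS URL match the registered SP."""
    return fields["issuer"] == issuer and fields["acs"] == acs
```

If the Issuer in the traced request differs from the issuer registered under SAML SSO, the Identity Provider has no matching service provider entry and the login will not complete.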


