Sending attachements with with WSO2 ESB via MTOM

Prerequisites:

WSO2 ESB 4.8.1
WSO2 ESB 4.8.1 service pack1 (This is yet to release)
SoapUI 4.5.1

Environment:
Ubuntu
Java Runtime

Steps:

Enable backend service

1. Apply the sp1 to ESB 4.8.1
2. Go to /samples/axis2Server/src/MTOMSwASampleService and run 'ant'. Once it is build successfully, go to /samples/axis2Server and start the server as follows:
/axis2server.sh

3.Now you will be able to access the wsdl file of MTOMSwASampleService via below url:
http://localhost:9000/services/MTOMSwASampleService?wsdl

Configure ESB

3.1 Save the wsdl file as MTOMSwASampleService.wsdl and copy it to /repository/samples/resources/proxy directory.

4. Start ESB and login via console.
5. Create three dynamic sequences and save them in config regitry as follows:

Go to Manage->Service Bus->Sequences and click on Add Sequence.

•  InSeq

Sequence Name: InSeq
Click on Add Child->Core->Send and add a Send mediator.
Select Endpoint Type: Define Inline and click on Add button.
Create Address Endpoint.
Address: http://localhost:9000/services/MTOMSwASampleService

Show Advanced Options->Message Content
Optimize: MTOM
Hit 'Save & Close'.
Hit 'Update'.
Hit 'Save in Registry'.
Hit 'Save & Close'.

• OutSeq

Sequence Name: OutSeq
Click on Add Child->Core->Send and add a Send mediator.
Hit 'Update'.
Hit 'Save in Registry'.
Hit 'Save & Close'.

• ErrorSeq

Sequence Name:ErrorSeq
Hit 'Save in Registry'.
Hit 'Save & Close'.

6.  Go to Manage->Service Bus->Source View and paste the config
P.S: Ignore the names as they are dump values
Hit Update.

Setup SoapUI

7. Start SoapUI.
Click on 'New SoapUI project' and paste below wsdl url.
http://localhost:8280/services/StockQuoteProxy?wsdl

8. Click on 'uploadFileUsingMTOM' request in soap11 binding.
10. Edit current url as follows:
http://localhost:8280/services/StockQuoteProxy.StockQuoteProxyHttpSoap12Endpoint

9. Attach a image via attachment window. Click yes for  'cache attachment in request'.
10. Modify the request as depicted in the image below and change the value of image name according to your image name:

11. Now you can send the request. You will receive the attachment as the response as follows:

References:
https://axis.apache.org/axis2/java/core/docs/mtom-guide.html
https://docs.wso2.com/pages/viewpage.action?pageId=33136025

WSO2 Identity Server as a Federation Hub

Requirement:
Setup identity federation with two WSO2 IS instance with SAML2 Web SSO, one acts as a Federation hub (primary idp) and the other acts as the IDP (secondary idp).
These are fronted by nginx to hide the original characteristics and the existence of the Identity Servers.

 Prerequisits:
1. WSO2 IS 5.0.0 - two servers
2. Web Server to host Service Provide(s). e.g: Tomcat 7.0.x

Note: In this sample SAML request signing will be done only between primary idp and secondary idp as we already have self signed certificate, public/private key pairs available in WSO2 IS by default (Location:<carbon_home>/repository/resources).
If you want to create your own self signed certificate, refer this blog post.

Steps:

1. Configure nginx and modify /etc/nginx/sites-enabled/default file. You can refer the this blog post.

I have provided the configured file.

2. Use the following link to checkout and configure Service provider (travelocity application)
https://docs.wso2.com/display/IS460/Configuring+SAML2+SSO
(Refere the 'Configuring the web app' section only)
I have provided the configured travelocity.properties file.

3. Change the following configs in Primary IDP.
<carbon_home>/repository/conf/tomcat/catalina-server.xml add proxy port pointing load balancers port(i.e 443).
 <carbon_home>/repository/conf/carbon.xml change the hostname to identity-dev1.is.com 
4.Login to the Primary IDP console. 
5. Register a identity provider

• Identity Provider Name: Any meaningful name
• Identity Provider Public Certificate: Export the public certificate in pem format and upload it.

keytool -export -alias mycert -keystore wso2carbon.jks -storepass wso2carbon -file mycert.pem

• Alias will be auto generated as follows:

https://identity-dev1.is.com:443/oauth2/token/

5.1 Expand Federated Authenticators and configure SAML2 Web SSO Configuration.

• Tick Enable SAML2 Web SSO
• Identity Provider Entity Id: Any meaningful name
• Service Provider Entity Id: Any meaningful name (This value is required when registering service provider in Secondary IDP)
• Set the SSO URL to https://identity-dev2.is.com/samlsso/ 
• Tick Enable Authentication Request Signing
• Tick Enable Logout
• Tick Enable Logout Request Signing
• SAML2 Web SSO User ID Location: Tick User ID found in 'Name Identifier' 

Save the configurations.
6. Register a service provider

•  Service Provider Name: Any meaningful name

6.1 Expand Inbound Authentication Configuration and configure SAML2 Web SSO Configuration

• Issuer: travelocity.com (same value provided in travelocity.properties file for SAML.IssuerID)
• Assertion Consumer URL: http://localhost:8080/travelocity.com/samlsso-home.jsp (same value provided in travelocity.properties file for SAML.ConsumerUrl)
• Tick Use fully qualified username in the NameID
• Tick  Enable Single Logout
• Tick Enable Attribute Profile

Save the configurations.

6.2 Expand Local & Outbound Authentication Configuration and choose Authentication Type as Federated Authentication and select the identity provider created in step 5

 Save the configurations.

7.  Change the following configs in Secondary IDP.
 <carbon_home>/repository/conf/tomcat/catalina-server.xml add proxy port pointing load balancers port(i.e 443).
 <carbon_home>/repository/conf/carbon.xml change the hostname to identity-dev2.is.com and offset to 1
8. Login to Secondary IDP console
9. Register a service provider

•  Service Provider Name: Any meaningful name

9.1 Expand Inbound Authentication Configuration and configure SAML2 Web SSO Configuration

• Issuer: same value provided in 5.1 for Service Provider Entity Id
• Assertion Consumer URL: Any garbage value as signing SAML with CA certificate will skip this acs URL validation
• Tick Use fully qualified username in the NameID
• Tick  Enable Signature Validation in Authentication Requests and Logout Requests 
• Tick Enable Single Logout
• Tick Enable Attribute Profile

 Save the configurations.

 Now all the configurations are done.

10. You can access travelocity application with below url:

htttp://localhost:8080/travelocity.com

Note: If you are using firefox  install SSO tracer plugin to view decrypted SAML requests easily.