Set up identity federation between two WSO2 IS instances using SAML2 Web SSO, where one acts as the federation hub (primary IdP) and the other acts as the authenticating IdP (secondary IdP).
Both are fronted by nginx, which hides the server characteristics (and the very existence) of the Identity Servers from clients.
Prerequisites:
1. WSO2 IS 5.0.0 - two servers
2. A web server to host the Service Provider(s), e.g. Tomcat 7.0.x
Note: In this sample, SAML request signing is done only between the primary IdP and the secondary IdP, because WSO2 IS already ships with a self-signed certificate and public/private key pair by default (Location: <carbon_home>
If you want to create your own self-signed certificate, refer to this blog post.
Steps:
1. Configure nginx by modifying the /etc/nginx/sites-enabled/default file. You can refer to this blog post.
I have provided the configured file.
2. Use the following link to check out and configure the Service Provider (the travelocity sample application):
https://docs.wso2.com/display/IS460/Configuring+SAML2+SSO
(Refer to the 'Configuring the web app' section only.)
I have provided the configured travelocity.properties file.
3. Change the following configs in the Primary IDP:
<carbon_home>
4. Log in to the Primary IDP management console.
5. Register an identity provider (this represents the Secondary IDP):
- Identity Provider Name: Any meaningful name
- Identity Provider Public Certificate: Export the Secondary IDP's public certificate in PEM format and upload it. The Primary IDP uses it to verify the signatures on the SAML responses it receives.
- Alias will be auto-generated as follows:
5.1 Expand Federated Authenticators and configure the SAML2 Web SSO Configuration:
- Tick Enable SAML2 Web SSO
- Identity Provider Entity Id: Any meaningful name
- Service Provider Entity Id: Any meaningful name (this value is required as the Issuer when registering the service provider in the Secondary IDP, step 9)
- Set the SSO URL to https://identity-dev2.is.com/samlsso/ (the Secondary IDP's SAML endpoint as exposed through nginx)
- Tick Enable Authentication Request Signing
- Tick Enable Logout
- Tick Enable Logout Request Signing
- SAML2 Web SSO User ID Location: Tick 'User ID found in Name Identifier'
6. Register a service provider (the travelocity application):
- Service Provider Name: Any meaningful name
- Issuer: travelocity.com (the same value provided in the travelocity.properties file for SAML.IssuerID)
- Assertion Consumer URL: http://localhost:8080/travelocity.com/samlsso-home.jsp (the same value provided in the travelocity.properties file for SAML.ConsumerUrl)
- Tick Use fully qualified username in the NameID
- Tick Enable Single Logout
- Tick Enable Attribute Profile
6.2 Expand Local & Outbound Authentication Configuration, choose Federated Authentication as the Authentication Type and select the identity provider created in step 5.
Save the configuration.
7. Change the following configs in the Secondary IDP:
<carbon_home>
8. Log in to the Secondary IDP management console.
9. Register a service provider (this represents the Primary IDP):
- Service Provider Name: Any meaningful name
- Issuer: the same value provided in 5.1 for Service Provider Entity Id
- Assertion Consumer URL: Any placeholder value. Because signature validation is enabled for this service provider (below), the Secondary IDP trusts the AssertionConsumerServiceURL carried in the signed request from the Primary IDP instead of validating it against this registered value. The flip side is that whoever holds the Primary IDP's signing key can direct assertions to an ACS URL of their choosing, so keep that key private.
- Tick Use fully qualified username in the NameID
- Tick Enable Signature Validation in Authentication Requests and Logout Requests
- Tick Enable Single Logout
- Tick Enable Attribute Profile
Now all the configurations are done.
10. You can access the travelocity application with the URL below:
http://localhost:8080/travelocity.com
Note: If you are using Firefox, install the SAML tracer add-on to view the decoded SAML requests and responses easily (they are only Base64-encoded and deflated, not encrypted).
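The tracer shows the AuthnRequest that the Primary IDP redirects the browser to the Secondary IDP with, after Base64-decoding and inflating it. The following Python does the same decoding offline for a constructed request and checks the fields the two consoles must agree on: the Issuer must equal the Service Provider Entity Id from step 5.1 (registered as the Issuer in step 9), the Destination must equal the SSO URL set in 5.1, and the request must carry a signature since signature validation is enabled. This is an added example, not code from the post or from WSO2; the entity id, the primary IdP hostname and the Signature value are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the walkthrough: the SSO URL set in step 5.1 is the Destination the
# primary IdP must address, and the Service Provider Entity Id from 5.1 becomes the
# Issuer registered in step 9. The entity id and the primary host are assumed values.
SECONDARY_SSO_URL = "https://identity-dev2.is.com/samlsso/"
SP_ENTITY_ID = "primary-hub-sp"                                  # assumed
PRIMARY_ACS_URL = "https://primary-idp.example.com/commonauth"   # assumed host


def build_authn_request(issuer, destination, acs_url, request_id="_c0ffee"):
    """Constructed sample AuthnRequest shaped like the one the primary IdP emits."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2015-01-01T00:00:00Z" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return base64.b64encode(body).decode("ascii")


def redirect_binding_decode(saml_request_param):
    """Reverse of the above; this is all a SAML tracer does to show you the XML."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def sample_redirect_url():
    """The redirect the primary IdP would send the browser to (constructed sample).
    The Signature value is a placeholder; the secondary IdP verifies the real one
    with the certificate uploaded in step 5."""
    encoded = redirect_binding_encode(
        build_authn_request(SP_ENTITY_ID, SECONDARY_SSO_URL, PRIMARY_ACS_URL)
    )
    params = {
        "SAMLRequest": encoded,
        "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "Signature": base64.b64encode(b"placeholder-not-a-real-signature").decode(),
    }
    return SECONDARY_SSO_URL + "?" + urlencode(params)


def inspect_redirect_url(url):
    """Decode a SAMLRequest redirect URL and return the fields to compare with the config."""
    qs = parse_qs(urlsplit(url).query)
    root = ET.fromstring(redirect_binding_decode(qs["SAMLRequest"][0]))
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # With the Redirect binding the signature is in the query string, not the XML.
        "signature_present": "Signature" in qs and "SigAlg" in qs,
    }


def check_against_config(fields, expected_issuer=SP_ENTITY_ID,
                         expected_sso_url=SECONDARY_SSO_URL):
    """Return the mismatches between the request and the values from steps 5.1 and 9."""
    problems = []
    if fields["issuer"] != expected_issuer:
        problems.append(f"Issuer {fields['issuer']!r} != registered {expected_issuer!r}")
    if fields["destination"] != expected_sso_url:
        problems.append(f"Destination {fields['destination']!r} != SSO URL {expected_sso_url!r}")
    if not fields["signature_present"]:
        problems.append("request is unsigned but signature validation is enabled")
    return problems


if __name__ == "__main__":
    fields = inspect_redirect_url(sample_redirect_url())
    for key, value in fields.items():
        print(f"{key:18} {value}")
    print("problems:", check_against_config(fields) or "none")
```

Paste a real SAMLRequest redirect URL copied from the tracer into inspect_redirect_url to compare what the Primary IDP actually sends with what was typed into the Secondary IDP console; the acs_url field shows the /commonauth endpoint that the Secondary IDP will honour in place of the placeholder registered in step 9.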