This documentation is for WSO2 Governance Registry 5.3.0.

Single Sign-On (SSO) is a major requirement when deploying WSO2 G-Reg Publisher and Store. SSO allows you to gain access to multiple applications when you are authenticated against one application. It is a common solution for repeated authentication.

Configuring single sign-on in WSO2 G-Reg

To enable single sign-on in a standalone WSO2 G-Reg server instance, set the authentication method to SSO in the following files:

  • <G-REG_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json
  • <G-REG_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json

    "authentication": {
        "activeMethod": "sso",

Configuring WSO2 IS as an External Identity Provider

WSO2 Identity Server (IS) supports configuring SSO in WSO2 G-Reg out of the box. This scenario uses WSO2 G-Reg and WSO2 IS products to demonstrate configurations. It uses two WSO2 G-Reg instances for Publisher and Store, and one WSO2 IS instance as the external IdP.

[Diagram: SSO deployment]

Step 1 - sharing the user store

This scenario uses an Oracle JDBC user store as the user store.

<IS_HOME> refers to the home directory of the WSO2 IS server node. All <GREG_HOME> references relate to both Publisher and Store nodes. Therefore, you have to repeat the configurations mentioned below in both WSO2 G-Reg server instances.

  1. Create an Oracle database (e.g., 'grg520umdb').
  2. Add the datasource configuration below to the following files:
    • <G-REG_HOME>/repository/conf/datasources/master-datasources.xml
    • <IS_HOME>/repository/conf/datasources/master-datasources.xml

     <datasource>
           <name>WSO2_UM_DB</name>
           <description>The datasource used for user manager</description>
           <jndiConfig>
             <name>jdbc/UM_DB</name>
           </jndiConfig>
           <definition type="RDBMS">
             <configuration>
               <url>jdbc:oracle:thin:@192.168.10.2:1521/PDBORA12C</url>
               <username>grg520umdb</username>
               <password>grg520umdb</password>
               <driverClassName>oracle.jdbc.driver.OracleDriver</driverClassName>
               <maxActive>120</maxActive>
               <maxWait>900000</maxWait>
               <testOnBorrow>true</testOnBorrow>
               <validationQuery>SELECT 1 FROM DUAL</validationQuery>
               <validationInterval>30000</validationInterval>
             </configuration>
           </definition>
     </datasource>
  3. Download and copy the Oracle JDBC driver JAR file to the following directories:

    • <G-REG_HOME>/repository/components/lib/
    • <IS_HOME>/repository/components/lib/
  4. Change the JNDI config name as follows in the following files:
    • <G-REG_HOME>/repository/conf/user-mgt.xml
    • <IS_HOME>/repository/conf/user-mgt.xml

     <Realm>
         <Configuration>
             ...
             <Property name="dataSource">jdbc/UM_DB</Property>
         </Configuration>
         ...
     </Realm>
  5. Make the following changes in the <IS_HOME>/repository/conf/user-mgt.xml file to disable the default LDAP user store of WSO2 IS, since this scenario uses a JDBC user store:
    • Comment out the following line: <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    • Uncomment and enable the following line: <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">

Step 2 - sharing and mounting the Registry space

Follow the steps below to share and mount the Registry space of WSO2 G-Reg in all nodes.

  1. Create an Oracle database (e.g., 'grg520regdb').
  2. Add the datasource configuration below to the following files:
    • <G-REG_HOME>/repository/conf/datasources/master-datasources.xml
    • <IS_HOME>/repository/conf/datasources/master-datasources.xml

     <datasource>
        <name>WSO2_REG_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:oracle:thin:@192.168.10.2:1521/PDBORA12C</url>
                <username>grg520regdb</username>
                <password>grg520regdb</password>
                <driverClassName>oracle.jdbc.driver.OracleDriver</driverClassName>
                <maxActive>120</maxActive>
                <maxWait>900000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1 FROM DUAL</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
     </datasource>
  3. Add the content below to the following files to mount the Registry:
    • <G-REG_HOME>/repository/conf/registry.xml
    • <IS_HOME>/repository/conf/registry.xml

    Do not change the existing "wso2registry" dbConfig.

    <dbConfig name="registry">
        <dataSource>jdbc/REG_DB</dataSource>
    </dbConfig>
    <remoteInstance url="https://serverIP:9443/registry">
        <id>gregid</id>
        <dbConfig>registry</dbConfig>
        <readOnly>false</readOnly>
        <registryRoot>/</registryRoot>
        <enableCache>true</enableCache>
        <cacheId>greg520regdb@jdbc:oracle:thin:@192.168.10.2:1521/PDBORA12C</cacheId>
    </remoteInstance>
    <mount path="/_system/config" overwrite="true">
        <instanceId>gregid</instanceId>
        <targetPath>/_system/config</targetPath>
    </mount>
    <mount path="/_system/governance" overwrite="true">
        <instanceId>gregid</instanceId>
        <targetPath>/_system/governance</targetPath>
    </mount>
  4. Start the servers with the -Dsetup startup parameter, or run the scripts in the following files, to create the necessary tables in each database.

    • <G-REG_HOME>/dbscripts/oracle.sql
    • <IS_HOME>/dbscripts/oracle.sql
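Steps 1 and 2 wire three files together by JNDI name, and a mismatch (for example a typo in jdbc/REG_DB) only surfaces at server start. The following Python check, added here and not part of WSO2 G-Reg, parses constructed fragments of master-datasources.xml, user-mgt.xml and registry.xml and reports any referenced JNDI name that has no datasource definition.

```python
# Added example (not WSO2 code): cross-check the JNDI names referenced from
# user-mgt.xml and registry.xml against the datasources defined in
# master-datasources.xml. All three inputs are constructed fragments.
import xml.etree.ElementTree as ET

MASTER_DATASOURCES = """<datasources-configuration>
  <datasources>
    <datasource><name>WSO2_CARBON_DB</name>
      <jndiConfig><name>jdbc/WSO2CarbonDB</name></jndiConfig></datasource>
    <datasource><name>WSO2_UM_DB</name>
      <jndiConfig><name>jdbc/UM_DB</name></jndiConfig></datasource>
    <datasource><name>WSO2_REG_DB</name>
      <jndiConfig><name>jdbc/REG_DB</name></jndiConfig></datasource>
  </datasources>
</datasources-configuration>"""

USER_MGT = """<UserManager><Realm><Configuration>
  <Property name="dataSource">jdbc/UM_DB</Property>
</Configuration></Realm></UserManager>"""

REGISTRY = """<wso2registry>
  <dbConfig name="wso2registry"><dataSource>jdbc/WSO2CarbonDB</dataSource></dbConfig>
  <dbConfig name="registry"><dataSource>jdbc/REG_DB</dataSource></dbConfig>
</wso2registry>"""


def defined_jndi_names(master_xml):
    """JNDI names published by <datasource>/<jndiConfig>/<name> entries."""
    root = ET.fromstring(master_xml)
    return {n.text.strip() for n in root.iterfind(".//datasource/jndiConfig/name")}


def referenced_jndi_names(user_mgt_xml, registry_xml):
    """JNDI names that the realm and the registry dbConfigs try to look up."""
    refs = set()
    for p in ET.fromstring(user_mgt_xml).iterfind(".//Property[@name='dataSource']"):
        refs.add(p.text.strip())
    for d in ET.fromstring(registry_xml).iterfind(".//dbConfig/dataSource"):
        refs.add(d.text.strip())
    return refs


def missing_datasources(master_xml, user_mgt_xml, registry_xml):
    """Sorted list of referenced JNDI names with no datasource definition."""
    return sorted(referenced_jndi_names(user_mgt_xml, registry_xml)
                  - defined_jndi_names(master_xml))
```

Run it once per node (Publisher, Store and IS) after editing, since the page requires the same edits on every instance.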

Step 3 - configuring WSO2 IS as the Identity Provider

Follow the steps below to configure the WSO2 Identity Server (IS) node as the Identity Provider (IdP) by creating two service providers called 'publisher' and 'store'.

  1. Start the WSO2 IS server node, and log in to the Management Console using admin/admin credentials and the following URL: https://<IS_HOST>:<IS_PORT>/carbon/
  2. Click Main, then click Add in the Service Providers menu.
    [Screenshot: add new service provider]
  3. Enter 'publisher' for the Service Provider Name and click Register.
    [Screenshot: enter service provider name]
  4. Click Inbound Authentication Configuration, next click SAML2 Web SSO Configuration and then click Configure.
    [Screenshot: select SSO configuration]
  5. Enter the following details:
    • Issuer: Enter 'publisher' for this.
    • Assertion Consumer URLs: Enter the Assertion Consumer URL of the Publisher node (in this scenario it runs on the 192.168.10.5 server without a port offset), and click Add.
    • Enable Response Signing: Check this option.

      Import the public certificate that WSO2 IS selects through the Certificate Alias into the G-Reg Publisher and Store nodes; otherwise you will get SSL verification errors when logging in. This is only required when you use a keystore other than the default wso2carbon.jks keystore.

    • Enable Single Logout: Check this option.
    [Screenshot: register the provider for publisher]
  6. Click Register.
  7. Repeat the above instructions to create another service provider called 'store'.

    Enter 'store' for Issuer, and for the Assertion Consumer URL enter the URL of the Store node (in this scenario 'https://192.168.10.6:9443/store/acs', as it runs on the 192.168.10.6 server without a port offset).

    [Screenshot: register the provider for store]

Step 4 - enabling SSO in WSO2 G-Reg Publisher

Follow the steps below to enable Single Sign-On in the WSO2 G-Reg Publisher node.

  1. Change the following configurations in the <G-REG_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file.

    "authentication": {
        "activeMethod": "sso",
        "methods": {
            "sso": {
                "attributes": {
                    "issuer": "publisher",
                    "identityProviderURL": "https://192.168.10.3:9443/samlsso",
                    "responseSigningEnabled": "true",
                    "acs": "https://192.168.10.5/publisher/acs",
                    "identityAlias": "wso2carbon",
                    "useTenantKey": false,
                    "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                    "isPassive": false,
                    "validateAssertionValidityPeriod": false,
                    "validateAudienceRestriction": false,
                    "assertionSigningEnabled": false
                }
            },
  2. Enter the URL of the WSO2 G-Reg Store node as the value of the storeUrl parameter in the <G-REG_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file. (E.g., "storeUrl": "https://192.168.10.6:9443/store")

Step 5 - enabling SSO in WSO2 G-Reg Store

Change the following configurations in the <G-REG_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file to enable Single Sign-On in the WSO2 G-Reg Store node.

    "authentication": {
        "activeMethod": "sso",
        "methods": {
            "sso": {
                "attributes": {
                    "issuer": "store",
                    "identityProviderURL": "https://192.168.10.3:9443/samlsso",
                    "responseSigningEnabled": "true",
                    "acs": "https://192.168.10.6:9443/store/acs",
                    "identityAlias": "wso2carbon",
                    "useTenantKey": false,
                    "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                    "isPassive": false,
                    "validateAssertionValidityPeriod": false,
                    "validateAudienceRestriction": false,
                    "assertionSigningEnabled": false
                }
            },
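The "issuer" and "acs" values in Steps 4 and 5 must match the service providers registered in WSO2 IS in Step 3, and three of the attributes (validateAssertionValidityPeriod, validateAudienceRestriction, assertionSigningEnabled) switch off checks on the SAML Response. The following Python check, added here and not part of WSO2 G-Reg, parses a constructed copy of the store.json fragment, compares it with the registered service provider and lists which assertion checks are disabled.

```python
# Added example (not WSO2 code): check the "sso" attribute block of
# store.json / publisher.json against the service provider registered in
# WSO2 IS, and list the SAML assertion checks the configuration switches off.
import json

# Constructed input, modelled on the store.json fragment in Step 5.
STORE_JSON = """{
  "authentication": {
    "activeMethod": "sso",
    "methods": {
      "sso": {
        "attributes": {
          "issuer": "store",
          "identityProviderURL": "https://192.168.10.3:9443/samlsso",
          "responseSigningEnabled": "true",
          "acs": "https://192.168.10.6:9443/store/acs",
          "identityAlias": "wso2carbon",
          "validateAssertionValidityPeriod": false,
          "validateAudienceRestriction": false,
          "assertionSigningEnabled": false
        }
      }
    }
  }
}"""

# When false, each of these skips one check on the SAML Response the IdP returns.
RELAXED_CHECKS = ("validateAssertionValidityPeriod",
                  "validateAudienceRestriction",
                  "assertionSigningEnabled")


def check_sso_config(raw_json, sp_name, registered_acs):
    """Return findings as a list of strings; an empty list means no issues."""
    auth = json.loads(raw_json)["authentication"]
    findings = []
    if auth.get("activeMethod") != "sso":
        findings.append("activeMethod is not 'sso'")
    attrs = auth["methods"]["sso"]["attributes"]
    # Issuer and ACS must match the service provider created in Step 3.
    if attrs.get("issuer") != sp_name:
        findings.append(f"issuer {attrs.get('issuer')!r} != SP name {sp_name!r}")
    if attrs.get("acs") != registered_acs:
        findings.append(f"acs {attrs.get('acs')!r} != registered ACS {registered_acs!r}")
    if not str(attrs.get("identityProviderURL", "")).startswith("https://"):
        findings.append("identityProviderURL is not https")
    # The page writes this value as the string "true"; accept string or bool.
    if str(attrs.get("responseSigningEnabled")).lower() != "true":
        findings.append("responseSigningEnabled is off")
    findings += [f"{k} is disabled" for k in RELAXED_CHECKS if attrs.get(k) is not True]
    return findings
```

Run it against publisher.json with sp_name 'publisher' and the ACS you registered for that service provider as well.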

Now that Single Sign-On is enabled in all of them, start all the servers. When you log in to the WSO2 G-Reg Publisher using the 'https://192.168.10.5:9443/publisher/' URL, the browser redirects you to the IdP (WSO2 Identity Server) as shown below.

[Screenshot: browser redirection to WSO2 IS]
Enter your credentials and log in to the Publisher. Now, if you open the Store, you are automatically logged in to it as the same user. Likewise, if you log out of one application, you are automatically logged out of the other as well.