This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Configuring a Resident Identity Provider - Identity Server 5.0.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

WSO2 Identity Server can mediate authentication requests between service providers and identity providers. At the same time, the Identity Server itself can act as a service provider and an identity provider. When it acts as an identity provider it is known as the resident identity provider. This basically converts the Identity Server into a federated hub.

The resident identity provider configuration is very relevant for you if you are a service provider and want to send an authentication request or a provisioning request to the Identity Server (say via SAML, OpenID, OpenID Connect, SCIM, and WS-Trust).

Resident identity provider configuration is a one time configuration for a given tenant. It basically shows you the Identity Server's metadata, like the endpoints. In addition to the metadata, you can configure this if you want to secure the WS-Trust endpoint with a security policy.

Follow the instructions below to configure a resident identity provider.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.
  3. Click the Resident Identity Provider link.
  4. The Resident Identity Provider page appears.
  5. Enter a Home Realm Identifier for the resident identity provider. Enter multiple identifiers as a comma separated list.
  6. Configure inbound authentication if required. This is not mandatory for creating a resident identity provider.
    • Set the Identity Provider Entity Id under SAML2 Web SSO Configuration. Specifying this gives the tenant identification, so any users provisioned through this tenant can be identified as such.

    • Configure the WS-Trust/WS-Federation (Passive). For more information on this, see here.

  7. Click Update.
  8. Click Ok to the confirmation message that appears.

Note the following information regarding the URLs on this screen.

About URLs

You can modify the host name of these URLs by changing the value in the <IS_HOME>/repository/conf/carbon.xml file using the following configuration.


Once you update the host name in the carbon.xml file, change the URL to reflect the new host name in the <IS_HOME>/repository/conf/identity.xml file.


The above URL is used for destination validation of the SAML request. The Identity Server compares the value of the "destination" inside the SAML request with the URL in the above configuration. This is done to ensure that the correct application is communicating with the right identity provider.

  • No labels