This documentation is for WSO2 Identity Server 5.3.0. View documentation for the latest release.

As an OAuth 2.0 Authorization Server, WSO2 Identity Server can accept SAML2 assertions from OAuth 2.0 clients as a means of resource owner authentication and authorization. It can also exchange such an assertion for an OAuth 2.0 access token, which the client then uses to access protected resources on behalf of the resource owner.

In this sample use case, we will see how a user is authenticated for the Travelocity sample application over SAML 2.0 via WSO2 Identity Server. We will also see how the Travelocity application exchanges the SAML assertion it received with WSO2 Identity Server for an OAuth access token, using the SAML2 Bearer Assertion Profile. Finally, we will see how an OAuth-protected resource can be accessed using that access token.

The diagram below illustrates the request/response flow for this sample use case, in which WSO2 Identity Server acts as both the Authorization Server and the Resource Server.

Configure OAuth/OpenID and SAML SSO

  1. See the Configuring Inbound Authentication for a Service Provider topic to configure the OAuth/OpenID Connect service provider. The access token will be issued for this application in exchange for the SAML2 assertion.

    • Make sure the SAML2 grant type is enabled under "Allowed Grant Types" in the configured OAuth/OpenID Connect application.
    • You can provide any valid URL as the Callback URL while configuring the OAuth2 application. This URL value is not used for any other operations during this sample.
  2. Configure single sign-on with the Travelocity sample.

    See Configuring Single Sign-On to configure the Travelocity application with WSO2 Identity Server.
  3. Navigate to Main > Service Providers > List and click Edit to modify the service provider you just created. Modify the following fields of the SAML configuration and click Update.

    Select the Enable Audience Restriction and Enable Recipient Validation fields and enter the following values:

    Audience : https://localhost:9443/oauth2/token

    Recipient : https://localhost:9443/oauth2/token

    If you have configured the service provider in a tenant, you have to add the tenant domain as a query parameter to the access token endpoint. If the tenant domain is, enter the following values:

    Audience : https://localhost:9443/oauth2/token?

    Recipient : https://localhost:9443/oauth2/token?

  4. Open the file found in the <TOMCAT_HOME>/webapps/ folder, edit the following configurations, and then restart the Tomcat server.

    OAuth2.ClientId=(enter the client id received at the application registration)
    OAuth2.ClientSecret= (enter the client secret received at the application registration)

    Optionally, you can provide the type of the user identified from the subject identifier of the SAML2 assertion. By default, the user type is set to FEDERATED.

    Add the following configuration to <CARBON_HOME>/repository/conf/identity/identity.xml under the <SAML2Grant> configuration to enable this feature.

    If your users are local, you can enable user type as,


    If your users are federated, you can enable user type as,


    If you need backward compatibility, enable user type as,


    Also, you can set the user type per request as,


    Restart the server to apply the configuration changes.

Running the sample

    1. Access the following URL: http://wso2is.local:8080/

      You are directed to the following page.

    2. Click here to log in with SAML from Identity Server. You are redirected to the Identity Server for authentication.
    3. Enter the username and password and click SIGN IN.

    4. Click Request OAuth2 Access Token to receive the access token. 

      You receive an access token as shown below: 

    5. Now, you can use the introspection endpoint of the Identity Server to get the token information. 

      curl -k -u <username>:<password> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<access token>' https://<IS_HOST>:<IS_PORT>/oauth2/introspect

      Example:

      curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=f3116b04-924f-3f1a-b323-4f0988b94f9f' https://localhost:9443/oauth2/introspect

      {"active":true,"token_type":"Bearer","exp":1508927700,"iat":1508924100,"client_id":"EiqKsYfVH6dffF0b6LmrFBJW95Aa","username":"[email protected]"}
    6. Now that the Travelocity application has exchanged the SAML assertion for a valid access token, we can use that token to access a protected resource in WSO2 Identity Server. Here, we access the SCIM User Endpoint, which is secured with OAuth, to retrieve users.

      curl -v -k --header "Authorization: Bearer <access token>" https://<IS_HOST>:<IS_PORT>/wso2/scim/Users
      curl -v -k --header "Authorization: Bearer 865c60a5-969b-36b4-95e2-721a1fb5c867" https://localhost:9443/wso2/scim/Users
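
The following is an added example, not part of the WSO2 documentation or the Travelocity sample. It checks an assertion against the Audience and Recipient values configured in step 3 of the configuration (plus expiry), and builds the form body that RFC 7522 defines for exchanging the assertion at the token endpoint. The sample assertion is constructed and unsigned, the function names `preflight` and `token_request_body` are hypothetical, and signature verification is not covered.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"  # Audience/Recipient from step 3

# Constructed, unsigned sample; a real assertion is signed by the Identity Server.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2030-01-01T00:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject><saml:NameID>sample-user</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:05:00Z"
          Recipient="https://localhost:9443/oauth2/token"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>sample-sp</saml:Audience>
      <saml:Audience>https://localhost:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def preflight(assertion_xml, token_endpoint, now):
    """List the checks from step 3 (plus expiry) that this assertion would fail."""
    root = ET.fromstring(assertion_xml)
    problems = []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if token_endpoint not in audiences:
        problems.append("audience")
    confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
    if not any(c.get("Recipient") == token_endpoint for c in confirmations):
        problems.append("recipient")
    # Both Conditions and SubjectConfirmationData carry a NotOnOrAfter limit.
    limits = [e.get("NotOnOrAfter") for e in confirmations + root.findall(".//saml:Conditions", NS)]
    if any(now >= datetime.fromisoformat(t.replace("Z", "+00:00")) for t in limits if t):
        problems.append("expired")
    return problems


def token_request_body(assertion_xml):
    """Form body the client POSTs to the token endpoint with its client id and secret."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    # RFC 7521: base64url value, pad characters should not be included.
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": b64.rstrip("=")})
```

An empty list from `preflight` means the Audience, Recipient and validity window all match the token endpoint passed in; pass a timezone-aware `now`, for example `datetime.now(timezone.utc)`.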