This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.
||
Skip to end of metadata
Go to start of metadata

This section guides you through the configurations you can include in a service provider application. See Calling Admin Services to enable the admin service

Configuring SAML2 web SSO 

Permission Level: /permission/admin/manage

To add a Service Provider with SAML2 Web SSO capability, you have to first add SAML2 Web SSO configuration. This is done through the IdentitySAMLSSOConfigService exposed at https://<IS_HOST>:<IS_PORT>/services/IdentitySAMLSSOConfigService?wsdlReplace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/IdentitySAMLSSOConfigService?wsdl.

Input parameters

ParameterTypeDescription
issuerStringSpecify the Issuer. This is the <saml:Issuer> element that contains the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider. When configuring single-sign-on across Carbon servers, ensure that this value is equal to the ServiceProviderID value mentioned in the <IS_HOME>/repository/conf/security/authenticators.xml file of the relying party Carbon server.
assertionConsumerUrlsStringSpecify the Assertion Consumer URLs. This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should have this format: https://(host-name):(port)/acs. You can add multiple assertion consumer URLs by repeating assertionConsumerUrls element.
defaultAssertionConsumerUrlString

Since there can be multiple assertion consumer URLs, you must define a Default Assertion Consumer URL in case you are unable to retrieve it from the authentication request.

Tip: In a service provider initiated single sign-on setup, the following needs to be considered.

  • If no ACS URL is given in the <AuthnRequest>, the Identity Server sends the response to the default ACS URL of the service provider (whether the request is signed or not).
  • If the ACS URL in <AuthnRequest> matches with one of the registered URLs, the Identity Server sends the response to the matched one. 
  • If the ACS URL in <AuthnRequest> does not match any of the registered ACS URLs and if the request is signed, the Identity Server sends the response to the ACS URL in the request only if the signature is valid. Alternatively, the <AuthnRequest> is rejected.

In an identity provider initiated single sign-on setup, the following needs to be considered.

  • If the “acs” query parameter is not present in the request, the Identity Server sends the response to default ACS URL of the service provider.
  • If the "acs” parameter is present and the value of that parameter matches with any of the registered ACS URLs of the service provider, then the Identity Server sends the response to the matched one.
nameIDFormatString

Specify the NameID format. This defines the name identifier formats supported by the identity provider. The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID) , which should be in some format so that It is easy for the other party to identify it based on the format. Name identifiers are used to provide information regarding a user. 

certAliasString

This is used to validate the signature of SAML2 requests and is used to generate encryption. Basically, the service provider’s certificate must be mentioned here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing a tenant-specific configuration. 

signingAlgorithmURIString

Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity.xml file, in the SSOService element with SAMLDefaultSigningAlgorithmURI tag. If it is not provided the default algorithm is RSA­SHA 1 - ' http://www.w3.org/2000/09/xmldsig#rsa­sha1.

 Click here to expand for more information on signature algorithms.

The following table provides the list of signature algorithms available and their respective URI.

digestAlgorithmURIString

Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity.xml file, in the SSOService element with SAMLDefaultDigestAlgorithmURI tag. If it is not provided the default algorithm is SHA 1 - ‘http://www.w3.org/2000/09/xmldsig#sha1.

 Click here to expand for more information on digest algorithms.

The following table provides the list of digest algorithms available and their respective URI.

doSignResponseBooleanSet true to sign the SAML2 Responses returned after the authentication process.
doValidateSignatureInRequestsBooleanSet true to specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request that is sent by the service provider. 
doEnableEncryptedAssertionBooleanSet true if you wish to encrypt the assertion.
doSignAssertionsBooleanSet this value to 'TRUE' or keep the value as empty since a valid assertion should be signed.
doSingleLogoutBooleanSet true if you want to terminate all sessions once the user signs out from one service provider. If single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile. If the service provider supports a different URL for logout, you need to specify them using sloResponseURL and sloRequestURL parameters. These URLs indicate where the request and response should go to. If you do not specify this URL, the identity provider uses the Assertion Consumer Service (ACS) URL. 
enableAttributeProfileBooleanThe Identity Server provides support for a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as part of the attribute statement. Ste true to enable this profile. If you set true to enableAttributesByDefault parameter, the identity provider always includes the attribute values related to the requested claims in the SAML attribute statement.
requestedAudiencesStringYou can specify the audiences using this parameter.
requestedRecipients StringYou can specify the recipients using this parameter.
idPInitSSOEnabledBooleanSet true to enable IdP initiated SSO profile for the service provider.
idPInitSLOEnabledBooleanSet true to enable IdP initiated SLO profile for the service provider.
assertionQueryRequestProfileEnabledBooleanSet true to enable Assertion Query Request Profile to query assertions that are persisted to the database when you login to the service provider application. For more information, see Querying SAML Assertions.

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addRPServiceProvider>
         <!--Optional:-->
         <xsd:spDto>
            <!--Zero or more repetitions:-->
            <xsd1:assertionConsumerUrls>?</xsd1:assertionConsumerUrls>
            <!--Optional:-->
            <xsd1:assertionQueryRequestProfileEnabled>?</xsd1:assertionQueryRequestProfileEnabled>
            <!--Optional:-->
            <xsd1:attributeConsumingServiceIndex>?</xsd1:attributeConsumingServiceIndex>
            <!--Optional:-->
            <xsd1:certAlias>?</xsd1:certAlias>
            <!--Optional:-->
            <xsd1:defaultAssertionConsumerUrl>?</xsd1:defaultAssertionConsumerUrl>
            <!--Optional:-->
            <xsd1:digestAlgorithmURI>?</xsd1:digestAlgorithmURI>
            <!--Optional:-->
            <xsd1:doEnableEncryptedAssertion>?</xsd1:doEnableEncryptedAssertion>
            <!--Optional:-->
            <xsd1:doSignAssertions>?</xsd1:doSignAssertions>
            <!--Optional:-->
            <xsd1:doSignResponse>?</xsd1:doSignResponse>
            <!--Optional:-->
            <xsd1:doSingleLogout>?</xsd1:doSingleLogout>
            <!--Optional:-->
            <xsd1:doValidateSignatureInRequests>?</xsd1:doValidateSignatureInRequests>
            <!--Optional:-->
            <xsd1:enableAttributeProfile>?</xsd1:enableAttributeProfile>
            <!--Optional:-->
            <xsd1:enableAttributesByDefault>?</xsd1:enableAttributesByDefault>
            <!--Optional:-->
            <xsd1:idPInitSLOEnabled>?</xsd1:idPInitSLOEnabled>
            <!--Optional:-->
            <xsd1:idPInitSSOEnabled>?</xsd1:idPInitSSOEnabled>
            <!--Zero or more repetitions:-->
            <xsd1:idpInitSLOReturnToURLs>?</xsd1:idpInitSLOReturnToURLs>
            <!--Optional:-->
            <xsd1:issuer>?</xsd1:issuer>
            <!--Optional:-->
            <xsd1:nameIDFormat>?</xsd1:nameIDFormat>
            <!--Optional:-->
            <xsd1:nameIdClaimUri>?</xsd1:nameIdClaimUri>
            <!--Zero or more repetitions:-->
            <xsd1:requestedAudiences>?</xsd1:requestedAudiences>
            <!--Zero or more repetitions:-->
            <xsd1:requestedRecipients>?</xsd1:requestedRecipients>
            <!--Optional:-->
            <xsd1:signingAlgorithmURI>?</xsd1:signingAlgorithmURI>
            <!--Optional:-->
            <xsd1:sloRequestURL>?</xsd1:sloRequestURL>
            <!--Optional:-->
            <xsd1:sloResponseURL>?</xsd1:sloResponseURL>
         </xsd:spDto>
      </xsd:addRPServiceProvider>
   </soapenv:Body>
</soapenv:Envelope>
 Sample Request...
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addRPServiceProvider>
         <!--Optional:-->
         <xsd:spDto>
            <!--Zero or more repetitions:-->
            <xsd1:assertionConsumerUrls>http://localhost:8080/travelocity.com/home.jsp</xsd1:assertionConsumerUrls>
            <!--Optional:-->
            <xsd1:assertionQueryRequestProfileEnabled>false</xsd1:assertionQueryRequestProfileEnabled>
            <!--Optional:-->
            <xsd1:attributeConsumingServiceIndex>1223160755</xsd1:attributeConsumingServiceIndex>
            <!--Optional:-->
            <xsd1:certAlias>wso2carbon</xsd1:certAlias>
            <!--Optional:-->
            <xsd1:defaultAssertionConsumerUrl>http://localhost:8080/travelocity.com/home.jsp</xsd1:defaultAssertionConsumerUrl>
            <!--Optional:-->
            <xsd1:digestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</xsd1:digestAlgorithmURI>
            <!--Optional:-->
            <xsd1:doEnableEncryptedAssertion>true</xsd1:doEnableEncryptedAssertion>
            <!--Optional:-->
            <xsd1:doSignAssertions>true</xsd1:doSignAssertions>
            <!--Optional:-->
            <xsd1:doSignResponse>true</xsd1:doSignResponse>
            <!--Optional:-->
            <xsd1:doSingleLogout>true</xsd1:doSingleLogout>
            <!--Optional:-->
            <xsd1:doValidateSignatureInRequests>true</xsd1:doValidateSignatureInRequests>
            <!--Optional:-->
            <xsd1:enableAttributeProfile>true</xsd1:enableAttributeProfile>
            <!--Optional:-->
            <xsd1:enableAttributesByDefault>true</xsd1:enableAttributesByDefault>
            <!--Optional:-->
            <xsd1:idPInitSLOEnabled>true</xsd1:idPInitSLOEnabled>
            <!--Optional:-->
            <xsd1:idPInitSSOEnabled>true</xsd1:idPInitSSOEnabled>
            <!--Zero or more repetitions:-->
            <xsd1:idpInitSLOReturnToURLs>http://localhost:8090/travelocity.com/home.jsp</xsd1:idpInitSLOReturnToURLs>
            <!--Optional:-->
            <xsd1:issuer>travelocity.com</xsd1:issuer>
            <!--Optional:-->
            <xsd1:nameIDFormat>urn/oasis/names/tc/SAML/1.1/nameid-format/emailAddress</xsd1:nameIDFormat>
            <!--Zero or more repetitions:-->
            <xsd1:requestedAudiences>https://localhost:9443/oauth2/token</xsd1:requestedAudiences>
            <!--Zero or more repetitions:-->
            <xsd1:requestedRecipients>https://localhost:9443/oauth2/token</xsd1:requestedRecipients>
            <!--Optional:-->
            <xsd1:signingAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</xsd1:signingAlgorithmURI>
            <!--Optional:-->
            <xsd1:sloRequestURL></xsd1:sloRequestURL>
            <!--Optional:-->
            <xsd1:sloResponseURL></xsd1:sloResponseURL>
         </xsd:spDto>
      </xsd:addRPServiceProvider>
   </soapenv:Body>
</soapenv:Envelope>


Response:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:createApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:createApplicationResponse>
   </soapenv:Body>
</soapenv:Envelope>


Once the SAML SSO configuration is added, the issuer details need to be included in inbound authentication configurations of the service provider.


Parameter

Type

Description

inboundAuthKey

String

Specify the issuer here, which is the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider.

inboundAuthType

String

For SAML 2.0, authentication type should be ‘samlsso’   

Property Name

Property Value

attrConsumServiceIndex

This is the consumer service index.  The service provider should send this in the SAML request to get attributes of the authenticated subject.  

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>travelocity.com</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
        <!--Zero or more repetitions:-->
        <xsd1:properties>
            <!--Optional:-->
            <xsd1:name>attrConsumServiceIndex</xsd1:name>
            <!--Optional:-->
            <xsd1:value>202240762</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>


Configuring OAuth/OpenID Connect 

Permission Level: /admin/manage/identity

To add a Service Provider with OAuth capability, add an OAuth application through the OAuthAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/OAuthAdminService?wsdl. Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/OAuthAdminService?wsdl.

Input parameters

ParameterTypeDescription
OAuthVersionString

Specify the Oauth version using this parameter. Accepted values are 'OAuth-1.0a' and 'OAuth-2.0'. If you set OAuth Version as OAuth-1.0a, there is no need to fill the grantTypes parameter. This is because this version of OAuth does not support grant types.

applicationNameStringService provider name

applicationAccessTokenExpiryTime

StringSpecify the time the application access token needs to expire. The value needs to be specified in milliseconds.
callbackUrl

This is the exact location in the service provider's application where an access token would be sent. This is a required field and it is important to configure, as it is imperative that the service provider receives the access token. This is necessary for security purposes to ensure that the token is not compromised.

Configure multiple callback URLs

From IS 5.2.0 onwards, regex-based consumer URLs are supported when defining the callback URL. This enables you to configure multiple callback URLs for one application.
For example, if you have two service providers that use the same application, you can now define a regex pattern which will work for both callback URLs instead of having to configure two different applications for the two service providers. Assume the two callback URLs for your two service providers are as follows:

To configure the callback URL to work for both of these URLs, set it using a regex pattern as follows:

regexp=(https://myapp.com/callback|https://testapp:8000/callback)

You must have the prefix 'regexp=' before your regex pattern. To define a normal URL, you can specify the callback URL without this prefix.

grantTypesString
Allowed Grant Types - The following are the grant types that are used to get the access token:
Code

Entering the username and password required at the service provider will result in a code being generated. This code can be used to obtain the access token. For more information on this grant type, see this Authorization Code specification.

Implicit

This is similar to the code grant type, but instead of generating a code, this directly provides the access token. For more information on this grant type, see this Implicit Grant specification.

Password

This authenticates the user using the password provided and the access token is provided. For more information on this grant type, see this Resource Owner Password Credentials Grant specification.

Client CredentialThis is the grant type for the client key and client secret. If these two items are provided correctly by the service provider, the access token is sent. For more information on this grant type, see this Client Credentials specification.
Refresh Token This will enable the user to obtain an access token by using the refresh token once the originally provided access token is used up. For more information on this grant type, see this Refresh Token specification.
SAML 

This uses SAML assertion to obtain the access token. For more information on this grant type, see this SAML2 Bearer specification.

IWA-NTLMThis is similar to the password grant type, but it is specific to Microsoft Windows users.
urn:ietf:params:oauth:grant-type:jwt-bearerThis is a custom grant type. It uses a JWT token to obtain the access token. For more information about this grant type, see this JWT specification.
oauthConsumerKeyStringThis the consumer key of the OAuth application. If you keep this empty, Identity server will generate a consumer key.
oauthConsumerSecretStringThis the consumer secret of the OAuth application. If you keep this empty, Identity server will generate a consumer secret.
pkceMandatoryBooleanSet true if you are using the Code grant type. PKCE is a recommended security measure used to mitigate a code interception attack. See Mitigating Authorization Code Interception Attacks for more information.
pkceSupportPlainBooleanSet true if you are using PKCE.

refreshTokenExpiryTime

StringSpecify the time the refresh token needs to expire. The value needs to be specified in milliseconds.

userAccessTokenExpiryTime

StringSpecify the time the user's access token needs to expire. The value needs to be specified in milliseconds.

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:registerOAuthApplicationData>
         <!--Optional:-->
         <xsd:application>
            <!--Optional:-->
            <xsd1:OAuthVersion>?</xsd1:OAuthVersion>
			<!--Optional:-->
			<xsd1:applicationAccessTokenExpiryTime>?</xsd1:applicationAccessTokenExpiryTime>
            <!--Optional:-->
            <xsd1:applicationName>?</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:callbackUrl>?</xsd1:callbackUrl>
            <!--Optional:-->
            <xsd1:grantTypes>?</xsd1:grantTypes>
            <!--Optional:-->
            <xsd1:oauthConsumerKey>?</xsd1:oauthConsumerKey>
            <!--Optional:-->
            <xsd1:oauthConsumerSecret>?</xsd1:oauthConsumerSecret>
            <!--Optional:-->
            <xsd1:pkceMandatory>?</xsd1:pkceMandatory>
            <!--Optional:-->
            <xsd1:pkceSupportPlain>?</xsd1:pkceSupportPlain>
			<!--Optional:-->
			<xsd1:refreshTokenExpiryTime>?</xsd1:refreshTokenExpiryTime>
			<!--Optional:-->
			<xsd1:userAccessTokenExpiryTime>?</xsd1:userAccessTokenExpiryTime>
         </xsd:application>
      </xsd:registerOAuthApplicationData>
   </soapenv:Body>
</soapenv:Envelope>
 Sample Request...
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:registerOAuthApplicationData>
         <!--Optional:-->
         <xsd:application>
            <!--Optional:-->
            <xsd1:OAuthVersion>OAuth-2.0</xsd1:OAuthVersion>
			<!--Optional:-->
			<xsd1:applicationAccessTokenExpiryTime>3600</xsd1:applicationAccessTokenExpiryTime>
            <!--Optional:-->
            <xsd1:applicationName>playground</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:callbackUrl>http://localhost:8080/playground2/oauth2client</xsd1:callbackUrl>
            <!--Optional:-->
            <xsd1:grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code</xsd1:grantTypes>
            <!--Optional:-->
            <xsd1:pkceMandatory>false</xsd1:pkceMandatory>
            <!--Optional:-->
            <xsd1:pkceSupportPlain>true</xsd1:pkceSupportPlain>
			<!--Optional:-->
			<xsd1:refreshTokenExpiryTime>84000</xsd1:refreshTokenExpiryTime>
			<!--Optional:-->
			<xsd1:userAccessTokenExpiryTime>3600</xsd1:userAccessTokenExpiryTime>
         </xsd:application>
      </xsd:registerOAuthApplicationData>
   </soapenv:Body>
</soapenv:Envelope>


Response:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:registerOAuthApplicationDataResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:registerOAuthApplicationDataResponse>
   </soapenv:Body>
</soapenv:Envelope>


Once Oauth application is created, you can retrieve the OAuth consumer key and OAuth consumer secret by calling getOAuthApplicationDataByAppName service method.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getOAuthApplicationDataByAppName>
         <!--Optional:-->
         <xsd:appName>playground</xsd:appName>
      </xsd:getOAuthApplicationDataByAppName>
   </soapenv:Body>
</soapenv:Envelope>


Once the OAuth configuration is added, the OAuth consumer key/secret details need to be included in inbound authentication configurations of the service provider.



Parameter

Type

Description

inboundAuthKey

String

OAuth Client Key

inboundAuthType

String

For OAuth, authentication type should be ‘oauth2'

   

Property Name

Property Value

oauthConsumerSecret

OAuth client secret

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>li6JMbjW6WDMKTWsRnGcjp5zcGhi</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>oauth2</xsd1:inboundAuthType>
        <!--Zero or more repetitions:-->
        <xsd1:properties>
            <!--Optional:-->
            <xsd1:name>oauthConsumerSecret</xsd1:name>
            <!--Optional:-->
            <xsd1:value>NMB3EAfxh4YvSTqbb3iMkongAHjW</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>


Configuring WS-Trust Security Token service

Permission Level: /admin/manage/identity

To configure a service provider with the WS-Trust Security Token Service (STS), add a trusted service through the STSAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/STSAdminService?wsdl. Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/STSAdminService?wsdl.

Input parameters

ParamterTypeDescription
serviceAddressString

Specify the endpoint address or the trusted relying party.

certAliasStringSpecify the certificate alias of the imported public certificate of the trusted relying party.

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addTrustedService>
         <!--Optional:-->
         <ser:serviceAddress>?</ser:serviceAddress>
         <!--Optional:-->
         <ser:certAlias>?</ser:certAlias>
      </ser:addTrustedService>
   </soapenv:Body>
</soapenv:Envelope>
 Sample Request...
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addTrustedService>
         <!--Optional:-->
         <ser:serviceAddress>https://www.example.com/sts</ser:serviceAddress>
         <!--Optional:-->
         <ser:certAlias>wso2carbon</ser:certAlias>
      </ser:addTrustedService>
   </soapenv:Body>
</soapenv:Envelope>


Response:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:addTrustedServiceResponse xmlns:ns="http://service.sts.security.carbon.wso2.org">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:addTrustedServiceResponse>
   </soapenv:Body>
</soapenv:Envelope>


Once the trusted service is registered, the service address needs to be included in inbound authentication configurations of the service provider.


Parameter

Type

Description

inboundAuthKey

String

The endpoint address of the trusted relying party.

inboundAuthType

String

For WS-Trust Security Token Service, the authentication type should be ‘wstrust’

<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>https://www.example.com/sts</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>wstrust</xsd1:inboundAuthType>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>

Configuring WS-Federation (passive)

To configure a service provider with the WS-Federation (passive), you only need to include following parameters in inbound authentication configurations of the service provider.


Parameter

Type

Description

inboundAuthKey

String

Passive STS realm identifier

inboundAuthType

String

For Passive STS configuration, the authentication type should be ‘passivests’.

passiveSTSWReplyStringProvide the URL of the web app.
For example: https://localhost:8080/PassiveSTSSampleApp/index.jsp
<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
			<xsd1:properties>
        		<xsd1:name>passiveSTSWReply</name>
        		<xsd1:value>{url}</value>
    		</xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
Related Links
  • No labels