As an OAuth 2.0 Authorization Server, WSO2 Identity Server can accept SAML2 Assertions from OAuth 2.0 clients as a means of resource owner authentication and authorization. Additionally, it can exchange it with OAuth 2.0 access tokens in order to access protected resources on behalf of the resource owner.
In this sample use case, you will see how a user will be authenticated for Travelocity sample application over SAML 2.0 via WSO2 Identity Server. You will also see how Travelocity application exchanges the SAML assertion received, with the WSO2 Identity Server to receive an OAuth access token using SAML2 Bearer Assertion Profile. Finally, you will see how an OAuth protected resource can be accessed using the access token received.
Below diagram illustrates the request/response flow with respect to this sample use case where WSO2 Identity Server acts as the Authorization Server and as well as the Resource Server.
Configure OAuth/OpenID and SAML SSO
See the Configuring Inbound Authentication for a Service Provider to configure the OAuth/OpenID Connect service provider. Access token will be issued for this application, exchanging with SAML2 assertion.
- Make sure SAML2 grant type is enabled under "Allowed Grant Types" in configured OAuth/OpenID Connect application.
- You can provide any valid URL as the Callback URL while configuring the OAuth2 application. This URL value is not used for any other operations during this sample.
Configure single sign-on with the Travelocity sample.See Configuring Single Sign-On to configure Travelocity application with WSO2 Identity Server.
Navigate to Main>Service Providers>List and click Edit to modify the service provider you just created. Modify the following fields of the SAML configuration and click Update.
travelocity.propertiesfile found in the
<TOMCAT_HOME>/webapps/travelocity.com/WEB-INF/classesfolder and edit the following configurations and restart the tomcat server.
Optionally, you can provide the type of the user identified from the subject identifier of the SAMl2 assertion. By default, the user type is set to
Add the following configuration to the
<SAML2Grant>configuration to enable this feature.
If your users are local, you can enable user type as,
If your users are federated, you can enable user type as,
If you need backward compatibility, enable user type as,
Also, you can set the user type per request as,
Restart the server to apply the configuration changes.
Running the sample
- Access the following URL:
You are directed to the following page.
- Click Click here to login with SAML from Identity Server (Post binding or Redirect Binding) . You are redirected to the Identity Server for authentication.
- Enter the username and password and click SIGN IN.
- Click Request OAuth2 Access Token to receive the access token.
You receive an access token as shown below:
Now, you can use the introspection endpoint of the Identity Server to get the token information.
Now since the Travelocity application has exchanged the SAML assertion for a valid access token, you can use the received access token to access a protected resource in WSO2 Identity Server. Here, to retrieve users, you can use the SCIM User Endpoint which is secured with OAuth.