Using WSO2 Identity Cloud, you can create a custom application and configure it to facilitate Single Sign-On (SSO) using SAML. This custom application is a representation of your web application and can be integrated with WSO2 Identity Cloud to provide SSO for users of this application.
In this tutorial you will learn how to configure single sign-on for your custom application using SAML.
To demonstrate SSO for a SAML-based custom application, you first need to obtain and configure a web application. Next, you configure a custom application of type Standards-based Federation with the SAML2 Web SSO protocol to represent this web application in Identity Cloud. Users of the web application can then access it through Single Sign-On via the Identity Cloud. This tutorial uses Travelocity as the sample web application to demonstrate how SSO works.
The following video walks through the same tutorial using Google as the application. The steps in this tutorial differ from the video because this tutorial uses a sample web application.
See the following topics for instructions on how to configure the sample web application with WSO2 Identity Cloud.
Adding a custom application
To know how to add a custom application, see here.
Configuring the sample web application
To deploy and configure the travelocity web application, follow the steps below.
Download the travelocity.com.war file. Before you deploy the application, you need to download the IdP metadata.xml file and edit the travelocity.properties file, as described below.
Downloading the IdP metadata configuration XML
- Log in to WSO2 Identity Cloud.
- Click the menu icon in the top left corner of the screen and click Applications.
- Click DOWNLOAD IDP METADATA to download the IdP metadata file. (This file is downloaded to a local folder.)
Editing the travelocity.properties file
- Open a command prompt.
- Go to the folder where you downloaded the travelocity.com.war file.
- Create a new directory, for example:
  mkdir MyTest
- Extract travelocity.com.war into the newly created directory, for example:
  unzip travelocity.com.war -d MyTest/
  This extracts all the files to the MyTest directory.
- Navigate to the WEB-INF/classes directory under MyTest and edit the travelocity.properties file found there (see the sample below).
Sample travelocity.properties file
# Copyright (c) WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
#
# WSO2 Inc. licenses this file to you under the Apache License,
# Version 2.0 (the "License"); you may not use this file except
# in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
EnableSAML2SSOLogin=true
EnableOpenIDLogin=true
EnableOAuth2SAML2Grant=false
#URL to send the SAML2 SSO AuthnRequest to
SAML2SSOURL=samlsso
#URL to initiate the OAuth2 SAML2 Grant Request
OAuth2SAML2GrantURL=token
#Url to initiate OpenID Authentication Request
OpenIdURL=openid
#URIs to skip SSOAgentFilter; comma separated values
SkipURIs=/travelocity.com/index.jsp
#A unique identifier for this SAML 2.0 Service Provider application
SAML2.SPEntityId=travelocity.com
#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://localhost:8080/travelocity.com/home.jsp
#A unique identifier for the SAML 2.0 Identity Provider
SAML2.IdPEntityId=localhost
#The URL of the SAML 2.0 Identity Provider
SAML2.IdPURL=https://localhost:9443/samlsso
#Identifier given for the Service Provider for SAML 2.0 attributes
#exchange
#SAML2.AttributeConsumingServiceIndex=1701087467
#Specify if SingleLogout is enabled/disabled
SAML2.EnableSLO=true
#This is the URL that is used for SLO
SAML2.SLOURL=logout
#Specify if SAMLResponse element is signed
SAML2.EnableResponseSigning=true
#Specify if SAMLAssertion element is signed
SAML2.EnableAssertionSigning=true
#Specify if SAMLAssertion element is encrypted
SAML2.EnableAssertionEncryption=false
#Specify if AuthnRequests and LogoutRequests should be signed
SAML2.EnableRequestSigning=true
#Password of the KeyStore for SAML and OpenID
KeyStorePassword=wso2carbon
#Alias of the IdP's public certificate
IdPPublicCertAlias=wso2carbon
#Alias of the SP's private key
PrivateKeyAlias=wso2carbon
#Private key password to retrieve the private key used to sign
#AuthnRequest and LogoutRequest messages
PrivateKeyPassword=wso2carbon
#OAuth2 token endpoint URL
OAuth2.TokenURL=https://localhost:9443/oauth2/token
#OAuth2 Client ID
OAuth2.ClientId=Qn5DQHCYfshxeZh6R9SL1HM2lsMa
#OAuth2 Client Secret
OAuth2.ClientSecret=cbkAs1gajdwPAMbrSR54hPAIcz0a
#OpenId Provider Url
OpenId.ProviderURL=https://localhost:9443/openid/
#openid.return_to parameter
OpenId.ReturnToURL=http://localhost:8080/travelocity.com/home.jsp
#Custom SAML post binding request page
#SAML.PostBinding.RequestPage=path/to/the/html
#Additional request parameters
#QueryParams=tenantDomain=-1234
#SAML2.IsForceAuthn=true
#Specify whether the consumer requests user attributes from the provider
OpenId.EnableAttributeExchange=true
#Specify whether the consumer runs in dumb mode
OpenId.EnableDumbMode=false
Property | Description
---|---
SAML2.SPEntityId=travelocity.com | A unique identifier for this SAML 2.0 Service Provider application. It must be the same value you enter as the Issuer when you configure the custom application in Identity Cloud.
SAML2.AssertionConsumerURL=http://<organization_domain>-travelocity.wso2apps.com/travelocity.com/home.jsp | The URL of the SAML 2.0 Assertion Consumer, to which Identity Cloud POSTs the SAML response. Replace organization_domain with the actual tenant you created. The value must match exactly the Assertion Consumer URL you register for the custom application. Because the SAML response is posted to this URL, use an https URL outside of this demo.
SAML2.IdPURL=https://identity.cloud.wso2.com/identity/t/<organization_domain> | The URL of the SAML 2.0 Identity Provider. Take the value for SAML2.IdPURL from the Location attribute of the SingleSignOnService element in the downloaded metadata XML file (see sample below). With SAML2.EnableResponseSigning=true, the application verifies the response with the certificate stored under IdPPublicCertAlias in its keystore, so that alias must hold the Identity Cloud signing certificate given in the metadata.
Sample of WSO2IdentityCloudMetadata.xml
Save the file.
- Navigate to the MyTest directory.
- Create the travelocity.com.war file, for example:
  jar -cvf travelocity.com.war *
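The steps above edit the properties by hand. As an added example (not code from the WSO2 tutorial or from the travelocity sample), the following Python script does the same edit from the downloaded metadata file and then runs the checks a practitioner would want before repacking the war: that the Assertion Consumer URL in the properties file is exactly the one registered in Identity Cloud, that the SAML response is not posted over plain http, that at least one of response or assertion signing is on, and that the sample keystore password has been changed. It assumes the metadata is a standard SAML 2.0 EntityDescriptor; the hostnames, tenant name, certificate text and the trimmed properties file in the inline sample data are constructed for the example.

```python
# Added example: configure travelocity.properties from IdP metadata and check the result.
# Not part of the WSO2 tutorial; sample hostnames, tenant and certificate below are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text):
    """Return (entityID, SingleSignOnService Location, signing certificate base64 or None)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    endpoints = {sso.get("Binding"): sso.get("Location")
                 for sso in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    if not endpoints:
        raise ValueError("no SingleSignOnService in metadata")
    # Prefer the HTTP-POST endpoint; fall back to the first one listed.
    sso_url = endpoints.get(HTTP_POST) or next(iter(endpoints.values()))
    cert = None
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a KeyDescriptor without 'use' covers signing too
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop the line breaks metadata usually has
                break
    return entity_id, sso_url, cert


def read_properties(text):
    """Minimal .properties reader: key=value lines and '#' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def update_properties(text, updates):
    """Replace the value of each key in updates in place; append keys that are absent."""
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=", line)
        if m and m.group(1) in updates:
            out.append(f"{m.group(1)}={updates[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out.extend(f"{k}={v}" for k, v in updates.items() if k not in seen)
    return "\n".join(out) + "\n"


def configure_from_metadata(props_text, metadata_xml, sp_entity_id, acs_url):
    """Point the SP at the IdP described by the metadata and set the SP's own identifiers."""
    entity_id, sso_url, _cert = parse_idp_metadata(metadata_xml)
    return update_properties(props_text, {
        "SAML2.SPEntityId": sp_entity_id,        # must equal the Issuer registered in Identity Cloud
        "SAML2.AssertionConsumerURL": acs_url,   # must equal the registered Assertion Consumer URL
        "SAML2.IdPEntityId": entity_id,
        "SAML2.IdPURL": sso_url,
    })


def check_sp_config(props_text, registered_acs):
    """Return the problems to fix before repacking the war (empty list means none found)."""
    p = read_properties(props_text)
    problems = []
    if p.get("SAML2.AssertionConsumerURL") != registered_acs:
        problems.append("SAML2.AssertionConsumerURL differs from the ACS registered in Identity Cloud")
    if p.get("SAML2.AssertionConsumerURL", "").startswith("http://"):
        problems.append("ACS is plain http: the SAML response is POSTed in cleartext")
    if not p.get("SAML2.IdPURL", "").startswith("https://"):
        problems.append("SAML2.IdPURL is not an https URL")
    if "true" not in (p.get("SAML2.EnableResponseSigning"), p.get("SAML2.EnableAssertionSigning")):
        problems.append("neither response nor assertion signing is enabled; the SP cannot verify the issuer")
    if "wso2carbon" in (p.get("KeyStorePassword"), p.get("PrivateKeyPassword")):
        problems.append("keystore still uses the sample 'wso2carbon' password")
    return problems


# Constructed sample metadata (shape of a SAML 2.0 IdP EntityDescriptor; values are not real).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBexampleCertBase64
      MoreBase64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/identity/t/demotenant/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/identity/t/demotenant/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed subset of the sample's default properties, before editing.
SAMPLE_PROPERTIES = """EnableSAML2SSOLogin=true
SAML2.SPEntityId=travelocity.com
#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://localhost:8080/travelocity.com/home.jsp
SAML2.IdPEntityId=localhost
SAML2.IdPURL=https://localhost:9443/samlsso
SAML2.EnableResponseSigning=true
SAML2.EnableAssertionSigning=true
KeyStorePassword=wso2carbon
PrivateKeyPassword=wso2carbon
"""
```

Run it against the real files by reading the downloaded metadata and MyTest/WEB-INF/classes/travelocity.properties, passing the tenant's Assertion Consumer URL to configure_from_metadata, writing the result back, and treating a non-empty list from check_sp_config as a reason not to repack yet. parse_idp_metadata also returns the IdP's signing certificate from the metadata; since the properties file describes IdPPublicCertAlias as the alias of the IdP's public certificate, make sure the certificate stored under that alias in the application's keystore is this one (for example by writing the base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines and importing it with keytool -importcert under that alias), otherwise signature verification of the Identity Cloud response fails.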
Go to WSO2 Integration Cloud and deploy the travelocity web application. See the Integration Cloud documentation for instructions on how to deploy a web application.
Configuring the custom application with the web app
- Once you enter the application name, the following page is displayed, with Standards-based Federation selected as the App type and SAML2 Web SSO selected as the Security Protocol by default. Make sure the Configure Manually button is selected.

- Scroll down and enter 'travelocity.com' as the Issuer (this must equal SAML2.SPEntityId in travelocity.properties), provide 'http://demotenant-travelocity.wso2apps.com/travelocity.com/home.jsp' as the Assertion Consumer URL (this must equal SAML2.AssertionConsumerURL in travelocity.properties) and click Add to add the URL. Select Enable Response Signing, which corresponds to SAML2.EnableResponseSigning=true in the properties file.

- Scroll down. In Store Configuration, enter 'http://demotenant-travelocity.wso2apps.com/travelocity.com/home.jsp' as the Access URL.

- Click Save to add the application details.
- The added application is displayed, and you can delete or edit it by clicking the button next to the application thumbnail name.

- Click Go to User Portal.

- Click the added custom application that is in the user portal.

- You are directed to the travelocity home page (http://demotenant-travelocity.wso2apps.com/travelocity.com/home.jsp) without having to sign in again, because the session you already have with Identity Cloud is used to issue the SAML response to the application. This demonstrates SAML-based SSO for a custom application using Identity Cloud.