This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


An Identity Provider (IdP) is responsible for authenticating users  and issuing identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Trust. This is a favorable favourable alternative to explicitly authenticating a user within a security realm.


So, in short, the WSO2 Identity Server allows you to add identity providers and specify various details that help you to link the identity provider to the WSO2 Identity Server. So Therefore, you must specify all information required to send the authentication requests and get a response back from the identity provider. This topic contains the following sections.


FieldDescriptionSample Value
Identity Provider Name

The Identity Provider Name must be unique as it is used as the primary identifier of the identity provider.

FacebookIdP, Twitter
Display Name

The Display Name is used to identify the identity provider. If this is left blank, the Identity Provider Name is used. This is used in the login page when selecting the identity provider that you wish to use to log in to the service provider.

Facebook, Twitter
DescriptionThe Description is added in the list of identity providers to provide more information on what the identity provider is. This is particularly useful in situations where there are many identity providers configured and a description is required to differentiate and identify them.This is the identity provider configuration.
Federation Hub Identity Provider

Select the Federation Hub Identity Provider check-box to indicate if this points to an identity provider that acts as a federation hub. A federation hub is an identity provider that has multiple identity providers configured to it and can redirect users to the correct identity provider depending on their Home Realm identifier or their Identity Provider Name. When we have this check-box selected additional window will pop-up in the multi-option page in the first identity server to get the home realm identifier for the desired identity provider in the identity provider hub.

Home Realm Identifier

The Home Realm Identifier value can be specified in each federated IDP and can send the Home Realm Identifier value as the “fidp” query parameter (e.g., fidp=googleIdp) in the authentication request by the service provider. The WSO2 Identity Server finds the IDP related to the “fidp” value and redirects the end user to the IDP directly rather than showing the SSO login page. By using this, you can avoid multi-option, in a multi-option scenario without redirecting to the multi-option page.

Identity Provider Public Certificate

The Identity Provider Public Certificate is the public certificate belonging to the identity provider. Uploading this is necessary to authenticate the response from the identity provider. See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information on how public keys work and how to sign these keys by a certification authority.

This can be any certificate. If the identity provider is another Identity Server, this can be a wso2.crtfilecrt file.

titleTo create the Identity Provider Certificate click here

Open your Command Line interface, traverse to the <IS_HOME>/repository/resources/security/ directory. Next, you must execute the following command.

Code Block
keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon

Once this command is run, the wso2.crtfile is generated and can be found in the <IS_HOME>/repository/resources/security/ directory. Click Choose File and navigate to this location in order to obtain and upload this file.

See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information.

The Alias is a value that has an equivalent value specified in the identity provider that we are configuring. This is required for authentication in some scenarios.

titleClick here for more information on the federation hub and the home realm identifier
titleAbout the federation hub and the home realm identifier

The federation hub has multiple identity providers configured to it. In a typical federation hub with multiple identity providers, each identity provider can have a unique home realm identifier that can be used to identify the identity provider you are logging into.

So when a user tries to log in to a service provider following flow will happen,

  • The Identity Server, which this service provider is configured on to will find the required federated authenticator from the service provider configuration
  • If this Identity Provider configured as a federation hub, the user can specify the preferred identity provider in the federation hub using the multi-option page of the first Identity Server.
  • This information will pass with the authentication request to the federation hub.
  • When the request comes to the federation hub, it is sent to the identity provider that the user specifies from the first identity server. For instance, if the users prefer to use their Facebook credentials to log in, and Facebook is one of the identity providers configured in the federation hub, the user simply has to specify Facebook as the domain in the login screen of first Identity Server.

When the Home Realm Identifier is not specified, you can either select the domain name from a dropdown in the login page, or you have to enter the domain value in a separate page prior to logging in. This can be configured as explained below.

Open the <IS_HOME>/repository/conf/identity/application-authentication.xml file. The ProxyMode configuration allows the framework to operate in either smart mode or dumb mode. In smart mode, both local and federated authentication is supported, while in dumb mode, only federated authentication is supported. If dumb mode is configured here, you must provide the Home Realm Identifier, or you have to display a separate screen to the user to get it.

If smart mode is configured, the default behavior applies, where you can enter a local username and password, or use federated authenticators for authentication.