This documentation is for WSO2 Identity Server 5.7.0.


Configuring a resident identity provider

Apart from mediating authentication requests between service providers and identity providers, WSO2 Identity Server itself can act as a service provider and an identity provider. When WSO2 Identity Server acts as an identity provider, it is called the resident identity provider.

Note

The resident identity provider configuration helps service providers to send authentication or provisioning requests to WSO2 Identity Server via SAML, OpenID Connect, SCIM, or WS-Trust. For an example of how a resident identity provider is used to implement a security token service, see Configuring WS-Trust Security Token Service. The resident identity provider configuration is a one-time configuration for a given tenant. It shows WSO2 Identity Server's metadata, e.g., endpoints.

The resident identity provider configuration can be used to secure the WS-Trust endpoint with a security policy.

Follow the instructions below to configure a resident identity provider:

  1. Access the WSO2 Identity Server Management Console.
  2. Sign in as an admin user.
  3. On the Main tab, click Identity > Identity Providers > Resident. The Resident Identity Provider page appears.
  4. Enter the required values as given below.

     Field | Description | Sample Value
     Home Realm Identifier | This is the domain name of the identity provider. If you do not enter a value here, the user is prompted to specify a domain when an authentication request comes to WSO2 Identity Server. You can enter multiple identifiers as a comma-separated list. | localhost
     Idle Session Time Out | This is the duration in minutes for which an SSO session can remain idle. If WSO2 Identity Server does not receive any SSO authentication requests for the given duration, the session times out. The default value is 15. | 15
     Remember Me Period | This is the duration in weeks for which WSO2 Identity Server remembers an SSO session, given that you selected the Remember Me option on the WSO2 Identity Server login screen. The default value is 2 weeks. | 2

  5. Optionally, configure inbound authentication by expanding the Inbound Authentication Configuration section.
     1. To configure SAML2, click SAML2 Web SSO Configuration. The SAML2 Web SSO Configuration form appears. Enter the required values and note the fixed values given below.

        Field | Description | Sample/Fixed Value
        Identity Provider Entity ID | This is for tenant identification. The users who are provisioned through this tenant can be identified using this ID. | localhost
        Destination URLs | This defines the destination URL of the identity provider. It helps service providers that connect to WSO2 Identity Server through a proxy server to locate WSO2 Identity Server. You can add multiple destination URLs, which is useful when some service providers connect to WSO2 Identity Server directly and others connect through a proxy server. | https://localhost:9443/samlsso
        SSO URL | This is the SAML SSO endpoint of the identity provider. | https://localhost:9443/samlsso
        Logout URL | This is the identity provider's endpoint that accepts SAML logout requests. | https://localhost:9443/samlsso
        Artifact Resolution URL | This is the identity provider's endpoint that resolves SAML artifacts. | https://localhost:9443/samlartresolve
        Metadata Validity Period | This is the duration for which the metadata is valid. | 60
        Enable metadata signing | This enables or disables signing of the SAML2 metadata. | false

     2. To configure OAuth2 or OIDC, click OAuth2/OpenID Connect Configuration.

        Field | Description | Sample/Fixed Value
        Identity Provider Entity ID | This is for tenant identification. The users who are provisioned through this tenant can be identified using this ID. | localhost
        Authorization Endpoint URL | This is the identity provider's OAuth2/OpenID Connect authorization endpoint URL. | https://localhost:9443/oauth2/authorize
        Token Endpoint URL | This is the identity provider's token endpoint URL. | https://localhost:9443/oauth2/token
        Token Revocation Endpoint URL | This is the URL of the endpoint at which access tokens and refresh tokens are revoked. | https://localhost:9443/oauth2/revoke
        Token Introspection Endpoint URL | This is the URL of the endpoint at which OAuth tokens are validated. | https://localhost:9443/oauth2/introspect
        User Info Endpoint URL | This is the URL of the endpoint through which user information can be retrieved by presenting an access token. | https://localhost:9443/oauth2/userinfo
        Session iFrame Endpoint URL | This is the URL of the endpoint that provides an iframe to synchronize session state between the client and the identity provider. | https://localhost:9443/oidc/checksession
        Logout Endpoint URL | This is the identity provider's endpoint that accepts OpenID Connect logout requests. | https://localhost:9443/oidc/logout
        WebFinger Endpoint URL | This is the URL of the OpenID Connect WebFinger discovery endpoint, from which WSO2 Identity Server's metadata is retrieved. | https://localhost:9443/.well-known/webfinger
        Discovery Endpoint URL | This is the URL of the endpoint that is used to discover the end user's OpenID provider and obtain the information required to interact with it, e.g., OAuth 2 endpoint locations. | https://localhost:9443/oauth2/oidcdiscovery
        Dynamic Client Registration Endpoint URL | This is the URL of the endpoint at which OpenID Connect dynamic client registration takes place. | https://localhost:9443/api/identity/oauth2/dcr/v1.1/register
        JWKS Endpoint URL | This is the URL of the endpoint that returns WSO2 Identity Server's public key set in JSON Web Key Set (JWKS) format. | https://localhost:9443/oauth2/jwks

     3. To secure the WS-Trust endpoint with a security policy, click Security Token Service Configuration. For more information on the security token service (STS), see Configuring WS-Trust Security Token Service.

  6. Optionally, view the inbound provisioning configuration by clicking Inbound Provisioning Configuration.

     Field | Description | Sample Value
     SCIM User Endpoint | This is the identity provider's endpoint for SCIM user operations, e.g., creating and managing users. | https://localhost:9443/wso2/scim/Users
     SCIM Group Endpoint | This is the identity provider's endpoint for SCIM group (user role) operations, e.g., creating user roles, assigning user roles to users, and managing user roles. | https://localhost:9443/wso2/scim/Groups

  7. Click Update.

Note

To modify the host name of the above URLs:

  1. Open the carbon.xml file in the <IS_HOME>/repository/conf directory and update the value of the <HostName> parameter.

     <HostName>localhost</HostName>

  2. Open the identity.xml file in the <IS_HOME>/repository/conf/identity directory and update the value of the <IdentityProviderURL> parameter so that it reflects the new host name.

     <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>

  3. To ensure that the client application is communicating with the right identity provider, WSO2 Identity Server compares the Destination value in the SAML request with the URL in the above configuration.
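The two checks this note describes, as an added Python example that is not part of the WSO2 documentation or product: it reads <HostName> and <IdentityProviderURL> from constructed stand-ins for carbon.xml and identity.xml, verifies that the two agree, and applies the SAML Destination comparison to a constructed AuthnRequest against a list of configured destination URLs (the proxy URL sso.example.com is an assumed value).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-ins for the two files edited in the note. The real
# carbon.xml declares a default namespace and both files hold much more;
# _text() ignores namespaces, so it works on the real files as well.
CARBON_XML = "<Server><HostName>localhost</HostName></Server>"
IDENTITY_XML = ("<Server><SSOService><IdentityProviderURL>"
                "https://localhost:9443/samlsso"
                "</IdentityProviderURL></SSOService></Server>")

# Constructed SAML2 AuthnRequest whose Destination points at the resident IdP.
AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'ID="_example1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
                 'Destination="https://localhost:9443/samlsso"/>')

# What "Destination URLs" on the Resident IdP page would hold: the direct URL
# plus an assumed proxy URL that some service providers address instead.
ALLOWED_DESTINATIONS = ["https://localhost:9443/samlsso",
                        "https://sso.example.com/samlsso"]


def _text(xml_doc, local_name):
    """Text of the first element whose namespace-stripped tag is local_name, else None."""
    for el in ET.fromstring(xml_doc).iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def hostname_consistent(carbon_xml, identity_xml):
    """Step 2 check: the host in <IdentityProviderURL> must equal <HostName>;
    otherwise requests sent to the new host no longer match the configured URL."""
    host = _text(carbon_xml, "HostName")
    url = _text(identity_xml, "IdentityProviderURL")
    if not host or not url:
        return False
    return urlsplit(url).hostname == host.lower()


def destination_accepted(authn_request_xml, allowed_destinations):
    """Step 3 check: the request's Destination must exactly equal one of the
    configured destination URLs. A request without a Destination is rejected
    here (an assumption; the SAML 2.0 schema marks the attribute optional)."""
    root = ET.fromstring(authn_request_xml)
    destination = root.get("Destination")
    return destination is not None and destination in set(allowed_destinations)
```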

Exporting SAML2 metadata of the resident IdP

  1. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration.
  2. Click Download SAML2 metadata. A metadata.xml file is downloaded to your machine.
  3. Import the metadata.xml file into the relevant service provider to configure WSO2 Identity Server as a trusted identity provider for your application.

Managing identity providers
