Page History

Note: When a service provider is created, it is assigned to a "APPLICATION" role (for instance, if you add Travelocity as the service provider, then the role will look like "Application/travelocity"). Users who wish to manage the created service provider should have this application role assigned. See Configuring Roles for guidance on how to do this.

When is this certificate used

This certificate is used to validate the signatures of the signed requests from the application (service provider) to the Identity Server. Therefore, the certificate is used in below scenarios:

• Validate the signature of the SAML2 authentication requests and the SAML2 logout requests that are sent by the service provider
  https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On#ConfiguringSingleSign-On-Configuringtheserviceprovider
  
  
• Encrypt id_token sent to the service provider in OIDC Authentication Response
  
  
• Validate Signed Request Object sent in OAuth2/OIDC Authorization Request
  https://docs.wso2.com/display/IS550/OIDC+Request+Object+Support+in+WSO2+Identity+Server

Format of the certificate

WSO2 IS expects the certificate to be in PEM format.

PEM is a Base64 encoded format, therefore contains ASCII character and easier to deal with rather than a binary encoded certificate.

How to obtain the PEM encoded certificate

The PEM content of a certificate in a JKS file, can be obtained by following the steps below:

1. Export the certificate from the keystone. The exported certificate will be in binary format.

keytool -export -keystore <keystore-path> -alias <alias-of-the-certificate> -file <path-of-the-expected-certificate-file>

e.g. keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2carbon.crt

2. Convert the above binary encoded certificate to a PEM encoded certificate

openssl x509 -inform der -in <path-of-binary-certificate> -out <path-of-expected-pem-content>

e.g. openssl x509 -inform der -in wso2carbon.crt -out wso2carbon.pem

Note: You can paste the public certificate in to the given text area or upload file in PEM format. If the Application Certificate field is left blank, WSO2 IS is backward compatible and follows the previous implementation to locate the certificates in the keystore.
This means that if it is a SAML SSO flow, the certificate alias mentioned in SAML inbound authentication configuration is used when the certificate is not updated via the management console. If it is an OIDC request object signature validation, the certficate will be retrived from default keystore, aliase to consumer key of the auth application.

Tip: By default, the SaaS Application check box is disabled, which means the web application is not shared among tenants so only users in the current tenant (the one you use to define the service provider) will be allowed to log into the web application. Alternatively, if you enabled the SaaS Application check box, that means this web application is shared among tenants so users from any tenant will be allowed to log into the web application. For example, if there are three tenants, namely TA, TB and TC and the service provider is registered and configured only in TA.

• If the SaaS Application configuration is disabled, only users in TA are able to log into the web application.

• If the SaaS Application configuration is enabled, all TA, TB, TC users are able to log into the web application.

• For more information on creating and managing tenants, see Creating and Managing Tenants.

In the resulting screen, click the arrow buttons to expand the forms available to update.