Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Start the IS server and log in to its Management Console UI (https://localhost:9443/carbon). 

    Tip

    If you use login pages that are hosted externally to log in to the Identity Server, give the absolute URLs of those login pages in the authenticators.xml and application-authenticators.xml files in the <IS_HOME>/repository/conf/securityidentity directory.

  2. Select Add under Service Providers menu.
  3. Give a service provider name and click Register.

    Tip

    In a multi tenanted environment, for all tenants to be able to log in to the APIM Web applications, do the following:

    • Click the SaaS Application option that appears after registering the service provider.

      If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, let's say you have three tenants as TA, TB and TC and you register the service provider in TA only. If you tick the SaaS Application option, all users in TA, TB, TC tenant domains will be able to log in. Else, only users in TA will be able to log in.

    • Add the following inside the <SSOService> element in the <IS_HOME>/repository/conf/identity.xml file and restart the server.

      Code Block
      <SSOService>
            <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
            ...
      </SSOService>

      If not, you get an exception as SAML response signature verification fails.

    • Because the servers in a multi-tenanted environment interact with all tenants, all nodes should share the same user store. Therefore, make sure you have a shared registry (JDBC mount, WSO2 Governance Registry etc.) instance across all nodes.
  4. You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section.

  5. Provide the configurations to register the API Publisher as the SSO service provider. These sample values may change depending in your configuration.

      • Issuer : API_PUBLISHER
      • Assertion Consumer URL : https://localhost:9443/publisher/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL for the acs page in your running publisher app.
      • Select the following options:

        • Use fully qualified username in the NameID

        • Enable Response Signing

        • Enable Assertion Signing

        • Enable Single Logout

      • Click Register once done.

    For example:

  6. Similarly, provide the configurations to register the API Store as the SSO service provider. These sample values may change depending in your configuration.

      • Issuer : API_STORE
      • Assertion Consumer URL :  https://localhost:9443/store/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL for the acs page in your running store app.
      • Select the following options:
        • Use fully qualified username in the NameID
        • Enable Response Signing
        • Enable Assertion Signing
        • Enable Single Logout
      • Click Register once done.
  7. Make sure that the responseSigningEnabled element is set to true in both the following files:
    • <AM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json
    • <AM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json

...