This documentation is for WSO2 Identity Server 5.1.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Start the  identity provider IS  and access the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. For the purposes of this scenario, enter the Service Provider Name as ServiceProviderSP_IS.
  4. Click Register to add the service provider.
  5. Expand the Inbound Authentication and SAML2 Web SSO Configuration sections and click Configure.
  6. Do the following configurations.

    Configurations to be doneDescription


    This must be the same as the value you enter for the Service Provider Entity Id when configuring the identity provider in the service provider IS .

    Assertion Consumer URL­: https://localhost:9443/commonauthThis is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should be defined in this format: https://(host-name):(port)/commonauth.
    Use fully qualified username in the NameIDA fully qualified username is basically the username with the user store domain. In short, the username must be in the following format: {user store domain}{user name}.
    Enable Single LogoutWhen single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile.
  7. Click Register to save your changes.



Tip: When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.

Code Block

Here, travelocitySP must be the same value as the value configured as the Issuer in the identity provider IS.

About certificates: The following is a sample command if the identity provider is WSO2 Identity Server where you can export the public certificate in PEM format.

keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem

Then, you can open the certificate file with a notepad so you see the certificate value. Copy this certificate value and put in the file within the <Certificate> tag.

Please note that above is only if the identity provider is the WSO2 Identity Server. If the identity provider is a third party IDP, then you can get the certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it between the <Certificate> tags.

Adding the service provider in the service provider IS


  1. Create new tenants in the  service provider IS .


    Note: You cannot provide access to the service provider and identity provider for a specific tenant domain. This is accessible to all the tenants configured.

  2. Open the <TOMCAT_HOME>/webapps/­INF/classes/ file.

    titleClick here to see the full contents of the file.
    Code Block
    #This is the URL of the page that is used to choose the login scheme
    #such as SAML SSO or OpenID. This Url will not be processed by the
    #Url to do send SAMLSSO AuthnRequest
    #Url to do send SAML2 Grant OAuth2 Request
    #Url to send OpenID Authentication Request
    #A unique identifier for this SAML 2.0 Service Provider application
    #SAML.Request.Query.Param=&tenantDomain=tenant.domain#The URL of the SAML 2.0 Assertion Consumer
    #The URL of the SAML 2.0 Identity Provider
    #This is the attribute name under which the authenticated session information
    #of SAML SSO and OpenID are stored
    #Identifier given for the Service Provider for SAML 2.0 attributes
    #Specify if SingleLogout is enabled/disabled
    #This is the URL that is used for SLO
    #Specify if SAMLResponse element is signed
    #Specify if SAMLAssertion element is signed
    #Specify if SAMLAssertion element is encrypted
    #Specify if AuthnRequests and LogoutRequests should be signed
    #Specify if force authentication enabled
    #Custom credentials class
    #KeyStore to cryptographic credentials
    #Password of the KeyStore for SAML and OpenID
    #Alias of the IdP's public certificate
    SAML.IdPCertAlias=wso2carbon#Alias of the SP's private key
    #Private key password to retrieve the private key used to sign
    #AuthnRequest and LogoutRequest messages
    #OAuth2 token endpoint URL
    #OAuth2 Client ID
    #OAuth2 Client Secret
    #OpenId Provider Url
    #openid.return_to parameter
    #This is the request parameter name under which to find the
    #openid.claimed_id value to send OpenID authentication request
    #Custom OpenID AttributesRequestor class
    #Additional request parameters
  3. In the file, locate and uncomment the following value. Replace the tenant domain (tenant.domain) with your newly created tenant domain.

    Code Block

    Tip: You can uncomment values in this file by removing the “#”.

  4. If you made any changes to the port offset, you must ensure that this change is reflected in the port value of the following property.

    Code Block
  5. Restart Apache Tomcat and access the travelocity application. You will be able to log in using the identity provider credentials regardless of the tenant domain you are using. Access the travelocity application using the following: http://localhost:8080/ 

titleRelated links

The following links provide additional information that may be relevant when attempting the instructions in this topic.