This documentation is for WSO2 Identity Server 5.1.0.


This page describes how to enable single sign-on (SSO) to the Carbon management console using OpenSSO (OpenAM) as the identity provider (IDP).


Prerequisites

  1. Download and install OpenAM/OpenSSO (download the WAR file from here).
  2. Download the WSO2 product.

...

Info

It is not necessary to add third-party JARs to the server environment: WSO2 products ship with all the JARs needed for SAML token parsing and signature validation.

Setting up the Environment

Configuring OpenSSO

OpenSSO provides two options to register a service provider:

...

  1. Configure the sp.xml file. When doing this, keep the following in mind:

    Panel
    • The given sp.xml sample file uses https://localhost:9443/acs as the redirection URL. Configure it according to your environment: https://<carbon-server-host>:<port>/acs.
    • The entityID attribute of the EntityDescriptor element in sp.xml must match the value of ServiceProviderID in the authenticators.xml file.
    • The same values are used for the single logout (SLO) endpoints. However, single logout with OpenSSO had not been tested at the time of writing.
    • The sample metadata sets AuthnRequestsSigned and WantAssertionsSigned to false. The Carbon authenticator nevertheless uses the certificate identified by idpCertAlias to validate the signature on the IDP's response, so response signing must be enabled on the OpenSSO side (step 4 below).

    The following are the configurations used in the sp.xml file:

    Code Block
    <EntityDescriptor entityID="https://localhost:9443/acs" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <!-- Single logout endpoints: not tested with OpenSSO at the time of writing -->
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="https://localhost:9443/acs/fedletSloRedirect"
                                 ResponseLocation="https://localhost:9443/acs/fedletSloRedirect"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://localhost:9443/acs/fedletSloPOST"
                                 ResponseLocation="https://localhost:9443/acs/fedletSloPOST"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                 Location="https://localhost:9443/acs/fedletSloSoap"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <!-- Where OpenSSO delivers the SAML response; must match the Carbon server's host and port -->
            <AssertionConsumerService isDefault="true" index="0"
                                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                      Location="https://localhost:9443/acs"/>
            <AssertionConsumerService index="1"
                                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                      Location="https://localhost:9443/acs"/>
        </SPSSODescriptor>
        <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
                        xsi:type="query:AttributeQueryDescriptorType"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></RoleDescriptor>
        <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
                                           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></XACMLAuthzDecisionQueryDescriptor>
    </EntityDescriptor>
  2. Go to Common Tasks > Register Remote Service Provider and upload the file:
    1. Select sp.xml as the file to upload.
    2. Select a Circle of Trust for the remote service provider.
  3. Go to Federation > Entity Providers in the OpenSSO management console and select the newly registered service provider.
  4. Enable response signing for the service provider (select the response signing attribute). The Carbon authenticator validates this signature with the certificate identified by idpCertAlias, so it must be enabled.
  5. Under the NameID Format list, make sure both the 'transient' and 'unspecified' Name ID Formats are specified.

Setting up the WSO2 product

  • Enable the SAML authenticator and configure the IDP URL in the authenticators.xml file found at <PRODUCT_HOME>/repository/conf/security/authenticators.xml. Set disabled to false on the SAML2SSOAuthenticator element:

    Code Block
    <Authenticator name="SAML2SSOAuthenticator" disabled="false">

    Change the following parameters accordingly:

    • ServiceProviderID - This can be any identifier and does not have to be a URL. However, the configured value must equal the entityID configured in the sp.xml file.
    • IdentityProviderSSOServiceURL - This is the SSO service URL of your IDP, to which authentication requests are sent.
    • idpCertAlias - This is the alias of the certificate used to validate the response from the IDP. The OpenSSO server's public certificate must be imported into the Carbon server's keystore under the alias 'opensso' (see Exporting/Importing certificates below).

Exporting/Importing certificates

Add the signing certificate that OpenSSO uses for the selected circle of trust to the Carbon keystore (wso2carbon.jks) found at <PRODUCT_HOME>/repository/resources/security/wso2carbon.jks. You can use the Java keytool to do that.

Exporting a public key

Here we use the certificate shipped in the default OpenSSO keystore. It has the alias 'test' and is typically located at /home/opensso/opensso/keystore.jks; the default keystore password is 'changeit'. Note that this key pair is the same on every OpenSSO installation, so for anything beyond a test setup generate your own signing key in OpenSSO and export that certificate instead. To export the public certificate of 'test', use the following command:

...

Before importing, inspect the exported certificate and note its fingerprint so you can confirm the correct entry ends up in the Carbon keystore:

Code Block
keytool -printcert -file test.cer

Importing a public key

Now import test.cer into the Carbon keystore found at <PRODUCT_HOME>/repository/resources/security/wso2carbon.jks, under the alias 'opensso' (the value of idpCertAlias). The following command does this:

...

Confirm that the entry exists under the expected alias:

Code Block
keytool -list -alias opensso -keystore wso2carbon.jks -storepass wso2carbon
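The export, fingerprint check, import and verification described in this section, collected into one script. This is an added example and not a command sequence from the WSO2 documentation. The keystore paths, aliases and passwords default to the values named above (OpenSSO alias 'test' with password 'changeit', Carbon alias 'opensso' with password 'wso2carbon') and are assumptions to adjust for your environment, as is EXPECTED_SHA256, the fingerprint you obtain out of band from whoever operates OpenSSO.

```shell
#!/bin/sh
# Added example (not part of the WSO2 page): export the OpenSSO signing certificate,
# check it against a pinned SHA-256 fingerprint, import it into wso2carbon.jks under
# the alias that idpCertAlias names, and verify what actually landed in the keystore.
# All paths, aliases and passwords below are assumptions taken from the page's defaults.
set -e

OPENSSO_KEYSTORE="${OPENSSO_KEYSTORE:-/home/opensso/opensso/keystore.jks}"
OPENSSO_ALIAS="${OPENSSO_ALIAS:-test}"
OPENSSO_STOREPASS="${OPENSSO_STOREPASS:-changeit}"
CARBON_KEYSTORE="${CARBON_KEYSTORE:-${PRODUCT_HOME:-.}/repository/resources/security/wso2carbon.jks}"
CARBON_ALIAS="${CARBON_ALIAS:-opensso}"
CARBON_STOREPASS="${CARBON_STOREPASS:-wso2carbon}"
CERT_FILE="${CERT_FILE:-test.cer}"
# Fingerprint obtained out of band from the OpenSSO administrator; empty skips the pin check.
EXPECTED_SHA256="${EXPECTED_SHA256:-}"

# Pull the SHA-256 fingerprint out of `keytool -printcert` or `keytool -list -v` output (stdin).
extract_sha256_fingerprint() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Compare two fingerprints, ignoring case and colon separators; an empty fingerprint never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 1: export the public certificate (DER) of the OpenSSO signing key.
export_idp_cert() {
    keytool -exportcert -alias "$OPENSSO_ALIAS" -keystore "$OPENSSO_KEYSTORE" \
        -storepass "$OPENSSO_STOREPASS" -file "$CERT_FILE"
}

# Step 2: refuse to import a certificate whose fingerprint differs from the pinned one.
check_pinned_fingerprint() {
    actual=$(keytool -printcert -file "$CERT_FILE" | extract_sha256_fingerprint)
    if [ -n "$EXPECTED_SHA256" ] && ! fingerprints_match "$actual" "$EXPECTED_SHA256"; then
        echo "refusing import: $CERT_FILE has SHA256 $actual, expected $EXPECTED_SHA256" >&2
        return 1
    fi
    echo "certificate $CERT_FILE SHA256 $actual"
}

# Step 3: import it as a trusted certificate under the alias the authenticator looks up.
import_idp_cert() {
    keytool -importcert -noprompt -alias "$CARBON_ALIAS" -file "$CERT_FILE" \
        -keystore "$CARBON_KEYSTORE" -storepass "$CARBON_STOREPASS"
}

# Step 4: the alias must be a trustedCertEntry whose fingerprint equals the exported file's.
verify_import() {
    listing=$(keytool -list -v -alias "$CARBON_ALIAS" -keystore "$CARBON_KEYSTORE" -storepass "$CARBON_STOREPASS")
    printf '%s\n' "$listing" | grep -q 'Entry type: trustedCertEntry' \
        || { echo "alias $CARBON_ALIAS is not a trustedCertEntry" >&2; return 1; }
    in_store=$(printf '%s\n' "$listing" | extract_sha256_fingerprint)
    in_file=$(keytool -printcert -file "$CERT_FILE" | extract_sha256_fingerprint)
    fingerprints_match "$in_store" "$in_file" \
        || { echo "alias $CARBON_ALIAS holds $in_store but $CERT_FILE is $in_file" >&2; return 1; }
    echo "alias $CARBON_ALIAS in $CARBON_KEYSTORE matches $CERT_FILE ($in_store)"
}

# Run the procedure only when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_KEYTOOL:-0}" = 1 ]; then
    command -v keytool >/dev/null || { echo "keytool not on PATH" >&2; exit 1; }
    export_idp_cert && check_pinned_fingerprint && import_idp_cert && verify_import
fi
```

Run it with RUN_KEYTOOL=1 and, ideally, EXPECTED_SHA256 set. The pin check is the step that matters: keytool -importcert trusts whatever file it is handed, and whatever sits under the opensso alias afterwards is what the Carbon authenticator accepts signed responses from.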

Testing the environment

Try accessing the Carbon management console (e.g., https://localhost:9443/carbon). You are redirected to the IDP's login page (OpenSSO). Enter your username and password there. Once you are authenticated, you are redirected back to the WSO2 Carbon management console as a logged-in user.

...