This documentation is for WSO2 Identity Server 5.1.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Go to the Management Console of the primary IS.
  2. Navigate to the Identity Providers section in the Main menu and click Add.
  3. Enter “Secondary" as the Identity Provider Name for this scenario.
  4. Expand the Federated Authenticators section and then expand the SAML2 Web SSOConfiguration section.
    Image RemovedImage Added 

  5. Make the following changes.
    1. Select the Enable SAML2 Web SSO checkbox.
    2. Enter “Secondary IDP” as Identity Provider Entity Id.
    3. Enter “Primary'” as the Service Provider Entity Id.
    4. Enter 'https://localhost:9444/samlsso/' as the SSO URL. This is the SAML2 SSO URL of the secondary IS.

    5. Select the Enable Logout checkbox.
  6. Click Register. The new identity provider named 'Secondary' is listed under List (go to Main menu and click List under Identity Providers).

  7. Now that the secondary Identity Server is added as an IdP in the primary Identity Server, this primary IS should be added as service provider in the Secondary IS instance.

  8. Go to Management Console of the Secondary IS instance using the following URL: https://localhost:9444/carbon

  9. Navigate to the Main menu and click Add under Service Providers. Enter service provider name as 'PrimaryIDP' for this sample scenario.

  10. Click Register

  11. In the form that appears, expand the Inbound Authentication Configuration and SAML2 Web SSO Configuration sections. 

  12. Click Configure. The following form appears.
    Image RemovedImage Added 

  13. Enter the following details in the form.

    1. Enter “Primary” as the Issuer, this is the same value as Service Provider Entity Id in step 5c.

    2. Enter value https://localhost:9443/commonauth as Assertion Consumer URL.

    3. Enable the following checkboxes.

      1. Enable Response Signing

      2. Enable Single Logout

  14. Click Update and then click Register. The primary Identity Server instance is added as the service provider in the secondary Identity Server instance.


The client application in this scenario is the travelocity sample application that can be checked out from WSO2 repo using the following command.GitHub repo. See Downloading a Sample topic for more information. 

Code Block
svn co http

The client application must be set up as a service provider in the primary Identity Server instance and this can be done by following the instruction here.

Then follow the below instructions

  1. After adding the client application as a service provider in the primary Identity Server instance, navigate to the Main menu and click List under Service Providers. Click Edit next to the service provider you created.
  2. Expand the Local & Outbound Authentication Configuration section. Here we set the travelocity client to use the primary IS instance and the identity provider named 'Secondary' also as its identity provider. For this we have to add authentication steps. 
    Image RemovedImage Added
    1. Click Advanced Configuration and from next UI, click Add Authentication Step
    2. Under Local Authenticators add the “basic” authenticator by selecting it from the combo box and clicking Add Authenticator
    3. Under Federated Authenticators select “Secondary” and add it.
    4. Click Update to save your changes.
  3. Click Update to save changes to your service provider configurations. Now when you log in to the client application it can select either the primary IS instance or secondary IS instance as the identity provider and therefore has access to both user spaces.
  4. Go to https://localhost:9443/carbon, the primary IS instance, and create a user named 'primaryuser' and set the password as 'primepass'.
  5. Go to https://localhost:9444/carbon, the secondary IS instance and create a user named 'secondaryuser' and set the password as 'secondpass'.
  6. Test your application. 
    1. After copying the "travelocity.war" file to the <TOMCAT_HOME>/webapps directory, run the Tomcat server. 
    2. Go to http://localhost:8080/ This is the client application.
      Image RemovedImage Added 
    3. Since we are using SAML for authentication, click the link in the first line. 
    4. In the resulting screen, log in with the username 'primaryuser' and the password 'primepass' for authentication as a local user in the primary IS instance.
      Image RemovedImage Added
      If you wish to authenticate a user in the secondary IS instance which is the secondary IdP, click “Secondary” under Other login options. In the resulting screen, log in using the username “secondaryuser' and password 'secondpass'. These credentials were created in the secondary IS instance.