This documentation is for WSO2 Identity Server 5.2.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Start the Identity Server and access the management console using https://localhost:9443/carbon/
  2. Log in to the Identity Server using default administrator credentials (the username and password are both "admin").
  3. In the management console found on the left of your screen, navigate to the Main menu and click Add under Service Provider
  4. Enter a Service Provider Name (e.g. "") and click Register
  5. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration
  6. Click Configure. The following form appears. The values entered in the screen below are configurations for the sample. 
    Image RemovedImage Added

  7. Register the new service provider by providing the following values. See Configuring Inbound Authentication for a Service Provider for more information on the fields available in this form.

    FieldDescriptionSample Value

    This is the entity ID for the SAML2 service provider


    This value should be same as the SAML2.SPEntityId value specified inside the file.
    Assertion Consumer URLs

    This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. 


    This value should be same as the SAML2.AssertionConsumerURL value mentioned inside the file.

    Enter this value: http://localhost:8080/ and click Add.
    Default Assertion Consumer URLThis must be the same value defined above. If you have defined multiple Assertion Consumer URLs, this value must be the same as the SAML2.AssertionConsumerURL value mentioned inside the  file as that is the default.
    NameID formatThe service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID) , which should be in some format so that It is easy for the other party to identify it based on the format. There are some formats that are defined by SAML2 specification. Enter the default value of this format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress  )urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Signing AlgorithmSpecifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the<IS_HOME>/repository/conf/identity/identity.xml file, in the SSOService element with SAMLDefaultSigningAlgorithmURI tag. If it is not provided, the default algorithm is RSA­SHA 1, at URI ‘­sha1.­sha1
    Digest AlgorithmSpecifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the<IS_HOME>/repository/conf/identity/identity.xml file, in the SSOService element with SAMLDefaultDigestAlgorithmURI tag. If it is not provided the default algorithm is SHA 1, at URI ‘
    Use fully qualified username in the NameID

    A fully qualified username is basically the user name with the user store domain. In short, the username must be in the following format: {user store domain}{user name}

    Set as true by selecting the checkbox
    Enable Response Signing

    This is used to sign the SAML2 Responses returned after the authentication process is complete.

    Set as true by selecting the checkbox
    Enable Assertion Signing

    This is done to sign the SAML2 Assertions returned after the authentication process. SAML2 relying party components expect these assertions to be signed by the Identity Server.

    Set as true by selecting the checkbox
    Enable Signature Validation in Authentication Requests and Logout RequestsThis specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request that are sent by the service provider. Set as true by selecting the checkbox
    Enable Assertion EncryptionThis defines whether the SAML2 assertion must be encrypted or not. 
    Certificate AliasThis is used to validate the signature of SAML2 requests and is used to generate encryption.Select wso2carbon
    Enable Single LogoutEnable this to ensure that all sessions are terminated once the user signs out from one server.Set this as true by selecting the checkbox
    Enable Attribute ProfileThe Identity Server supports a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as an attribute statement. You can define the claims that must be included under service provider claim configurations. Also, once you select the “Include Attributes in the Response Always” checkbox, the identity provider always includes the attribute values related to selected claims in the SAML Attribute statement.
    Enable Audience RestrictionYou can define multiple audiences in the SAML Assertion. Configured audiences would be added into the SAML2 Assertion.
    Enable IdP Initiated SSO
    The service provider is not required to send the SAML2 request when this is enabled. Do a GET request following this pattern:

    https://{Hostname}:{Port}/samlsso?spEntityID={SAML2 SSO Issuer name}


    If your SAML2 SSO issuer has been configured in any other separate tenant other than super tenant, then you need to append thetenantDomain parameter as well.

    If the tenant domain is, the GET request would be as follows:


    Enable IdP initiated SLO

    The Identity Server facilitates IdP initiated SAML2 single log out requests. The following parameters can be used with the IdP initiated SLO request:

    • slo (mandatory parameter) - Must have the value “true” to mark the request as an IdP initiated log out request
    • spEntityID (optional) - Value of the parameter should be the SAML issuer name as in “Issuer” field in the SAML service provider configuration UI.
    • returnTo (optional) - Value of the parameter should be the URL which needs to be redirected to, after the log out.


      If this parameter is present in the request, then the ‘spEntityID’ parameter must also be present.
      Since this needs to be a trusted location, the value that comes with the request must match with one of the assertion consumer URLs or returnTo ULRs of the service provider.

    returnTo URL: https://localhost:8080/

    Note: To add the correct tenant domain with the username as the subject identifier in tenant mode,

    Expand the Local & Outbound Authentication Configuration section and do the following. 

    • Select Use tenant domain in local subject identifier to append the tenant domain to the local subject identifier.
    • Select Use user store domain in local subject identifier to append the user store domain that the user resides in the local subject identifier.

    For super tenant mode, this step is not required and the two options mentioned above should remain disabled by default.