Single sign-on is a key feature of the WSO2 Identity Server that enables users to access multiple applications using the same set of credentials. Additionally, the user can access all these applications without having to log into each and every one of them individually. For instance, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials.
The profiles specification for Security Assertion Markup Language 2.0 (SAML 2.0) defines single sign-on based on a web browser. This topic provides instructions on how to use the sample available in the WSO2 Identity Server to configure SSO using SAML 2.0 with a sample service provider.
See the following topics for instructions on how to configure the sample with the WSO2 Identity Server.
|Table of Contents|
If you are running this sample on WSO2 Application Server, note that both SSOAgentSample application and WSO2 Application Server, contain different versions of the same slf4j jar. As a solution you can select ONE of the following approaches.
Configuring the SSO web application
|To obtain and configure the single sign-on travelocity sample, follow the steps below.|
Now the web application is successfully deployed on a web container.
Configuring the service provider
The next step is to configure travelocity.com as the service provider. The following steps instruct you on how to do this.
- Start the Identity Server and access the management console using
- Log in to the Identity Server using default administrator credentials (the username and password are both "admin"). If you need to create the service provider in a tenant space, you need to login with tenants user.
- In the management console found on the left of your screen, navigate to the Main menu and click Add under Service Provider.
- Enter a Service Provider Name (e.g. travelocity.com) and click Register.
- Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration.
- Select Manual Configuration.
- Register the new service provider by providing the following values. See the table below for more information about the fields in this form.
This is the entity ID for the SAML2 service provider
|Assertion Consumer URLs|
This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request.
|Enter this value: |
|Default Assertion Consumer URL||This must be the same value defined above. If you have defined multiple Assertion Consumer URLs, this value must be the same as the |
|NameID format||The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID) , which should be in some format so that It is easy for the other party to identify it based on the format. There are some formats that are defined by SAML2 specification. Enter the default value of this format (|
|Certificate Alias||This is used to validate the signature of SAML2 requests and is used to generate encryption.|
In a tenant : Select the Certificate Alias with tenant domain name
|Response Signing Algorithm||Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the|
|Response Digest Algorithm||Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the|
|Enable Response Signing|
This is used to sign the SAML2 Responses returned after the authentication process is complete.
|Set as true by selecting the checkbox|
|Enable Signature Validation in Authentication Requests and Logout Requests||This specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request that are sent by the service provider.||Leave unchecked for travelocity sample|
|Enable Assertion Encryption||This defines whether the SAML2 assertion must be encrypted or not.||Leave unchecked for travelocity sample|
|Enable Single Logout||Enable this to ensure that all sessions are terminated once the user signs out from one server.||Set this as true by selecting the checkbox|
|SLO Response URL||If the service provider has a different endpoint that accepts the single logout response other than the assertion consumer URL, you can provide that endpoint value here.|
|SLO Request URL||If the service provider has a different endpoint that accepts single logout requests from the identity server other than the assertion consumer URL, you can provide that endpoint value here.|
SAML single logout is supported by both SAML Back-Channel Logout and SAML Front-Channel Logout methods. By default, when you select Enable Single Logout, it will enable Back-Channel Logout . In order to enable SAML Front-Channel Logout, you can either select Front-Channel Logout (HTTP Redirect Binding) or Front-Channel Logout (HTTP POST Binding) .
|Select Back-Channel Logout for travelocity sample|
|Enable Attribute Profile||The Identity Server supports a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as an attribute statement. You can define the claims that must be included under service provider claim configurations. Also, once you select the “Include Attributes in the Response Always” checkbox, the identity provider always includes the attribute values related to selected claims in the SAML Attribute statement.||Leave unchecked for travelocity sample|
|Enable Audience Restriction||You can define multiple audiences in the SAML Assertion. Configured audiences would be added to the SAML2 Assertion.||Leave unchecked for travelocity sample|
|Enable IdP Initiated SSO|
Depending on your application flow you can choose whether to enable IdP initiated SSO. The IdP initiated SSO profile enables to start an authentication flow by sending a GET request to the Identity server with the following format.
Leave unchecked for travelocity sample
|Enable IdP initiated SLO|
The Identity Server facilitates IdP initiated SAML2 single log out requests. This is useful if the application can not manage the session index received with the SAML response and still wants to perform log out. The following parameters can be used with the IdP initiated SLO request:
|Leave unchecked for travelocity sample|
|Enable Assertion Query Request Profile||Enable Assertion Query Request Profile can used for query assertions following SAML2.0 specification. This can query assertions that are persisted to the database when you login to the service provider application. For more information, see Querying SAML Assertions.||Leave unchecked for travelocity sample|
Note: To add the correct tenant domain with the username as the subject identifier in tenant mode,
Expand the Local & Outbound Authentication Configuration section and do the following.
9. Click Update to register.
- Configure claims for the service provider. To do this, do the following. For more information on configuring this, see Configuring Claims for a Service Provider.
- Expand the Claim Configuration section in the service provider form.
- You can select the claims that must be sent to the service provider. If you just want to send them as claim URIs, select Use Local Claim Dialect.
- Alternatively, if you want to define new claim URIs for the attributes that are sent, you can define any values for them and map these values with the claim URIs local to WSO2.
For example, you want to set the email address of the user as
- After providing the above information, click Register.
- By default outbound authentication has been set as Default authentication type. This specifies that the identity provider authenticates the users with the username/password by validating with the identity provider's user store.
After successfully registering the service provider, log out from management console. The next step is to run the sample.
Running the sample
http://wso2is.local:8080/travelocity.com. You are directed to the following page:
- Since you need to use SAML2 for this sample, click the first link, i.e., Click here to login with SAML from Identity Server. You are redirected to the Identity Server for authentication.
- Enter the default admin credentials (admin/admin).
- Now you are logged in and you can see the home page of the travelocity.com app.