This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click Resident under Identity Providers

    The Resident Identity Provider page appears.

    Enter a Home Realm Identifier for the resident identity provider. You can enter multiple identifiers as a comma separated list.


    This value is essentially the domain name of the identity provider. If you do not enter a value here, when an authentication request comes to the Identity Server, a page is displayed prompting the user to specify a domain.


    Idle Session Time Out : This  represents the idle session time out for SSO sessions. The default value is set to 15min which means that if Identity Server does not receive any SSO authentication request for 15min for a given user SSO session would be timeout.  You can configure the idle time out value.

    Remember Me Period :  You can tick on the Remember Me option in Identity Server login page if you need to make remember the SSO session. You can define an expiry time for this remembrance period by configuring Remember Me Period . This is configurable and the default time is 2 weeks.

  3. Optionally, configure inbound authentication if required by setting the Indetity Identity Provider Entity Id. This is not mandatory for creating a resident identity provider.
    • If you want to change the default issuer that is localhost to a domain name, you need define the Identity Provider Entity Id under SAML2 Web SSO Configuration.

    • Configure the Security Token Service (STS). You can configure this if you want to secure the WS-Trust endpoint with a security policy.

  4. Click Update.
  5. Click Ok to the confirmation message that appears.


titleAbout URLs

You can modify the host nameoftheseURLs name of these URLs by changing the value in the <IS_HOME>/repository/conf/carbon.xml file using the following configuration.

Code Block

Once you update the host nameinthename in the carbon.xml file, change the URL to reflect the new hostname in the <IS_HOME>/repository/conf/identity/identity.xml file.

Code Block

The above URL is used for destination validation of the SAML request. The Identity Server compares the value of the "destination" inside the SAML request with the URL in the above configuration. This is done to ensure that the correct application is communicating with the right identity provider.


You can add multiple destination URLs for Identity Server using the Resident Identity Provider UI under "SAML2 Web SSO Configuration". This feature is useful when some SPs directly connect to the IS and some SPs connect through a proxy server.

  • SSO URL: https://localhost:9443/samlsso The SAML SSO endpoint of the IdentityProfivderIdentity Provider.
  • Logout URL: https://localhost:9443/samlsso
    Theend point of theIdentityPorvider The endpoint of the Identity Provider that accepts SAML log out requests.
  • Authorization Endpoint URL: https://localhost:9443/oauth2/authz The Identity Provider's OAtuh2OAuth2/ OpenID Connectauthorizationend Connect authorization end point URL.
  • Token Endpoint URL: https://localhost:9443/oauth2/token The Identity Providerstokenend Provider's token end point URL.
  • User Info Endpoint URL: https://localhost:9443/oauth2/token Theend The end point of the Identity Provider that is used to get the information of the users. Theinformationisgathred The information is gathered by passing an access token.
  • SCIM User Endpoint: https://localhost:9443/wso2/scim/Users
    The Identity Provider'send s end point for SCIM user operations, such as creating and managing users
  • SCIM Group Endpoint: https://localhost:9443/wso2/scim/Groups
    The IdentityProvidersendpointforthe Identity Provider's endpoint for the SCIM user role operations, such as creating roles, assigning users to roles, and managing roles.

Exporting SAML2 metadata of the resident IdP

To configure WSO2 Identity Server as a trusted identity provider in a service provider application, export the SAML2 metadata of the resident identity provider of WSO2 IS and import the metadata to the relevant service provider. 


Use one of the following approaches to do this. 

  1. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration
  2. Click Download SAML2 metadata. A metadata.xml file will be downloaded on to your machine.
  3.  Import the metadata.xml file to the relevant service provider to configure WSO2 Identity Server as a trusted identity provider for your application. 

    Image Added

Managing identity providers