This documentation is for WSO2 Identity Server 5.3.0. View documentation for the latest release.
Page Comparison - Adding and Configuring a Service Provider (v.50 vs v.51) - Identity Server 5.3.0 - WSO2 Documentation


This topic provides instructions on how to add a new service provider. You must provide configuration details to add this service provider in the WSO2 Identity Server so that the authentication and/or provisioning happens as expected. For more information on how the service provider fits in to the WSO2 IS architecture, see Architecture.

The responsibility of the service provider configuration is to represent external service providers. The service provider configurations cover the following:

  • Define how the service provider talks to the Identity Server 
    This is via inbound authenticators. When you register a service provider, you need to associate one or more inbound authenticators with it.
  • Define how to authenticate users
    This can be via a local authenticator, request-path authenticator or federated authenticator. Based on this configuration, the Identity Server knows how to authenticate the user when it receives an authentication request (via an inbound authenticator) and based on the service provider who initiates it.
  • Maintain claim mapping
    This maps the service provider's own set of claims to the Identity Server's claims. For example, a user profile in the Identity Server may have a claim called work email (http://wso2.org/claims/emails.work), while your service provider application expects it to be sent as email; that translation is done via claim mappings. When the authentication framework hands over a set of claims (obtained from the local user store or from an external identity provider) to the response builder of the inbound authenticator, the framework consults the service provider configuration component, finds the claim mapping and performs the claim conversion, so the response builder receives the claims in a form understood by the corresponding service provider. See Configuring Inbound Authentication for a Service Provider for more information about the response builder, and read more about WSO2 IS claim management.

This topic contains the following sections.


Adding a service provider

Note: This section only describes how to add a service provider using the Management Console. Instead of adding a service provider via the management console, it is also possible to add one using a configuration file as described here.

  1. Log in to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field.

    Warning
    The Service Provider Name should not contain any special characters except for full stops (.), hyphens (-), underscores (_) and spaces.
    Note
    The 20th January 2018 (2018-1-21) WUM update provides a better user experience for managing application certificates. These certificates are used to validate the signatures in the messages (e.g., SAML requests) that come from the applications. In WSO2 IS these applications are known as service providers.
    The WUM update provides the following improvements:
    • Allows the Identity administrator to add the application certificate in the service provider creation User Interface (UI) of the management console.
      Previously, when configuring the service provider, the Identity administrator had to add the certificate to the keystore and then specify the certificate alias name.
    • Stores the certificates in the database instead of the keystore file.
      Previously, after adding a new certificate, you had to restart WSO2 IS because the keystore file was used to store the certificates.
    Follow the steps given below to enable the feature:
    1. WUM update your product to the 20th January 2018 update or beyond. For more information on updating WSO2 Identity Server, see Updating WSO2 Products.
    2. Add the database schema to store the certificates.
      Refer to the update summary PDF document in the <WUM_UPDATE_PRODUCT_ARCHIVE>/updates/summary-<DATE> directory for the details of the SQL queries.
      Once the schema change is done, the feature is available on your WUM updated WSO2 IS 5.3.0 pack.

    Adding a service provider after enabling the feature:

    1. Click Add under Service Providers.
    2. Add a name and description for the service provider.
    3. Copy the content in your .pem certificate and paste it as the value for Application Certificate.

    4. Click Register.


    It is not mandatory to WUM update your WSO2 IS 5.3.0 pack and enable this new feature.
    If you do WUM update the pack, WSO2 IS 5.3.0 remains backward compatible and falls back to the previous implementation, locating the certificate in the keystore, whenever no certificate has been added via the management console.
    For example, in a SAML SSO flow, the certificate alias given in the SAML inbound authentication configuration is used when no certificate has been added via the management console. For OIDC request object signature validation, the thumbprint in the JWT is used.




  4. Click Register to add the new service provider.

    Note: The service provider you create can be viewed by any user within your tenant domain in the Main view of the management console by clicking List under the Service Provider section. However, keep in mind that when a service provider is created, it is assigned to an "Internal" role. All users in the tenant domain must be assigned to this role in order to view the service provider created. See Configuring Roles for guidance on how to do this.

  5. The Service Providers screen appears. Here you have the option of selecting if the service provider is a SaaS Application or not. The SaaS Application configuration defines which users you want to be able to log into your web application.

    Tip: By default, the SaaS Application checkbox is disabled, which means the web application is not shared among tenants, so only users in the current tenant (the one you use to define the service provider) are allowed to log into the web application. If you enable the SaaS Application checkbox, the web application is shared among tenants, so users from any tenant are allowed to log into it. For example, suppose there are three tenants, TA, TB and TC, and the service provider is registered and configured only in TA:

    • If the SaaS Application configuration is disabled, only users in TA are able to log into the web application.

    • If the SaaS Application configuration is enabled, all TA, TB, TC users are able to log into the web application.

    • For more information on creating and managing tenants, see Creating and Managing Tenants.
  6. In the resulting screen, click the arrow buttons to expand the forms available to update.

    For details on each form, see the following pages:

    • Configuring Claims for a Service Provider
    • Configuring Roles and Permissions for a Service Provider
    • Configuring Inbound Authentication for a Service Provider
    • Configuring Local and Outbound Authentication for a Service Provider
    • Configuring Inbound Provisioning for a Service Provider
    • Configuring Outbound Provisioning for a Service Provider

  7. Click the Update button to update the details of the service provider.
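The Application Certificate pasted in step 3 is what WSO2 IS uses to validate signatures on incoming messages such as SAML requests, so it pays to check the PEM file before pasting it. The following shell function is an added example, not part of the WSO2 documentation; it assumes the openssl command-line tool is installed and checks that the file holds only a public certificate (no private key), that it parses as X.509, and that it has not already expired.

```shell
# check_app_cert FILE
# Returns 0 and prints subject, validity period and SHA-256 fingerprint when
# FILE is a parseable, unexpired X.509 certificate in PEM form suitable for
# the Application Certificate field; returns 1 with a reason otherwise.
# Assumes the openssl CLI is on PATH (added example, not WSO2 code).
check_app_cert() {
  f="$1"
  # A PEM paste must contain a CERTIFICATE block; anything else is rejected.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
    echo "no CERTIFICATE block found in $f" >&2
    return 1
  fi
  # Key files are often bundled with the certificate; never paste those.
  if grep -q -- 'PRIVATE KEY-----' "$f"; then
    echo "$f contains a private key; paste only the public certificate" >&2
    return 1
  fi
  # Must parse as X.509 (a truncated or corrupted paste fails here).
  if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
    echo "$f is not a valid X.509 certificate" >&2
    return 1
  fi
  # -checkend 0 fails when the certificate is already past notAfter.
  if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
    echo "$f has expired" >&2
    return 1
  fi
  openssl x509 -in "$f" -noout -subject -dates -fingerprint -sha256
}
```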

Configuring a resident service provider

WSO2 Identity Server can mediate authentication requests between service providers and identity providers. At the same time, the Identity Server itself can act as a service provider and an identity provider. When it acts as a service provider it is known as the resident service provider.

The Identity Server mainly acts as a resident service provider while adding users to the system. You can enable provisioning configurations for the resident service provider. For example, if you add users to the system via the SCIM API (you must use a privileged local account to authenticate to the API with HTTP Basic Authentication), the system reads the provisioning configurations from the resident service provider.

At the same time, if you want to configure outbound provisioning for any user management operation done via the management console, SOAP API or the SCIM API, you must configure outbound provisioning identity providers against the resident service provider. So, based on the outbound configuration, users added from the management console will also be provisioned to external systems like Salesforce and Google Apps.

Follow the instructions below to configure a resident service provider in the WSO2 Identity Server.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Click Resident under the Service Providers on the Main tab. 
  3. The Resident Service Provider page appears.
    1. Select the user store domain to provision users and groups for inbound authentication for SCIM or SOAP requests.
    2. For outbound provisioning configurations, select the identity provider from the dropdown list available and click the plus button to add this identity provider for provisioning. For an identity provider to appear on this list you have to add the identity provider in the Identity Server. The following are the names that would appear for each type of provisioning connector.
      • Google provisioning connector - Google and googleapps
      • Salesforce provisioning connector - salesforce.com and salesforce
      • SCIM provisioning configuration - scim
      • SPML provisioning configuration - spml
  4. Click Update.

Managing service providers

This topic provides instructions on how to manage service providers once they are created.

Viewing service providers

Follow the instructions below to view the list of service providers added in the WSO2 Identity Server.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.

Editing service providers

Follow the instructions below to edit a service provider's details.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
  3. Locate the service provider you want to edit and click on the corresponding Edit link.
  4. You are directed to the edit screen. See here for details on the editable form.

Deleting service providers

Follow the instructions below to delete a service provider.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
  3. Locate the service provider you want to delete and click on the corresponding Delete link.
  4. Confirm your request in the WSO2 Carbon window. Click the Yes button.
Related Topics

See the following topics for information on configuring service providers using different specifications.

  • See the Single Sign-On topic for details on how to configure a service provider for single sign-on using different specifications.
  • See Identity Provisioning for information on configuring inbound and outbound provisioning with a service provider.

See the following topics to configure different applications as service providers in Identity Server.