This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. See here for details on adding a service provider. 
  2. Expand the Inbound Authentication Configuration followed by the WS-Federation (Passive) Configuration section and provide the following values. 

    No include

    See Configuring WS-Federation (Passive)for more information.

    • Passive STS Realm - This should be an unique identifier for the web app. Provide the same realm name given to the web app you are configuring WS-Federation for.
    • Passive STS WReply URL - Provide the URL of the web app you are configuring WS-Federation for.  This endpoint URL will handle the token response.

      Tip
      titleTip

      If you want to configure an expiration time for the security token, you need to add the following configuration in the <IS_HOME>/repository/conf/carbon.xml file, under the <Server> element:

      Code Block
      <STSTimeToLive>1800000</STSTimeToLive>

      Here, the expiration time should be specified in milliseconds.

      Image Modified

  3. Expand the Claim Configuration section and map the relevant claims. See Configuring Claims for a Service Provider for more information. 
  4. Click Update to save changes. 
Tip

Currently the signing algorithm used for passive STS by default is rsa-sha1 and the digest algorithm used is sha1. To change the default algorithms, add the following configuration under the <security> tag in the carbon.xml file found in the <IS_HOME>/repository/conf directory. The example given below sets the signing algorithm to rsa-sha256 and the digest algorithm to sha256.

Code Block
<STSSignatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</STSSignatureAlgorithm>
<STSDigestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha256</STSDigestAlgorithm>

To configure this, apply the 3758 WUM update to WSO2 IS 5.6.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Panel
titleRelated Topics