This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • Authenticator disabled - This should be set to false.
  • Priority - This is the priority level of the authenticator. In the Carbon Runtime, the authenticator with the highest priority will be picked up. This value should be greater than 5 in order to supersede the default username/password-based authenticator.
  • Parameter LoginPage - This is the default login page URL of Carbon. All requests coming to this page will be intercepted for authentication. It is not necessary to change this value from the value given in the sample configuration.
  • Parameter ServiceProviderID - This is the unique identifier for the Carbon Server in an SSO setup. This value should be used as the value of the issuer in the Identity Server configuration.
  • Parameter IdentityProviderSSOServiceURL - This is the Identity Server URL to which the users will be redirected for authentication. It should have this format: https://(host-name):(port)/samlsso.
  • Parameter NameIDPolicyFormat - This specifies the name identifier format that the Carbon server wants to receive in the subject of an assertion from a particular identity provider.
  • Parameter IdPCertAlias - This is uncommented by default. This is the alias of the identity provider certificate. This is specifically used whenever a Carbon server uses IS as the identity provider. The configuration needs to be done at the relying party server's <PRODUCT_HOME>/repository/conf/security/authenticators.xml file.

Step 3 - Sharing the user store

For single sign-on to work, you need to configure the WSO2 products to share a common user store. For more information on configuring this, see Configuring the Primary User Store.

Step 4 - Configuring the Identity Server as the Single Sign-On provider

Finally, you need to configure the Identity Server to act as the Single Sign-on provider. Each relying party should be registered as a service provider at the Identity Server-end. The following is a sample configuration for registering a Carbon server as a service provider.