This documentation is for WSO2 Identity Server 5.5.0. View documentation for the latest release.


Parameter | Type | Description
inboundAuthKey | String | The issuer, which is the unique identifier of the service provider. This must equal the Issuer value the service provider sends in its SAML Authentication Request, because the Identity Server uses that value to look up the registered service provider.
inboundAuthType | String | For SAML 2.0, the authentication type must be 'samlsso'.

Property Name | Property Value
attrConsumServiceIndex | The attribute consuming service index. The service provider sends this value in the SAML request (as AttributeConsumingServiceIndex) to receive the attributes of the authenticated subject.

```xml
<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>travelocity.com</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
        <!--Zero or more repetitions:-->
        <xsd1:properties>
            <!--Optional:-->
            <xsd1:name>attrConsumServiceIndex</xsd1:name>
            <!--Optional:-->
            <xsd1:value>202240762</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```


Configuring OAuth/OpenID Connect 

Permission Level: /admin/manage/identity

To add a Service Provider with OAuth capability, add an OAuth application through the OAuthAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/OAuthAdminService?wsdl. Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/OAuthAdminService?wsdl.

Input parameters

Parameter | Type | Description
OAuthVersion | String | The OAuth version. Accepted values are 'OAuth-1.0a' and 'OAuth-2.0'. If you set OAuth-1.0a, leave grantTypes empty, because that version does not use grant types.
applicationName | String | Service provider name.
applicationAccessTokenExpiryTime | String | Lifetime of application access tokens (tokens issued to the application itself through the client_credentials grant), in seconds. The sample request below uses 3600, one hour.
callbackUrl | String | The exact URL in the service provider's application to which the Identity Server redirects the authorization response: the authorization code for the code grant, or the access token itself for the implicit grant. It is required for those redirect-based grants, and it is the control that stops an attacker from supplying a redirect_uri of their own and collecting the code or token: the Identity Server only redirects to the registered value, so register the complete, exact URL and use https.

Configure multiple callback URLs

From IS 5.2.0 onwards, regex-based consumer URLs are supported when defining the callback URL. This enables you to configure multiple callback URLs for one application. For example, if you have two service providers that use the same application, you can define a regex pattern that accepts both callback URLs instead of configuring two different applications for the two service providers. Assume the two callback URLs for your two service providers are as follows:

https://myapp.com/callback
https://testapp:8000/callback

To configure the callback URL to work for both of these URLs, set it using a regex pattern as follows:

```
regexp=(https://myapp\.com/callback|https://testapp:8000/callback)
```

Note: You must have the prefix 'regexp=' before your regex pattern. To define a normal URL, specify the callback URL without this prefix. Keep the pattern as narrow as the list of exact URLs it replaces: escape literal dots, write out complete URLs rather than wildcards, and do not leave the host or path open-ended, because every URL the pattern accepts becomes a valid destination for authorization codes and tokens.

grantTypes | String | Allowed grant types, given as a space-separated list of grant identifiers (the sample request below lists all of them). The following grant types are used to obtain an access token:

Code (authorization_code): The user authenticates at the Identity Server, which redirects back to the callback URL with a short-lived authorization code; the client then exchanges the code for the access token at the token endpoint. For more information, see the Authorization Code specification.

Implicit (implicit): Similar to the code grant type, but the access token is returned directly in the redirect instead of a code. For more information, see the Implicit Grant specification.

Password (password): The client sends the user's username and password to the token endpoint and receives the access token. For more information, see the Resource Owner Password Credentials Grant specification.

Client Credential (client_credentials): The client authenticates with its consumer key and consumer secret and, if they are correct, receives an access token for itself; no user is involved. For more information, see the Client Credentials specification.

Refresh Token (refresh_token): Lets the client obtain a new access token with the refresh token once the originally issued access token has expired, without sending the user through authentication again. For more information, see the Refresh Token specification.

SAML (urn:ietf:params:oauth:grant-type:saml2-bearer): Exchanges a SAML 2.0 assertion for an access token. For more information, see the SAML2 Bearer specification.

IWA-NTLM (iwa:ntlm): Similar to the password grant type, but specific to Microsoft Windows users.

urn:ietf:params:oauth:grant-type:jwt-bearer: Shipped as a custom grant type; it exchanges a JWT for an access token. For more information, see the JWT specification.

Enable only the grant types the application actually uses. The sample request below enables all of them, which suits a playground but not a production client; implicit and password in particular should stay off unless there is a specific need for them.

oauthConsumerKey | String | The consumer key of the OAuth application. If you leave this empty, the Identity Server generates a consumer key.
oauthConsumerSecret | String | The consumer secret of the OAuth application. If you leave this empty, the Identity Server generates a consumer secret.
pkceMandatory | Boolean | Set true to reject authorization requests that do not carry a PKCE code_challenge. Recommended whenever the code grant type is enabled, and essential for public clients (mobile and single-page applications) that cannot keep a client secret, because PKCE is what stops an intercepted authorization code from being redeemed. See Mitigating Authorization Code Interception Attacks for more information.
pkceSupportPlain | Boolean | Set true to accept the 'plain' code_challenge_method in addition to S256. Leave it false unless a client genuinely cannot compute a SHA-256 hash: with 'plain' the code_verifier itself is sent as the challenge, so anyone who can read the authorization request can also redeem the intercepted code, which defeats the purpose of PKCE.
refreshTokenExpiryTime | String | Lifetime of refresh tokens, in seconds. The sample request below uses 84000.
userAccessTokenExpiryTime | String | Lifetime of user access tokens, in seconds. The sample request below uses 3600, one hour.
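The callback check described above, as an added example (not code from this page or from WSO2): a Python function that applies the documented convention, exact comparison for a plain value and a regular expression for a 'regexp=' value, together with a builder that turns a list of exact URLs into the tight pattern shown in the note and a reviewer that flags loosened patterns. It assumes the pattern must match the whole redirect_uri (whole-string matching, as Java's String.matches does); the callback list and the attacker URLs are constructed for the demonstration.

```python
import re

REGEX_PREFIX = "regexp="


def callback_matches(registered: str, redirect_uri: str) -> bool:
    """Decide whether redirect_uri is acceptable for the registered callback value.

    Follows the documented convention: a value starting with 'regexp=' is a
    regular expression, anything else is compared as an exact string.
    Assumption (not stated on the page): the pattern has to match the whole
    redirect_uri, as Java's String.matches() does, so re.fullmatch is used.
    """
    if registered.startswith(REGEX_PREFIX):
        pattern = registered[len(REGEX_PREFIX):]
        return re.fullmatch(pattern, redirect_uri) is not None
    return registered == redirect_uri


def build_callback_regex(urls) -> str:
    """Build a 'regexp=' value that accepts exactly the listed URLs and nothing else."""
    return REGEX_PREFIX + "(" + "|".join(re.escape(u) for u in urls) + ")"


def review_callback(registered: str) -> list:
    """Flag patterns that widen the set of URLs a code or token can be sent to."""
    findings = []
    if "http://" in registered:
        findings.append("plain http: the authorization response would travel unencrypted")
    if registered.startswith(REGEX_PREFIX):
        pattern = registered[len(REGEX_PREFIX):]
        if ".*" in pattern or ".+" in pattern:
            findings.append("open-ended wildcard: every host or path it matches becomes a valid redirect target")
        if re.search(r"(?<!\\)\.(?!\*|\+)", pattern):
            findings.append("unescaped '.' matches any character, so look-alike hosts match too")
    return findings


# Constructed for this example: the two callback URLs from the note above.
CALLBACKS = ["https://myapp.com/callback", "https://testapp:8000/callback"]
TIGHT = build_callback_regex(CALLBACKS)
# Two ways the pattern is commonly loosened; both are bad examples.
LOOSE_HOST = r"regexp=https://.*myapp\.com/callback"   # open-ended host prefix
LOOSE_PATH = r"regexp=https://myapp\.com/.*"           # open-ended path


def demo() -> dict:
    """Every entry is True: the tight pattern rejects the attacker URLs, the loose ones accept them."""
    return {
        "tight_accepts_registered": all(callback_matches(TIGHT, u) for u in CALLBACKS),
        "tight_rejects_subpath": not callback_matches(TIGHT, "https://myapp.com/callback/../redirect"),
        "tight_rejects_other_host": not callback_matches(TIGHT, "https://myapp.com.attacker.example/callback"),
        "loose_host_accepts_attacker": callback_matches(
            LOOSE_HOST, "https://attacker.example/?next=myapp.com/callback"),
        "loose_path_accepts_open_redirect": callback_matches(
            LOOSE_PATH, "https://myapp.com/redirect?to=https://attacker.example"),
    }


if __name__ == "__main__":
    print(TIGHT)
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    for bad in (LOOSE_HOST, LOOSE_PATH):
        print(bad, "->", review_callback(bad))
```

The LOOSE_PATH case is the one to remember: an application path that performs any redirect of its own turns a pattern ending in `.*` into a token-leaking open redirect, even though the host is correct.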

Request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:registerOAuthApplicationData>
         <!--Optional:-->
         <xsd:application>
            <!--Optional:-->
            <xsd1:OAuthVersion>?</xsd1:OAuthVersion>
            <!--Optional:-->
            <xsd1:applicationAccessTokenExpiryTime>?</xsd1:applicationAccessTokenExpiryTime>
            <!--Optional:-->
            <xsd1:applicationName>?</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:callbackUrl>?</xsd1:callbackUrl>
            <!--Optional:-->
            <xsd1:grantTypes>?</xsd1:grantTypes>
            <!--Optional:-->
            <xsd1:oauthConsumerKey>?</xsd1:oauthConsumerKey>
            <!--Optional:-->
            <xsd1:oauthConsumerSecret>?</xsd1:oauthConsumerSecret>
            <!--Optional:-->
            <xsd1:pkceMandatory>?</xsd1:pkceMandatory>
            <!--Optional:-->
            <xsd1:pkceSupportPlain>?</xsd1:pkceSupportPlain>
            <!--Optional:-->
            <xsd1:refreshTokenExpiryTime>?</xsd1:refreshTokenExpiryTime>
            <!--Optional:-->
            <xsd1:userAccessTokenExpiryTime>?</xsd1:userAccessTokenExpiryTime>
         </xsd:application>
      </xsd:registerOAuthApplicationData>
   </soapenv:Body>
</soapenv:Envelope>
```
Sample Request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:registerOAuthApplicationData>
         <!--Optional:-->
         <xsd:application>
            <!--Optional:-->
            <xsd1:OAuthVersion>OAuth-2.0</xsd1:OAuthVersion>
            <!--Optional:-->
            <xsd1:applicationAccessTokenExpiryTime>3600</xsd1:applicationAccessTokenExpiryTime>
            <!--Optional:-->
            <xsd1:applicationName>playground</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:callbackUrl>http://localhost:8080/playground2/oauth2client</xsd1:callbackUrl>
            <!--Optional:-->
            <xsd1:grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code</xsd1:grantTypes>
            <!--Optional:-->
            <xsd1:pkceMandatory>false</xsd1:pkceMandatory>
            <!--Optional:-->
            <xsd1:pkceSupportPlain>true</xsd1:pkceSupportPlain>
            <!--Optional:-->
            <xsd1:refreshTokenExpiryTime>84000</xsd1:refreshTokenExpiryTime>
            <!--Optional:-->
            <xsd1:userAccessTokenExpiryTime>3600</xsd1:userAccessTokenExpiryTime>
         </xsd:application>
      </xsd:registerOAuthApplicationData>
   </soapenv:Body>
</soapenv:Envelope>
```


Response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:registerOAuthApplicationDataResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:registerOAuthApplicationDataResponse>
   </soapenv:Body>
</soapenv:Envelope>
```


Once the OAuth application is created, retrieve the generated OAuth consumer key and consumer secret by calling the getOAuthApplicationDataByAppName service method. The response carries the consumer secret in clear text, so call the admin service only over TLS and treat the response as a credential: do not log it or leave it in shell history or scripts.

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getOAuthApplicationDataByAppName>
         <!--Optional:-->
         <xsd:appName>playground</xsd:appName>
      </xsd:getOAuthApplicationDataByAppName>
   </soapenv:Body>
</soapenv:Envelope>
```
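Putting the registration and lookup calls together, as an added example that is not part of this page or of the product: Python that builds the registerOAuthApplicationData envelope from a dictionary (so values are escaped rather than pasted into XML), reviews the settings against the cautions in the parameter table, and extracts the consumer key and secret from a getOAuthApplicationDataByAppName response. The sample application is the playground request from this page; the response is constructed to the shape of an Axis2 reply and carries the key and secret that appear in the inbound configuration sample below. The call_admin_service helper is included but not invoked; that the admin services accept HTTP basic authentication and a SOAPAction of urn:<operation> is an assumption.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.oauth.identity.carbon.wso2.org/xsd"
for prefix, uri in (("soapenv", SOAP_NS), ("xsd", AXIS_NS), ("xsd1", DTO_NS)):
    ET.register_namespace(prefix, uri)

# Element order follows the request template on this page.
APP_FIELDS = ("OAuthVersion", "applicationAccessTokenExpiryTime", "applicationName",
              "callbackUrl", "grantTypes", "oauthConsumerKey", "oauthConsumerSecret",
              "pkceMandatory", "pkceSupportPlain", "refreshTokenExpiryTime",
              "userAccessTokenExpiryTime")


def build_register_request(app: dict) -> bytes:
    """Serialise a registerOAuthApplicationData envelope from a dict.

    ElementTree escapes every value, so a name or callback containing '&' or
    '<' cannot break out of its element. Lists are joined with spaces, which is
    how grantTypes is expressed; booleans become 'true'/'false'.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{AXIS_NS}}}registerOAuthApplicationData")
    application = ET.SubElement(op, f"{{{AXIS_NS}}}application")
    for field in APP_FIELDS:
        if field not in app:
            continue
        value = app[field]
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, (list, tuple)):
            value = " ".join(value)
        ET.SubElement(application, f"{{{DTO_NS}}}{field}").text = str(value)
    return ET.tostring(env, encoding="utf-8")


def review_oauth_app(app: dict) -> list:
    """Settings a security review would question before the application goes live."""
    findings = []
    grants = set(app.get("grantTypes", ()))
    callback = app.get("callbackUrl", "")
    if "implicit" in grants:
        findings.append("implicit: the access token is exposed in the redirect URL")
    if "password" in grants:
        findings.append("password: the client handles the user's credentials")
    if "authorization_code" in grants and not app.get("pkceMandatory", False):
        findings.append("authorization_code enabled without pkceMandatory=true")
    if app.get("pkceSupportPlain", False):
        findings.append("pkceSupportPlain=true: 'plain' sends the verifier in clear, allow S256 only")
    if "http://" in callback:
        findings.append("callbackUrl uses plain http")
    return findings


def parse_app_data(response_xml: bytes) -> dict:
    """Extract the fields of a getOAuthApplicationDataByAppName response.

    Matches on local names only, because Axis2 invents the namespace prefixes
    (ns, ax2xxx) when it serialises the reply.
    """
    root = ET.fromstring(response_xml)
    ret = next(el for el in root.iter() if el.tag.endswith("}return"))
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in ret}


def call_admin_service(endpoint: str, username: str, password: str,
                       envelope: bytes, operation: str) -> bytes:
    """POST an envelope to an admin service with HTTP basic authentication.

    Not called in this example. Assumptions: the admin services accept basic
    auth for a user holding /admin/manage/identity, and the SOAPAction is
    'urn:<operation>'. Keep TLS verification on; the consumer secret travels
    over this channel.
    """
    request = urllib.request.Request(endpoint, data=envelope, method="POST")
    credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    request.add_header("Content-Type", "text/xml; charset=utf-8")
    request.add_header("SOAPAction", f"urn:{operation}")
    with urllib.request.urlopen(request) as response:
        return response.read()


# The playground application from the sample request on this page.
SAMPLE_APP = {
    "OAuthVersion": "OAuth-2.0",
    "applicationAccessTokenExpiryTime": 3600,
    "applicationName": "playground",
    "callbackUrl": "http://localhost:8080/playground2/oauth2client",
    "grantTypes": ["refresh_token", "urn:ietf:params:oauth:grant-type:saml2-bearer",
                   "implicit", "password", "client_credentials", "iwa:ntlm",
                   "authorization_code"],
    "pkceMandatory": False,
    "pkceSupportPlain": True,
    "refreshTokenExpiryTime": 84000,
    "userAccessTokenExpiryTime": 3600,
}

# Constructed reply, shaped like an Axis2 response, using the key/secret pair
# from the inbound configuration sample on this page.
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:getOAuthApplicationDataByAppNameResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xmlns:ax="http://dto.oauth.identity.carbon.wso2.org/xsd">
<ax:applicationName>playground</ax:applicationName>
<ax:oauthConsumerKey>li6JMbjW6WDMKTWsRnGcjp5zcGhi</ax:oauthConsumerKey>
<ax:oauthConsumerSecret>NMB3EAfxh4YvSTqbb3iMkongAHjW</ax:oauthConsumerSecret>
</ns:return></ns:getOAuthApplicationDataByAppNameResponse></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_register_request(SAMPLE_APP).decode())
    for finding in review_oauth_app(SAMPLE_APP):
        print("review:", finding)
    print(parse_app_data(SAMPLE_RESPONSE))
```

Run against the page's own playground settings, review_oauth_app reports five findings (implicit and password enabled, code grant without mandatory PKCE, plain PKCE allowed, http callback), which is the gap between a sample fit for a local playground and a registration fit for production.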


Once the OAuth configuration is added, the OAuth consumer key/secret details need to be included in inbound authentication configurations of the service provider.



Parameter | Type | Description
inboundAuthKey | String | OAuth client key (the consumer key returned by getOAuthApplicationDataByAppName).
inboundAuthType | String | For OAuth, the authentication type must be 'oauth2'.

Property Name | Property Value
oauthConsumerSecret | OAuth client secret (the consumer secret of the same application).

```xml
<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>li6JMbjW6WDMKTWsRnGcjp5zcGhi</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>oauth2</xsd1:inboundAuthType>
        <!--Zero or more repetitions:-->
        <xsd1:properties>
            <!--Optional:-->
            <xsd1:name>oauthConsumerSecret</xsd1:name>
            <!--Optional:-->
            <xsd1:value>NMB3EAfxh4YvSTqbb3iMkongAHjW</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```


Configuring WS-Trust Security Token service

Permission Level: /admin/manage/identity

To configure a service provider with the WS-Trust Security Token Service (STS), add a trusted service through the STSAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/STSAdminService?wsdl. Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example, https://localhost:9443/services/STSAdminService?wsdl.

Input parameters

Parameter | Type | Description
serviceAddress | String | The endpoint address of the trusted relying party.
certAlias | String | The certificate alias of the relying party's public certificate, imported into the Identity Server keystore. The STS uses this certificate to encrypt the security token it issues for the relying party, so the alias must point to the relying party's own certificate; the sample below uses the default wso2carbon alias only for illustration.

Request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addTrustedService>
         <!--Optional:-->
         <ser:serviceAddress>?</ser:serviceAddress>
         <!--Optional:-->
         <ser:certAlias>?</ser:certAlias>
      </ser:addTrustedService>
   </soapenv:Body>
</soapenv:Envelope>
```

Sample Request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.sts.security.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addTrustedService>
         <!--Optional:-->
         <ser:serviceAddress>https://www.example.com/sts</ser:serviceAddress>
         <!--Optional:-->
         <ser:certAlias>wso2carbon</ser:certAlias>
      </ser:addTrustedService>
   </soapenv:Body>
</soapenv:Envelope>
```


Response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:addTrustedServiceResponse xmlns:ns="http://service.sts.security.carbon.wso2.org">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:addTrustedServiceResponse>
   </soapenv:Body>
</soapenv:Envelope>
```


Once the trusted service is registered, the service address needs to be included in inbound authentication configurations of the service provider.


Parameter | Type | Description
inboundAuthKey | String | The endpoint address of the trusted relying party (the serviceAddress registered above).
inboundAuthType | String | For the WS-Trust Security Token Service, the authentication type must be 'wstrust'.

```xml
<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>https://www.example.com/sts</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>wstrust</xsd1:inboundAuthType>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```

Configuring WS-Federation (passive)

To configure a service provider with WS-Federation (passive), you only need to include the following parameters in the inbound authentication configurations of the service provider.

Parameter | Type | Description
inboundAuthKey | String | Passive STS realm identifier (the wtrealm value the web application sends in its sign-in request).
inboundAuthType | String | For Passive STS configuration, the authentication type must be 'passivests'.

Property Name | Type | Property Value
passiveSTSWReply | String | The URL of the web application to which the passive STS returns the issued token (the wreply value). For example: https://localhost:8080/PassiveSTSSampleApp/index.jsp
```xml
<xsd1:inboundAuthenticationConfig>
    <!--Zero or more repetitions:-->
    <xsd1:inboundAuthenticationRequestConfigs>
        <!--Optional:-->
        <xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
        <!--Optional:-->
        <xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
        <xsd1:properties>
            <xsd1:name>passiveSTSWReply</xsd1:name>
            <xsd1:value>{url}</xsd1:value>
        </xsd1:properties>
    </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
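All four inbound configurations on this page (samlsso, oauth2, wstrust and passivests) share one shape, so as an added example (not from this page or from WSO2) here is a Python builder that emits the inboundAuthenticationRequestConfigs fragment for any of them, with a well-formedness check that catches the mismatched closing tags that are easy to introduce when the XML is written by hand. The xsd1 namespace URI is an assumption, since the fragments on this page omit its declaration; the sample entries reuse the values shown on this page.

```python
import xml.etree.ElementTree as ET

# Assumption: the page shows the xsd1 prefix without its declaration; this URI is
# what the IdentityApplicationManagementService WSDL binds it to.
APP_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
ET.register_namespace("xsd1", APP_NS)

INBOUND_TYPES = ("samlsso", "oauth2", "wstrust", "passivests")


def inbound_authentication_config(entries) -> str:
    """Build an inboundAuthenticationConfig fragment.

    entries: iterable of (inboundAuthKey, inboundAuthType, properties), where
    properties is a dict of property name to value, or None. ElementTree escapes
    the values and closes every element with its own prefixed tag.
    """
    root = ET.Element(f"{{{APP_NS}}}inboundAuthenticationConfig")
    for key, auth_type, properties in entries:
        if auth_type not in INBOUND_TYPES:
            raise ValueError(f"unsupported inboundAuthType: {auth_type!r}")
        if not key:
            raise ValueError("inboundAuthKey is required")
        config = ET.SubElement(root, f"{{{APP_NS}}}inboundAuthenticationRequestConfigs")
        ET.SubElement(config, f"{{{APP_NS}}}inboundAuthKey").text = key
        ET.SubElement(config, f"{{{APP_NS}}}inboundAuthType").text = auth_type
        for name, value in (properties or {}).items():
            prop = ET.SubElement(config, f"{{{APP_NS}}}properties")
            ET.SubElement(prop, f"{{{APP_NS}}}name").text = name
            ET.SubElement(prop, f"{{{APP_NS}}}value").text = str(value)
    return ET.tostring(root, encoding="unicode")


def is_well_formed(fragment: str) -> bool:
    """True if the fragment parses; a mismatched closing tag makes it False."""
    try:
        ET.fromstring(fragment)
    except ET.ParseError:
        return False
    return True


# The four inbound protocols described on this page, with the page's sample values.
SAMPLE_ENTRIES = [
    ("travelocity.com", "samlsso", {"attrConsumServiceIndex": "202240762"}),
    ("li6JMbjW6WDMKTWsRnGcjp5zcGhi", "oauth2",
     {"oauthConsumerSecret": "NMB3EAfxh4YvSTqbb3iMkongAHjW"}),
    ("https://www.example.com/sts", "wstrust", None),
    ("TestSP", "passivests",
     {"passiveSTSWReply": "https://localhost:8080/PassiveSTSSampleApp/index.jsp"}),
]

# Constructed: the hand-editing mistake of closing <xsd1:name> as </name>.
BROKEN_FRAGMENT = (
    '<xsd1:properties xmlns:xsd1="%s"><xsd1:name>passiveSTSWReply</name>'
    '<xsd1:value>{url}</xsd1:value></xsd1:properties>' % APP_NS
)

if __name__ == "__main__":
    fragment = inbound_authentication_config(SAMPLE_ENTRIES)
    print(fragment)
    print("generated fragment well-formed:", is_well_formed(fragment))
    print("hand-written fragment well-formed:", is_well_formed(BROKEN_FRAGMENT))
```

Generate the fragment and paste it into the inboundAuthenticationConfig element of the application management request; running is_well_formed over a hand-written fragment before sending it saves a round trip to the admin service, which rejects malformed XML without saying which tag is wrong.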