This documentation is for WSO2 Identity Server 5.7.0. View documentation for the latest release.
Page Comparison - Adding and Configuring an Identity Provider (v.15 vs v.16) - Identity Server 5.7.0 - WSO2 Documentation


...

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Fill in the details in the Basic Information section. 

    Note the following when filling the above form.

    Field: Identity Provider Name
    Description: The Identity Provider Name must be unique, as it is used as the primary identifier of the identity provider.
    Sample value: FacebookIdP

    Field: Display Name
    Description: The Display Name is used to identify the identity provider. If it is left blank, the Identity Provider Name is used instead. This is the name shown on the login page when selecting the identity provider to log in to the service provider with.
    Sample value: Facebook

    Field: Description
    Description: The Description is shown in the list of identity providers to give more information about what the identity provider is. This is particularly useful when many identity providers are configured and a description is needed to tell them apart.
    Sample value: This is the identity provider configuration for Facebook.

    Field: Federation Hub Identity Provider
    Description: Select the Federation Hub Identity Provider check box to indicate that this entry points to an identity provider that acts as a federation hub. A federation hub is an identity provider that has multiple identity providers configured under it and redirects users to the correct one based on their Home Realm Identifier or Identity Provider Name. When this check box is selected, an additional window appears on the multi-option page of the first Identity Server to collect the home realm identifier of the desired identity provider in the hub.
    Sample value: Selected

    Field: Home Realm Identifier
    Description: A Home Realm Identifier value can be specified for each federated IdP. The service provider can send this value as the fidp query parameter (e.g., fidp=googleIdp) in the authentication request. WSO2 Identity Server then looks up the IdP that matches the fidp value and redirects the end user to that IdP directly instead of showing the SSO login page. This lets you skip the multi-option page in a multi-option scenario.
    Sample value: FB

    Field: Identity Provider Public Certificate
    Description: The Identity Provider Public Certificate is the public certificate of the identity provider. Uploading it is required so that WSO2 Identity Server can verify the signatures on responses and assertions received from the identity provider.
    If necessary, you can upload multiple certificates for an identity provider. This is useful when one certificate has expired but a second one can still be used for certificate validation.

    For example, consider a scenario where a third-party IdP needs to change its certificate within a week but cannot specify the exact time at which the change will happen. Here it is useful to upload a secondary certificate for the IdP, so that during SAML assertion validation the second certificate is tried if validation fails with the first. Note that every uploaded certificate is accepted for validation; once the rotation is complete, remove the retired certificate so that assertions signed with its key are no longer accepted.

    Tip: If you are adding an identity provider using a configuration file and want to specify multiple certificates for it, use the following sample configuration (the certificate values shown are truncated samples):

    <Certificate>
    -----BEGIN CERTIFICATE-----
    MIIDUTCCAjmgAwIBAgIEXvHuADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJMSzELMAkGA1UE
    CBMCV1MxCzAJBgNVBAcTAlNMMQ0wCwYDVQQKEwRIb21lMQ0wCwYDVQQLEwRIb21lMRIwEAYDVQQD
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDUTCCAjmgAwIBAgIEXvHuADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJMSzELMAkGA1UE
    CBMCV1MxCzAJBgNVBAcTAlNMMQ0wCwYDVQQKEwRIb21lMQ0wCwYDVQQLEwRIb21lMRIwEAYDVQQD
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDUTCCAjmgAwIBAgIEHMcPtzANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJM
    SzELMAkGA1UECBMCV1MxCzAJBgNVBAcTAlNMMQ0wCwYDVQQKEwRIb21lMQ0wCwYD
    -----END CERTIFICATE-----
    </Certificate>

    See Using Asymmetric Encryption in the WSO2 Product Administration Guide for information on how public keys work and how to get keys signed by a certification authority.
    Sample value: This can be any certificate. If the identity provider is another WSO2 Identity Server, this can be its wso2.crt file.

    Note: To export that certificate from another WSO2 Identity Server, open a command line, go to the <IS_HOME>/repository/resources/security/ directory of that server, and run the following command:

    keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon

    This generates the wso2.crt file in the same <IS_HOME>/repository/resources/security/ directory. The wso2carbon keystore, alias and password used here are the product defaults; a production deployment should use its own keystore and key pair. Click Choose File, navigate to this location, and select the file to upload it.

    See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information.

    Field: Alias
    Description: The Alias is a value that has an equivalent value specified in the identity provider being configured. It is required for authentication in some scenarios.
    Sample value: https://localhost:9443/oauth2/token



    About the federation hub and the home realm identifier

    The federation hub has multiple identity providers configured under it. In a typical federation hub, each identity provider can have a unique home realm identifier that identifies the identity provider you are logging in to.

    When a user tries to log in to a service provider, the following flow happens:

    • The Identity Server on which the service provider is configured finds the required federated authenticator from the service provider configuration.
    • If that identity provider is configured as a federation hub, the user can specify the preferred identity provider within the hub on the multi-option page of the first Identity Server.
    • This information is passed along with the authentication request to the federation hub.
    • When the request reaches the federation hub, it is sent to the identity provider that the user specified on the first Identity Server. For instance, if the user prefers to log in with Facebook credentials and Facebook is one of the identity providers configured in the federation hub, the user simply specifies Facebook as the domain on the login screen of the first Identity Server.

    When the Home Realm Identifier is not specified, the user either selects the domain name from a drop-down list on the login page or enters the domain value on a separate page before logging in. This is configured as follows.

    Open the <IS_HOME>/repository/conf/identity/application-authentication.xml file. The ProxyMode configuration sets the framework to either smart mode or dumb mode. In smart mode, both local and federated authentication are supported; in dumb mode, only federated authentication is supported. If dumb mode is configured, the Home Realm Identifier must be provided in the request, or a separate screen must be shown to the user to collect it.

    If smart mode is configured, the default behaviour applies: the user can enter a local username and password or use a federated authenticator.

    <ProxyMode>smart</ProxyMode>
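    The following Python sketch is added here as an illustration of the routing decision described above; it is not WSO2 Identity Server code. An authentication request carrying a fidp value that matches a configured Home Realm Identifier is sent straight to that IdP, an unknown value falls back to the normal flow, and in dumb mode a request without a usable fidp is answered with a prompt for the home realm. The registry entries and the two page paths are assumed values, not WSO2 configuration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry for illustration (not a real deployment): Identity Provider Name ->
# its Home Realm Identifier and the URL the framework redirects to for that IdP.
IDP_REGISTRY = {
    "FacebookIdP": {"home_realm": "FB",
                    "redirect": "https://www.facebook.com/dialog/oauth"},
    "googleIdp": {"home_realm": "google",
                  "redirect": "https://accounts.google.com/o/oauth2/auth"},
}

# Assumed paths for the multi-option page and the "enter your domain" page.
MULTI_OPTION_PAGE = "/authenticationendpoint/login.do"
HOME_REALM_PROMPT = "/authenticationendpoint/domain.jsp"


def resolve_home_realm(fidp, registry):
    """Return the Identity Provider Name whose Home Realm Identifier equals fidp, else None."""
    for name, cfg in registry.items():
        if cfg["home_realm"] == fidp:
            return name
    return None


def route_authentication_request(request_url, proxy_mode="smart", registry=IDP_REGISTRY):
    """Decide where an incoming service-provider authentication request sends the user.

    Returns (action, target), where action is one of:
      'redirect'          -> straight to the federated IdP named by fidp (multi-option page skipped)
      'multi_option'      -> show the multi-option login page (smart mode)
      'prompt_home_realm' -> ask the user for the home realm (dumb mode, no usable fidp)
    """
    if proxy_mode not in ("smart", "dumb"):
        raise ValueError("ProxyMode must be 'smart' or 'dumb'")

    query = parse_qs(urlsplit(request_url).query)
    fidp_values = query.get("fidp", [])
    if fidp_values:
        name = resolve_home_realm(fidp_values[0], registry)
        if name is not None:
            # The redirect target comes from the registry, never from the request,
            # so an arbitrary fidp value cannot turn this into an open redirect.
            return "redirect", registry[name]["redirect"]
        # Unknown fidp: fall through to the normal flow instead of failing hard.

    if proxy_mode == "dumb":
        return "prompt_home_realm", HOME_REALM_PROMPT
    return "multi_option", MULTI_OPTION_PAGE


if __name__ == "__main__":
    sp_request = "https://localhost:9443/samlsso?SAMLRequest=x&fidp=FB"
    print(route_authentication_request(sp_request))
    print(route_authentication_request(sp_request.replace("fidp=FB", "fidp=unknown")))
    print(route_authentication_request("https://localhost:9443/samlsso?SAMLRequest=x",
                                       proxy_mode="dumb"))
```

    The design point is that fidp is only ever a lookup key: the value a service provider supplies selects an entry from configuration, and the redirect URL is always taken from that entry.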

    About the Alias

    The Alias is used in the following authentication scenario.

    A SAML identity provider sends a SAML token to a web application for authentication. The SAML token has an audience restriction element that controls access and references the web application it grants access to. The web application authenticates the user with this token. Now, if the web application needs to access an API that is protected by OAuth 2.0, it sends the same SAML token to the token endpoint of the Identity Server. The Alias value you configure in the Identity Server is the value associated with this token endpoint, and it must be present in the audience restriction element of the SAML token. When such a token is sent to the Identity Server, an access token is issued, which is then used to access the API.

    To configure this, add the SAML identity provider as an identity provider in the Identity Server using the instructions in this topic, and specify the token alias when doing so. This means that any token coming from the SAML identity provider must carry this alias value in its audience restriction element; a token whose audiences do not include the alias is not accepted by the token endpoint.
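    The following Python example is added here to make the audience check concrete; it is not WSO2 Identity Server code. It mirrors the check the token endpoint applies to an incoming assertion (the configured Alias must appear among the assertion's audiences and the assertion must be inside its validity window) and builds the form body of the SAML 2.0 bearer grant request, in the RFC 7522 shape, that the web application posts to the token endpoint. The assertion, issuer and client ID are constructed sample values, and the example does not verify the assertion's XML signature, which must happen first against the identity provider's uploaded certificate.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The Alias configured for the SAML identity provider: the Identity Server token endpoint.
TOKEN_ENDPOINT_ALIAS = "https://localhost:9443/oauth2/token"

# Constructed, unsigned assertion for illustration only. A real assertion is signed by the
# identity provider, and that signature must be verified against the uploaded IdP
# certificate before any of the checks below mean anything.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c3a4" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/</saml:Audience>
      <saml:Audience>https://localhost:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audiences(assertion_xml):
    """All <saml:Audience> values carried in the assertion's AudienceRestriction elements."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip()
            for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
            if a.text]


def token_endpoint_accepts(assertion_xml, alias, now):
    """Mirror of the check the token endpoint applies: the assertion must be within its
    validity window and must list the configured Alias as one of its audiences."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < saml_time(not_before):
        return False
    if not_on_or_after and now >= saml_time(not_on_or_after):
        return False
    return alias in audiences(assertion_xml)


def saml2_bearer_grant_body(assertion_xml, client_id, scope="openid"):
    """Form body the web application posts to the token endpoint (RFC 7522 shape): the
    assertion is base64url-encoded and grant_type names the SAML 2.0 bearer grant.
    Client authentication is omitted here; how the client authenticates is deployment-specific."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": encoded,
        "client_id": client_id,
        "scope": scope,
    })


if __name__ == "__main__":
    now = saml_time("2024-01-01T00:01:00Z")
    print(audiences(SAMPLE_ASSERTION))
    print(token_endpoint_accepts(SAMPLE_ASSERTION, TOKEN_ENDPOINT_ALIAS, now))
    print(saml2_bearer_grant_body(SAMPLE_ASSERTION, "my_client_id")[:80])
```

    The audience check is what stops a token minted for one web application from being replayed to the token endpoint: unless the identity provider was told to include the alias as an audience, the same assertion is not good for an access token.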

  4. Enter the Identity Provider Name and provide a brief Description of the identity provider. Only Identity Provider Name is a required field.
  5. Fill in the remaining details where applicable. Click the arrow buttons to expand the forms available to update.
    Adding Configurations for the Identity Provider

    See the following pages for details on each configuration section:

    • Configuring Claims for an Identity Provider
    • Configuring Roles for an Identity Provider
    • Configuring Federated Authentication
    • Configuring Just-In-Time Provisioning for an Identity Provider
    • Configuring Outbound Provisioning Connectors for an Identity Provider

  6. Click Register to add the Identity Provider.

Configuring a resident identity provider

Apart from mediating authentication requests between service providers and identity providers, WSO2 Identity Server can itself act as a service provider and as an identity provider. When WSO2 Identity Server acts as an identity provider, it is called the resident identity provider.

Note

The resident identity provider configuration lets service providers send authentication or provisioning requests to WSO2 Identity Server via SAML, OpenID Connect, SCIM, or WS-Trust. For an example of how a resident identity provider is used to implement a security token service, see Configuring WS-Trust Security Token Service. The resident identity provider configuration is a one-time configuration for a given tenant. It shows WSO2 Identity Server's own metadata, e.g., its endpoints. The resident identity provider configuration can also be used to secure the WS-Trust endpoint with a security policy.

Follow the instructions below to configure a resident identity provider:

...

On the Main tab, click Identity > Identity Providers > Resident. The Resident Identity Provider page appears.

Enter the required values as given below.

...

This is the duration in weeks for which WSO2 Identity Server should remember an SSO session given that you have selected the Remember Me option in the WSO2 Identity Server login screen.

The default value is 2 weeks.

...

Enter the required values and learn the fixed values as given below. 

...

This defines the destination URL of the identity provider. This helps the service providers that connect to WSO2 Identity Server through a proxy server to locate WSO2 Identity Server.

...

This is the SAML SSO endpoint of the identity provider.

...

This is the identity provider's end point that accepts SAML logout requests.

...

This is the identity provider's endpoint that resolves SAML artifacts.

...

To configure OAuth2 or OIDC, click OAuth2/OpenID Connect Configuration.

...

This is the identity provider's OAuth2/OpenID Connect authorization endpoint URL.

...

This is the identity provider's token endpoint URL.

...

This is the URL of the endpoint at which access tokens and refresh token are revoked.

...

This is the URL of the endpoint at which OAuth tokens are validated.

...

This is the URL of the endpoint through which user information can be retrieved. The information is obtained by presenting an access token.

...

This is the URL of the endpoint that provides an iframe to synchronize the session state between the client and the identity provider.

...

This is the identity provider's endpoint that accepts SAML logout requests.

...

This is the URL of the OpenID Connect token discovery endpoint from which WSO2 Identity Server's metadata is retrieved.

...

This is the URL of the endpoint that is used to discover the end user's OpenID provider and obtain the information required to interact with the OpenID provider, e.g., OAuth 2 endpoint locations.

...

This is the URL of the endpoint at which OpenID Connect dynamic client registration takes place.

...

This is the URL of the endpoint that returns WSO2 Identity Server's public key set in JSON Web Key Set (JWKS) format.

...

You can view the inbound provisioning configuration by expanding the Inbound Provisioning Configuration section.

...

This is the identity provider's endpoint for SCIM user operations, e.g., creating and managing users.

...

This is the identity provider's endpoint for the SCIM user role operations, e.g., creating user roles, assigning user roles to users, and managing user roles.

...

Click Update.

Note

To change the host name in the URLs mentioned above:

  1. Open the carbon.xml file in the <IS_HOME>/repository/conf directory and update the value of the <HostName> parameter.

    <HostName>localhost</HostName>
  2. Open the identity.xml file in the <IS_HOME>/repository/conf/identity directory and update the value of the <IdentityProviderURL> parameter.

    <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
  3. To ensure that the client application is communicating with the right identity provider, WSO2 Identity Server compares the Destination value in the SAML request with the URL in the above configuration, so keep the two consistent after a host name change; otherwise requests sent to the old host name fail this check.

Exporting SAML2 metadata of the resident IdP

To configure WSO2 Identity Server as a trusted identity provider in a service provider application, export the SAML2 metadata of the resident identity provider of WSO2 IS and import the metadata to the relevant service provider. 

Tip

Use one of the following approaches to do this.

  1. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration.
  2. Click Download SAML2 metadata. A metadata.xml file is downloaded to your machine.
  3. Import the metadata.xml file into the relevant service provider to configure WSO2 Identity Server as a trusted identity provider for your application.

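The following Python example, added here and not part of WSO2 Identity Server, serves both the <IdentityProviderURL> note above and the metadata export. It parses a constructed metadata.xml to recover the entity ID, the SSO and SLO endpoints per binding and the SHA-256 fingerprint of the signing certificate, so you can confirm what a service provider is about to trust before importing the file, and it applies the Destination check to a sample AuthnRequest against the SSO location taken from that metadata. The metadata and request documents are constructed samples; the certificate value is a placeholder, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed stand-in for the downloaded metadata.xml (not a real export). The
# X509Certificate value is a placeholder (base64 of arbitrary bytes), not a certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="localhost">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Tk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as a service provider would send it to the SSO endpoint.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r9f2" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://localhost:9443/samlsso"
    AssertionConsumerServiceURL="https://app.example.com/acs">
  <saml:Issuer>app.example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def certificate_fingerprint(x509_b64):
    """SHA-256 fingerprint of a metadata X509Certificate value (base64 DER, whitespace allowed)."""
    der = base64.b64decode("".join(x509_b64.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(metadata_xml):
    """Recover what a service provider will trust from the exported metadata:
    entity ID, SSO/SLO endpoints per binding, and signing certificate fingerprints."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not contain an IDPSSODescriptor")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(certificate_fingerprint(cert.text or ""))
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo,
            "signing_sha256": fingerprints}


def destination_matches(authn_request_xml, sso_location):
    """The check described for <IdentityProviderURL>: the request's Destination must name
    this identity provider's SSO endpoint; a missing or different value is rejected."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return False
    destination = root.get("Destination")
    return destination is not None and destination == sso_location


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso"], info["signing_sha256"])
    redirect_location = info["sso"]["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]
    print(destination_matches(SAMPLE_AUTHN_REQUEST, redirect_location))
```

Comparing the certificate fingerprint from the metadata against the one shown for the resident identity provider's keystore is the quickest way to confirm that the file being imported really came from your Identity Server and not from a stale or tampered copy.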


Managing identity providers

...