This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Configuring SAML2 SSO - Identity Server 5.0.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

This sample is a demonstration on how to configure SAML2 SSO using a sample service provider.

When running this sample on AS

Both this SSOAgentSample application and WSO2 Application Server contain different versions of the same slf4j jar. As a solution you can select ONE of the following approaches.

  1. Remove log4j-over-slf4j-1.6.1.jar file from directory and deploy.
  2. Modify <AS_HOME>/repository/conf/tomcat/webapp-classloading-environments.xml to resolve the slf4j conflict and restart the WSO2 Application Server. This change is done so as not to expose the org.slf4j.* package from WSO2 Carbon. 


Configuring the web app

  1. Check out the source from the repository location which contains the samples.

    svn co
  2. Remove the parent entry in the pom.xml file that comes along with the sample. The contents of the pom.xml file will look similar to the following.

    <project xmlns="" xmlns:xsi="" xsi:schemaLocation="">
    	<name>Identity Server : SSO Samples</name>
  3. Go to <HOME>/sso/SSOAgentSample in the checked out folder and build the sample with following command.

    mvn clean install
  4. After successfully building the sample, a .war file named can be found inside the <HOME>/sso/SSOAgentSample/target folder.
  5. Deploy this sample web app on a web container. To do this, use the Apache Tomcat server.

    Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x.

    Use the following steps to deploy the web app in the web container:

    1. Stop the Apache Tomcat server if it is already running.
    2. Copy the travelocity.war file to the <TOMCAT_HOME>/webapps folder.
    3. Start the Apache Tomcat server.

The file, which is found inside the folder, can be used to change the properties like issuerID, consumer url and IdP url. This sample uses default values.

  • A unique identifier for this SAML 2.0 Service Provider application:
  • The URL of the SAML 2.0 Assertion Consumer: SAML.ConsumerUrl=http://localhost:8080/
  • The URL of the SAML 2.0 Identity Provider: SAML.IdPUrl=https://localhost:9443/samlsso

Now that the web app is successfully deployed on a web container; the next step is to configure WSO2 Identity Server as the identity provider.

Configuring WSO2 Identity Server as an identity provider

  1. Start the Identity Server and access the management console using https://localhost:9443/carbon/
  2. Log in to the Identity Server using default administrator credentials (the username and password are both "admin").
  3. In the management console found on the left of your screen, navigate to the Main menu and click add under Service Provider
  4. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration
  5. Click Configure. A form appears. Register the new service provider by providing the following values.
    • Issuer:

      This value should be same as the SAML.IssuerID value specified inside the file.

    • Assertion Consumer URL: http://localhost:8080/

      This value should be same as the SAML.ConsumerUrl value mentioned inside the file.

    • NameID format: Enter the default value here (i.e., urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
    • Use fully qualified username in the NameID: Set this as true by selecting the checkbox
    • Enable Response Signing: Set this as true by selecting the checkbox
    • Enable Assertion Signing: Set this as true by selecting the checkbox
    • Enable Signature Validation in Authentication Requests and Logout Requests: Set this as true (Certificate alias = wso2carbon)
    • Enable Single Logout: Set this as true by selecting the checkbox
  6. After providing above values click Register.

After successfully registering the service provider, log out from management console. You have now configuring Identity Server as the identity provider. The next step is to run the sample.

Running the sample

  1. Visit http://localhost:8080/ You are directed to the following page:
  2. Since you need to use SAML2 for this sample, click the first link, i.e., Click here to login with SAML from Identity Server. You are redirected to the Identity Server for authentication.
  3. Enter the default admin credentials (admin/admin).
  4. Now you are logged in and you can see the home page of the app.
  1. If you need to view the SAML request and response, please add the following debug log to the file found inside <PRODUCT_HOME>/repository/conf.
  2. Since single log out is enabled, if you click the logout button in the home page, you will successfully log out.
  • No labels