How to create a SP and a IDP which are visible across tenant space via Config files in IS

Transcription

1 How to create a SP and a IDP which are visible across tenant space via Config files in IS This Documentation is explaining the way to create a SP and IDP which works are visible to all the tenant domains. For the convenience of this document, I ll explain the solution with the sample travelocity application. You can find how to configure SAML2 SSO in [1]. Which will guide you how to configure SAML2 SSO in IS. Try that out so you will get an understanding about the parameters used. That documentation is not about Federated authentication. But this documentation explains scenario about Federated Authentication. So for the scenario explained in this documentation, we need two IS instances. One act as the external Identity Provider, and the other act as the service provider. For convenience let s call IS which act as Identity Provider as IDP_IS and IS which act as Service Provider as SP_IS. Final outcome will be as below. SP_IS will have a Service Provider(SP) and an Identity Provider(IDP) which are shared across SP_IS s tenant space. For this to be done we have to register the IDP_IS in SP_IS as an Identity Provider(IDP). Then we need to register SP_IS in IDP_IS as a Service Provider. Next step is to register the travelocity application in the SP_IS as a SP which will use earlier created Identity Provider(IDP) as a federated authenticator. This process can be done using UI very easily. But then the SP and IDP created in SP_IS are only visible to the tenant who creates them. So the difference in here is, IDP and SP in SP_IS should be registered using configuration files so that they are available to all the tenants in SP_IS. Lets begin, Step 1 Registering the SP_IS as a Service Provider(SP) in IDP_IS Unpack two IS instances and call them IDP_IS and SP_IS. Open IDP_IS/repository/conf/carbon.xml file. Find offset xml element and change its value to 1 as below. <Offset>1</Offset> Then startup the IDP_IS server. Then goto management console using [2] and log in.

2 Click on Add menu item under Service Providers sub menu in Main menu to add a Service Provider. Enter the Service Provider Name as ServiceProviderSP_IS and click Register. It will register SP_IS as a Service Provider(SP) in IDP_IS. Now lets configure Inbound Authentication Configuration of the created Service Provider. Expand Inbound Authentication Configuration and then expand SAML2 Web SSO Configuration since we are using SAML2 SSO to talk between IDP_IS and SP_IS Click on the Configure link. Fill the fields as below Issuer travelocitysp (This will be same as Service Provider Entity Id when configuring IDP in SP_IS in step 2) Assertion Consumer URL Tick Use fully qualified username in the NameID Tick Enable Single Logout So the window will look like as below.

3 Click Register Step 2 Registering IDP_IS as an IDP in SP_IDP For this, create identityprovideridp_is.xml file inside SP_IS/repository/conf/identity/identity providers folder and put below content to it. <IdentityProvider> <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName> <DisplayName>identityProviderIDP_IS</DisplayName> <IdentityProviderDescription></IdentityProviderDescription> <Alias> <IsPrimary></IsPrimary> <IsFederationHub></IsFederationHub> <HomeRealmId></HomeRealmId> <ProvisioningRole></ProvisioningRole>

4 <FederatedAuthenticatorConfigs> <saml2> <Name>SAMLSSOAuthenticator</Name> <DisplayName>samlsso</DisplayName> <Properties> <Name>IdpEntityId</Name> <Value>identiryProviderIDP</Value> <Name>IsLogoutEnabled</Name> <Value>true</Value> <Name>SPEntityId</Name> <Value>travelocitySP</Value> <Name>SSOUrl</Name> <Value> <Name>isAssertionSigned</Name> <Name>commonAuthQueryParams</Name> <Value></Value> <Name>IsUserIdInClaims</Name> <Name>IsLogoutReqSigned</Name> <Name>IsAssertionEncrypted</Name> <Name>IsAuthReqSigned</Name> <Name>IsAuthnRespSigned</Name>

5 <Name>LogoutReqUrl</Name> </Properties> </saml2> </FederatedAuthenticatorConfigs> <DefaultAuthenticatorConfig> </DefaultAuthenticatorConfig> <ProvisioningConnectorConfigs> <ProvisioningConnectorConfig> <ProvisioningProperties> </ProvisioningProperties> </ProvisioningConnectorConfig> </ProvisioningConnectorConfigs> <DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig> <ClaimConfig></ClaimConfig> <Certificate></Certificate> <PermissionAndRoleConfig></PermissionAndRoleConfig> <JustInTimeProvisioningConfig></JustInTimeProvisioningConfig> </IdentityProvider> Step 3 Configuring the Service Provider for travelocity in SP_IS Open SP_IS/repository/conf/security/sso idp config.xml file and add below ServiceProvider element to it <ServiceProvider> <Issuer>travelocity.com</Issuer> <AssertionConsumerService> jsp</assertionconsumerservice> <SignAssertion>false</SignAssertion> <SignResponse>false</SignResponse> <EnableAttributeProfile>false</EnableAttributeProfile> <IncludeAttributeByDefault>false</IncludeAttributeByDefault> <EnableSingleLogout>true</EnableSingleLogout> <SingleLogoutUrl></SingleLogoutUrl> <EnableAudienceRestriction>false</EnableAudienceRestriction> <ConsumingServiceIndex></ConsumingServiceIndex> </ServiceProvider> Then create travelocity.com.xml file inside SP_IS/repository/conf/identity/service providers folder and add following content to it. <ServiceProvider> <ApplicationID>3</ApplicationID>

6 <ApplicationName>travelocity.com</ApplicationName> <Description>travelocity Service Provider</Description> <IsSaaSApp>true</IsSaaSApp> <InboundAuthenticationConfig> <InboundAuthenticationRequestConfigs> <InboundAuthenticationRequestConfig> <InboundAuthKey>travelocity.com</InboundAuthKey> <InboundAuthType>samlsso</InboundAuthType> <Properties> </Properties> </InboundAuthenticationRequestConfig> </InboundAuthenticationRequestConfigs> </InboundAuthenticationConfig> <LocalAndOutBoundAuthenticationConfig> <AuthenticationSteps> <AuthenticationStep> <StepOrder>1</StepOrder> <! <LocalAuthenticatorConfigs> <LocalAuthenticatorConfig> <Name>BasicAuthenticator</Name> <DisplayName>basicauth</DisplayName> </LocalAuthenticatorConfig> </LocalAuthenticatorConfigs> > <FederatedIdentityProviders> <IdentityProvider> <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName> <DefaultAuthenticatorConfig> <FederatedAuthenticatorConfig> <Name>SAMLSSOAuthenticator</Name> <DisplayName>samlsso</DisplayName> </FederatedAuthenticatorConfig> </DefaultAuthenticatorConfig> </IdentityProvider> </FederatedIdentityProviders> <SubjectStep>true</SubjectStep> <AttributeStep>true</AttributeStep> </AuthenticationStep> </AuthenticationSteps> </LocalAndOutBoundAuthenticationConfig> <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs> <InboundProvisioningConfig></InboundProvisioningConfig> <OutboundProvisioningConfig></OutboundProvisioningConfig> <ClaimConfig>

7 <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId> </ClaimConfig> <PermissionAndRoleConfig></PermissionAndRoleConfig> </ServiceProvider> And that s it. Now start up the SP_IS server. Deploy the travelocity.com.war file provided to a tomcat server. Then try to access [3]. You ll be redirected to the IDP_IS for authentication. Step 3 Testing for tenant domains Create some tenants in SP_IS. Then open TOMCAT_HOME/webapps/travelocity.com/WEB INF/classes/travelocity.properties file and find #SAML.Request.Query.Param=&tenantDomain=tenant.domain value. Uncomment it by removing the # and replace the tenant domain(tenant.domain) with your newly created tenant domain. Restart TOMCAT and try to again access [3]. You ll be able to login using the IDP regardless of the tenant domain you are using. Below is the full content of the travelocity.properties file EnableSAMLSSOLogin=true EnableOpenIDLogin=true EnableSAML2Grant=false #This is the URL of the page that is used to choose the login scheme #such as SAML SSO or OpenID. This Url will not be processed by the #SSOAgentFilter LoginUrl=index.jsp #Url to do send SAMLSSO AuthnRequest SAMLSSOUrl=samlsso #Url to do send SAML2 Grant OAuth2 Request SAML2GrantUrl=token #Url to send OpenID Authentication Request OpenIDUrl=openid #A unique identifier for this SAML 2.0 Service Provider application SAML.IssuerID=travelocity.com #SAML.Request.Query.Param=&tenantDomain=tenant.domain

8 #The URL of the SAML 2.0 Assertion Consumer SAML.ConsumerUrl= #The URL of the SAML 2.0 Identity Provider SAML.IdPUrl= #This is the attribute name under which the authenticated session information #of SAML SSO and OpenID are stored SSOAgentSessionBeanName=SSOAgentSessionBean #Identifier given for the Service Provider for SAML 2.0 attributes #exchange #SAML.AttributeConsumingServiceIndex= #Specify if SingleLogout is enabled/disabled SAML.EnableSLO=true #This is the URL that is used for SLO SAML.LogoutUrl=logout #Specify if SAMLResponse element is signed SAML.EnableResponseSigning=false #Specify if SAMLAssertion element is signed SAML.EnableAssertionSigning=false #Specify if SAMLAssertion element is encrypted SAML.EnableAssertionEncryption=false #Specify if AuthnRequests and LogoutRequests should be signed SAML.EnableRequestSigning=false #Specify if force authentication enabled SAML.EnableForceAuthentication=false #Custom credentials class SAML.SSOAgentCredentialImplClass=org.wso2.carbon.identity.sso.agent.saml.SS OAgentKeyStoreCredential #KeyStore to cryptographic credentials #KeyStore=/home/johann/Desktop/wso2is 4.1.0/repository/resources/security/w so2carbon.jks #Password of the KeyStore for SAML and OpenID KeyStorePassword=wso2carbon #Alias of the IdP's public certificate SAML.IdPCertAlias=wso2carbon

9 #Alias of the SP's private key SAML.PrivateKeyAlias=wso2carbon #Private key password to retrieve the private key used to sign #AuthnRequest and LogoutRequest messages SAML.PrivateKeyPassword=wso2carbon #OAuth2 token endpoint URL SAML.OAuth2TokenEndpoint= #OAuth2 Client ID SAML.OAuth2ClientID=Qn5DQHCYfshxeZh6R9SL1HM2lsMa #OAuth2 Client Secret SAML.OAuth2ClientSecret=cbkAs1gajdwPAMbrSR54hPAIcz0a #OpenId Provider Url OpenID.OpenIdProviderUrl= #openid.return_to parameter OpenID.ReturnToUrl= #This is the request parameter name under which to find the #openid.claimed_id value to send OpenID authentication request OpenID.ClaimedIDParameterName=claimed_id #Custom OpenID AttributesRequestor class OpenID.AttributesRequestorImplClass=SampleAttributesRequestor #Additional request parameters #SAML.Request.Query.Param=&forceAuth=true NOTE You cannot specifically specify what tenant domains specifically has access to the created SP and IDP. They will be visible to all the tenants when configured as described above. [1] [2] [3]