How to create an SP and an IDP which are visible across the tenant space via config files in IS




This document explains how to create a Service Provider (SP) and an Identity Provider (IDP) that are visible to all tenant domains. For convenience, the solution is explained with the sample travelocity application. [1] describes how to configure SAML2 SSO in IS; try that first so that you understand the parameters used. That documentation does not cover federated authentication, whereas the scenario here is about federated authentication, so two IS instances are needed: one acting as the external Identity Provider and the other acting as the Service Provider. Let's call the IS instance acting as Identity Provider IDP_IS and the one acting as Service Provider SP_IS.

The final outcome is as follows. SP_IS will have a Service Provider (SP) and an Identity Provider (IDP) that are shared across SP_IS's tenant space. To get there, IDP_IS is registered in SP_IS as an Identity Provider (IDP), and SP_IS is registered in IDP_IS as a Service Provider. The next step is to register the travelocity application in SP_IS as an SP that uses the previously created IDP as a federated authenticator. All of this can be done easily through the UI, but an SP and IDP created in SP_IS that way are visible only to the tenant that created them. The difference here is that the IDP and SP in SP_IS are registered through configuration files, so that they are available to all tenants in SP_IS.

Let's begin.

Step 1: Registering SP_IS as a Service Provider (SP) in IDP_IS

Unpack two IS instances and call them IDP_IS and SP_IS. Open the IDP_IS/repository/conf/carbon.xml file, find the Offset element and change its value to 1 as below, so that IDP_IS runs on port 9444 and does not clash with SP_IS on 9443.

```xml
<Offset>1</Offset>
```

Then start the IDP_IS server, go to its management console (the URL in [2], with the port changed to 9444 because of the offset) and log in.

Click Add under the Service Providers sub-menu of the Main menu to add a Service Provider. Enter the Service Provider Name as ServiceProviderSP_IS and click Register. This registers SP_IS as a Service Provider (SP) in IDP_IS.

Now configure the Inbound Authentication Configuration of the created Service Provider. Expand Inbound Authentication Configuration, then expand SAML2 Web SSO Configuration (SAML2 SSO is what IDP_IS and SP_IS use to talk to each other) and click the Configure link. Fill in the fields as follows:

    Issuer: travelocitysp (this must be the same as the Service Provider Entity Id used when configuring the IDP in SP_IS in Step 2; the issuer is matched as an exact, case-sensitive string)
    Assertion Consumer URL: https://localhost:9443/commonauth
    Tick "Use fully qualified username in the NameID"
    Tick "Enable Single Logout"

The window will then look like the screenshot below.

Click Register.

Step 2: Registering IDP_IS as an IDP in SP_IS

For this, create the file identityprovideridp_is.xml inside the SP_IS/repository/conf/identity/identity-providers folder and put the following content in it.

```xml
<IdentityProvider>
    <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
    <DisplayName>identityProviderIDP_IS</DisplayName>
    <IdentityProviderDescription></IdentityProviderDescription>
    <Alias>https://localhost:9444/oauth2/token/</Alias>
    <IsPrimary></IsPrimary>
    <IsFederationHub></IsFederationHub>
    <HomeRealmId></HomeRealmId>
    <ProvisioningRole></ProvisioningRole>
    <FederatedAuthenticatorConfigs>
        <saml2>
            <Name>SAMLSSOAuthenticator</Name>
            <DisplayName>samlsso</DisplayName>
            <Properties>
                <Name>IdpEntityId</Name>
                <Value>identiryProviderIDP</Value>
                <Name>IsLogoutEnabled</Name>
                <Value>true</Value>
                <Name>SPEntityId</Name>
                <Value>travelocitySP</Value>
                <Name>SSOUrl</Name>
                <Value>https://localhost:9444/samlsso/</Value>
                <Name>isAssertionSigned</Name>
                <Name>commonAuthQueryParams</Name>
                <Value></Value>
                <Name>IsUserIdInClaims</Name>
                <Name>IsLogoutReqSigned</Name>
                <Name>IsAssertionEncrypted</Name>
                <Name>IsAuthReqSigned</Name>
                <Name>IsAuthnRespSigned</Name>
                <Name>LogoutReqUrl</Name>
            </Properties>
        </saml2>
    </FederatedAuthenticatorConfigs>
    <DefaultAuthenticatorConfig>
    </DefaultAuthenticatorConfig>
    <ProvisioningConnectorConfigs>
        <ProvisioningConnectorConfig>
            <ProvisioningProperties>
            </ProvisioningProperties>
        </ProvisioningConnectorConfig>
    </ProvisioningConnectorConfigs>
    <DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
    <ClaimConfig></ClaimConfig>
    <Certificate></Certificate>
    <PermissionAndRoleConfig></PermissionAndRoleConfig>
    <JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
```

Note that Certificate is empty and the signing-related properties carry no value in this sample, so SP_IS has no IDP_IS certificate against which to validate response or assertion signatures. That is acceptable for a local walkthrough; for anything beyond it, put IDP_IS's public certificate into Certificate and enable assertion and response signing on both sides.

Step 3: Configuring the Service Provider for travelocity in SP_IS

Open the SP_IS/repository/conf/security/sso-idp-config.xml file and add the following ServiceProvider element to it.

```xml
<ServiceProvider>
    <Issuer>travelocity.com</Issuer>
    <AssertionConsumerService>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerService>
    <SignAssertion>false</SignAssertion>
    <SignResponse>false</SignResponse>
    <EnableAttributeProfile>false</EnableAttributeProfile>
    <IncludeAttributeByDefault>false</IncludeAttributeByDefault>
    <EnableSingleLogout>true</EnableSingleLogout>
    <SingleLogoutUrl></SingleLogoutUrl>
    <EnableAudienceRestriction>false</EnableAudienceRestriction>
    <ConsumingServiceIndex></ConsumingServiceIndex>
</ServiceProvider>
```

Then create the file travelocity.com.xml inside the SP_IS/repository/conf/identity/service-providers folder and add the following content to it.

```xml
<ServiceProvider>
    <ApplicationID>3</ApplicationID>
    <ApplicationName>travelocity.com</ApplicationName>
    <Description>travelocity Service Provider</Description>
    <IsSaaSApp>true</IsSaaSApp>
    <InboundAuthenticationConfig>
        <InboundAuthenticationRequestConfigs>
            <InboundAuthenticationRequestConfig>
                <InboundAuthKey>travelocity.com</InboundAuthKey>
                <InboundAuthType>samlsso</InboundAuthType>
                <Properties>
                </Properties>
            </InboundAuthenticationRequestConfig>
        </InboundAuthenticationRequestConfigs>
    </InboundAuthenticationConfig>
    <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <!--
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>BasicAuthenticator</Name>
                        <DisplayName>basicauth</DisplayName>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                -->
                <FederatedIdentityProviders>
                    <IdentityProvider>
                        <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
                        <DefaultAuthenticatorConfig>
                            <FederatedAuthenticatorConfig>
                                <Name>SAMLSSOAuthenticator</Name>
                                <DisplayName>samlsso</DisplayName>
                            </FederatedAuthenticatorConfig>
                        </DefaultAuthenticatorConfig>
                    </IdentityProvider>
                </FederatedIdentityProviders>
                <SubjectStep>true</SubjectStep>
                <AttributeStep>true</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
    </LocalAndOutBoundAuthenticationConfig>
    <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
    <InboundProvisioningConfig></InboundProvisioningConfig>
    <OutboundProvisioningConfig></OutboundProvisioningConfig>
    <ClaimConfig>
        <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
    </ClaimConfig>
    <PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
```

IsSaaSApp set to true is what lets users from any tenant authenticate to this application; the commented-out LocalAuthenticatorConfigs block shows how a local basic-authentication step would be declared in place of the federated one. The IdentityProviderName in the authentication step must match the name declared in the IDP file from Step 2 exactly.

And that's it. Now start the SP_IS server. Deploy the provided travelocity.com.war file to a Tomcat server, then try to access [3]. You will be redirected to IDP_IS for authentication.

Step 4: Testing with tenant domains

Create some tenants in SP_IS. Then open the TOMCAT_HOME/webapps/travelocity.com/WEB-INF/classes/travelocity.properties file and find the line #SAML.Request.Query.Param=&tenantDomain=tenant.domain. Uncomment it by removing the # and replace the tenant domain (tenant.domain) with your newly created tenant domain. Restart Tomcat and try to access [3] again. You will be able to log in through the IDP regardless of the tenant domain you are using.

Below is the full content of the travelocity.properties file:

```properties
EnableSAMLSSOLogin=true
EnableOpenIDLogin=true
EnableSAML2Grant=false

#This is the URL of the page that is used to choose the login scheme
#such as SAML SSO or OpenID. This Url will not be processed by the
#SSOAgentFilter
LoginUrl=index.jsp

#Url to do send SAMLSSO AuthnRequest
SAMLSSOUrl=samlsso

#Url to do send SAML2 Grant OAuth2 Request
SAML2GrantUrl=token

#Url to send OpenID Authentication Request
OpenIDUrl=openid

#A unique identifier for this SAML 2.0 Service Provider application
SAML.IssuerID=travelocity.com
#SAML.Request.Query.Param=&tenantDomain=tenant.domain

#The URL of the SAML 2.0 Assertion Consumer
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/home.jsp

#The URL of the SAML 2.0 Identity Provider
SAML.IdPUrl=https://localhost:9443/samlsso

#This is the attribute name under which the authenticated session information
#of SAML SSO and OpenID are stored
SSOAgentSessionBeanName=SSOAgentSessionBean

#Identifier given for the Service Provider for SAML 2.0 attributes
#exchange
#SAML.AttributeConsumingServiceIndex=1701087467

#Specify if SingleLogout is enabled/disabled
SAML.EnableSLO=true

#This is the URL that is used for SLO
SAML.LogoutUrl=logout

#Specify if SAMLResponse element is signed
SAML.EnableResponseSigning=false

#Specify if SAMLAssertion element is signed
SAML.EnableAssertionSigning=false

#Specify if SAMLAssertion element is encrypted
SAML.EnableAssertionEncryption=false

#Specify if AuthnRequests and LogoutRequests should be signed
SAML.EnableRequestSigning=false

#Specify if force authentication enabled
SAML.EnableForceAuthentication=false

#Custom credentials class
SAML.SSOAgentCredentialImplClass=org.wso2.carbon.identity.sso.agent.saml.SSOAgentKeyStoreCredential

#KeyStore to cryptographic credentials
#KeyStore=/home/johann/Desktop/wso2is-4.1.0/repository/resources/security/wso2carbon.jks

#Password of the KeyStore for SAML and OpenID
KeyStorePassword=wso2carbon

#Alias of the IdP's public certificate
SAML.IdPCertAlias=wso2carbon

#Alias of the SP's private key
SAML.PrivateKeyAlias=wso2carbon

#Private key password to retrieve the private key used to sign
#AuthnRequest and LogoutRequest messages
SAML.PrivateKeyPassword=wso2carbon

#OAuth2 token endpoint URL
SAML.OAuth2TokenEndpoint=https://localhost:9443/oauth2/token

#OAuth2 Client ID
SAML.OAuth2ClientID=Qn5DQHCYfshxeZh6R9SL1HM2lsMa

#OAuth2 Client Secret
SAML.OAuth2ClientSecret=cbkAs1gajdwPAMbrSR54hPAIcz0a

#OpenId Provider Url
OpenID.OpenIdProviderUrl=https://localhost:9443/openid/

#openid.return_to parameter
OpenID.ReturnToUrl=http://localhost:8080/travelocity.com/home.jsp

#This is the request parameter name under which to find the
#openid.claimed_id value to send OpenID authentication request
OpenID.ClaimedIDParameterName=claimed_id

#Custom OpenID AttributesRequestor class
OpenID.AttributesRequestorImplClass=SampleAttributesRequestor

#Additional request parameters
#SAML.Request.Query.Param=&forceAuth=true
```

NOTE: You cannot specify which tenant domains have access to the created SP and IDP. Once configured as described above, they are visible to all tenants.

[1] http://docs.wso2.com/display/is500/configuring+saml2+sso
[2] https://localhost:9443/carbon/
[3] http://localhost:8080/travelocity.com/index.jsp
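The files written in Steps 1 to 4 reference each other only by plain strings (issuer, IdP name, authenticator name, SPEntityId), and a mismatch in any of them silently breaks the federated login. The following consistency check is an added example, not part of WSO2 IS or of the original document: it parses constructed, trimmed copies of the IDP file, travelocity.com.xml and the sso-idp-config.xml ServiceProvider element, takes the agent's SAML.IssuerID and the Issuer registered in IDP_IS (Step 1) as parameters, and reports every disagreement it finds.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like the page's files, cut down to the elements the check reads.
IDP_XML = """<IdentityProvider>
<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
<FederatedAuthenticatorConfigs><saml2><Name>SAMLSSOAuthenticator</Name>
<Properties><Name>SPEntityId</Name><Value>travelocitySP</Value>
<Name>SSOUrl</Name><Value>https://localhost:9444/samlsso/</Value>
<Name>IsAuthReqSigned</Name></Properties></saml2></FederatedAuthenticatorConfigs>
</IdentityProvider>"""
SP_XML = """<ServiceProvider><IsSaaSApp>true</IsSaaSApp>
<InboundAuthenticationConfig><InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig><InboundAuthKey>travelocity.com</InboundAuthKey>
<InboundAuthType>samlsso</InboundAuthType></InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs></InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig><AuthenticationSteps><AuthenticationStep>
<FederatedIdentityProviders><IdentityProvider>
<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
<DefaultAuthenticatorConfig><FederatedAuthenticatorConfig>
<Name>SAMLSSOAuthenticator</Name></FederatedAuthenticatorConfig>
</DefaultAuthenticatorConfig></IdentityProvider></FederatedIdentityProviders>
</AuthenticationStep></AuthenticationSteps></LocalAndOutBoundAuthenticationConfig>
</ServiceProvider>"""
SSO_IDP_SP_XML = "<ServiceProvider><Issuer>travelocity.com</Issuer></ServiceProvider>"

def saml_props(idp):
    """Pair <Name>/<Value> siblings in document order; a Name with no Value maps to None."""
    props, name = {}, None
    for el in idp.find("FederatedAuthenticatorConfigs/saml2/Properties"):
        if el.tag == "Name":
            name, props[el.text] = el.text, None
        elif el.tag == "Value" and name is not None:
            props[name], name = el.text, None
    return props

def check(idp_xml, sp_xml, sso_sp_xml, agent_issuer, idp_is_issuer):
    """Return the inconsistencies found across the Step 1-4 artefacts (empty list = consistent)."""
    idp, sp, sso = (ET.fromstring(x) for x in (idp_xml, sp_xml, sso_sp_xml))
    problems = []
    if sp.findtext("IsSaaSApp") != "true":
        problems.append("IsSaaSApp is not true: the SP stays private to the tenant that owns it")
    issuers = {sso.findtext("Issuer"), sp.findtext(".//InboundAuthKey"), agent_issuer}
    if len(issuers) != 1:   # sso-idp-config Issuer, InboundAuthKey and SAML.IssuerID must agree
        problems.append("issuer mismatch: %s" % sorted(map(str, issuers)))
    step = sp.find(".//FederatedIdentityProviders/IdentityProvider")
    if step is None or step.findtext("IdentityProviderName") != idp.findtext("IdentityProviderName"):
        problems.append("SP step does not reference the IdentityProviderName declared in the IDP file")
    elif step.findtext(".//FederatedAuthenticatorConfig/Name") != idp.findtext("FederatedAuthenticatorConfigs/saml2/Name"):
        problems.append("authenticator name differs between the SP step and the IDP file")
    props = saml_props(idp)
    if not props.get("SSOUrl"):
        problems.append("SSOUrl is empty: SP_IS has nowhere to send the AuthnRequest")
    if props.get("SPEntityId") != idp_is_issuer:   # exact, case-sensitive comparison
        problems.append("SPEntityId %r != Issuer %r registered in IDP_IS" % (props.get("SPEntityId"), idp_is_issuer))
    return problems
```

Run it against the real files by reading them from the paths given in Steps 2 and 3 and passing SAML.IssuerID from travelocity.properties; an empty list means the four artefacts agree.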