Secondary IS as a Federated IDP for WSO2 IS

Thilina Madumal
6 min read, Jun 10, 2017

It has been almost a month since I started working with the Identity and Access Management (IAM) team at WSO2. While trying to fix a bug I had to configure the following setup.

  1. Create a Service Provider (SP) in the Identity Server (IS) where SAML2 is used for authentication and OAuth2 for authorization
  2. Add a secondary IS as a federated Identity Provider (configured to obtain attributes as well)

1. Configuring an SP with SAML2 and OAuth2

For this I’m going to configure the Travelocity app, where SAML2 is used for authentication and OAuth2 is used for authorization.

First you need to download the IS pack and run the IS server.

Then you need to download the Travelocity app: clone the product-is repo and run mvn clean install; the source code for Travelocity as a Maven project is under product-is/modules/samples/sso/sso-agent-sample. Build it and deploy it in a Tomcat servlet container.

Note:

Since IS uses cookies for session management, and many browsers do not accept cookies for bare host names (e.g. localhost), when you deploy the Travelocity app on localhost you need to add the following line to the /etc/hosts file.

127.0.0.1 <tab> localhost.com.

Restart the system for the change to take effect system-wide.

You also need to change the following two properties in the ${travelocity-root-directory}/src/main/resources/travelocity.properties file to use localhost.com instead of localhost.

#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://localhost.com:8080/travelocity.com/home.jsp

#openid.return_to parameter
OpenId.ReturnToURL=http://localhost.com:8080/travelocity.com/home.jsp

You also need to replace the ClientId and ClientSecret in the travelocity.properties file. The ClientId and ClientSecret can be obtained after finishing the OAuth/OpenID Connect Configuration of the Travelocity SP in the Primary-IS.

Now build and deploy the Travelocity app.

1.1 Configuration steps for an SP for the Travelocity app in IS

For the Travelocity app, IS acts as the IDP and the Travelocity app is the SP. Thus we need to configure an SP in the IS management console. Let’s do that.

Log in to the IS management console (the default username:password is admin:admin).

Then select the ‘Main’ tab (selected by default) on the left-most stripe.

There, under ‘Service Providers’, press the Add button.

In the form, give a name for the SP (e.g. travelocity) and press Register.

Then you’ll be directed to a page where you can edit the configuration.

You need to edit the ‘Inbound Authentication Configuration’. Both the SAML2 Web SSO Configuration and the OAuth/OpenID Connect Configuration should be configured there.

1.1.1 SAML2 Web SSO Configuration

Expand the ‘Inbound Authentication Configuration’, then click on ‘SAML2 Web SSO Configuration’.

SAML2 Web SSO Configuration

Under ‘Select Mode’, choose ‘Manual Configuration’.

Issuer: travelocity.com
(this is found in the travelocity.properties file under ${travelocity-root-directory}/src/main/resources/ as
#A unique identifier for this SAML 2.0 Service Provider application
SAML2.SPEntityId=travelocity.com)

Assertion Consumer URLs: http://localhost.com:8080/travelocity.com/home.jsp
(this is found in the travelocity.properties file under ${travelocity-root-directory}/src/main/resources/ as
#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://localhost.com:8080/travelocity.com/home.jsp)

Tick the following:

Enable Response Signing

Enable Single Logout

Enable Attribute Profile

Include Attributes in the Response Always

Enable Audience Restriction
Audience: https://localhost:9443/oauth2/token

Enable Recipient Validation
Recipient: https://localhost:9443/oauth2/token

After filling in the above fields, click the ‘Add’ button (‘Update’ if it is not the first time).
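The Audience and Recipient values ticked above are what the IS checks on every assertion it accepts at the /oauth2/token endpoint. As an added illustration (not code from the post or from WSO2 IS), the following script runs those two checks plus the validity window against a constructed sample assertion; the sample, the function and its names are mine.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://localhost:9443/oauth2/token"   # Audience field above
EXPECTED_RECIPIENT = "https://localhost:9443/oauth2/token"  # Recipient field above

# Constructed sample assertion (added example, not captured from a running IS).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9443/oauth2/token"
          NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://localhost:9443/oauth2/token</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_assertion(xml_text, audience=EXPECTED_AUDIENCE,
                       recipient=EXPECTED_RECIPIENT, now=None):
    """Return the list of failed checks; an empty list means the assertion passes."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    # Audience restriction: our entity must be listed, or an assertion issued for another SP could be presented here.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append("audience restriction failed")
    # Recipient validation: the bearer confirmation must name our endpoint.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        problems.append("recipient validation failed")
    # Validity window: SAML timestamps are UTC with a trailing 'Z'.
    cond = assertion.find("saml:Conditions", NS)
    expiry = None if cond is None else cond.get("NotOnOrAfter")
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion expired or missing NotOnOrAfter")
    return problems
```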

1.1.2 OAuth/OpenID Connect Configuration

After finishing the ‘SAML2 Web SSO Configuration’, it is time to configure the ‘OAuth/OpenID Connect Configuration’.

Expand the ‘Inbound Authentication Configuration’, then click on ‘OAuth/OpenID Connect Configuration’.

OAuth/OpenID Connect Configuration

Select OAuth version 2.0.

Deselect the ‘code’ and ‘implicit’ grant types and select all the other grant types.

Then click the ‘Add’ button (‘Update’ if it is not the first time).

1.1.3 Claim Configuration

Configure the claims that need to be obtained from the IDP. The same claims should also be configured in the SP that we are going to create for the Primary-IS later on. If this is not clear yet, skip it and follow the rest of the post; then you’ll be able to figure it out.

2. Add a secondary IS as a federated SAML2 Identity Provider

2.1 Running a Secondary IS

To run a secondary IS, first download the WSO2 IS pack (or take a copy of the already-downloaded IS pack, in which case you get its configured data as well). Then extract it into a directory of your choice.

Go into ${IS-2-ROOT}/bin and run the following command.

./wso2server.sh -DportOffset=3

The default port for WSO2 IS is 9443, so when ./wso2server.sh is run without a port offset, the server listens on port 9443. If you need to run two ISs, you need to run them on two different ports. The -DportOffset parameter runs the server on port 9443+(portOffset).

2.2 Configuring the Secondary IS as a federated Identity Provider

Primary-IS: the IS where the Travelocity SP is configured.
Secondary-IS: the IS that acts as the federated Identity Provider for Travelocity.

This is similar to what we did in the step above: the Secondary-IS acts as the IDP for the Primary-IS, and the Primary-IS acts as the service provider. Thus we need to do two things here:

  1. Configure an IDP in the Primary-IS specifying the details about Secondary-IS
  2. Configure an SP in the Secondary-IS specifying the details about Primary-IS

2.2.1 Configure an IDP in the Primary-IS specifying the details about Secondary-IS

Log in to the Primary-IS management console.

In the ‘Main’ tab, under the ‘Identity Providers’ section, click the Add button. You’ll then see the following form.

Add New Identity Provider

Identity Provider Name: IdentityServerIDP

Expand the ‘Federated Authenticators’ and within that expand ‘SAML2 Web SSO Configuration’.

Enable SAML2 Web SSO

Specifies if SAML2 Web SSO is enabled for this identity provider

Service Provider Entity Id: IdentitySP
(should be a unique name; this will be the Issuer of the SP configuration on the Secondary-IS)

Identity Provider Entity Id: localhost
SSO URL: https://localhost:9446/samlsso
(Both of the above values are obtained from the Secondary-IS. Log in to the Secondary-IS; in the ‘Main’ tab, under the ‘Identity Providers’ section, click ‘Resident’. There, expand the ‘Inbound Authentication Configuration’ and then ‘SAML2 Web SSO Configuration’, where you can find these values.)

Keep the other configurations as they are and add the identity provider by clicking the Add button at the end of the page.

2.2.2 Configure an SP in the Secondary-IS specifying the details about Primary-IS

Log in to the Secondary-IS management console.

In the ‘Main’ tab, under ‘Service Providers’, click Add to create an SP.

In the form, give a name for the SP (e.g. PrimaryISSP) and press Register.

Then you’ll be directed to a page where you can edit the configuration.

Expand the ‘Inbound Authentication Configuration’ and click on ‘SAML2 Web SSO Configuration’.

Issuer: IdentitySP
(Service Provider Entity Id of IDP configured on Primary-IS)

Assertion Consumer URLs: https://localhost:9443/commonauth

Tick the following:
Enable Attribute Profile
Include Attributes in the Response Always

After filling in the above fields, click the ‘Add’ button (‘Update’ if it is not the first time).
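The IDP entry on the Primary-IS (2.2.1) and the SP entry on the Secondary-IS (2.2.2) have to agree with each other and with the port offset from 2.1; a mismatch in any of them is the usual reason the federated login fails. As an added example, not a WSO2 tool or code from the post, the script below cross-checks the two halves using values constructed from this post; the dictionaries and function are mine.

```python
from urllib.parse import urlparse

BASE_PORT = 9443  # default WSO2 IS HTTPS port; the Secondary-IS runs on 9443 + portOffset

# Constructed from the values used in 2.1, 2.2.1 and 2.2.2 (added example).
PRIMARY_IDP = {                      # IDP entry created on the Primary-IS
    "sp_entity_id": "IdentitySP",
    "idp_entity_id": "localhost",
    "sso_url": "https://localhost:9446/samlsso",
}
SECONDARY_SP = {                     # SP entry created on the Secondary-IS
    "issuer": "IdentitySP",
    "acs_url": "https://localhost:9443/commonauth",
}


def check_federation(primary_idp, secondary_sp, port_offset):
    """Return the list of mismatches between the two halves of the federation."""
    problems = []
    # The Issuer the Secondary-IS expects must equal the Service Provider
    # Entity Id the Primary-IS sends in its AuthnRequest.
    if secondary_sp["issuer"] != primary_idp["sp_entity_id"]:
        problems.append("issuer != Service Provider Entity Id")
    sso = urlparse(primary_idp["sso_url"])
    acs = urlparse(secondary_sp["acs_url"])
    # Both endpoints carry the SAML exchange through the browser, so keep them on HTTPS.
    for name, url in (("sso_url", sso), ("acs_url", acs)):
        if url.scheme != "https":
            problems.append(f"{name} is not https")
    # The SSO URL must target the offset port the Secondary-IS was started with.
    if sso.port != BASE_PORT + port_offset or sso.path != "/samlsso":
        problems.append("sso_url does not point at the Secondary-IS /samlsso")
    # Responses come back to the Primary-IS /commonauth endpoint on the base port.
    if acs.port != BASE_PORT or acs.path != "/commonauth":
        problems.append("acs_url does not point at the Primary-IS /commonauth")
    return problems
```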

2.2.3 Claim Configuration

Here we configure the claims that we wish to obtain from the Secondary-IS federated IDP; see the WSO2 documentation for claim configuration.

Checking Whether Everything Works

Go to the deployed Travelocity app. You will see the following page. Click to log in to the app; you should then be redirected to your Secondary-IS login page.

Enter valid credentials for a user in the Secondary-IS (you can log in with the default admin:admin user).

Then, on the page you are redirected to after a successful login, you should be able to see the requested user claims.

Click on ‘get oauth access token’ to get an access token. If this succeeds, the OAuth2 configuration is right and everything is working fine.
