I created an external Identity provider in the wso2 identity server carbon console under Identity Providers. I want to add this identity provider to my Service provider API_PUBLISHER in wso2 identity server carbon console.
But I see the option Federated Authentication disabled under Local & Outbound Authentication Configuration for the service provider. All other options (Default,Local Authentication and Advanced Authentication) are enabled
You need to configure a federated authenticator for the external identity provider.
When you created an external identity provider, it needs a defined method to communicate with an actual identity provider like google. Federated authenticators are used for that purpose. Once you configured a federated authenticator for your external IDP, wso2is will allow you to use the external IDP with your service provider.
wso2is supports federated authentication with many popular IDPs including Google, Facebook. It also lets you configure any OAuth2, SAML and WS-Fed based IDP as well.
Related
What are the debug options available at the WSO2 Identity server to trace the Identity Federation (outbound) using OpenID protocol? Are there parameters available at the log4j.properties, or service configurations that enables tracing under WSO2 Rel 5.1?
Even when the Identity Provider is configured to run with a federated lookup connecting to a remote Idp, the server is only validating locally registered accounts. Having a debug trace feature inside the server would be helpful to track the message routing and flow.
Configuration Details for Outbound Identity Federation:
Identity Provider Name: extbasicws01_openid
Display Name: extbasicws01_openid
Description: OpenID real for SSO
Federated Authenticators - OpenID Configuration
Federation Hub Identity Provider: checked
Home Realm Identifier: travelocity.com
Certificate: Public key PEM downloaded from central IdP
Alias (default URL):
Enabled OpenID - checked
Default - Specifies if OpenD is the default
OpenID server URL: central IDP URL
User ID found in 'claimed_id' - checked
Additional Query Parameters - blank
Any update on this topic? Still watching for a trace option to better track the federated mode in outbound connections, specially when using the OpenID standard. Currently testing with the Travelocity.com client and openid login. Local authentication with WSO2 Identities are answering, but outbound authentications are not sending a redirect to the external IdP. Any hints how to update the WSO2 Identity provider configuration to activate the federated mode with OpenID?
You can add the following in the {IS_HOME}/repository/conf/log4j.properties file to enable debug logs for OpenID.
log4j.logger.org.wso2.carbon.identity.application.authenticator.openid=DEBUG
Could you please clarify if there is a chance to interconnect a WSO2 Identity Server with an existing corporate IdP using the SAML as federated connection mechanism. What exactly needs to be configured to unify the realm and proxy the authentication with the external IDP?
Thanks in advance for your support.
If you use WSO2 IS as a proxy or a federation bus, then you need to register your IDP and Service provider in WSO2 IS and in your IDP you should register WSO2 IS as a service provider.
If you use WSO2 IS as your service provider, you need to register your existing IDP in WSO2 IS as IDP and WSO2 as service provider in you IDP side.
You can follow this document for more information.
Thanks!
I can not understand the difference between service provier and resident service provider.I understand like following.
When i want provisioing and service provider using HTTP Basic Authentication and SCIM API, IS server have to configure resident service provider's provisioning configuration. Is it right?
When i want provisioing and service provider using OAuth Authentication Authentication and SCIM API, IS server doesn't need to to configure resident service provider, just required service provider's provisioning configuration. Is it right?
Yes. Your understanding is correct. WSO2IS normally can mediate authentication requests between SPs and IDPs. At the same time, the Identity Server itself can act as a service provider and an identity provider. When it acts as a service provider it is known as the Resident Service Provider. When you are provisioning users using SCIM, WSO2IS would be act as a service provider. Therefore you can find only the provisioning related configuration from there. Also, i guess, this may be help to understand the in-bound/out-bound provisioning with WSO2IS much better manner.
How easy or difficult it is for a SAML Identity Provider to work with a WS-Federation Service Provider? Are there tools that will allow a SAML IDp to work with any Service Provider despite the technology used?
Which side will have the most effort?
Thank you!
If each IDP only supports that protocol, then no.
Most IDP e.g. ADFS support both so can act as a bridge.
Update:
ADFS sits in the middle as a broker. It can talk SAML to SAML sites and WS-Fed to WS-Fed sites.
So you now have three STS: SAML, WS-Fed and ADFS. ADFS essentially translates between the two.
The only "tools" that are available are the stacks for SAML and WS-Fed e.g.
WIF for WS-Fed
SAML : SAML connectivity / toolkit
Can I configure WSO2 Identity Server 4.6.0 as an IDP for my own SAML applications and, at the same time, configure IS as a SAML service provider to an external IDP?
I would like to achieve the following:
user access my own SAML SP, which sends an AuthnRequest to my local WSO2 IDP, which in turn forwards the user to the external IDP for authentication. And after authentication with the external IDP returns to my own SAML SP application.
The scenario seems only possible with WSO2 IS 5.0.0 and the new "identity bus" feature.