I'm trying to set up what I'll call a SAML2 IDP-initiated chain on wso2is (5.1.0). Diagram below:
website.com (sp) <--saml2 idp init-- (idp) wso2is (sp) <--POST saml2 idp init-- (idp) 3rdPartyIDP
The idea being that a 3rd party wants to do an IDP-initiated POST SAML2 call to authenticate against our internal website, but any time the SAML2 call is made, WSO2 just shows the login page (on wso2is) for the website.com SP. I currently have advanced authentication set up with the 3rdParty SAML IDP and other IDPs that allow SP-initiated SAML; they work as expected.
IDP-initiated SAML2 works fine from wso2is if I use the link https://wso2is/samlsso?spEntityID=website.com, so I thought I would be able to use this as the SAML consumer location for the 3rdParty site. However, as stated, it ends up on the wso2is login page for the website SP with a SAMLResponse as a query parameter, instead of performing a second IDP-initiated call down to the website SP as I'd expect.
Does my consumer URL that I'm providing to the 3rdParty IDP seem correct? Is this flow even possible with wso2is?
https://wso2is/samlsso?spEntityID=website.com is the correct consumer URL to point to in this scenario. You need to do the following as well.
Configure an Identity Provider in WSO2 IS, adding the 3rd party SAML2 IdP as a federated authenticator. Refer to this URL for more details: https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider
Go to the Service Provider configuration added for website.com in IS and expand Local & Outbound Authentication Configuration. Select Federated Authentication and pick the Identity Provider you configured from the drop-down. Update the Service Provider configuration.
Related
Version: WSO2 Identity Server 5.4.1+
For audit purposes we wrote a UserOperationEventListener in order to hook into the authentication process by implementing doPostAuthenticate().
This captures API authentication and web login via form.
Unfortunately the listener is not called when IS operates as a SAML SP to another 3rd party SAML IDP.
Question: Is there a Listener which is called when a SAML authentication is successful?
Or is there another way to hook into the authentication flow to an external IDP?
Just an update in case anyone has the same requirements. We have now implemented an AuthenticationDataPublisher listener which covers all session creation events. In addition to the above UserOperationEventListener, it covers:
Resource Owner Password Credential authentication
local authentication during code/implicit flows
login via upstream federated authentication e.g. SAML, OIDC
SOAP admin API authentication
Currently our apps integrate (as service providers) with WSO2 IS v5.1.0 with multitenancy. We are using SAML2 Web SSO authentication. There is a requirement to do profile updates, change passwords and manage users from the service provider.
I found one sample app that uses a SAML2 token for authentication:
https://github.com/firzhan/saml2.sso.demo
The problem is:
I need to specify ServiceProviderID in authenticators.xml (step 3 in the link above).
Is there any way to disable this check?
I found docs about IDP-initiated SSO in WSO2 IS, but haven't found anything about service provider initiated SSO.
Consider the scenario in which a local IS is used as a service provider which is connected to several externally hosted SAML IDPs for outbound authentication.
Am I able to trigger an SP-initiated login to one specific external IDP with a static link? Ideally with a relay state attribute which is evaluated after a successful SAML sign-on process.
I am using WSO2 IS 5.0.0, but hints for 5.1.0 would also be appreciated.
IDP initiated login.
https://localhost:9443/samlsso?spEntityID=(Your SP Issuer ID)&fidp=(Your Home Realm Identifier if you have multiple IDP's)
https://localhost:9443/samlsso?spEntityID=myspissueid&fidp=myidp
OR
If you only have one IDP or don't need to skip the selection page:
https://localhost:9443/samlsso?spEntityID=myspissueid
I believe if you get the fidp parameter into the SAML AuthnRequest then that will do the trick for the SP-initiated one.
Considering the IDP is running on localhost:
IDP init SSO : https://localhost:9443/samlsso?spEntityID=yourSPEntityName
SP init SSO: https://localhost:9443/samlsso
Whenever I perform logout in one of my service providers I always get the same error message:
Not a valid SAML 2.0 Request Message!
The message was not recognized by the SAML 2.0 SSO Provider. Please check the logs for more details.
Let's take Salesforce for example... I have tried configuring it with https://myidpdomain:9443/samlsso and https://myidpdomain:9443/samlsso?wa=wsignout1.0 in the "Identity Provider Logout URL" setting.
The same with Zendesk...
For both of these service providers I have enabled the single logout checkbox in the SAML Inbound Authentication configuration.
The single sign on works fine.
Are you using the SAML2 SSO Web Browser profile or Passive STS? In the SAML2 SSO Web Browser profile, you cannot send wa=wsignout1.0 for logout. It is not valid; therefore the above error has been generated. wa=wsignout1.0 is used in the Passive STS profile, not in SAML2 SSO. If you are using the /samlsso endpoint in WSO2 IS, it means that you are using SAML2 SSO. Therefore, you must send a proper logout request to the /samlsso endpoint. If you need to get more of an idea about SSO logout with SAML2 SSO, please go through this.
I've made a new Identity Provider and set up its SAML2 authentication to our Shibboleth IDP. How do I "login" using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications, your applications can be connected with Identity Server as service providers. Then you can define your external IDPs as trusted IDPs. For each service provider, you can select multiple IDPs as outbound authenticators. There is a blog post about this that uses Salesforce as a trusted IDP; you can go through it as well.
If what you want is to login to IS using Shibboleth as IDP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's no facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I set up API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally, by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.