I want to implement an SSO system with the SAML 2.0 protocol using WSO2 IS as the Identity Provider. I've analyzed the SSO sample https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0 to learn how to implement the Service Provider side to generate a SAML 2.0 authentication request. AFAIK other ways to implement the SAML SP would be using OpenAM, OpenSAML or Shibboleth. But all those methods require programming knowledge on the Service Provider side to implement.
Thus my question:
Is there any Web Admin Service in WSO2 IS to ease the implementation of a SAML SP? I've found the SAML2SSOAuthenticationService.wsdl, but I'm not sure how it works and whether I need some other Admin Services in order to implement the desired solution.
You can use the createApplication method of the https://localhost:9443/services/IdentityApplicationManagementService admin service to create the service provider.
Or you can create the service provider using configuration files.
Please follow the steps below.
1) Open the /repository/conf/security/sso-idp-config.xml file and add the following configuration to it. This adds the travelocity application as a service provider.
<ServiceProvider>
<Issuer>travelocity.com</Issuer>
<AssertionConsumerService>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerService>
<SignAssertion>false</SignAssertion>
<SignResponse>false</SignResponse>
<EnableAttributeProfile>true</EnableAttributeProfile>
<IncludeAttributeByDefault>true</IncludeAttributeByDefault>
<EnableSingleLogout>true</EnableSingleLogout>
<Claims>
<Claim>http://wso2.org/claims/givenName</Claim>
</Claims>
<LogoutUrl></LogoutUrl>
<EnableAudienceRestriction>false</EnableAudienceRestriction>
<ConsumingServiceIndex>2104589</ConsumingServiceIndex>
</ServiceProvider>
2) Create a file named travelocity.com.xml in the /repository/conf/identity/service-providers directory.
3) Add the following configuration to the travelocity.com.xml file you created. This adds the necessary SAML configuration to the travelocity service provider.
<ServiceProvider>
<ApplicationID>3</ApplicationID>
<ApplicationName>travelocity.com</ApplicationName>
<Description>travelocity Service Provider</Description>
<IsSaaSApp>true</IsSaaSApp>
<InboundAuthenticationConfig>
<InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>travelocity.com</InboundAuthKey>
<InboundAuthType>samlsso</InboundAuthType>
<Properties></Properties>
</InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs>
</InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps>
<AuthenticationStep>
<StepOrder>1</StepOrder>
<LocalAuthenticatorConfigs>
<LocalAuthenticatorConfig>
<Name>BasicAuthenticator</Name>
<DisplayName>basicauth</DisplayName>
<IsEnabled>true</IsEnabled>
</LocalAuthenticatorConfig>
</LocalAuthenticatorConfigs>
<FederatedIdentityProviders>
<IdentityProvider>
<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
<IsEnabled>true</IsEnabled>
<DefaultAuthenticatorConfig>
<FederatedAuthenticatorConfig>
<Name>SAMLSSOAuthenticator</Name>
<DisplayName>samlsso</DisplayName>
<IsEnabled>true</IsEnabled>
</FederatedAuthenticatorConfig>
</DefaultAuthenticatorConfig>
</IdentityProvider>
</FederatedIdentityProviders>
<SubjectStep>true</SubjectStep>
<AttributeStep>true</AttributeStep>
</AuthenticationStep>
</AuthenticationSteps>
</LocalAndOutBoundAuthenticationConfig>
<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
<InboundProvisioningConfig></InboundProvisioningConfig>
<OutboundProvisioningConfig></OutboundProvisioningConfig>
<ClaimConfig>
<AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
<LocalClaimDialect>true</LocalClaimDialect>
<ClaimMappings>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/givenname</ClaimUri>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/givenName</ClaimUri>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
</ClaimMapping>
</ClaimMappings>
</ClaimConfig>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
Please refer to this link for more details:
[1] https://docs.wso2.com/display/IS500/Adding+a+Service+Provider+and+Identity+Provider+Using+Configuration+Files
After I installed WSO2 EMM (Enterprise Mobility Manager), I could add a device to device management. But I couldn't open the Publisher/Store; every page jumps to https://localhost:9443/publisher/acs or https://localhost:9443/samlsso. Should I install the WSO2 Identity Server or configure SSO for it?
You don't need to install any identity components or configure SSO explicitly. They are already there in vanilla EMM. When you go to https://localhost:9443/publisher, it should be redirected to the login page.
https://localhost:9443/authenticationendpoint/login.do
Then when you enter credentials it should redirect you to the URLs below.
1) https://localhost:9443/publisher/acs
2) https://localhost:9443/publisher
If this doesn't work for you, there should be exceptions in the log file. Please check that.
There was a missing part in the EMM documentation in the SSO configuration section [1]. Hope you are trying out this VM. Please follow the steps given here in order to get the publisher and store working properly.
The reason you encountered this is that the app-manager.xml file in the /repository/conf directory was not properly configured.
<SSOConfiguration>
<!-- URL of the IDP use for SSO -->
<IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl>
<Configurators>
<Configurator>
<name>wso2is</name>
<version>5.0.0</version>
<providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass>
<parameters>
<providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL>
<username>admin</username>
<password>admin</password>
</parameters>
</Configurator>
</Configurators>
</SSOConfiguration>
[1] https://docs.wso2.com/display/EMM201/General+Server+Configurations
I have created a custom federated authenticator and configured it in an identity provider called 'kbank'.
How can I configure all Service Providers to use this Identity Provider by default, without having to specify it individually for each Service Provider? Since in API Manager each application is created as a Service Provider, there will be a lot of Service Providers in our system, and the number keeps increasing.
In the Service Provider configuration page I can see there is an option for "Default", but I don't know how to specify the default.
Thank you very much.
You can specify the default authenticator, or rather the default sequence, using the application-authentication.xml found in IS_HOME/repository/conf/identity. You can change this using the <Sequences> section.
As shown below, the default sequence is set as a single-step authentication sequence using the BasicAuthenticator:
<Sequences>
<!-- Default Sequence. This is mandatory -->
<Sequence appId="default">
<Step order="1">
<Authenticator name="BasicAuthenticator"/>
</Step>
</Sequence>
</Sequences>
You can modify it to use any authenticator as the default. You need to specify the name of the authenticator.
Thanks to this post, the solution for my problem is that I have to modify <APIM_Home>\repository\conf\identity\service-providers\default.xml as follows:
<ServiceProvider>
<ApplicationID>1</ApplicationID>
<ApplicationName>default</ApplicationName>
<Description>Default Service Provider</Description>
<InboundAuthenticationConfig>
<InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>default</InboundAuthKey>
<InboundAuthType></InboundAuthType>
<Properties></Properties>
</InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs>
</InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps>
<AuthenticationStep>
<StepOrder>1</StepOrder>
<FederatedIdentityProviders>
<IdentityProvider>
<IdentityProviderName>kbank</IdentityProviderName>
<IsEnabled>true</IsEnabled>
<FederatedAuthenticatorConfigs>
<FederatedAuthenticatorConfig>
<Name>MyAuthenticator</Name>
<IsEnabled>true</IsEnabled>
</FederatedAuthenticatorConfig>
</FederatedAuthenticatorConfigs>
<DefaultAuthenticatorConfig>MyAuthenticator</DefaultAuthenticatorConfig>
<JustInTimeProvisioningConfig>
<UserStoreClaimUri></UserStoreClaimUri>
<ProvisioningUserStore>PRIMARY</ProvisioningUserStore>
<IsProvisioningEnabled>true</IsProvisioningEnabled>
</JustInTimeProvisioningConfig>
</IdentityProvider>
</FederatedIdentityProviders>
<SubjectStep>true</SubjectStep>
<AttributeStep>true</AttributeStep>
</AuthenticationStep>
</AuthenticationSteps>
</LocalAndOutBoundAuthenticationConfig>
<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
<InboundProvisioningConfig></InboundProvisioningConfig>
<OutboundProvisioningConfig></OutboundProvisioningConfig>
<ClaimConfig>
<AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
</ClaimConfig>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
What would be the URL for the newly set up SAML SSO's metadata URL, or how could I download this in XML format from WSO2 Identity Server (version 4.6.0) acting as IdP?
Thanks,
Tamas
WSO2 Identity Server now hosts the IDPSSODescriptor metadata file at this URL:
https://localhost:9443/identity/metadata/saml2
This feature is available from Identity Server version 5.3 onward.
AFAIK there is no option to auto-generate metadata files for IS. You have to manually write the metadata file. An example is as follows, taken from this blog post.
<md:EntityDescriptor entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Yes, Identity Server does not support generating the IdP information as a metadata file. You may need to create it manually. But I guess it would be available with a future release. There is an open public JIRA for this. You can find a generated SAML2 metadata file here. However, you may need to adjust it according to your configuration. If you have changed your keystore, you need to change the X509 certificate data, and also the URLs of the samlsso endpoint. By default the SAML SSO endpoint is located at https://localhost:9443/samlsso. In your service provider config, you need to configure this URL as the IdP URL (both login and logout). You must provide the wso2carbon certificate to the service provider for validating the signature.
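As an added example (not code from the answers above or from WSO2), the following Python script builds the IdP metadata that the answers say must be hand-written, from a PEM export of the IdP signing certificate, and then runs the SP-side checks the last answer implies: the certificate in the file matches the keystore export, and the samlsso endpoints are https. The certificate string is a constructed placeholder, and the keytool export command and helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder, NOT a real certificate. For a real IdP export the signing cert, e.g.
#   keytool -export -rfc -alias wso2carbon -keystore wso2carbon.jks -file idp.pem
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nTUlJQ0VYQU1Q\nTEUtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"


def pem_to_der_b64(pem):
    """ds:X509Certificate carries bare base64 DER: strip the PEM armor and all whitespace."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return re.sub(r"\s+", "", body)


def build_idp_metadata(entity_id, sso_url, slo_url, cert_pem):
    """Emit IDPSSODescriptor metadata in schema order: KeyDescriptor, SLO, NameIDFormat, SSO."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(root, f"{{{MD}}}IDPSSODescriptor", protocolSupportEnumeration=SAMLP)
    key = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_to_der_b64(cert_pem)
    # WSO2 IS serves SSO (Redirect and POST bindings) and SLO on the single /samlsso endpoint.
    ET.SubElement(idp, f"{{{MD}}}SingleLogoutService", Binding=REDIRECT,
                  Location=slo_url, ResponseLocation=slo_url)
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", Binding=REDIRECT, Location=sso_url)
    ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", Binding=POST, Location=sso_url)
    return ET.tostring(root, encoding="utf-8")


def check_idp_metadata(xml_bytes, expected_cert_pem):
    """SP-side checks before trusting a hand-written file: the embedded signing cert must be
    the one exported from the IdP keystore (or assertion signatures will not validate) and
    every SSO/SLO endpoint must be https, since both bindings go through the browser."""
    root = ET.fromstring(xml_bytes)
    certs = [re.sub(r"\s+", "", c.text or "") for c in root.iter(f"{{{DS}}}X509Certificate")]
    endpoints = [e for tag in ("SingleSignOnService", "SingleLogoutService")
                 for e in root.iter(f"{{{MD}}}{tag}")]
    return {
        "cert_matches": certs == [pem_to_der_b64(expected_cert_pem)],
        "all_https": all(e.get("Location", "").startswith("https://") for e in endpoints),
        "sso_bindings": sorted(e.get("Binding") for e in root.iter(f"{{{MD}}}SingleSignOnService")),
    }
```

Call build_idp_metadata with your entity ID and the samlsso URL for both SSO and SLO, write the bytes to a file, and run check_idp_metadata against the same PEM export before handing the file to the SP.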
I have a lot of proxies in WSO2 ESB that I have to secure. I need them to be secured using Username Token at deployment time, instead of browsing to the dashboard and enabling it one by one.
Any help?
I guess currently you need to use the management console to do it. From the UI, it is calling a backend web service. You can automate the process by automating this backend web service. This web service is exposed by the following component [1]. You can use soapUI or a client program to automate this web service.
[1] http://svn.wso2.org/repos/wso2/carbon/platform/trunk/components/security/org.wso2.carbon.security.mgt/
I had a similar requirement; here is how I solved it:
Apply Role security to WSO2 ESB Proxy using Java API
Also, you can find the test case here on how to use the methods:
http://svn.wso2.org/repos/wso2/tags/carbon/3.2.3/products/bps/2.1.1/modules/integration/org.wso2.bps.management.test/src/test/java/org/wso2/bps/management/SecurityTest.java
Here is how the code snippet goes to secure any proxy service with the default security scenarios of WSO2 ESB. In WSO2 ESB "scenario1" signifies UsernameToken-based security. If you wish to secure your proxy with scenario1, follow the code snippet below:
// Imports come from the WSO2 SecurityAdminService stub jar (org.wso2.carbon.security.mgt.stub);
// the exact package names are assumed here, so verify them against the stub version of your ESB.
import java.rmi.RemoteException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.security.mgt.stub.config.SecurityAdminServiceSecurityConfigExceptionException;
import org.wso2.carbon.security.mgt.stub.config.SecurityAdminServiceStub;
import org.wso2.carbon.security.mgt.stub.config.xsd.ApplySecurity;

private static final Log _logger = LogFactory.getLog("SecurityClient");
// Authenticated stub for the SecurityAdminService admin service (typically https://<host>:9443/services/SecurityAdminService)
private SecurityAdminServiceStub stub;

public void applySecurityOnService(String serviceName, String policyId,
                                   String[] userGroups, String[] trustedKeyStoreArray,
                                   String privateStore)
        throws SecurityAdminServiceSecurityConfigExceptionException, RemoteException {
    ApplySecurity applySecurity = new ApplySecurity();
    applySecurity.setServiceName(serviceName);
    // scenario1 is UsernameToken security, so pass "1" as policyId
    applySecurity.setPolicyId("scenario" + policyId);
    applySecurity.setTrustedStores(trustedKeyStoreArray); // keystores holding trusted certificates
    applySecurity.setPrivateStore(privateStore);          // keystore holding the service's private key
    applySecurity.setUserGroupNames(userGroups);          // roles allowed to invoke the secured service
    stub.applySecurity(applySecurity);
    _logger.info("Security Applied Successfully");
}
Here is how you may call this method from your client class:
applySecurityOnService("MyProxy", "1", new String[]{"TestRole"}, new String[]{"wso2carbon.jks"}, "wso2carbon.jks");
I am attempting to use Greg to hold endpoint URLs for services deployed into non-WSO2 containers (WebLogic/JBoss). I would like to use WSO2 ESB to perform mediation and routing of data through these endpoints.
However, when I look at the WSO2 ESB samples, it is not clear how I instruct the ESB to use WSO2's Greg. Below is the XML used to have the ESB use a registry deployed to the filesystem.
<definitions xmlns="http://ws.apache.org/ns/synapse">
<registry provider="org.wso2.carbon.mediation.registry.ESBRegistry">
<parameter name="root">file:./repository/samples/resources/</parameter>
<parameter name="cachableDuration">15000</parameter>
</registry>
</definitions>
My assumption is that the registry tag's provider element should be able to be overridden with a web-service address providing access to Greg.
When all is said and done, I would like to create simple BPMN configuration files that connect to Greg, obtain URIs and URLs for the services used by the file, and then reference them as properties later in the BPMN route.
First question: is this a standard configuration, or is there a better way to integrate WSO2 ESB and Greg?
Second question: are there any examples I could refer to that will answer this question?
Please refer to the following documentation:
[1] http://wso2.org/library/tutorials/2010/04/sharing-registry-space-across-multiple-product-instances
[2] http://docs.wso2.org/wiki/display/ESB460/Storing+Various+WSO2+Enterprise+Service+Bus+Configurations
Those cover, at a high level, how you can store to and use the WSO2 Governance Registry.
If you need to manage endpoints through the API in the Governance Registry, the following will help:
[3] http://docs.wso2.org/wiki/display/Governance453/Endpoints+with+Governance+API
[4] http://docs.wso2.org/wiki/display/Governance453/Endpoint+Look-up+Sample
Further, this thread includes some hints on how you can access custom stored properties in the Registry:
[5] How to access system property from WSO2 ESB and Registry
WSO2 Governance Registry is a metadata repository, therefore you can use it to store the SOA artifacts (WSDLs, schemas, policies, mediation configurations, custom artifacts, etc.) of your deployment. After that you can govern those artifacts through the Governance Registry. You can find more details in the ESB documentation [1].
[1] http://docs.wso2.org/wiki/display/ESB460/Config+and+Governance+Partitions+in+a+Remote+Registry
Thanks & Regards,
Ajith