Thursday, August 1, 2013

How to set up Single Sign-On between different Carbon instances

Hello all, I am back :)

Today we are going to look at a scenario where SAML2 Single Sign-On is enabled between two Carbon instances, so that a user who logs in once at the Identity Provider is signed in to the other instance's management console as well.

Note: in this blog post I am using two WSO2 IS 4.0.0 instances for the setup. One instance acts as the Identity Provider, and the other is the Identity Relying Party.

First of all, download WSO2 IS, create two separate folders (for example, Identity Provider and Identity Relying Party), copy the distribution archive into each of them, and extract it.

We need these two instances to run on different ports, because both would otherwise try to bind the same default HTTPS port (9443).
Therefore we select one of the instances and change its port offset. To do that, go to <productHome>\repository\conf of the selected instance and open the carbon.xml file.

Search for the <Offset> tag (inside <Ports>) and replace 0 with 1. The offset is added to every port the server opens, so the default HTTPS port 9443 becomes 9444.

In this example I selected the Identity Relying Party and changed its offset, so its management console runs on port 9444.

Now open a new command line window and start the Identity Provider (you can refer to the post How to Start Up WSO2 Identity Server for help).

Note the Identity Provider's HTTPS port from the startup output in the command prompt, then go to the Identity Relying Party's <productHome>\repository\conf\security folder, open the authenticators.xml file, and set the following on the SAML2 SSO authenticator entry.

Priority: this should be greater than five so that it is picked up as the highest-priority authenticator, ahead of the default one.

Parameter LoginPage: the default login page URL of Carbon, i.e. the page whose requests the authenticator intercepts and redirects to the Identity Provider.

Parameter ServiceProviderID: the unique identifier of this Carbon server in the SSO setup. It is sent as the Issuer of the SAML2 authentication request, so exactly the same value must be entered as the Issuer when you register this server in the Identity Provider's SAML SSO configuration.

Parameter IdentityProviderSSOServiceURL: the URL of the Identity Provider's SAML SSO endpoint, in the format https://(host-name):(port)/samlsso, using the Identity Provider's host and port (9443 in this example).

Now open the management console of the Identity Provider in a browser window and log in using admin as both username and password (the default credentials, which should be changed on anything other than a throwaway test setup).

Open another command prompt window, start the Identity Relying Party server, and note its HTTPS port (9444 in this example).

From the left menu panel of the Identity Provider's management console, select Main and click SAML SSO, then register the Identity Relying Party with the following configuration.

The Issuer must be the ServiceProviderID value you set in the Identity Relying Party's authenticators.xml, and the Assertion Consumer URL must be in the format https://(host-name):(port)/acs, using the Identity Relying Party's host and port (9444 in this example). The Identity Provider will only post SAML responses to this URL.

Now save the issuer and log out of the Identity Provider's management console.

Type the Identity Relying Party's management console URL (https://(host-name):9444/carbon in this example) into your web browser.

You will see that, with SAML2 SSO enabled, you are redirected to the Identity Provider's login page to enter your username and password instead of the Identity Relying Party's own login page.

Sign in using admin, admin as username and password respectively, and you will be redirected back to the Identity Relying Party's management console home. Note that this works out of the box only because both instances were extracted from the same distribution and so share the default wso2carbon keystore and certificate: the Identity Relying Party already trusts the certificate the Identity Provider signs its SAML responses with. In a real deployment, give each instance its own key pair and import the Identity Provider's certificate into the Identity Relying Party's trust store, otherwise the relying party will accept responses signed with a key anyone can download.
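To make the relationship between these settings concrete, here is an added example (written for this post, not WSO2 code) that walks through the SAML2 Web SSO exchange the two instances perform, using only the Python standard library. It parses a constructed authenticators.xml fragment for the relying party, builds the AuthnRequest the relying party redirects the browser with (Issuer is the ServiceProviderID, Destination is the IdentityProviderSSOServiceURL), encodes it with the HTTP-Redirect binding, and then checks a constructed, unsigned Response against the same configuration. The SAML2SSOAuthenticator element name and its disabled attribute, the LoginPage path, the localhost host names and the sample Response are assumptions for illustration; confirm the element and attribute names against the authenticators.xml that ships with your release. XML signature verification is deliberately left out of the checker and is the first thing a real consumer must do.

```python
"""Illustrative SAML2 Web SSO exchange for this post's two-instance setup (added
example, not WSO2 code). The authenticators.xml fragment is constructed; the
SAML2SSOAuthenticator element name and disabled attribute are assumptions."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed entry for the Relying Party (the offset-1 instance on port 9444).
AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
      <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
      <Parameter name="ServiceProviderID">carbonServer</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""
ACS_URL = "https://localhost:9444/acs"  # Assertion Consumer URL registered on the IdP

def utc(stamp):
    """Parse a SAML UTC timestamp such as 2013-08-01T10:05:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_sso_config(xml_text):
    """Read the SAML2 authenticator parameters the post tells you to set."""
    auth = ET.fromstring(xml_text).find("Authenticator[@name='SAML2SSOAuthenticator']")
    if auth is None or auth.get("disabled", "true") != "false":
        raise ValueError("SAML2SSOAuthenticator is missing or disabled")
    cfg = {p.get("name"): p.text for p in auth.findall("Config/Parameter")}
    cfg["Priority"] = int(auth.findtext("Priority"))
    return cfg

def build_authn_request(cfg, acs_url, request_id, issue_instant):
    """AuthnRequest the RP sends: Issuer is ServiceProviderID, Destination is /samlsso."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{cfg["IdentityProviderSSOServiceURL"]}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{cfg["ServiceProviderID"]}</saml:Issuer></samlp:AuthnRequest>'
    )

def redirect_url(cfg, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header or trailer
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f'{cfg["IdentityProviderSSOServiceURL"]}?{query}'

def decode_saml_request(url):
    """What the IdP's /samlsso endpoint does first: undo the redirect binding."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()

def sample_response(in_response_to, audience, acs_url):
    """Constructed, unsigned stand-in for the Response the IdP POSTs to /acs."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="2013-08-01T10:00:00Z" Destination="{acs_url}" InResponseTo="{in_response_to}">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-08-01T10:00:00Z">
    <saml:Issuer>localhost</saml:Issuer><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2013-08-01T10:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def check_response(response_xml, cfg, acs_url, expected_request_id, now):
    """Checks tying the Response to the post's settings; returns a list of problems.
    Signature verification against the IdP certificate is not shown and must come
    first, since without it every field checked here is attacker-controlled."""
    resp = ET.fromstring(response_xml)
    problems = []
    if resp.get("Destination") != acs_url:
        problems.append("Destination is not this RP's ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo matches no outstanding AuthnRequest")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    audiences = [a.text for a in resp.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["ServiceProviderID"] not in audiences:
        problems.append("assertion is not addressed to this ServiceProviderID")
    cond = resp.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None or now >= utc(cond.get("NotOnOrAfter")):
        problems.append("assertion is missing Conditions or has expired")
    return problems
```

Calling load_sso_config(AUTHENTICATORS_XML), then build_authn_request and redirect_url, gives the URL the relying party sends the browser to, and decode_saml_request recovers the same XML the way the /samlsso endpoint would. check_response on the constructed sample_response returns an empty list; change the audience, the Destination or the InResponseTo and it names the mismatch. The audience case is exactly what you get when the Issuer registered on the Identity Provider and the ServiceProviderID in authenticators.xml disagree, which is the most common reason this setup fails.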

Thank you!


Aniket said...

Hi folks, just found some of the best Google Apps security services with SSO single sign-on service.

santhoshi m said...

Good information on the single sign on products. Thanks for providing such great information.
