Thursday, June 26, 2014

SAML2 SSO with IS 5.0.0

Let's talk about the simple SAML2 SSO scenario with WSO2 IS 5.0.0 today.

A simple understanding of the concept can be gained from the following diagram.

WSO2 IS provides SAML2 Web Browser based SSO, acting as either IdP or SP. In the above scenario the web app is the service provider (SP) and IS is the identity provider (IdP). A predefined trust relationship is built between the SP and the IdP when enabling SAML2 SSO: the SP is registered in IS under an issuer name and an assertion consumer URL, and IS will only answer requests from issuers it knows and only post responses to the consumer URL registered for them.

How the above scenario works :-

1. The web app is registered as a trusted SP in IS
2. The web app implements SAML2 SSO and talks to IS, receiving the SAML2 response at the assertion consumer URL defined for it

NOTE :- If authentication request / response signature validation is needed, the certificates have to be exported / imported into the proper trust stores: the SP needs the IdP's public certificate in its trust store to validate response signatures, and the IdP needs the SP's public certificate in its trust store to validate request signatures. Without the matching certificate the signature check fails and the login is rejected.

USE CASE SCENARIO
----------------------------------

1. The user comes along and tries to log into the web app
2. SAML2 Web Browser based SSO is configured for the web app with WSO2 IS
3. The user is redirected to the IS login page, carrying a SAML2 authentication request from the web app
4. The user enters the login credentials
5. If the credentials are valid against the user store of the trusted IdP (IS), IS posts a SAML2 response with an assertion back to the web app's assertion consumer URL, and the user is logged into the web app
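The exchange in the steps above, as an added example that is not part of the original post or of WSO2's code: a Python script (standard library only) that builds the SP's SAML2 AuthnRequest for the HTTP-Redirect binding, shows what the IdP inflates out of the SAMLRequest parameter, and then runs the checks an SP has to make on the SAML2 Response posted to its assertion consumer URL (InResponseTo, Destination, Status, Issuer, validity window, Audience, and presence of a Signature). The IdP SSO endpoint https://localhost:9443/samlsso and the IdP entity id "localhost" are assumed IS 5.0.0 defaults that the post does not state; the Response and the NameID admin@carbon.super are constructed to look like what IS would send. The signature is only checked for presence; the cryptographic check against the IdP certificate in the SP's trust store, which is what the NOTE above is about, is deliberately left to an XML-DSig library.

```python
"""SP-side SAML2 Web Browser SSO: build the AuthnRequest for the HTTP-Redirect binding
and validate a Response posted to the ACS URL. Added example, not the post's or WSO2's
code; stdlib only. Values marked 'assumed' do not appear in the post."""
import base64
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ISSUER = "travelocity.com"                                  # SP registration in the post
ACS_URL = "http://localhost:8080/travelocity.com/home.jsp"  # likewise
IDP_SSO_URL = "https://localhost:9443/samlsso"              # assumed: IS default SSO endpoint
IDP_ENTITY_ID = "localhost"                                 # assumed: IS 5.0.0 default IdP entity id
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_authn_request(request_id, issued_at):
    """AuthnRequest the SP sends; request_id is remembered to check InResponseTo later."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issued_at.strftime(TIME_FMT)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{ISSUER}</saml:Issuer></samlp:AuthnRequest>')


def redirect_url(authn_request_xml, relay_state="/home.jsp"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def validate_response(response_b64, expected_request_id, now):
    """Checks the SP must make on a Response received at its ACS URL; returns the NameID or
    raises ValueError. Signature presence only: verifying it is left to an XML-DSig library."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request (unsolicited or replayed)")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        raise ValueError("neither Response nor Assertion carries a Signature")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion was not issued by the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    window = [datetime.strptime(cond.get(a), TIME_FMT).replace(tzinfo=timezone.utc)
              for a in ("NotBefore", "NotOnOrAfter")]
    if not (window[0] <= now < window[1]):
        raise ValueError("Assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != ISSUER:
        raise ValueError("Assertion is addressed to a different SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sample_response(request_id, now, audience=ISSUER, signed=True):
    """Constructed Response shaped like the one IS posts to the ACS URL; the Signature
    element is an empty placeholder, not a real XML-DSig."""
    nb, noa = ((now + timedelta(minutes=m)).strftime(TIME_FMT) for m in (-1, 5))
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'IssueInstant="{now.strftime(TIME_FMT)}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}<saml:Subject><saml:NameID>admin@carbon.super</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def run_demo():
    """Whole exchange on constructed data; returns what each step produced."""
    now = datetime(2014, 6, 26, 12, 0, 0, tzinfo=timezone.utc)
    req_id = "_" + "c0ffee" * 4                     # a real SP uses a random, unguessable id
    url = redirect_url(build_authn_request(req_id, now))
    saml_request = parse_qs(urlsplit(url).query)["SAMLRequest"][0]  # as the IdP receives it
    inflated = zlib.decompress(base64.b64decode(saml_request), -15).decode()
    results = {"idp_saw_request_id": ET.fromstring(inflated).get("ID"),
               "name_id": validate_response(sample_response(req_id, now), req_id, now)}
    for label, bad in (("wrong_audience", sample_response(req_id, now, audience="other-sp.example")),
                       ("unsigned", sample_response(req_id, now, signed=False)),
                       ("expired", sample_response(req_id, now - timedelta(hours=1)))):
        try:
            validate_response(bad, req_id, now)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

Run the file to see each step's outcome; the three deliberately bad responses (wrong audience, unsigned, expired) show why each check exists. A response that passes every check here but whose signature is never verified is still worthless to the SP, which is why the trust store import in the NOTE above stops being optional the moment signing is switched on.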


DEMO
---------

Let's check how to quickly demo this using an example app and WSO2 IS.

Required :-

1. Please download IS 5.0.0 from the product page
2. Check out the following sample travelocity app and build it using Maven

Configurations
--------------------

1. Take the .war file of the web app and deploy it on the Tomcat server (version 7)
2. Start up WSO2 IS
3. Now let's register the SP in IS
 A. Go to management console Main -> Service Providers -> Add
 B. Give a unique name for the SP and click on Register
 C. Then click on Inbound Authentication Configuration -> Configure
 D. Fill in the details as follows :-



NOTE:- You can change these properties according to what the SP expects. The properties for the webapp can be found in the apache-tomcat-7.0.42\webapps\travelocity.com\WEB-INF\classes\travelocity.properties file. The Issuer and Assertion Consumer URL entered in IS must match what that file says: IS rejects requests from an issuer it does not know, and only posts the response to the consumer URL registered for that issuer.

The information filled in for the above example is as follows :-

Issuer :- travelocity.com
Assertion Consumer URL :- http://localhost:8080/travelocity.com/home.jsp
Use fully qualified username in the NameID :- TRUE
Enable SLO :- TRUE

Once configured, click on Update on the SAML2 config page as well as on the SP information page that comes next. And you are good to go.

Now paste the following URL in the browser: http://localhost:8080/travelocity.com/index.jsp
and click on the SAML login link; you will be redirected to the IS login page. When you enter admin / admin (the default super user of IS), TADA, you are in :) (Do change that default password before IS runs anywhere other than your own machine.)




BYE BYE for now ;)
