Single Sign-On Configuration

WSO2 Identity Server supports SAML2 based Single Sign-On. The implementation complies with the SAML2 Web Browser SSO Profile and the Single Logout Profile.

Figure 1: SSO Configuration

This page is used for Single Sign-On configuration. Service providers can be added to and removed from this page. The following points should be taken into consideration when adding a service provider.

How to configure Single Sign-On across different Carbon Servers

With the SAML2 relying party capabilities of Carbon, it is possible to set up Single Sign-On between different Carbon instances, where the Identity Server acts as the Identity Provider and the other Carbon servers act as relying parties. The following is a guide to setting up SSO between different Carbon servers.

1. Installing the SAML2 relying party (SAML2 SSO Authenticator) feature in a Carbon Server

SAML2 relying party components are not shipped with the default Carbon distribution. These bundles are packaged as a feature, which is available in the online hosted p2 repository, so the feature can be installed through the Carbon Feature Manager without much effort.

2. Configuring the Carbon Server to use SAML2 based authentication instead of the default username/password based authentication

After installing the SAML2 relying party components (SAML2 SSO authenticator), the authenticator must be configured to communicate with the Identity Server for user authentication.

This is configured in the authenticators.xml file in the {$CARBON_HOME}/repository/conf/advanced directory.

This file contains the configuration for the different authenticators. By default it ships with a sample configuration for the SAML2 SSO authenticator, which requires only minor modifications to get the setup working.

    <Authenticator name="SAML2SSOAuthenticator">
        <Priority>10</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">carbonServer</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
        </Config>
    </Authenticator>

Priority - Priority of the authenticator. At runtime, Carbon picks the authenticator with the highest priority. This value must be greater than 5 in order to supersede the default username/password based authenticator.

[Parameter] LoginPage - This is the default login page URL of Carbon. All requests to this page are intercepted for authentication. This value does not need to be changed from the sample configuration.

[Parameter] ServiceProviderID - This is the unique identifier for this Carbon Server in an SSO setup. The same value must be entered as the Issuer when the service provider is registered at the Identity Server.

[Parameter] IdentityProviderSSOServiceURL - This is the Identity Server URL to which users are redirected for authentication. It is of the form https://{host-name}:{port}/samlsso

3. Configuring the Identity Server as the single sign-on provider

Finally, the Identity Server must be configured to act as the Single Sign-On provider. Each relying party must be registered as a service provider at the Identity Server. The following is a sample configuration for registering a Carbon server as a service provider.

Figure 3: Registering the relying party as a service provider

Issuer : This must be identical to the ServiceProviderID value in the authenticators.xml of the relying party Carbon server; the Identity Server uses this value to match an incoming authentication request to the registered service provider.

Assertion Consumer URL : This is the URL to which the browser is redirected, carrying the SAML2 response, after authentication succeeds. For a Carbon relying party it is of the form https://{host-name}:{port}/acs

Select 'Enable Assertion Signing' so that the SAML2 assertions returned after authentication are signed. The SAML2 relying party components expect these assertions to be signed by the Identity Server: the signature is what lets the relying party verify that an assertion was actually issued by the Identity Server and has not been altered in transit, so leaving it disabled breaks the login rather than merely weakening it.

Select 'Enable Single Logout' so that signing out from one server terminates the user's sessions on the Identity Server and on every other relying party as well.
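The three steps above have to agree with each other: the relying party's ServiceProviderID must equal the Issuer registered at the Identity Server, the priority must beat the default authenticator, both URLs must be HTTPS endpoints of the expected shape, and assertion signing must be on. The script below is an added example, not part of the WSO2 documentation or product, that parses an authenticators.xml fragment and cross-checks it against the values an administrator entered on the Identity Server's service provider page. The XML and the registration values are constructed samples; the registration dictionary is an assumed representation of the form fields, since the page only shows them as a screenshot.

```python
"""Added example: consistency check between a Carbon relying party's
SAML2SSOAuthenticator configuration and its service provider registration
at the Identity Server. Not WSO2 code; inputs below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the authenticators.xml fragment described on the page.
AUTHENTICATORS_XML = """<Authenticators>
    <Authenticator name="SAML2SSOAuthenticator">
        <Priority>10</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">carbonServer</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
        </Config>
    </Authenticator>
</Authenticators>"""

# Constructed sample of the service provider entry on the Identity Server.
# The dictionary keys are an assumption standing in for the form fields.
IDP_REGISTRATION = {
    "issuer": "carbonServer",
    "assertion_consumer_url": "https://rp.example.com:9443/acs",
    "assertion_signing": True,
    "single_logout": True,
}


def parse_authenticator(xml_text, name="SAML2SSOAuthenticator"):
    """Return priority and <Parameter> values of the named authenticator."""
    root = ET.fromstring(xml_text)
    for auth in root.iter("Authenticator"):
        if auth.get("name") == name:
            params = {p.get("name"): (p.text or "").strip()
                      for p in auth.iter("Parameter")}
            return {"priority": int(auth.findtext("Priority", "0")),
                    "params": params}
    raise ValueError(f"no <Authenticator name={name!r}> found")


def check_sso_setup(xml_text, registration):
    """Return a list of problems; an empty list means both sides agree."""
    rp = parse_authenticator(xml_text)
    params = rp["params"]
    problems = []

    # Priority must exceed 5 to supersede the username/password authenticator.
    if rp["priority"] <= 5:
        problems.append(f"Priority {rp['priority']} does not supersede the "
                        "default authenticator (must be > 5)")

    # Redirect target must be the IdP's HTTPS /samlsso endpoint.
    idp = urlparse(params.get("IdentityProviderSSOServiceURL", ""))
    if idp.scheme != "https" or not idp.path.endswith("/samlsso"):
        problems.append("IdentityProviderSSOServiceURL must be of the form "
                        "https://{host-name}:{port}/samlsso")

    # The IdP looks up the service provider by Issuer, so it must match exactly.
    sp_id = params.get("ServiceProviderID")
    if sp_id != registration["issuer"]:
        problems.append(f"ServiceProviderID {sp_id!r} != registered "
                        f"Issuer {registration['issuer']!r}")

    # The browser is sent back to the relying party's HTTPS /acs endpoint.
    acs = urlparse(registration["assertion_consumer_url"])
    if acs.scheme != "https" or not acs.path.endswith("/acs"):
        problems.append("Assertion Consumer URL must be of the form "
                        "https://{host-name}:{port}/acs")

    # The relying party only accepts assertions signed by the Identity Server.
    if not registration["assertion_signing"]:
        problems.append("Enable Assertion Signing: the relying party expects "
                        "signed assertions")

    # Without SLO, logging out of one server leaves the other sessions alive.
    if not registration["single_logout"]:
        problems.append("Single Logout is disabled: sign-out on one server "
                        "will not terminate the other sessions")
    return problems


if __name__ == "__main__":
    for problem in check_sso_setup(AUTHENTICATORS_XML, IDP_REGISTRATION):
        print("PROBLEM:", problem)
```

Run it against the real authenticators.xml and the values from the service provider page before testing the login; a mismatched Issuer or an unsigned assertion otherwise surfaces only as an opaque failure at the /acs endpoint.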