Saturday, April 25, 2015

Setup Sample Web App with WSO2 Identity Server for SAML Authentication

This post demonstrates how to set up a sample web app that acts as a relying party (a SAML service provider) obtaining identity from WSO2 Identity Server. Identity Server 5.0.0 is used, with SAML 2.0 as the authentication protocol. The Identity Server runs on localhost, port 9443.

First, log in to the management console of the Identity Server as the admin user. Then create a Service Provider. Here I name the service provider as

The next step is to configure the ‘SAML2 Web SSO Configuration’, listed under ‘Inbound Authentication Configuration’ in the Service Provider configuration.

Set the SAML2 configuration of the service provider as shown below.

Here I host the sample web app in Tomcat, which runs on port 8080 with hostname localhost. The Assertion Consumer URL of the service provider is therefore http://localhost:8080/ This is the URL to which the Identity Server redirects the browser, carrying the SAML response, after a successful login for the travelocity app. After making the configuration as above, ‘Register’ the Service Provider.

Note :
Once the travelocity sample is hosted in Tomcat, the properties file of the app can be found at the following path.
This properties file defines the properties required for SAML2 and for the other protocols the sample supports.
The SAML2 property names defined in this file are shown in the following image. The values in the file must match the values entered for the Service Provider in the Identity Server. The Service Provider configuration above was chosen to match the default SAML2 property values in the app’s properties file, so no change to those values is needed.

If the Identity Server runs on a different hostname or port, the following property in the properties file must be changed accordingly.

The keystore of the sample can be found at the following path.

The public certificate of the Identity Server (from its default keystore) is already imported into the keystore of the travelocity sample. This is required because, with the Service Provider configuration above, the SAML2 Response and the Assertion sent by the Identity Server are signed with the Identity Server’s private key, and the sample verifies those signatures against the imported certificate. If the Identity Server’s keystore is replaced (the default keystore ships with every distribution, so it should only be trusted in a test setup), export the new public certificate and import it into the sample’s keystore, otherwise signature validation at the service provider fails.

After setting the SAML2 Web SSO Configuration, ‘Update’ the Service Provider.

The configuration in the Identity Server is now complete. The next step is to host the sample web app in Tomcat.

The source code of the sample can be downloaded from [1] and the built WAR file of the web app from [2]. Copy the to <TOMCAT_HOME>/webapps to deploy the web app.
After the web app is deployed, open its index page at the following link.
Here Tomcat runs on localhost, port 8080.

Log in to the web app with SAML2.

The web app then redirects the browser to the Identity Server, where the user has to log in.

Upon successful login, the Identity Server redirects the browser back to the travelocity web app (to the Assertion Consumer URL), and the user is now logged into the travelocity web app.
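The exchange described above, as an added example that is not part of the original post and not code from the travelocity sample or WSO2: the service provider side builds the AuthnRequest and encodes it for the HTTP-Redirect binding, and a validator applies the checks a relying party must make on the Response that comes back to the Assertion Consumer URL (Destination, InResponseTo, status, Issuer, validity window, Audience). The SP issuer, the exact Assertion Consumer URL path, the Identity Server SSO endpoint and its issuer name are assumptions chosen to match the configuration in the post; the Response used below is constructed and unsigned, so XML signature verification against the certificate in the sample’s keystore is deliberately left out and must be done before any of these checks are trusted.

```python
# Added example, not code from the travelocity sample or from WSO2.
# Assumed values (assumptions, not stated on the page): SP issuer, exact ACS path,
# IdP SSO endpoint and IdP issuer name. They mirror the post's configuration.
import base64
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SP_ISSUER = "travelocity.com"                               # assumption
ACS_URL = "http://localhost:8080/travelocity.com/home.jsp"  # assumption
IDP_SSO_URL = "https://localhost:9443/samlsso"              # assumption
IDP_ISSUER = "localhost"                                    # assumption
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_authn_request(request_id=None, now=None):
    """AuthnRequest the SP sends; returns (ID the SP must remember, XML)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    now = now or datetime.now(timezone.utc)
    xml = ('<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{i}" '
           'Version="2.0" IssueInstant="{t}" Destination="{d}" '
           'AssertionConsumerServiceURL="{acs}">'
           '<saml:Issuer>{iss}</saml:Issuer></samlp:AuthnRequest>').format(
        p=NS["samlp"], a=NS["saml"], i=request_id, t=now.strftime(TS),
        d=IDP_SSO_URL, acs=ACS_URL, iss=SP_ISSUER)
    return request_id, xml


def redirect_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return IDP_SSO_URL + "?" + query


def decode_saml_request(url):
    """What the IdP does on receipt: reverse the HTTP-Redirect encoding."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def sample_response(in_response_to, issued, status=SUCCESS):
    """Constructed, UNSIGNED Response for offline demonstration only; real
    Identity Server output is signed and carries more attributes."""
    t, exp = issued.strftime(TS), (issued + timedelta(minutes=5)).strftime(TS)
    return ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_r1" '
            'Version="2.0" IssueInstant="{t}" Destination="{acs}" InResponseTo="{irt}">'
            '<saml:Issuer>{idp}</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="{st}"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}">'
            '<saml:Issuer>{idp}</saml:Issuer>'
            '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="{t}" NotOnOrAfter="{exp}">'
            '<saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>').format(
        p=NS["samlp"], a=NS["saml"], t=t, acs=ACS_URL, irt=in_response_to,
        idp=IDP_ISSUER, st=status, exp=exp, sp=SP_ISSUER)


def validate_response(response_xml, expected_in_response_to, now=None):
    """Checks the relying party makes AFTER verifying the XML signature with the
    IdP certificate from its keystore (not done here). Returns (True, subject)
    or (False, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != ACS_URL:                   # addressed to OUR ACS URL
        return False, "Destination is not our Assertion Consumer URL"
    if root.get("InResponseTo") != expected_in_response_to:  # answers a request WE sent
        return False, "InResponseTo does not match a request we sent"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ISSUER:
        return False, "Assertion Issuer is not the configured IdP"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    parse = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    if cond.get("NotBefore") and now < parse(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if cond.get("NotOnOrAfter") and now >= parse(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ISSUER not in audiences:                           # meant for THIS SP
        return False, "Audience does not include this SP"
    return True, assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)


def demo():
    """Round trip under a fixed clock; returns the four validation outcomes."""
    issued = datetime(2015, 4, 25, 10, 0, 0, tzinfo=timezone.utc)
    rid, req = build_authn_request("_req1", issued)
    assert decode_saml_request(redirect_url(req)) == req   # IdP recovers the request
    good = validate_response(sample_response(rid, issued), rid, issued + timedelta(minutes=1))
    stale = validate_response(sample_response(rid, issued), rid, issued + timedelta(minutes=10))
    replay = validate_response(sample_response("_other", issued), rid, issued)
    failed = validate_response(sample_response(rid, issued, "urn:oasis:names:tc:SAML:2.0:status:Requester"), rid, issued)
    return good, stale, replay, failed
```

The Destination, InResponseTo and Audience checks are what stop a Response minted for another service provider, or replayed from an earlier login, from being accepted at this Assertion Consumer URL; the values they compare against are exactly the Service Provider fields configured in the Identity Server above, which is why the properties file and the Service Provider entry must agree.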

Tharindu Edirisinghe
Identity Server Team

1 comment:

  1. This travelocity app confused me more than it solved any problems.

    I am looking for basic answers, like how do we configure WSO2 to say, after OAuth and OpenID, go to this page of some app?

    And how do I pass the authentication information to the SP app?

    From what I see in the documentation, it can only communicate to SP apps via SAML, OpenID, etc., which confuses me. If an app was OK to implement the OAuth spec for this WSO2-to-app communication, why would it go for WSO2 in the first place? Can it not implement SAML or OAuth directly with Google or SAML IdPs?