Wednesday, January 14, 2015

How to Configure Identity Server SSO Sample for Tenants

whats covered: configuring the SSO sample app with Identity Server 5.

1) download and build the app

checkout and build the app. copy war to tomcat(there is a compatibility issue between some jars used in travelocity app and Application Server)


svn co http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/sso/


2) exchange keys between app and IS


when encryption is enabled, the saml requests and responses are encrypted using the relevant parties private keys. In-order to decrypt these messages on the other end the two parties must have each others public keys.

The default key store of the travelocity app can be found in WEB-INF/classes, extract the public certificate associated with the private key used in the app as shown below,

keytool -export -alias wso2carbon -file <name_for_public_key> -keystore wso2carbon.jks

import this key to the tenants keystore using the key management feature(configure > keystores)

export the public key of the tenant using the key management feature.

import the download certificate of the tenant to the travelocitys keystore as shown below,
 

keystore -import -file <name of the tenants public cert> -alias <give alias to cert> -keystore wso2carbon  


3) configure SSO on the app side


modify travelocity.com/WEB-INF/classes/travelocity.property as follows,

SAML.IssuerID=travelocity.com@<tenant domain>

SAML.EnableResponseSigning=true

SAML.EnableAssertionSigning=true

SAML.EnableAssertionEncryption=true

SAML.EnableRequestSigning=true

SAML.IdPCertAlias=<alias of the tenant public key>  


4) register service provider in IS


register a service provider(main > identity > service providers > add) by giving a service provider name(e.g. TravelocityApp) and clicking register.

in the proceeding screen, expand inbound authentication > SAML 2 SSO Configuration and click on configure. configure SAML SSO for the service provider as shown below,


Issuer :  IssuerID found in the travelocity.properties file, minus the tenant domain

Assertion Consumer URL : the URL the Identity Server will send the SAML Response, find this URL in the travelocity.properties file.

Use fully qualified username in the NameID : enabled

Enable Response Signing : enabled

Enable Assertion Signing : enabled

Enable Signature Validation in Authentication Requests and Logout Requests : enabled

Enable Assertion Encryption : enabled

Select the public key of the travelocity app from the drop-down.




Thats it. Login with a user in the tenant used for service provider registration.  


common issues 

having conflicting configurations between the SP registered and the app. e.g. Single Logout(SLO) being enabled on application side while in SP registration it being disabled. 

not providing tenant domain with issue id on application side.


No comments:

Post a Comment