Wednesday, January 14, 2015

How to Configure Identity Server SSO Sample for Tenants

What's covered: configuring the SSO sample app (travelocity.com) with Identity Server 5.0.0 for a tenant.

1) download and build the app

Check out and build the app, then copy the WAR to Tomcat (there is a compatibility issue between some of the jars used by the travelocity app and the Application Server, so Tomcat is the safer host).


svn co http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/sso/


2) exchange keys between app and IS


When signing and encryption are enabled, each party signs its SAML requests and responses with its own private key and encrypts for the other party with that party's public key. To verify the other side's signatures and to encrypt for it, each party therefore needs the other's public certificate in its keystore; the private keys never leave their owners.

The default keystore of the travelocity app (wso2carbon.jks) is in travelocity.com/WEB-INF/classes. Extract the public certificate belonging to the private key the app uses as shown below (keytool prompts for the keystore password):

keytool -export -alias wso2carbon -file <name_for_public_cert> -keystore wso2carbon.jks

Import this certificate into the tenant's keystore using the key management feature (Configure > Keystores).

Export the tenant's public certificate using the same key management feature.

Import the downloaded tenant certificate into the travelocity keystore as shown below. The alias you give it here is the value you will use for SAML.IdPCertAlias in the next step:


keytool -import -file <name of the tenants public cert> -alias <alias for the tenant cert> -keystore wso2carbon.jks


3) configure SSO on the app side


Modify travelocity.com/WEB-INF/classes/travelocity.properties as follows:

SAML.IssuerID=travelocity.com@<tenant domain>

SAML.EnableResponseSigning=true

SAML.EnableAssertionSigning=true

SAML.EnableAssertionEncryption=true

SAML.EnableRequestSigning=true

SAML.IdPCertAlias=<alias given to the tenant certificate in step 2>


4) register service provider in IS


Register a service provider (Main > Identity > Service Providers > Add) by giving it a name (e.g. TravelocityApp) and clicking Register. Do this while logged in to the tenant the app should authenticate against; the SP is registered in that tenant.

On the next screen, expand Inbound Authentication > SAML 2 SSO Configuration and click Configure. Configure SAML SSO for the service provider as shown below:


Issuer : the IssuerID from travelocity.properties without the @<tenant domain> suffix (i.e. travelocity.com); the tenant part is implied by the tenant you registered the SP in

Assertion Consumer URL : the URL the Identity Server sends the SAML Response to; take it from travelocity.properties

Use fully qualified username in the NameID : enabled

Enable Response Signing : enabled

Enable Assertion Signing : enabled

Enable Signature Validation in Authentication Requests and Logout Requests : enabled

Enable Assertion Encryption : enabled

Select the travelocity app's certificate (the alias you imported into the tenant keystore in step 2) from the certificate alias drop-down; this is the key the Identity Server uses to encrypt assertions for the app and to verify its signed requests.




That's it. Log in with a user belonging to the tenant in which the service provider was registered.


common issues

Conflicting configuration between the registered SP and the app, e.g. Single Logout (SLO) enabled on the application side while disabled in the SP registration, or a signing/encryption flag enabled on one side only.

Omitting the tenant domain from the issuer ID on the application side (SAML.IssuerID must be travelocity.com@<tenant domain>, while the SP's Issuer field is travelocity.com alone).
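Steps 3 and 4 set the same SAML options on two sides, and the common issues above are all cases where the two drift apart. The following checker is an added example (not part of the WSO2 sample or of this post): it parses travelocity.properties, compares it with the values entered in the SP registration, and flags a missing tenant domain in the issuer ID, an SP issuer that is not IssuerID minus the tenant domain, a mismatched consumer URL, and any signing/encryption/SLO flag enabled on one side only. The property names SAML.ConsumerUrl and SAML.EnableSLO, the SP-side field names, the tenant abc.com and all sample values are assumptions of mine; the post itself only names the keys listed in step 3.

```python
import re

# travelocity.properties keys paired with the SP-registration field they must
# agree with. SP-side names are identifiers chosen after the console labels in
# step 4 (not an Identity Server API); SAML.EnableSLO and SAML.ConsumerUrl are
# assumed property names that the post does not spell out.
FLAG_PAIRS = [
    ("SAML.EnableResponseSigning", "enable_response_signing"),
    ("SAML.EnableAssertionSigning", "enable_assertion_signing"),
    ("SAML.EnableAssertionEncryption", "enable_assertion_encryption"),
    ("SAML.EnableRequestSigning", "enable_signature_validation"),
    ("SAML.EnableSLO", "enable_single_logout"),
]


def parse_properties(text):
    """Minimal Java .properties reader: skip blanks and '#'/'!' comments,
    split each entry at the first '=' or ':' and strip surrounding whitespace."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def as_bool(value):
    """Java-style boolean property: only the literal 'true' counts as enabled."""
    return str(value).strip().lower() == "true"


def split_issuer(issuer_id):
    """'travelocity.com@abc.com' -> ('travelocity.com', 'abc.com');
    an IssuerID without '@' carries no tenant domain."""
    name, sep, tenant = issuer_id.rpartition("@")
    return (name, tenant) if sep else (issuer_id, None)


def check_config(props, sp):
    """Compare the app side (parsed properties) with the SP registration.
    Returns a list of human-readable mismatches; empty means the sides agree."""
    findings = []
    enc = as_bool(props.get("SAML.EnableAssertionEncryption", "false"))
    sp_issuer, tenant = split_issuer(props.get("SAML.IssuerID", ""))
    if tenant is None:
        findings.append("SAML.IssuerID has no '@<tenant domain>' suffix")
    elif tenant != sp["tenant_domain"]:
        findings.append(f"SAML.IssuerID names tenant '{tenant}' but the SP "
                        f"is registered in tenant '{sp['tenant_domain']}'")
    if sp_issuer != sp["issuer"]:
        findings.append(f"SP issuer '{sp['issuer']}' != IssuerID minus "
                        f"tenant domain '{sp_issuer}'")
    if props.get("SAML.ConsumerUrl") != sp["assertion_consumer_url"]:
        findings.append("SAML.ConsumerUrl differs from the registered "
                        "Assertion Consumer URL")
    for prop_key, sp_key in FLAG_PAIRS:
        app_on = as_bool(props.get(prop_key, "false"))
        if app_on != bool(sp.get(sp_key, False)):
            findings.append(f"{prop_key}={str(app_on).lower()} on the app but "
                            f"{sp_key}={sp.get(sp_key, False)} in the SP")
    if enc and not props.get("SAML.IdPCertAlias"):
        findings.append("assertion encryption enabled but SAML.IdPCertAlias "
                        "is empty (tenant cert alias from step 2)")
    if enc and not sp.get("certificate_alias"):
        findings.append("assertion encryption enabled but no app certificate "
                        "is selected in the SP registration")
    return findings


# Constructed sample: travelocity.properties as step 3 leaves it for the
# hypothetical tenant abc.com, plus the assumed ConsumerUrl / EnableSLO keys.
APP_PROPERTIES = """# travelocity.properties (constructed excerpt)
SAML.IssuerID=travelocity.com@abc.com
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/home.jsp
SAML.EnableResponseSigning=true
SAML.EnableAssertionSigning=true
SAML.EnableAssertionEncryption=true
SAML.EnableRequestSigning=true
SAML.EnableSLO=false
SAML.IdPCertAlias=abc-tenant
"""

# Constructed sample: the SP registration from step 4 as entered in the console.
SP_REGISTRATION = {
    "issuer": "travelocity.com",
    "tenant_domain": "abc.com",
    "assertion_consumer_url": "http://localhost:8080/travelocity.com/home.jsp",
    "enable_response_signing": True,
    "enable_assertion_signing": True,
    "enable_signature_validation": True,
    "enable_assertion_encryption": True,
    "enable_single_logout": False,
    "certificate_alias": "travelocity",
}

if __name__ == "__main__":
    problems = check_config(parse_properties(APP_PROPERTIES), SP_REGISTRATION)
    print("\n".join(problems) if problems else "OK: app and SP registration agree")
```

Run it against a copy of your real travelocity.properties and the values you typed into the console; the two mistakes listed under common issues (SLO enabled on one side only, issuer without the tenant domain) each produce one finding, and a clean configuration produces none.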

