Wednesday, September 18, 2013

SAML 2.0 SSO with WSO2 IS 4.5.0

In this blog post, Suresh explains SAML 2.0 SSO behavior with WSO2 IS 3.2.3. WSO2 has released IS 4.5.0 recently and it contains many improvements to SSO. So here I'm going to explain the same scenario with IS 4.5.0.

Configure the web app

1. Check out the source.


2. Go to sso/SSOAgentSample (the checked-out folder) and build the sample with the following command.


3. After a successful build, the sample WAR file can be found inside the sso/SSOAgentSample/target folder.
sso/SSOAgentSample/target/travelocity.com

Now we need to deploy this sample web app on a web container. Let's use the Tomcat server. Since this sample is written against Servlet 3.0, it needs to be deployed on Tomcat 7.x.

4. Stop the Tomcat server if it's already running.

5. Copy travelocity.war file to TOMCAT_HOME/webapps folder.

6. Start the tomcat server.

Special note:
The travelocity.properties file inside the travelocity.com/WEB-INF/classes folder can be used to change properties such as the issuer ID, the consumer URL and the IdP URL. For this sample I'm using the default values, i.e.

#A unique identifier for this SAML 2.0 Service Provider application
SAML.IssuerID=travelocity.com

#The URL of the SAML 2.0 Assertion Consumer
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/samlsso-home.jsp

#The URL of the SAML 2.0 Identity Provider
SAML.IdPUrl=https://localhost:9443/samlsso

Now we've deployed the web app successfully on a web container. The next step is to configure WSO2 IS 4.5.0 as the IdP.

Configure WSO2 IS 4.5.0 as IdP

1. Start Identity Server and access the management console at https://localhost:9443/carbon/

2. Log in to the management console using the default credentials (i.e. admin/admin).

3. Go to Main -> Manage -> SAML SSO

SAML SSO

4. Click on "Register New Service Provider"

5. Register a new service provider with the following values.
  • Issuer : travelocity.com
(Note : This value should be the same as the SAML.IssuerID value specified inside the travelocity.com/WEB-INF/classes/travelocity.properties file)
  • Assertion Consumer URL : http://localhost:8080/travelocity.com/samlsso-home.jsp
(Note : This value should be the same as the SAML.ConsumerUrl value specified inside the travelocity.com/WEB-INF/classes/travelocity.properties file)
  • NameID format : default value (i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
  • Use fully qualified username in the NameID : true (tick the checkbox)
  • Enable Response Signing : true (tick the checkbox)
  • Enable Assertion Signing : true (tick the checkbox)
  • Enable Signature Validation in Authentication Requests and Logout Requests : true (Certificate alias = wso2carbon)
  • Enable Single Logout : true (tick the checkbox)
After providing the above values, click Register. Below I've attached an image with the configured values.

Registered service provider

6. After successfully registering the service provider, log out of the management console.

We've finished configuring IS as the IdP. Now let's run the sample.

Run the sample

1. Visit http://localhost:8080/travelocity.com and you'll be taken to the following page.

travelocity.com landing page

2. Since we're going to use SAML2, click the first link (Click here to login with SAML from Identity Server)

SAML 2.0 login

3. You'll be redirected to IS for authentication.

authentication

4. Enter the default admin credentials (admin/admin).

5. Now you are logged in and you can see the home page of the travelocity.com app.

travelocity.com home page


Special note:
1) If you need to view the SAML request and response, add the following debug logger to the log4j.properties file found inside wso2is-4.5.0/repository/conf

log4j.logger.org.wso2.carbon.identity=DEBUG

2) Since single logout is enabled, clicking the logout button on the travelocity.com home page logs you out successfully.
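
The signing options ticked in step 5 and the debug log from note 1 can be checked together. The following added example (not part of the original post or of the WSO2 sample) inspects a SAML Response copied from the debug log and reports whether the Response and the Assertion each carry a signature element and whether Destination, Recipient and Audience match the travelocity.properties defaults. It is a structural check only and verifies no signature; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Defaults from travelocity.properties and the service provider registration.
SP_ISSUER_ID = "travelocity.com"
ACS_URL = "http://localhost:8080/travelocity.com/samlsso-home.jsp"

def check_response(xml_text, sp_issuer=SP_ISSUER_ID, acs_url=ACS_URL):
    """Structural findings for one logged SAML Response; verifies no signature."""
    # Fine for this constructed sample; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # Direct child only: a signed Assertion does not make the Response signed.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match SAML.ConsumerUrl")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append("expected one Assertion, found %d" % len(assertions))
    for a in assertions:
        if a.find("ds:Signature", NS) is None:
            findings.append("Assertion is not signed")
        audiences = [e.text for e in a.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if sp_issuer not in audiences:
            findings.append("Audience does not contain SAML.IssuerID")
        recipients = [e.get("Recipient") for e in a.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
        if acs_url not in recipients:
            findings.append("Recipient does not match SAML.ConsumerUrl")
    return findings

def sample_response(sign_response=True, sign_assertion=True, audience=SP_ISSUER_ID):
    """Constructed sample: empty ds:Signature elements stand in for real ones."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">%s'
        '<saml:Assertion>%s<saml:Subject><saml:SubjectConfirmation>'
        '<saml:SubjectConfirmationData Recipient="%s"/>'
        '</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
        '</samlp:Response>'
    ) % (NS["samlp"], NS["saml"], ACS_URL, sig if sign_response else "",
         sig if sign_assertion else "", ACS_URL, audience)
```

An empty list from check_response means the message has the shape the step 5 settings should produce; cryptographic validation of the signatures is still the job of the SSO agent.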

9 comments:

  1. Hi it looks like the repo does not exist

  2. Hi,
    When the response signing is enabled, we are getting org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Signature validation failed for SAML Response error. Travelocity.com signed the auth request, that got validated at IdP and sent us the SAML response. But SAMLSSOManager's validateSignature is trying to validate the signature of SAML response and throwing the above exception. Can you please help me how to overcome this issue?

  3. I cannot get to the repo site. Getting a 404 Not found

  4. Does WSO2 support a use case wherein it's a SAML service provider instead of being an identity provider?

  5. This comment has been removed by the author.

  6. The repo was renamed from 4.2.0 to turing - the new repo is located at https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/4.5.0/modules/samples/sso/

  7. hey hi I am getting "SAML2 Assertion not found in the Response" but once I check the debug logs I am able to see the SAML assertion response.
    Can you help me here?

  8. I am also getting "SAML2 Assertion not found in the Response", any idea how to resolve this?

  9. Any help here for the "Signature validation failed for SAML2 Response"??

    --Subhash
