Login to an OIDC-supported SP with a WS-Federation-supported federated IDP configured in WSO2 IS
WSO2 Identity Server supports the WS-Federation authentication mechanism. This blog describes how to configure a WS-Federation-supported federated identity provider and log in through an OIDC-supported service provider, so that a user who only has an account in the federated IDP can sign in to an OIDC application.
Setting up the Identity Providers
For federated authentication we need an IDP configured as the secondary identity provider (SecondaryIDP). Here I used another WSO2 Identity Server as the SecondaryIDP.
Step 01: Download WSO2 Identity Server and take a second copy of it, so that we have two WSO2 Identity Servers. From here on, one is named 'PrimaryIDP' and the other 'SecondaryIDP'. Extract both packs.
Step 02: To run two WSO2 Identity Servers in the same environment, the port offset of one of them has to change. Let's change the SecondaryIDP's offset. Go to the <IS_HOME_Secondary>/repository/conf directory and open carbon.xml. Change the 'Offset' value under the 'Ports' configuration to 1. This moves the SecondaryIDP's HTTPS port to 9444 (every port the server opens is shifted by the offset), while the PrimaryIDP keeps the default 9443. The port conflict is resolved!
Now we can start both WSO2 Identity Servers in the same environment. :)
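The relevant part of the SecondaryIDP's carbon.xml after the change, as an added illustration (not copied from the post; the element names are those of the stock carbon.xml, and the other children of Ports are left untouched):

```xml
<!-- <IS_HOME_Secondary>/repository/conf/carbon.xml, Ports section only -->
<Ports>
    <!-- Added to every port the server opens: HTTPS 9443 -> 9444, HTTP 9763 -> 9764.
         The PrimaryIDP keeps the default value 0. -->
    <Offset>1</Offset>
    <!-- remaining child elements (JMX, EmbeddedLDAP, ...) unchanged -->
</Ports>
```

If the offset is set on the wrong copy, the URLs used later in this post (9443 for the PrimaryIDP, 9444 for the SecondaryIDP) no longer match, so check which pack you edited before starting the servers.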
Step 03: Start both identity servers by executing the startup script in <IS_Home>/bin for your OS:
On Windows, execute wso2server.bat; on Ubuntu (or any other Linux), execute wso2server.sh.
Now we have two identity providers ('PrimaryIDP' and 'SecondaryIDP') up and running.
- PrimaryIDP: https://localhost:9443/carbon
- SecondaryIDP: https://localhost:9444/carbon
Configuring the PrimaryIDP as a service provider in the SecondaryIDP
If the PrimaryIDP is to consume the SecondaryIDP's passive STS service, the PrimaryIDP has to be registered as a service provider in the SecondaryIDP. Go to the SecondaryIDP management console, add a service provider and configure it as below (the passive STS fields are under Inbound Authentication Configuration > WS-Federation (Passive) Configuration):
- Service Provider Name: PrimaryIDP
- Passive STS Realm: PrimaryIDP
- Passive STS WReply URL: https://192.168.108.80:9443/commonauth (the PrimaryIDP's /commonauth endpoint; the SecondaryIDP posts the signed WS-Federation response to this address through the user's browser, so it must be reachable from the browser)
Configuring the SecondaryIDP as an identity provider in the PrimaryIDP
To use the SecondaryIDP for federated authentication, it has to be registered as an identity provider in the PrimaryIDP. Go to the PrimaryIDP management console, add an identity provider and fill in the following (the passive STS fields are under Federated Authenticators > WS-Federation (Passive) Configuration):
- Identity Provider Name:Secondary_Achini
- Enable Passive STS: Enabled
- Passive STS Realm: PrimaryIDP (the same value as the 'Service Provider Name' given to the PrimaryIDP in the SecondaryIDP; the realm is sent as the wtrealm parameter and is how the SecondaryIDP finds the matching service provider)
- Passive STS URL: https://192.168.108.80:9444/passivests
If the SecondaryIDP user store is in a tenant domain, add the tenant as a query parameter:
- Additional Query Parameters: tenantDomain=abc.com
Certificate upload:
Go to the SecondaryIDP management console > Main > Keystores > List and click 'Public Key' next to the keystore to download its certificate. Upload that file as the 'Identity Provider Public Certificate' of the identity provider you just created in the PrimaryIDP, then restart the PrimaryIDP. The PrimaryIDP uses this certificate to verify the signature on the WS-Federation response (the SAML token) coming from the SecondaryIDP; with a missing or wrong certificate, every federated login fails at signature validation. Note that the wso2carbon keystore shipped with the product contains the same well-known key and password in every installation, so for anything beyond a local test, generate a fresh keystore for each server before exchanging certificates.
Playground deployment in Tomcat
Step 01: Download the WSO2 Identity Server source repository (product-is) and navigate to the product-is/modules/samples/oauth2/playground2/ directory.
Step 02: Open a terminal and run 'mvn clean install' to build the project.
Step 03: Navigate to the target folder, copy playground2.war to <Tomcat_Home>/webapps and start the Tomcat server.
Step 04: Once Tomcat has deployed the war, navigate to <Tomcat_Home>/webapps/playground2/WEB-INF/classes and open playground2.properties. Edit the following fields with the values for your environment.
- IdentityServerHostName=192.168.108.80
- IdentityServerPort=9443
- CallbackURL=http://localhost:8080/playground2/oauth2client
These are sample values. The callback is plain HTTP here only because the playground runs on the same machine for testing; the authorization code is delivered through this URL, so use HTTPS for anything other than a local test.
Step 05: Shut down the Tomcat server and start it again so the new properties are read.
Setting up the application
Let's set up an OIDC-supported SP for the playground application.
Step 01: Log in to the PrimaryIDP management console.
Step 02: Navigate to Home > Service Providers > Add.
Step 03: Add the service provider 'playground_Achini'.
Step 04: Select 'Inbound Authentication Configuration' > 'OAuth/OpenID Connect Configuration', fill in the details as below and click Update.
- Callback URL: http://localhost:8080/playground2/oauth2client (this must match the CallbackURL in playground2.properties exactly; the Identity Server rejects an authorization request whose redirect_uri is not the registered one). After the update, note the generated OAuth Client Key and Client Secret; the playground asks for them.
Configuring the federated authentication
WSO2 Identity Server allows advanced authentication configuration (for example, application authentication can proceed through several steps, and each step can offer several authenticators). Here we configure a single step with two options, local basic authentication and federated authentication via the SecondaryIDP, so the user can choose either one.
Step 01: Log in to the PrimaryIDP and navigate to Home > Service Providers > List, open the created service provider and expand 'Local & Outbound Authentication Configuration'.
Step 02: Select 'Advanced Configuration' and add an authentication step.
Step 03: Select 'basic' under Local Authenticators as the first option in Step 1.
Step 04: Select the 'Secondary_Achini' IDP under Federated Authenticators as the second option in Step 1.
Step 05: Click Update.
Test your scenario :)
Step 01: Open the playground application: http://localhost:8080/playground2/oauth2.jsp
Step 02: Enter the Client ID of the 'playground_Achini' service provider and click the authorize button.
Step 03: The PrimaryIDP login page now offers two ways to authenticate to the application. Let's choose the federated option: under 'Other login options', click Secondary_Achini.
Step 04: Enter the credentials of a user who has an account in the SecondaryIDP. The SecondaryIDP authenticates the user and returns a signed WS-Federation response to the PrimaryIDP's /commonauth endpoint; the PrimaryIDP validates it with the uploaded certificate, completes the OIDC flow and redirects back to the playground with an authorization code.
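What the playground does on the OIDC side of this scenario, written out as an added example (this is not the playground's own code and not part of the original post): it builds the authorization request to the PrimaryIDP, checks the callback, builds the back-channel token request, and validates the id_token claims a relying party must check. The client ID, client secret, callback and id_token used in it are placeholders constructed for illustration; the hostnames are the ones used in this post. The 'fidp' parameter is assumed to be the Identity Server's default home-realm-discovery parameter name, so confirm it for your version, and the expected issuer value is the product default, which should be compared with the server's discovery document.

```python
"""Added example: OIDC authorization-code flow against the PrimaryIDP,
with the relying-party checks (state, iss, aud, nonce). Placeholders:
client id/secret and the sample tokens built in the test."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PRIMARY_IDP = "https://localhost:9443"                           # PrimaryIDP from the post
REDIRECT_URI = "http://localhost:8080/playground2/oauth2client"  # playground callback from the post
# Default issuer value of a WSO2 IS installation; confirm against the
# discovery document at /oauth2/oidcdiscovery/.well-known/openid-configuration.
EXPECTED_ISSUER = PRIMARY_IDP + "/oauth2/token"


def new_state_and_nonce():
    """Fresh per-login values: state ties the callback to this browser session
    (CSRF defence); nonce ties the id_token to this authorization request."""
    return secrets.token_urlsafe(24), secrets.token_urlsafe(24)


def build_authorize_url(client_id, state, nonce, fidp=None):
    """URL the browser is sent to. 'fidp' (assumed default home-realm-discovery
    parameter name) names the IdP, e.g. Secondary_Achini, to skip the options page."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",        # 'openid' is what makes this OIDC and yields an id_token
        "state": state,
        "nonce": nonce,
    }
    if fidp:
        params["fidp"] = fidp
    return PRIMARY_IDP + "/oauth2/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect back to REDIRECT_URI. Rejects a callback
    whose state is not the one stored in the session, or that carries an error."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


def build_token_request(code, client_id, client_secret):
    """Back-channel POST exchanging the code for tokens. The client credentials go
    in the HTTP Basic header (client_secret_basic) and never reach the browser."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code,
                      "redirect_uri": REDIRECT_URI})  # must equal the authorize-request value
    return PRIMARY_IDP + "/oauth2/token", headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_claims(id_token, client_id, expected_nonce):
    """Claim checks an RP must do before trusting an id_token. Verifying the JWS
    signature against the PrimaryIDP's JWKS is a separate, mandatory step that
    needs the live server and is not done here."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer: " + str(claims.get("iss")))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("id_token not issued for this client")
    nonce = str(claims.get("nonce", ""))
    if not secrets.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: token replayed or from another request")
    return claims


def make_unsigned_id_token(claims):
    """Constructed test input only: an UNSIGNED token (alg none) so the claim
    checks can run offline. A real RP must reject alg=none outright."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none"}) + "." + seg(claims) + "."
```

In a real deployment the state and nonce are stored server-side in the user's session between the redirect to the PrimaryIDP and the callback; the WS-Federation hop to the SecondaryIDP is invisible to the relying party, which only ever talks to the PrimaryIDP's /oauth2/authorize and /oauth2/token endpoints.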