Login to OIDC supported SP with WS-Federation supported federated IDP configured in WSO2 IS.

WSO2 Identity Server support ‘WS-federation’ authentication mechanism. This blog will describe how to configure the WS- federation supported federated identity provider and login with a OIDC supported service provider

Setting up the Identity Providers

For the federate authentication we need an IDP to configure as the secondary identity provider (SecondaryIDP) and here I used another WSO2 Identity Provider as a secondary IDP.

Step 01: Download the product WSO2 Identity provider and get a copy of the it. Now we have two WSO2 Identity providers. Here on wards we name one downloaded WSO2 Identity Provider as ‘PrimaryIDP’ and the other as the ‘SecondaryIDP’. Extract both downloaded packs.

Step 02: Now we see how to start two WSO2 Identity Providers in same environment. For this, we have to change the offset of one IDP. Let’s change the secondary IDP offset value. Got to <IS_HOME_Secondary> /repository /conf directory and open carbon.xml file. Change the ‘offset’ value under the ‘ports’ configuration to 1. This change SecondaryIDP port to 9944 and by default ‘PrimaryIDP’s port is 9443. Now the port conflict is resolved !

We can start both WSO2 Identity providers in same environment. :)

Step 03: Start both identity severs. Execute following files according to the OS type in <IS_Home>/bin

For windows OS, execute wso2server.bat and for Ubuntu OS, execute wso2server.sh to start the servers.

Now we have two identity providers (‘PrimaryIDP’ and ‘SecondaryIDP’) up and running.

Configuring PrimaryIDP service provider in SecondaryIDP

If PrimaryIDP need to get the service from SecondaryIDP, PrimaryIDP have to configure as a service provider in the SecondaryIDP. Go to SecondaryIDP and configure the SP as below.

PrimaryIDPs service provider configuration

Configuring secondaryIDP as Identity provider in PrimaryIDP

To get the SecondaryIDP as a federated identification, SecondaryIDP haveto configure as an identity server in the PrimaryIDP.

Secondary IDP configuration

If the SecondaryIDP is in a tenant domain,

Certificate upload,

Go to SecondaryIDP management console >Main > Keystores >List directory and click on the Public Key to download the cert file. Once the file download, upload the file in to ‘Identity Provider Public Certificate’ and restart the PrimaryIDP server.

Playground deployment in Tomcat

Step 01: Download the WSO2 Identity Server and navigate to the product-is/modules/samples/oauth2/playground2/ directory.

Step 02: Open terminal and type ‘mvn clean install’ to build the project

Step 03: Navigate to the target folder and copy playground2.war file to <Tomcat_Home>/webapps and start the tomcat sever.

Step 04: Once the tomcat server update navigate to the <Tomcat_Home>/webapps/playground2/WEB-INF/classes and open playground2.properties file. Edit the following fields with necessary values.

Here I have mentioned some sample values.

Step 05: Shutdown the tomcat server and restart the server again.

Setting up the application

Let’s setup OIDC supported SP to access the application, playground.

Step 01: Login to the PrimaryIDP Management console

Step 02: Navigate to the Home/Service provider

Step 03: Add OIDC service provider, ‘playground_Achini’

Add service provider name

Step 04: Select ‘Inbound Authentication Configuration’ and fill the details as below image and click update

OIDC application setting

Configuring the federate authentication

WSO2 Identity server allows to configure advance authentication options (ex: application authentication can be proceed with several steps). Here we configure authentication with multiple choices within a single steps. There fore it’s configured federate authentication option as well for the customer.

Step 01: Login to the PrimaryIDP and navigate to the created Home/ Service providers/List/Local & outbound authentication configuration.

Step 02: Select Advanced configuration and add authentication steps.

Step 03: Select basic as the local authentication as the first option in steps 01 .

Step 04: Select ‘Secondary_Achini’ IDP as the federated authentication as the second option in step 01.

Step 05: Click update.

Advance authentication configuration

Test your scenario :)

Step 01: Search the playground application. http://localhost:8080/playground2/oauth2.jsp

Step 02: Add Client Id and click authentication button.

Step 03: Here we have to option to authentication to the application. Let’s select federate authentication option.Click Other login option, Secondary_Achini

Step 04: Add federated user credentials (User who has account in secondaryIDP) and authenticate as federate authentication.

References: