Single Sign On (SSO) for Web services in WSO2 Application Server

This post is about configuring SSO for web services deployed in WSO2 AS. WSO2 IS is used as the Identity Provider.


  • WSO2 IS 5.0.0
  • WSO2 AS 5.3.0
  • Java: jdk 1.8
  • OS : Ubuntu 15.10

Note: This post uses the sample web app called bar-app in AS.

Configure WSO2 AS as follows:

1. Navigate to <AS_HOME>/repository/conf/security/ and edit “” file

Change this if you have different host name/ value:


Change this according to the redirect you want after Single Log Out:

#Enable this if needed to automatically redirect from acs page after SLO

Uncomment “SAML.ConsumerUrl” and give the relevant URL. (This should be the same URL that you will give as the “Assertion Consumer URL” in WSO2 IS.)

#The URL of the SAML 2.0 Assertion Consumer

Other than these configurations, you have to make sure that you set the same options in both IS and AS. For example, you can enable “Response Signing” in IS.

Configuring Options in Service Provider

Then you have to configure the “” file with “Response Signing”

#Specify if SAMLResponse element is signed

Likewise, you may need to have the same configurations in both IS and AS. (If not, you may get some errors, as IS cannot retrieve relevant information via AS.)

2. Navigate to <AS_HOME>/repository/conf/tomcat/ and edit “catalina-server.xml” file.

Add SAMLSSO valve, just after the CarbonStuckThreadDetection Valve.

<Valve className="org.wso2.carbon.webapp.mgt.sso.SAMLSSOValve"/>
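A quick way to check the edited catalina-server.xml before restarting AS, as an added example that is not part of the original post or of WSO2's code: it flags typographic quotes (which make the file malformed when the valve line is copied from a web page) and verifies that the SAMLSSOValve sits directly after the CarbonStuckThreadDetection valve. The sample XML and the `example.*` class names are constructed; the stuck-thread valve is matched by the name given in the post, as a substring.

```python
import xml.etree.ElementTree as ET

SSO_VALVE = "org.wso2.carbon.webapp.mgt.sso.SAMLSSOValve"  # class name from the post
STUCK_MARKER = "CarbonStuckThreadDetection"  # substring match; full class name is not on the page

# Constructed sample, not a real catalina-server.xml; example.* names are placeholders.
SAMPLE_OK = """<Server><Service name="Catalina"><Engine name="Catalina"><Host name="localhost">
  <Valve className="example.CarbonStuckThreadDetectionValve" threshold="600"/>
  <Valve className="org.wso2.carbon.webapp.mgt.sso.SAMLSSOValve"/>
  <Valve className="example.OtherValve"/>
</Host></Engine></Service></Server>"""


def check_valves(xml_text):
    """Return a list of problems; an empty list means the valve is wired as described."""
    # Curly quotes pasted from a web page break attribute parsing, so report them first.
    if any(q in xml_text for q in "\u201c\u201d"):
        return ["typographic quotes found: attribute values must use straight quotes"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    found = 0
    for parent in root.iter():
        # Compare each Valve only with its sibling Valves under the same parent element.
        names = [c.get("className", "") for c in parent if c.tag == "Valve"]
        for i, name in enumerate(names):
            if name != SSO_VALVE:
                continue
            found += 1
            if i == 0 or STUCK_MARKER not in names[i - 1]:
                problems.append("SAMLSSOValve is not directly after the CarbonStuckThreadDetection valve")
    if found == 0:
        problems.append("SAMLSSOValve is missing")
    elif found > 1:
        problems.append("SAMLSSOValve is declared more than once")
    return problems


if __name__ == "__main__":
    print(check_valves(SAMPLE_OK) or "valve configuration looks as described")
```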

Configure WSO2 IS as follows:

  1. Add the service pack to IS. Refer to the documentation if you are not familiar with installing a service pack [1]. After adding the service pack, start the IS server.
  2. You have to configure a service provider for each web app you are going to use through AS. This example uses only one sample web app, called “bar-app”. Therefore I created one service provider for that web app.

You can create a service provider with the following steps:

  • Navigate to Service Providers and Click on “Add”
  • Give “Service Provider Name”
  • Configure “SAML2 Web SSO Configuration” in “Inbound Authentication Configuration”
Configure SAML2 Web SSO Configuration

Since the valve automatically determines the SSO issuer-id, the service provider issuer-id needs to be in the following format:

For web applications: issuer-id = webapp-name


  • When the bar.war web application is deployed for the Super Tenant, the issuer-id = bar.

Note: If you are configuring tenant-based applications, please refer to the documentation for additional changes [2].

Registering new Service Provider
After saving SAML2 Web SSO Configuration

3. Go to “Identity Providers” (Home > Identity > Identity Providers > List) and update the resident IDP “Entity Id” with the same value as the “EntityId”. (This will differ when you use a different hostname or IP.)

Configure Web Applications as follows:

Note: This post uses the sample web application available in WSO2 AS, which did not need to be configured as follows. You still need to add the following configuration if you deploy a new web application to WSO2 AS.

You must enable SSO for web applications by adding the following context parameter to the web application’s web.xml:


You are done with configurations. You can go to the web app deployed in AS.

Bar App deployed in AS

Click on “Go to URL” and you will be taken through WSO2 IS.