How to integrate a complex SAML application flow with WSO2 Identity Server

Amalanathan Thushanthan
Identity Beyond Borders
5 min read · Apr 1, 2019

Consider this use case scenario:

A user wants to log in to an application and does so through one identity provider. After that successful login, the user has several other applications that must be logged in to through a different identity provider. At the same time, the first identity provider acts as the federated identity provider for this second identity provider.

Throughout this explanation WSO2 Identity Server is used as the identity provider, and SAML is used for all authentication requests.

Setting up the WSO2 Identity Server instances

  1. Download the WSO2 Identity Server from here.
  2. Extract the file to a dedicated directory. For the purposes of this scenario, this is referred to as <IS_HOME_PRIMARY> in this topic.
  3. Make a copy of this folder in the same location and rename it. For the purposes of this scenario, this is referred to as <IS_HOME_SECONDARY> in this topic.
  4. By default, the HTTPS port of the primary IS instance is 9443. Leave it as it is. Go to the <IS_HOME_SECONDARY>/repository/conf directory and open the carbon.xml file. Change the <Offset> value under the <Ports> configuration to 2. This changes the HTTPS port of the secondary IS instance to 9445 and avoids a conflict with the primary IS instance.
  5. Install and run the two Identity Server instances.
  • Go to <IS_HOME_PRIMARY> and <IS_HOME_SECONDARY> in your command line and type the following command for each instance.
  • On Windows: wso2server.bat --run
  • On Linux/Solaris: sh wso2server.sh

  6. The management console of the primary Identity Server can be accessed at https://localhost:9443/carbon, and the management console of the secondary Identity Server at https://localhost:9445/carbon.

Creating a service provider in the primary WSO2 IS and logging in to the first application

  1. Go to the management console of the primary IS. Navigate to the Service Providers section in the Main menu and click Add. Enter “FirstApp” as the Service Provider Name for this scenario.
  2. In the form that appears, expand the Inbound Authentication Configuration and SAML2 Web SSO Configuration sections. Click Configure and enter the necessary values.
  3. Click Update and then click Register. The service provider is now registered.
  4. When you access the application, it redirects you to WSO2 IS. WSO2 IS then handles the authentication request from the application (the service provider) and prompts for credentials. If the credentials are correct, WSO2 IS redirects you back to the application.

Logging in to the second application through the secondary Identity Server, with the primary Identity Server as the federated identity provider for the secondary Identity Server

  1. Configure a SAML service provider in the primary Identity Server (the federated IdP).
  • Go to the management console of the primary IS. Navigate to the Service Providers section in the Main menu and click Add. Enter “SecoundApp” as the Service Provider Name for this scenario.
  • In the form that appears, expand the Inbound Authentication Configuration and SAML2 Web SSO Configuration sections. Click Configure and enter the mandatory values (Assertion Consumer URL: https://localhost:9445/commonauth and Issuer: idp-sp).
  • Click Update and then click Register. The service provider is now registered.

  2. Register the created SAML SP as the federated IdP in the secondary Identity Server.

  • Go to the management console of the secondary IS. Navigate to the Identity Providers section in the Main menu and click Add. Enter the Identity Provider Name for this scenario and click Register.
  • Expand the Federated Authenticators section and then expand the SAML2 Web SSO Configuration section. Fill in the required values.

Note: the Service Provider Entity ID must be the same as the Issuer value (idp-sp) given when the primary Identity Server was configured as the service provider that represents the secondary Identity Server; otherwise the primary IS will not recognise the authentication request coming from the secondary IS.

  3. The second application must be set up as a service provider in the secondary Identity Server instance.

  • Go to the management console of the secondary IS. Navigate to the Service Providers section in the Main menu and click Add. Enter “ThirdApp” as the Service Provider Name for this scenario.
  • In the form that appears, expand the Inbound Authentication Configuration and SAML2 Web SSO Configuration sections. Click Configure and enter the mandatory values.
  • Expand the Local & Outbound Authentication Configuration section and select the IdP created in step 2 as the federated IdP for the application.
  • Click Update and then click Register. The service provider is now registered.
  • Access the second application using an IdP-initiated SSO request ( https://localhost:9445/samlsso?spEntityID=<issuer> ). The application redirects you to the secondary WSO2 IS, which in turn redirects you to the primary WSO2 IS (the federated IdP). The primary WSO2 IS authenticates the user. If the credentials are correct, the primary WSO2 IS sends the response back to the secondary IS, and finally the secondary IS redirects you to the application.
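The two-hop flow above stands or falls on the registration check in the note: the request the secondary IS sends to the primary IS's /samlsso endpoint carries the Issuer (idp-sp) and the Assertion Consumer URL (https://localhost:9445/commonauth), and the primary IS only accepts it if both match a registered service provider. The following Python example is added here and is not WSO2 code; it builds the HTTP-Redirect binding AuthnRequest (deflate, base64, URL-encode) and performs that check. The FirstApp ACS URL and the exact rejection wording are assumptions.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SAML service providers registered on the primary IS. "idp-sp" is the
# secondary IS acting as an SP (values from the walkthrough); the FirstApp
# ACS URL is an assumed value for illustration.
PRIMARY_IS_SPS = {
    "idp-sp": "https://localhost:9445/commonauth",
    "FirstApp": "https://localhost:8080/FirstApp/home.jsp",
}


def build_redirect_url(idp_sso_url, issuer, acs_url):
    """Build the URL a SAML SP redirects the browser to (HTTP-Redirect binding)."""
    instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{instant}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    # The Redirect binding uses raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def check_authn_request(url, registered_sps):
    """Decode the request as the receiving IdP does and match it against registration.

    Returns (accepted, reason)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs = root.get("AssertionConsumerServiceURL")
    if issuer not in registered_sps:
        return False, f"issuer '{issuer}' is not a registered service provider"
    if acs != registered_sps[issuer]:
        return False, f"ACS '{acs}' does not match the ACS registered for '{issuer}'"
    return True, f"issuer '{issuer}' -> ACS '{acs}'"
```

Running the check with Issuer idp-sp and the 9445 commonauth URL succeeds, while a misspelt Issuer or a different ACS port is rejected, which is exactly the failure a mismatched Service Provider Entity ID produces in the flow above.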

WSO2 Identity Server is a fully open source, highly extensible IAM solution used to federate and manage identities in enterprise and cloud service environments. You can try it out here.
