Implementing Single-sign on using WSO2 Identity and Access Management System.

Krishni Andradi
WSO2 Solution Architecture Team Blog
Oct 11, 2019

Digital organizations no longer run a single monolithic application; they run many heterogeneous applications, and an employee has to log in to each of them to get through the working day. Each application has its own username and password, which are hard to keep track of. Employees are tempted to reuse one password everywhere, but the differing password policies of these applications often make even that impossible. So how should these passwords be managed? How do you take the burden of logging in to every system off the user while maintaining security?

Single sign-on

Single sign-on is the answer to those questions. You log in once, to a central identity provider, and that one login gets you into all of your other applications. The applications never see your password: the identity provider authenticates you and then tells each application who you are, and it manages login and logout across all of them.

So in simple terms, single sign-on means logging in to all of your applications with one login attempt. WSO2 Identity Server, the WSO2 identity and access management product, makes single sign-on easy to implement.

WSO2 Identity Server is a fully open-source, flexible product released under the Apache 2.0 license. Its componentized architecture lets you customize it to your business needs.

You can download and install it with the installer, or download the binary pack, run the start-up script and begin configuring single sign-on. Download and installation instructions are in the WSO2 IS documentation.

Implementing single sign-on

To implement single sign-on you define one service provider in WSO2 IS per application.

For example, I want to log in to the Travelocity sample app and to Salesforce with a single sign-in attempt, so I have to define two service providers.

First, enable single sign-on on the application's side. Then configure the service provider for that application in WSO2 IS. Finally, add a user with the right claims to test the scenario.

Enable Single sign-on

  1. Sign up for a Salesforce account and log in.
  2. Go to force.com and log in with the same credentials.
  3. Go to Home > Domain Management > My Domain and create a domain.
  4. Once the domain is registered, click Login.
  5. Go to Home > Security Controls > Single Sign-On Settings and click Edit.
  6. Enable SAML SSO by ticking the checkbox next to SAML SSO.
  7. Click New under SAML SSO Settings and configure the properties as below.

One of these properties is the identity provider certificate, which Salesforce uses to verify the signature on the SAML responses WSO2 IS sends it. To export it, open a terminal in <IS_HOME>/repository/resources/security/ and run:

keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon

wso2carbon is the keystore shipped with the product and its password is public. Anything beyond a local test should use its own keystore and key pair, and the certificate you upload to Salesforce must be the one that belongs to the private key WSO2 IS actually signs with.

8. Go to Home > Domain Management > My Domain, click Login and then click Deploy to Users.

9. Edit Authentication Configuration, select SSO as the Authentication Service and save.

Configure Service Provider

  1. In the management console, go to Main > Service Providers > Add to add a service provider.
  2. Provide a service provider name and click Register.
  3. Under Select SP Certificate Type choose Upload SP Certificate, then paste the application certificate content into the text area that appears.

To get certificate content in the form the text area expects, run the following commands (for this demo, in <IS_HOME>/repository/resources/security/):

keytool -export -alias wso2carbon -file wso2carbon.crt -keystore wso2carbon.jks (export the public certificate of the keystore entry into a certificate file)

keytool -printcert -rfc -file wso2carbon.crt (print the X.509 certificate in PEM format, which is what you paste into the text area)

Provide the default keystore password, wso2carbon, whenever you are prompted.

Note that these commands export the IS's own wso2carbon certificate. In a real deployment the certificate you paste here must be the one whose private key the application holds, because WSO2 IS uses it to verify signed authentication requests from the SP and, with assertion encryption enabled, to encrypt the assertion so that only the SP can decrypt it.

4. Go to Claim Configuration and set the subject claim to the email address claim (emailAddress). This is the value Salesforce receives as the SAML NameID and looks up among its own users.

5. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure and provide the Issuer and the Assertion Consumer URL.

Issuer: https://saml.salesforce.com (the entity ID Salesforce uses when it acts as a service provider)

Assertion Consumer URL: the Salesforce login URL shown in the SAML SSO settings you created above. Enter it exactly; WSO2 IS only posts SAML responses to the ACS URLs registered here, which is what prevents an attacker-chosen return URL from receiving the assertion.

6. Tick the following checkboxes: Enable Response Signing, Enable Assertion Encryption, Enable Attribute Profile and Include Attributes in the Response Always. Response signing lets Salesforce verify, with the certificate exported in the previous section, that the response came from your IS; assertion encryption keeps the assertion readable only by the holder of the SP certificate's private key; the attribute profile options send the user's claims (email address and so on) along with the subject.

7. Click update.
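The settings above only make sense in terms of what the service provider does with the SAML response it receives at the ACS URL. The following added example (not code from the article or from WSO2 or Salesforce) walks through those SP-side checks over a constructed sample response: the Destination and Recipient must equal the registered ACS URL, the Issuer must be the IdP, the Audience must be the SP's own entity ID (the Issuer value entered in step 5), the validity window must hold, the NameID carries the subject claim chosen in step 4, and the attribute profile carries the claims. The IdP entity ID "localhost", the ACS URL, the user, and the attribute name are assumptions; cryptographic verification of the XML-DSig signature (against the certificate exported with keytool) is mandatory in a real SP but needs an XML-DSig library, so only the presence of the signature element is checked here.

```python
"""SP-side checks on a SAML 2.0 Response (added example; standard library only)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# ASSUMED values: "localhost" is the entity ID of a fresh WSO2 IS; the ACS URL is a
# constructed placeholder shaped like a Salesforce login URL.
IDP_ENTITY_ID = "localhost"
SP_ENTITY_ID = "https://saml.salesforce.com"  # the Issuer entered in step 5
ACS_URL = "https://example.my.salesforce.com?so=00D000000000001"
SAMPLE_NOW = datetime(2019, 10, 11, 10, 1, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)  # after the assertion expires

# Constructed sample of what the IdP posts to the ACS URL (signature body elided).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2019-10-11T10:00:00Z"
    Destination="https://example.my.salesforce.com?so=00D000000000001">
  <saml:Issuer>localhost</saml:Issuer>
  <ds:Signature>(XML-DSig elided)</ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-10-11T10:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-10-11T10:05:00Z"
            Recipient="https://example.my.salesforce.com?so=00D000000000001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-10-11T09:59:00Z" NotOnOrAfter="2019-10-11T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://wso2.org/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2019-10-11T10:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, now, expected_issuer=IDP_ENTITY_ID,
                      expected_audience=SP_ENTITY_ID, acs_url=ACS_URL,
                      skew=timedelta(seconds=60)):
    """Return the subject NameID if every SP-side check passes; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    problems = []
    # The response must be addressed to our own ACS URL, whatever the browser posted it to.
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected response issuer")
    if root.find("ds:Signature", NS) is None:  # Enable Response Signing on the IdP side
        problems.append("response is not signed")
    # With Enable Assertion Encryption on, the SP must decrypt with its private key first.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it with the SP private key first")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion, got %d" % len(assertions))
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected assertion issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:  # validity window (with clock skew) and audience restriction
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("assertion is not addressed to this SP (Audience)")
    # Bearer confirmation: meant for this ACS URL and still fresh.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our ACS URL")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)  # subject claim
    if not name_id:
        problems.append("missing NameID")
    if problems:
        raise ValueError("; ".join(problems))
    return name_id


def attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement (attribute profile)."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def rejects(xml_text, **kwargs):
    """True if validate_response refuses the response; exercises the failure modes."""
    try:
        validate_response(xml_text, **kwargs)
    except ValueError:
        return True
    return False
```

Run with `now=SAMPLE_NOW` the sample is accepted and yields the email address as subject; the same response presented ten minutes later, with a different ACS URL, with a different audience, or with the Signature element stripped is refused. The ACS URL and Audience checks are the reason the Issuer and Assertion Consumer URL entered in step 5 must match what Salesforce expects character for character.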

In my previous article I implemented multi-factor authentication for the Travelocity sample app and registered a service provider for it. Refer to that article to set up the second service provider.

That Travelocity service provider uses two authentication steps. So if you enable single sign-on across Travelocity and Salesforce and log in to Salesforce first, Travelocity will still prompt for its second step (SMS OTP), but the first step (username and password) goes away because the IS session already satisfies it.

Creating a User

In the management console, go to Main > Users and Roles > Add to add a new user, and assign it the roles "Admin", "Application/Travelocity" and "Application/salesforce". Then edit that user's profile to set the email address, mobile number and first name. The Admin role is not needed for single sign-on itself; outside a throwaway test setup, give users only the roles their applications actually require.

Remember that the subject claim for Salesforce is the email address and the subject claim for the Travelocity app is the mobile number. So this user's mobile number must be the one you registered with Nexmo, and the email address must belong to an existing Salesforce user in your domain; use the same email address you used to create the Salesforce account.

Test

  1. Go to the Salesforce login URL for your domain and click SSO to log in using single sign-on. You are redirected to the WSO2 IS login page. Enter the username and password of the user created above, and you are logged in to Salesforce.
  2. Now go to the Travelocity login page. You are redirected straight to the SMS OTP prompt instead of the WSO2 IS username and password page: that step is skipped because the same browser already holds an IS session for this user. Once you provide the correct OTP you are redirected to the Travelocity page.

If I remove the SMS OTP authentication step from the Travelocity service provider, the user is logged in to Travelocity automatically after logging in to Salesforce. In this way you can add as many applications as you like as service providers and enable single sign-on across them, and add adaptive or multi-factor authentication to the applications that need extra protection, as demonstrated here. Keep in mind that the IS session is now what unlocks every application, so treat it accordingly: on a shared machine, log out of the identity server, not just of one application.
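The behaviour described in the test section, and the reason the OTP prompt survives while the password prompt disappears, comes down to how the identity server keeps a per-browser session that records which authenticators the user has already passed. The following added example (my own model, not WSO2 IS code) reproduces that logic: each service provider lists its authentication steps, and a login only runs the steps the current session has not yet satisfied. The user record, the constructed password, the fixed salt and the OTP delivery (which just returns the code instead of sending an SMS through Nexmo) are all assumptions made to keep the example self-contained.

```python
"""Model of IdP-session step skipping across two service providers (added example)."""
import hashlib
import hmac
import secrets

# Constructed test user. In WSO2 IS this lives in the user store with the claims set above.
_SALT = b"demo-salt"  # ASSUMED fixed salt; a real user store uses a per-user random salt
USERS = {"alice": {"password_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
                   "mobile": "+10000000000", "email": "alice@example.com"}}

# Per-service-provider authentication steps, as configured on the two service providers.
SP_STEPS = {"salesforce": ["basic"], "travelocity": ["basic", "sms-otp"]}


class IdpSession:
    """One browser's session with the identity server."""
    def __init__(self, user):
        self.user = user
        self.completed = set()  # authenticators this session has already passed
        self.otp = None         # last SMS OTP issued for this session
        self.active = True


def _verify_basic(session, proof):
    record = USERS.get(session.user)
    digest = hashlib.sha256(_SALT + proof.encode()).hexdigest()
    return record is not None and hmac.compare_digest(record["password_hash"], digest)


def send_otp(session):
    """Issue a fresh 6-digit code; here it is returned instead of sent to USERS[user]['mobile']."""
    session.otp = "%06d" % secrets.randbelow(10 ** 6)
    return session.otp


def _verify_otp(session, proof):
    return session.otp is not None and hmac.compare_digest(session.otp, proof)


AUTHENTICATORS = {"basic": _verify_basic, "sms-otp": _verify_otp}


def remaining_steps(sp, session):
    """Steps the user must still complete for `sp`; an empty list means silent SSO."""
    if session is None or not session.active:
        return list(SP_STEPS[sp])
    return [step for step in SP_STEPS[sp] if step not in session.completed]


def login(sp, session, user, proofs):
    """Run only the steps the session has not satisfied. proofs maps step -> credential."""
    if session is None or not session.active:
        session = IdpSession(user)
    elif session.user != user:
        raise PermissionError("session belongs to another user")
    for step in remaining_steps(sp, session):
        if not AUTHENTICATORS[step](session, proofs.get(step, "")):
            raise PermissionError("%s failed for %s" % (step, sp))
        session.completed.add(step)  # satisfied for every SP that lists this step
    return session


def logout(session):
    """IdP-level logout: every application loses the session at once."""
    session.active = False
    session.completed.clear()


def login_fails(sp, session, user, proofs):
    try:
        login(sp, session, user, proofs)
    except PermissionError:
        return True
    return False


def demo():
    """Walk the scenario from the article; returns the steps prompted at each stage."""
    prompted = [remaining_steps("salesforce", None)]                # fresh browser: password
    session = login("salesforce", None, "alice", {"basic": "correct horse"})
    prompted.append(remaining_steps("travelocity", session))        # only the OTP step is left
    session = login("travelocity", session, "alice", {"sms-otp": send_otp(session)})
    prompted.append(remaining_steps("travelocity", session))        # nothing left
    logout(session)
    prompted.append(remaining_steps("salesforce", session))         # back to the password
    return prompted
```

`demo()` returns `[["basic"], ["sms-otp"], [], ["basic"]]`: after the Salesforce login the session already holds "basic", so Travelocity asks only for the OTP, and dropping "sms-otp" from `SP_STEPS["travelocity"]` turns that second entry into an empty list, which is the silent login described above.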

Hope this article is useful to you. :)

Thank You
