Ân Phạm Minh

Reputation: 27

WSO2 Identity Server: About SSO

I have a question about SSO configuration in WSO2 Identity Server (IS). Currently, the request redirects the user to the login page in WSO2 IS, and the user provides their credentials there. Does WSO2 IS already provide an endpoint for SSO authentication? I would like to run WSO2 IS in the background and invoke the endpoint to authenticate.

How can I achieve that?

Upvotes: 0

Views: 751

Answers (2)

jayomi

Reputation: 1

We can achieve SSO with mechanisms such as SAML2 SSO, OpenID, OpenID Connect, etc.

The SAML2 profile specification defines SSO based on a web browser. WSO2 Identity Server acts as a SAML2 SSO IdP. In an SSO environment, we can use SAML-based authentication to authenticate users to the WSO2 server.

We need to register the web application as a SAML2 SSO service provider. The web application is going to communicate with WSO2 Identity Server using the SAML2 SSO web browser profile, so we need to configure the service provider in WSO2 IS under Inbound Authentication Configuration. Refer to [1] for SAML2 SSO IdP configuration.

By default, end users provide a username/password and are authenticated with WSO2 IS. The IdP authenticates users with the username/password by validating them against the IdP's user store. This is the default authentication provided for the service provider.

Note: Under Local & Outbound Authentication Configuration, we just keep the default authentication type. By default the local authenticator is "basic-auth", set as the Request Path Authentication Configuration under Local & Outbound Authentication Configuration. Local authentication is the authentication enabled in the identity server. Otherwise you can add local authenticators. There are two types of local authenticators:

  1. OAuthRequestPathAuthenticator
  2. BasicAuthRequestPathAuthenticator

After all configuration is done, we can log in to the web application. When we try to log in to the web application, it is redirected to the identity server's SAML2 SSO login page. The steps for the SAML login request are as follows:

  1. The web browser sends the SAML request to the "/samlsso" servlet endpoint.
  2. "/samlsso" redirects the request to the "/commonauth" servlet (HTTP 302).
  3. Commonauth redirects the request to "authenticationendpoint/login.do?" (HTTP 302). Now we can see the login page.

Once we provide valid credentials, we will be logged in to the web application.

Note: It again calls the "/commonauth" servlet endpoint. If authentication succeeds, it redirects to the ACS URL (Assertion Consumer Service).

We can also configure IdP-initiated SAML2 SSO with WSO2 IS.

To customize the authentication endpoint: all the login pages for SAML SSO, OAuth, OpenID and Passive STS are located inside the webapp named authenticationendpoint.

E.g. for samlsso:

IS_Home/repository/deployment/server/webapps/authenticationendpoint/samlsso/samlsso_login.jsp

In the default web application, when a request comes to the login page it is first served by the AuthenticationEndpoint servlet. After checking that this is a SAMLSSO-related request, it is forwarded to the SAMLSSOLogin servlet, which finally forwards to samlsso_login.jsp, as I mentioned before. For customizing the login page, refer to this blog.

Thanks

Upvotes: 0
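The SAML2 web browser SSO exchange the answer above walks through (the SP sends an AuthnRequest to /samlsso, the IdP eventually POSTs a Response back to the ACS URL), as an added example that is not part of the original answer and is not WSO2's code. It shows the HTTP-Redirect binding encoding of the request and the checks an SP must make on the response before it accepts the login. The SP entity ID, the ACS URL and the sample response are constructed assumptions; the IdP URL is WSO2 IS's default /samlsso endpoint on its default port. XML-signature verification is deliberately left to an XML-DSig library (e.g. xmlsec), since doing it by hand in a few lines would be wrong.

```python
# Added example, not WSO2 code. SP-side pieces of the SAML2 Web Browser SSO flow.
import base64
import datetime as dt
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

IDP_SSO_URL = "https://localhost:9443/samlsso"   # WSO2 IS default SAML SSO endpoint
SP_ENTITY_ID = "example-sp"                       # assumed SP issuer / entity ID
ACS_URL = "https://sp.example.com/acs"            # assumed Assertion Consumer Service URL


def build_authn_request(request_id, issue_instant):
    """Minimal unsigned SP-initiated AuthnRequest aimed at the IdP's /samlsso endpoint."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 => raw DEFLATE stream
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_saml_request_url(url):
    """What /samlsso does on receipt: pull SAMLRequest, base64-decode, raw-inflate."""
    param = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode()


def parse_saml_time(value):
    """SAML dateTime (UTC 'Z', optional fractional seconds) -> aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML timestamp: {value}")


def validate_response(saml_response_b64, expected_request_id, now):
    """Checks the SP must make on the Response POSTed to its ACS URL.
    Returns (ok, reason, name_id). It does NOT verify the XML signature; do that
    with an XML-DSig library (e.g. xmlsec) before trusting anything checked here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response", None
    if root.get("InResponseTo") != expected_request_id:  # bind to our own request
        return False, "InResponseTo does not match an outstanding request", None
    if root.get("Destination") not in (None, ACS_URL):
        return False, "Destination is not our ACS URL", None
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        return False, "no plaintext Assertion (EncryptedAssertion not handled)", None
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions", None
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    aud = cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    if aud is None or aud.text != SP_ENTITY_ID:
        return False, "assertion not issued for this SP (Audience)", None
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/"
                 f"{{{SAML}}}SubjectConfirmationData")
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != expected_request_id):
        return False, "SubjectConfirmationData Recipient/InResponseTo mismatch", None
    nid = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return True, "ok", None if nid is None else nid.text


def constructed_response(request_id, subject="alice@example.com", audience=SP_ENTITY_ID,
                         not_before="2024-01-01T12:00:00Z",
                         not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed, unsigned Response shaped like what the IdP POSTs to the ACS (test input)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{not_before}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" '
        f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    req_id = "_req1"
    print(redirect_binding_url(build_authn_request(req_id, "2024-01-01T12:00:00Z"), "/home"))
    print(validate_response(constructed_response(req_id), req_id,
                            parse_saml_time("2024-01-01T12:01:00Z")))
```

The request ID you generate must be stored server-side and compared against InResponseTo on the way back; skipping that check (or the Audience and Recipient checks) is what lets a Response issued for one SP, or captured earlier, be replayed against another. Real deployments also sign the AuthnRequest when the IdP is configured to require it, and must verify the Response or Assertion signature against the IdP's certificate before any of the field checks above are meaningful.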

Tharik Kanaka

Reputation: 2510

Instead of using the login page of WSO2, you can configure a custom login page in your web application. Please refer to the following tutorial on how to customize login for SSO [1].

[1] https://docs.wso2.com/display/IS500/Customizing+Login+Pages

Upvotes: 1
