Siki

Reputation: 23

Single Sign On with WSO2 Identity server 5.1

I am working on a project which contains a few applications. I have to implement Single Sign On with WSO2 Identity Server. I don't know how to set up user authorization so that users can log in on the Single Sign On page only if they have permission to access a certain application (service provider). Any idea?

Upvotes: 2

Views: 161

Answers (2)

thariyarox

Reputation: 464

You can set up the service provider configuration referring to [1] for your client application. Then you can configure the claims in the Service Provider so that the SAML Response sent by the Identity Server contains the required claims. You can refer to [2] for that. Then, you can include the role claim to be received in the SAML response as an attribute of the user [3]. Now, from your client application, you can read the SAML response and get to know the roles that the user is granted. Based on the roles, your application should decide which authorization levels this user is permitted.

[1] http://tharindue.blogspot.com/2015/04/setup-travelocitycom-sample-web-app.html

[2] http://tharindue.blogspot.com/2016/08/retrieving-user-claims-in-saml-response.html

[3] http://tharindue.blogspot.com/2016/09/saml-multi-valued-attributes-in-wso2.html

Upvotes: 1

Bee

Reputation: 12513

In WSO2 Identity Server you can create service providers for each application. Then configure SAML2 SSO in all service providers, giving Assertion Consumer Service (ACS) URLs (i.e. callback URLs) for each application. That will enable SSO among those applications.

In each Assertion Consumer Service, you can read the logged-in user's username, roles, etc. from the SAML response, and decide if the user should be allowed to log in to the application.

Upvotes: 1
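Both answers end at the same step: the Assertion Consumer Service reads the role claim out of the SAML Response and decides whether this particular application admits the user. The block below is an added example, not code from either answer and not WSO2 code, that does that step end to end in Python: it parses a constructed, unsigned SAML Response, collects the values of the `http://wso2.org/claims/role` attribute (accepting both the single comma-separated value WSO2 Identity Server sends by default and one `AttributeValue` per role, as in [3]), checks that the Response was addressed to this application's ACS URL, and compares the roles against a per-application allow-list. The ACS URLs, role names and allow-list are assumptions; so is the `Destination` check standing in for the full Response validation. Signature, Issuer, Audience and Conditions validation is assumed to have already passed, because nothing in the Response may be trusted before that.

```python
"""Per-application authorization from the role claim in a SAML2 Response.

Constructed example for an Assertion Consumer Service (ACS); the SAML below is
hand-built and unsigned. A real ACS validates the Response/Assertion signature,
Issuer, Audience and Conditions first and only then reads attributes.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Claim URI under which WSO2 Identity Server sends the user's roles when the
# role claim is requested in the Service Provider configuration.
ROLE_CLAIM = "http://wso2.org/claims/role"

# Assumed ACS URLs of two applications behind the same Identity Server.
APP1_ACS = "https://app1.example.com/saml/acs"
APP2_ACS = "https://app2.example.com/saml/acs"

# Assumed policy: which roles may log in to which application. This is what
# turns SSO (anyone authenticated) into per-application authorization.
APP_ACCESS_POLICY = {
    APP1_ACS: {"app1_user", "app1_admin"},
    APP2_ACS: {"app2_user"},
}


def build_sample_response(destination, role_values):
    """Build a constructed, unsigned SAML Response for the demo (not IdP output)."""
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-09-01T10:00:00Z" Destination="{destination}">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-09-01T10:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_CLAIM}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_response(xml_text):
    """Return destination, subject and the set of roles carried by the Response.

    Use a hardened XML parser (e.g. defusedxml) on real, attacker-supplied input.
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("SAML Response does not carry a Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted assertions are out of scope for this demo
        raise ValueError("no plaintext Assertion in Response")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = set()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            # Default WSO2 form is one value "roleA,roleB"; with multi-valued
            # attributes enabled each role is its own AttributeValue. Both land here.
            for role in (value.text or "").split(","):
                role = role.strip()
                if role:
                    roles.add(role)
    return {"destination": root.get("Destination"), "subject": subject, "roles": roles}


def authorize(parsed, my_acs_url):
    """Admit the user only if the Response was for this ACS and a role is allowed."""
    # A Response minted for another service provider must not be accepted here.
    if parsed["destination"] != my_acs_url:
        return False
    allowed = APP_ACCESS_POLICY.get(my_acs_url, set())
    return bool(parsed["roles"] & allowed)


def demo():
    """Same roles in both WSO2 attribute forms; admitted to app1, refused by app2."""
    single = parse_saml_response(
        build_sample_response(APP1_ACS, ["Internal/everyone,app1_user"]))
    multi = parse_saml_response(
        build_sample_response(APP1_ACS, ["Internal/everyone", "app1_user"]))
    return single["roles"] == multi["roles"], authorize(single, APP1_ACS), authorize(single, APP2_ACS)


if __name__ == "__main__":
    print(demo())
```

The allow-list keyed by ACS URL is the piece the question is asking for: the Identity Server authenticates the user once for all service providers, and each ACS then decides for its own application from the roles it receives. The `Destination` comparison is there so a Response issued for one application cannot be handed to another application's ACS and be accepted on the strength of roles that application never asked about.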
