Sunday, August 28, 2016

OpenAM SAMLv2 Federation with WSO2 Identity Server

Any Identity Provider that adheres to open standards such as SAML, OIDC, WS-Federation or OpenID can be registered as an Identity Provider in WSO2 Identity Server. Here I explain how to register OpenAM as an Identity Provider in WSO2 Identity Server.

1. Download and configure OpenAM according to the instructions provided in [1]

2. Log in to the OpenAM management console with

    username: amadmin
    password: changeit


3. Select the top level Realm

4. Select "SAMLv2 service providers"

5. Select "Create Hosted Identity Provider"



6. Fill in the Identity Provider information

Name: OpenAM_IDP
Signing Key: test
New Circle of Trust: CT1

Name in Assertion: http://wso2.org/claims/emailaddress
Local Attribute Name: mail


7. Register a Remote Service Provider

8. Fill in the Service Provider configuration

Upload the metadata file below:

<EntityDescriptor entityID="wso2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://localhost:9443/commonauth"
                            ResponseLocation="https://localhost:9443/commonauth"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://localhost:9443/commonauth"
                            ResponseLocation="https://localhost:9443/commonauth"/>
        <!-- Back-channel logout endpoint; the Binding attribute must be a SAML binding URN, not a URL -->
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://localhost:9443/commonauth"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://localhost:9443/commonauth"/>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                Location="https://localhost:9443/commonauth"/>
    </SPSSODescriptor>
    <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
                    xsi:type="query:AttributeQueryDescriptorType"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></RoleDescriptor>
    <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></XACMLAuthzDecisionQueryDescriptor>
</EntityDescriptor>

Name in Assertion: http://wso2.org/claims/emailaddress
Local Attribute Name: mail



9. Select the Federation link

10. Select the "WSO2" Service Provider

11. Add the extra NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"


12. Create a new user in OpenAM

13. WSO2 Identity Server configuration

Create an Identity Provider --> Federated Authenticators --> SAML2 Web SSO Configuration

Identity Provider Entity Id: test (can be any name)

Service Provider Entity Id: wso2 (must match the "entityID" in the Remote Service Provider metadata)

SSO URL: http://openam.example.com:8080/OpenAM-13.0.0/SSORedirect/metaAlias/idp (this endpoint is listed on the Hosted Identity Provider "Services" tab)

Logout URL: http://openam.example.com:8080/OpenAM-13.0.0/IDPSloRedirect/metaAlias/idp1 (this endpoint is listed on the Hosted Identity Provider "Services" tab)



14. Register a Service Provider and do the SAML SSO configuration according to [2]. In the claim configuration, select "http://wso2.org/claims/emailaddress" as the "Subject Claim URI".

15. Try to log in to the travelocity sample application; you will be redirected to the OpenAM login page. Enter the newly created user's credentials and you will be logged in to the travelocity sample application.
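Most federation failures in this setup come from the two sides disagreeing about an identifier, an endpoint or a NameID format. The following script is an added example (not code from the post, OpenAM or WSO2 IS) that parses a copy of the step 8 SP metadata with the standard library and checks it against the step 13 IS settings and the step 11 NameID formats. The sample metadata and settings are constructed from the values in the post; the third SingleLogoutService deliberately keeps a URL in its Binding attribute so that the check has something to flag. The function name check_federation and the settings keys are my own.

```python
"""Consistency check for the OpenAM / WSO2 IS federation described above.

Added example, not part of the original post. Compares the SP metadata from
step 8 with the IS federated-authenticator settings from step 13 and the
NameID formats configured in OpenAM in step 11. Standard library only.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Binding identifiers defined by the SAML 2.0 Bindings specification.
VALID_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
}

# Constructed sample: a trimmed copy of the step 8 metadata. The third
# SingleLogoutService keeps a URL as its Binding on purpose (a typo to catch).
SAMPLE_SP_METADATA = """\
<EntityDescriptor entityID="wso2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/commonauth"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://localhost:9443/commonauth"/>
    <SingleLogoutService Binding="https://localhost:9443/commonauth"
                         Location="https://localhost:9443/commonauth"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://localhost:9443/commonauth"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample: the step 13 IS settings plus the NameID formats OpenAM
# can issue for this SP after step 11 (transient from the metadata, unspecified added).
SAMPLE_IS_SETTINGS = {
    "sp_entity_id": "wso2",
    "sso_url": "http://openam.example.com:8080/OpenAM-13.0.0/SSORedirect/metaAlias/idp",
    "logout_url": "http://openam.example.com:8080/OpenAM-13.0.0/IDPSloRedirect/metaAlias/idp1",
    "openam_nameid_formats": {
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    },
}


def check_federation(metadata_xml, is_settings):
    """Return a list of (severity, message) findings.

    'error' means the SSO flow cannot work as configured; 'warn' means it works
    but with a weaker-than-expected setup that should be reviewed before production.
    """
    findings = []
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [("error", "root element is not md:EntityDescriptor")]

    # Step 13: the IS 'Service Provider Entity Id' must equal the metadata entityID.
    entity_id = root.get("entityID")
    if entity_id != is_settings["sp_entity_id"]:
        findings.append(("error", f"entityID {entity_id!r} does not match IS setting "
                                  f"{is_settings['sp_entity_id']!r}"))

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + [("error", "metadata has no SPSSODescriptor")]

    # Every endpoint needs a spec-defined Binding URN and an https Location.
    for tag in ("SingleLogoutService", "AssertionConsumerService"):
        for ep in sp.findall(f"md:{tag}", NS):
            binding = ep.get("Binding")
            if binding not in VALID_BINDINGS:
                findings.append(("error", f"{tag}: Binding {binding!r} is not a SAML binding URN"))
            if urlparse(ep.get("Location", "")).scheme != "https":
                findings.append(("warn", f"{tag}: Location {ep.get('Location')!r} is not https"))

    # Exactly one default AssertionConsumerService, so OpenAM knows where to POST the Response.
    defaults = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("isDefault") == "true"]
    if len(defaults) != 1:
        findings.append(("error", f"expected one default AssertionConsumerService, found {len(defaults)}"))

    # Step 11: OpenAM must be able to issue at least one NameID format the SP metadata lists.
    sp_formats = {e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text}
    if not sp_formats & is_settings["openam_nameid_formats"]:
        findings.append(("error", "no NameID format is shared by OpenAM and the SP metadata"))

    # Signing flags as declared in the metadata; both 'false' in the post's file.
    if sp.get("WantAssertionsSigned") != "true":
        findings.append(("warn", "WantAssertionsSigned is not true: metadata does not ask OpenAM "
                                 "to sign assertions; confirm signature validation on the IS side"))
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append(("warn", "AuthnRequestsSigned is not true: metadata declares that IS "
                                 "does not sign its AuthnRequests"))

    # Step 13: the OpenAM endpoints should be https outside a lab setup.
    for key in ("sso_url", "logout_url"):
        if urlparse(is_settings[key]).scheme != "https":
            findings.append(("warn", f"{key} {is_settings[key]!r} is plain http"))
    return findings


if __name__ == "__main__":
    for severity, message in check_federation(SAMPLE_SP_METADATA, SAMPLE_IS_SETTINGS):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports one error (the URL used as a Binding) and four warnings (the two signing flags and the two plain-http OpenAM endpoints); once the Binding is corrected and the OpenAM URLs are https, only the two signing warnings remain, which is the expected state for the lab setup the post describes.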



[1] https://backstage.forgerock.com/#!/docs/openam/13/getting-started

[2] https://docs.wso2.com/display/IS510/Configuring+SAML2+Web+Single-Sign-On
