Thursday, March 3, 2016

Facebook as a Federated Identity Provider in WSO2 Identity Server

Who would not like to use one username and password for all their logins? Today it is not necessary to memorize a lot of usernames and passwords to log in to different applications. Most applications and websites support Facebook, Google or Windows Live authentication, so people can easily log in to different applications with their Google, Facebook or Windows Live credentials.

In this blog post my aim is to cover how to log in to an application using your Facebook credentials with WSO2 Identity Server.

Prerequisites :


Steps :

1. Configuring the Facebook App
2. Configuring the travelocity SSO sample
3. Configuring Identity Provider
4. Configuring Service Provider
5. Configuring Claim Mappings for Facebook


Configuring the Facebook App


Follow [1] to configure the Facebook App and obtain the App ID and App Secret generated for the application.



Configure the travelocity SSO Sample


To obtain and configure the single sign-on sample, follow the steps below :

1. Check out the repository of the SSO sample from GitHub: https://github.com/wso2/product-is/tree/master/modules/samples/sso

2. In your command line, navigate to <SAMPLE_HOME>/sso in the folder you checked out and build the sample using mvn clean install. You must have Apache Maven installed to do this.
After successfully building the sample, a .war file named travelocity.com can be found inside the <HOME>/sso/SSOAgentSample/target folder. Deploy this sample web app on a web container; here the Apache Tomcat server is used.

3. Use the following steps to deploy the web app in the web container:
  •   Stop the Apache Tomcat server if it is already running.
  •   Copy the travelocity.war file to the <TOMCAT_HOME>/webapps folder.
  •   Start the Apache Tomcat server. 

Configure Identity Provider


To configure Facebook as the Identity Provider, log in to the Identity Server management console, and in the Main tab, under the Identity Providers section, click Add.

Provide an "Identity Provider Name", expand Federated Authenticators > Facebook Configuration and enter the App ID and App Secret of your Facebook application. The User Information fields are some of the claims supported by Facebook; you will map them to Identity Server claims later on for Facebook authentication. The claim mappings are done in the steps that follow.


Make sure to Tick both the check boxes to enable the Facebook authenticator.


Configure Service Provider


Go to Service Providers > Add, and create a service provider to register the travelocity application. Give "travelocity.com" as the Service Provider Name, expand Inbound Authentication Configuration > SAML2 Web SSO Configuration and fill in the following details :



Issuer : travelocity.com
Assertion Consumer URLs : http://localhost:8080/travelocity.com/home.jsp
Enable Response Signing
Enable Single Logout
Tick Enable Attribute Profile and Include Attributes in Response Always

Click Update to save the changes and you will be directed back to the service provider page. Here expand Local & Outbound Authentication Configuration, select the Federated Authentication radio button and select "Facebook" as the IdP. Save all the changes.


Configure Claim Mappings for Facebook


Go to the Identity Provider created for Facebook and expand Claim Configuration > Basic Claim Configuration
  • Select Define Custom Claim Dialect
  • Click Add Claim Mapping
Facebook supports a number of attributes/claims that can be used to retrieve the public information of the user. Each of these claims should be mapped to a Local Claim URI supported by WSO2 Identity Server.

Some of the Facebook Supported Claims :
  • id
  • email
  • name
  • first_name
  • last_name
  • link
  • gender
  • locale
  • age_range


Now you have to configure the requested claims for travelocity.com. Go to the Service Provider created for travelocity.com and expand the Claim Configuration.

Click "Add Claim URI" under Requested Claims. Here you should add the claims you mapped in the Identity Provider claim configuration.


Select email as the Subject Claim URI (to use email as the Subject Claim URI you have to enable email authentication; please follow [2]).
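To make the effect of the claim mapping concrete, here is an added example that is not part of the original post and not WSO2 Identity Server code. It takes a constructed Facebook user-info response, applies assumed Identity Provider claim mappings (Facebook claim to WSO2 local claim URI), releases only the claims the service provider requested, and refuses to produce a subject when the attribute behind the Subject Claim URI (email here) is absent. The mapping values, the sample response and the requested-claims set are all assumptions for illustration.

```python
import json

# Constructed sample of a Facebook user-info response, shaped after the claims
# listed above (example data; the real Graph API reply depends on the
# permissions the user granted).
FACEBOOK_USERINFO = json.dumps({
    "id": "1234567890",
    "email": "alice@example.com",
    "name": "Alice Example",
    "first_name": "Alice",
    "last_name": "Example",
    "locale": "en_US",
})

# Assumed mappings, as entered under Identity Provider > Claim Configuration:
# Facebook claim -> WSO2 local claim URI.
IDP_CLAIM_MAPPINGS = {
    "email": "http://wso2.org/claims/emailaddress",
    "first_name": "http://wso2.org/claims/givenname",
    "last_name": "http://wso2.org/claims/lastname",
    "locale": "http://wso2.org/claims/locality",
}

SUBJECT_CLAIM_URI = "http://wso2.org/claims/emailaddress"


class SubjectClaimMissing(Exception):
    """Raised when the attribute backing the Subject Claim URI is absent."""


def map_facebook_claims(userinfo_json, mappings, subject_claim_uri, requested_claims):
    """Translate Facebook attributes into the local claims the SP asked for.

    Returns (subject, released_claims). Facebook attributes with no mapping
    are dropped, and mapped claims the service provider did not request are
    not released. If the attribute behind the subject claim is missing
    (Facebook omits 'email' when the user did not grant the email permission
    or has no valid address), fail closed instead of producing an assertion
    with an empty subject.
    """
    attrs = json.loads(userinfo_json)
    local_claims = {}
    for fb_claim, local_uri in mappings.items():
        value = attrs.get(fb_claim)
        if value not in (None, ""):
            local_claims[local_uri] = value
    if subject_claim_uri not in local_claims:
        raise SubjectClaimMissing(f"no value for subject claim {subject_claim_uri}")
    subject = local_claims[subject_claim_uri]
    released = {uri: v for uri, v in local_claims.items() if uri in requested_claims}
    return subject, released


if __name__ == "__main__":
    requested = {"http://wso2.org/claims/emailaddress", "http://wso2.org/claims/givenname"}
    print(map_facebook_claims(FACEBOOK_USERINFO, IDP_CLAIM_MAPPINGS, SUBJECT_CLAIM_URI, requested))
```

The point of the fail-closed branch is that the subject identifier is what the travelocity application keys the session on; an empty or missing email must stop the login rather than silently produce a subject-less assertion.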


Now the configurations are done. To check how this works, access http://localhost:8080/travelocity.com

You will be directed to the travelocity application. When you click Login with SAML, you will be redirected to Facebook for authentication. Enter your Facebook credentials and log in to the application.




Thursday, February 11, 2016

How to Configure WSO2 Identity Server's Travelocity Sample Application in Tenant Domain

In this blog post my aim is to cover how to register the travelocity application in tenant domain.

Prerequisites :

Download WSO2 Identity Server 5.1.0 



Steps to Follow :


1. Configure the travelocity SSO web application
2. Configure the Service Provider in Tenant Domain
3. Configuring the travelocity SSO application properties file
4. Running the Sample


Configure the travelocity SSO web application

 

To obtain and configure the single sign-on sample, follow the steps below.

  1. Check out the repository of the SSO sample from GitHub: https://github.com/wso2/product-is/tree/master/modules/samples/sso
  2. In your command line, navigate to <SAMPLE_HOME>/sso in the folder you checked out and build the sample using mvn clean install. You must have Apache Maven installed to do this.
  3. After successfully building the sample, a .war file named travelocity.com can be found inside the <HOME>/sso/SSOAgentSample/target folder. Deploy this sample web app on a web container; here the Apache Tomcat server is used.
  4. Use the following steps to deploy the web app in the web container:
        • Stop the Apache Tomcat server if it is already running.
        • Copy the travelocity.war file to the <TOMCAT_HOME>/webapps folder.
        • Start the Apache Tomcat server.

Configure the Service Provider in Tenant Domain 


The next step is to configure travelocity.com as a service provider in a tenant domain. For this you first have to create a tenant domain in WSO2 Identity Server.

Steps to Create Tenant Domain  :

1. Log in to Identity Server with the admin/admin credentials
2. Go to Configure Tab > Add New Tenant



Steps to Create the Service Provider in Tenant Domain :

1. Log in to Identity Server with the tenant admin credentials (tenant@wso2.com)

2. Next navigate to the Main menu and click Add under Service Providers

3. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration.



 Issuer : travelocity.com
 Assertion Consumer URL : http://localhost:8080/travelocity.com/home.jsp
 Enable Response Signing
 Enable Single Logout 

4. Save the Service Provider Configuration.

5. Next you have to export the public certificate of the private key used on the webapp side to sign the SAML authentication request. The following command can be used to export it:

keytool -export -alias travelocity -file travelocity -keystore <path to wso2carbon.jks>

6. Import the exported public certificate into the tenant keystore of the Identity Server (the internal IdP), as shown below.



7. After the import it will be listed as follows:


8. Edit the Service Provider Configuration and select "travelocity" as the Certificate Alias.


9. The configuration is now mostly done for the SSO scenario to work with the webapp. We also need to export the tenant's public certificate and import it into the truststore on the webapp side, so that the signature on the SAML Response/Assertion can be verified by the webapp. The certificate can be exported from the UI using the Public Key link, as below.



10. The exported certificate needs to be imported into the webapp truststore (in this case the wso2carbon.jks located inside {Tomcat_Home}/webapps/travelocity.com/WEB-INF/classes):

keytool -import -alias <the alias name to use; here travel.com> -file <path to the downloaded public certificate> -keystore <path to the truststore of the webapp; here the wso2carbon.jks file>


 Configuring the travelocity SSO application properties file


Now you have to change the following properties in the travelocity.properties file located in {Tomcat_Home}/webapps/travelocity.com/WEB-INF/classes

Approach 1 :

 
SAML2.SPEntityId=travelocity.com@wso2.com (Here you have to give the Service Provider issuer name appended with the tenant domain)

IdPPublicCertAlias=travel.com (This is the alias you gave when executing Step 10 in Configuring the Service Provider to import the tenant public certificate into the webapp truststore)

 Approach 2 :


Apart from the above, there is another way to specify the tenant domain in the travelocity properties file; you can use either of the two. You can pass the tenant domain as QueryParams as follows:

Set SAML2.SPEntityId=travelocity.com

Uncomment the following in the properties file :

QueryParams=tenantDomain=wso2.com

IdPPublicCertAlias=travel.com
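The following is an added example, not code from the post or from the WSO2 SSO agent: a small .properties reader plus a resolver that works out, for a given travelocity.properties, which tenant the login will address and which issuer is sent, for both approaches above. How the two approaches are interpreted is modelled on the description in this post, not on the agent's source. The two property snippets are constructed, and the truststore alias set passed to check_cert_alias is assumed.

```python
import re

# Constructed travelocity.properties fragments, one per approach described above.
APPROACH_1 = """
# approach 1: tenant-qualified issuer, QueryParams left commented out
SAML2.SPEntityId=travelocity.com@wso2.com
IdPPublicCertAlias=travel.com
#QueryParams=tenantDomain=wso2.com
"""

APPROACH_2 = """
# approach 2: plain issuer, tenant passed as a query parameter
SAML2.SPEntityId=travelocity.com
QueryParams=tenantDomain=wso2.com
IdPPublicCertAlias=travel.com
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':' separators."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def resolve_tenant(props):
    """Return (issuer_sent, tenant_domain, approach) for the configured properties.

    Approach 1: SAML2.SPEntityId=<issuer>@<tenant>; the tenant is the suffix and
    the full qualified value is sent as the issuer.
    Approach 2: SAML2.SPEntityId=<issuer> plus QueryParams=tenantDomain=<tenant>.
    Raises ValueError when both are present but disagree, or when neither
    names a tenant (the request would then go to the super tenant).
    """
    entity_id = props.get("SAML2.SPEntityId", "")
    suffix_tenant = entity_id.rsplit("@", 1)[1] if "@" in entity_id else None
    qp_tenant = None
    for param in props.get("QueryParams", "").split("&"):
        name, _, value = param.partition("=")
        if name == "tenantDomain" and value:
            qp_tenant = value
    if suffix_tenant and qp_tenant and suffix_tenant != qp_tenant:
        raise ValueError(f"SPEntityId names tenant {suffix_tenant} but QueryParams names {qp_tenant}")
    if suffix_tenant:
        return entity_id, suffix_tenant, "approach 1 (tenant-qualified SPEntityId)"
    if qp_tenant:
        return entity_id, qp_tenant, "approach 2 (tenantDomain query parameter)"
    raise ValueError("no tenant domain configured; the request would target the super tenant")


def check_cert_alias(props, truststore_aliases):
    """IdPPublicCertAlias must name the alias imported with keytool in step 10."""
    alias = props.get("IdPPublicCertAlias")
    return alias is not None and alias in truststore_aliases


if __name__ == "__main__":
    for text in (APPROACH_1, APPROACH_2):
        props = parse_properties(text)
        print(resolve_tenant(props), check_cert_alias(props, {"travel.com", "wso2carbon"}))
```

The alias check matters because a wrong IdPPublicCertAlias means the webapp cannot find the tenant certificate in its truststore and signature verification of the SAML Response fails, which shows up as a login error rather than a clear configuration message.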


Now you can test the SSO with travelocity application and login with tenant domain.


Running the Sample

 

Visit http://localhost:8080/travelocity.com. You are directed to the following page:


Since you need to use SAML2 for this sample, click the first link, i.e., Click here to login with SAML from Identity Server. You are redirected to the Identity Server for authentication.

Enter the tenant admin credentials and you will be able to log in successfully.

  
 

Friday, January 8, 2016

Configuring Single Sign-on with SAML 2.0 for WSO2 Dashboard Server 2.0

The actual configurations for SSO and how to get it working.

 

Prerequisites :

 

Identity Server 5.1.0 (Download : http://wso2.com/products/identity-server/)
Dashboard Server 2.0.0 (Download : https://github.com/wso2/product-ds/releases/tag/v2.0.0-beta)

Configurations for both DS and IS to point to a common user database/store:

1. Create a MySQL database (e.g., ustore) and run the <DS_HOME>/dbscripts/mysql.sql script on it to create the required tables.
2. Open the <DS_HOME>/repository/conf/datasources/master-datasources.xml file and add the datasource configuration for the database that you use for the shared user store and user management information. For example,

3. Open the <DS_HOME>/repository/conf/user-mgt.xml file and point it to jdbc/ustore.
<Property name="dataSource">jdbc/ustore</Property>
Note - DS has the JDBC user store as its default user store, so in the same file the JDBCUserStoreManager is already uncommented. Leave it as it is.

4. Open the <IS_HOME>/repository/conf/datasources/master-datasources.xml file and add the same USTORE datasource that you added to DS above. Now both IS and DS point to the same database.

5. Open <IS_HOME>/repository/conf/user-mgt.xml and point it to jdbc/ustore
<Property name="dataSource">jdbc/ustore</Property>
Note - IS has the LDAP user store as its default user store, so you have to comment out the LDAP configuration and uncomment the JDBC user store in the same file. Both DS and IS will then access one common user store.

6. Open <IS_HOME>/repository/conf/identity/embedded-ldap.xml and disable the embedded LDAP by setting <Property name="enable">false</Property> within the <EmbeddedLDAP> tags.

Now both DS and IS point to one common user store.

7. Remember to copy the database driver into <DS_HOME>/repository/components/lib and <IS_HOME>/repository/components/lib and restart the servers.


Now let's register the Dashboard Server portal as a Service Provider in IS


1. Start the IS pack
2. Go to IS Management Console > Main > Service Providers > Add
3. Give a unique name for the service provider and click Register
4. Click Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure
5. Fill in the details as follows for the DS portal



Note - the Assertion Consumer URL has my local machine's IP address. Configure it with your correct IP address. Also, my Dashboard Server is running on port 9444, as I have set the port offset to 1. This will be done in the later steps.

Now the Service Provider is successfully registered.

Now Let's Do the Configurations for Dashboard Server to Enable SSO with WSO2 Identity Server

 

1. Open <DS_HOME>/repository/conf/carbon.xml and change the offset to 1
2. Open <DS_HOME>/repository/deployment/server/jaggeryapps/portal/configs/designer.json

"authentication": {
    "activeMethod": "sso",
    "methods": {
      "sso": {
        "attributes": {
          "issuer": "ues",
          "identityProviderURL": "https://10.100.7.57:9443/samlsso",
          "responseSigningEnabled": "true",
          "acs": "https://10.100.7.57:9443/portal/acs",
          "identityAlias": "wso2carbon",
          "useTenantKey": false
        }
      },
      "basic": {
        "attributes": {}
      }
    }
  }

Here the identityProviderURL points to the IS, and the issuer is given as "ues" because when we added the service provider for the Dashboard Portal we gave the issuer as "ues". Both must be the same.

Also, "activeMethod" should be changed from "basic" to "sso".
"acs" is the Dashboard Server portal ACS URL.
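Because the issuer, the ACS URL and the response-signing setting have to agree between designer.json and what was registered in IS, here is an added example (not part of the original post and not Dashboard Server code) that loads the SSO block and checks it against the values registered on the IS side. The registered issuer and ACS URL are passed in as parameters and are assumptions; the JSON is a copy of the block above, and mutate_config only exists to show what the check reports when the settings drift.

```python
import json
from urllib.parse import urlparse

# Copy of the designer.json SSO block from the post (the host is the author's
# example address, not something this example depends on).
DESIGNER_JSON = """{
  "authentication": {
    "activeMethod": "sso",
    "methods": {
      "sso": {
        "attributes": {
          "issuer": "ues",
          "identityProviderURL": "https://10.100.7.57:9443/samlsso",
          "responseSigningEnabled": "true",
          "acs": "https://10.100.7.57:9443/portal/acs",
          "identityAlias": "wso2carbon",
          "useTenantKey": false
        }
      },
      "basic": {"attributes": {}}
    }
  }
}"""


def check_sso_config(designer_json, registered_issuer, registered_acs, is_port=9443):
    """Return a list of findings comparing the DS SSO block with the IS registration.

    registered_issuer / registered_acs are the Issuer and Assertion Consumer URL
    entered under the service provider in IS (assumed inputs). An empty list
    means the two sides agree.
    """
    findings = []
    auth = json.loads(designer_json)["authentication"]
    if auth.get("activeMethod") != "sso":
        findings.append("activeMethod is not 'sso'; the portal will keep using basic login")
    attrs = auth.get("methods", {}).get("sso", {}).get("attributes", {})
    if attrs.get("issuer") != registered_issuer:
        findings.append(f"issuer {attrs.get('issuer')!r} does not match the issuer registered in IS {registered_issuer!r}")
    idp = urlparse(attrs.get("identityProviderURL", ""))
    if idp.scheme != "https" or idp.path != "/samlsso":
        findings.append("identityProviderURL must be the IS https endpoint ending in /samlsso")
    elif idp.port != is_port:
        findings.append(f"identityProviderURL uses port {idp.port}, but IS listens on {is_port}")
    if attrs.get("acs") != registered_acs:
        findings.append("acs does not match the Assertion Consumer URL registered in IS")
    if str(attrs.get("responseSigningEnabled")).lower() != "true":
        findings.append("responseSigningEnabled is off, but Response Signing was enabled in IS")
    if not attrs.get("identityAlias"):
        findings.append("identityAlias is empty; the IS signing certificate cannot be looked up in the DS keystore")
    return findings


def mutate_config(designer_json, active_method=None, **attrs):
    """Return a copy of the config with some fields changed (for demonstrating the check)."""
    cfg = json.loads(designer_json)
    if active_method is not None:
        cfg["authentication"]["activeMethod"] = active_method
    cfg["authentication"]["methods"]["sso"]["attributes"].update(attrs)
    return json.dumps(cfg)


if __name__ == "__main__":
    print(check_sso_config(DESIGNER_JSON, "ues", "https://10.100.7.57:9443/portal/acs"))
    drifted = mutate_config(DESIGNER_JSON, active_method="basic", issuer="portal",
                            identityProviderURL="http://10.100.7.57:9763/samlsso")
    print(check_sso_config(drifted, "ues", "https://10.100.7.57:9443/portal/acs"))
```

Run it after editing designer.json; any finding about responseSigningEnabled or the identityAlias is worth fixing before testing the login, because those two settings decide whether the portal actually verifies the signature on the SAML Response that IS sends back.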

Now we are done with the configurations!

Start the DS server and Open up a Browser. Hit the portal URL (https://10.100.7.57:9444/portal). You should be directed to the IS login. Enter admin/admin username/password and sign in.

Following is the IS login page that you will be directed to :


