Thursday, February 11, 2016

How to Configure WSO2 Identity Server's Travelocity Sample Application in Tenant Domain

In this blog post I cover how to register the travelocity sample application as a service provider in a tenant domain of WSO2 Identity Server.

Prerequisites:

Download WSO2 Identity Server 5.1.0.

Steps to Follow:

1. Configure the travelocity SSO web application
2. Configure the Service Provider in the tenant domain
3. Configure the travelocity SSO application properties file
4. Run the sample


Configure the travelocity SSO web application

To obtain and configure the single sign-on sample, follow the steps below.

  1. Check out the SSO sample from the product-is repository on GitHub: https://github.com/wso2/product-is/tree/master/modules/samples/sso
  2. On the command line, navigate to <SAMPLE_HOME>/sso in the checked-out folder and build the sample with mvn clean install. You must have Apache Maven installed to do this.
  3. After the build succeeds, a .war file named travelocity.com.war can be found in the <SAMPLE_HOME>/sso/SSOAgentSample/target folder. Deploy this sample web app on a web container; the steps below use Apache Tomcat.
  4. To deploy the web app in the web container:
        Stop the Apache Tomcat server if it is already running.
        Copy the travelocity.com.war file to the <TOMCAT_HOME>/webapps folder.
        Start the Apache Tomcat server.

Configure the Service Provider in Tenant Domain

The next step is to configure travelocity.com as a service provider in a tenant domain. For this you first have to create the tenant domain in WSO2 Identity Server.

Steps to Create Tenant Domain:

1. Log in to the Identity Server with the admin/admin credentials.
2. Go to the Configure tab > Add New Tenant.

Steps to Create the Service Provider in Tenant Domain:

1. Log in to the Identity Server with the tenant admin credentials (tenant@wso2.com).

2. Navigate to the Main menu and click Add under Service Provider.

3. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration. Fill in the following:

   Issuer : travelocity.com
   Assertion Consumer URL : http://localhost:8080/travelocity.com/home.jsp
   Enable Response Signing
   Enable Single Logout

4. Save the Service Provider configuration.

5. Next, export the public certificate of the private key that the web app uses to sign the SAML authentication request. The following command exports it:

keytool -export -alias travelocity -file travelocity -keystore <path to wso2carbon.jks>

6. Import the exported public certificate into the tenant keystore of the Identity Server, which acts as the internal IdP.

7. After the import, the certificate is listed in the tenant keystore under the alias travelocity.

8. Edit the Service Provider configuration and select "travelocity" as the Certificate Alias.

9. The configuration needed for the SSO scenario to work with the web app is now mostly done. Next, export the tenant public certificate so that it can be imported into the trust store on the web app side; the web app uses it to verify the signature on the SAML Response/Assertion. Export the certificate from the UI using the public key link.

10. Import the exported certificate into the web app trust store (in this case the wso2carbon.jks located inside {Tomcat_Home}/webapps/travelocity.com/WEB-INF/classes):

keytool -import -alias <the alias name to give it; here travel.com> -file <path to the downloaded public certificate> -keystore <path to the web app trust store; here the wso2carbon.jks file>

Configuring the travelocity SSO application properties file

Now you have to change the following properties in the travelocity.properties file located in {Tomcat_Home}/webapps/travelocity.com/WEB-INF/classes.

Approach 1:

SAML2.SPEntityId=travelocity.com@wso2.com (the Service Provider issuer name with the tenant domain appended)

IdPPublicCertAlias=travel.com (the alias you gave in Step 10 of "Configure the Service Provider in Tenant Domain" when importing the tenant public certificate into the web app trust store)

Approach 2:

Apart from the above, there is another way to specify the tenant domain in the travelocity properties file: pass the tenant domain as a query parameter. Use either the approach above or the one below.

Set SAML2.SPEntityId=travelocity.com

Uncomment the following in the properties file:

QueryParams=tenantDomain=wso2.com

IdPPublicCertAlias=travel.com

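As an added example (not from the original post or the WSO2 sample), here is a POSIX shell check that reads the three properties discussed above from a travelocity.properties file and reports whether the tenant domain is configured via Approach 1 (tenant appended to SAML2.SPEntityId) or Approach 2 (QueryParams), or neither. A QueryParams line left commented out, the most common slip when following Approach 2, is reported as not set. The function names and the sample property files it writes are my own, constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: a sanity check for the tenant
# settings in travelocity.properties before running the sample. It only reads
# the three properties named in the post (SAML2.SPEntityId, QueryParams,
# IdPPublicCertAlias); the sample files below are constructed for the demo.

# prop_value FILE KEY: print the value of the last uncommented KEY=VALUE line
# (a line starting with '#' is a comment, so a commented-out QueryParams does
# not count as set).
prop_value() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# check_tenant_config FILE TENANT: succeed (status 0) and print which approach
# is in use when the file carries the tenant domain, either appended to the
# SP entity id (Approach 1) or passed via QueryParams (Approach 2); fail otherwise.
check_tenant_config() {
  file=$1
  tenant=$2
  entity=$(prop_value "$file" "SAML2.SPEntityId")
  qp=$(prop_value "$file" "QueryParams")
  cert_alias=$(prop_value "$file" "IdPPublicCertAlias")

  if [ -z "$cert_alias" ]; then
    echo "IdPPublicCertAlias is not set: the web app cannot verify the IdP signature" >&2
    return 1
  fi
  case "$entity" in
    *"@$tenant") echo "approach1"; return 0 ;;
  esac
  case "$qp" in
    *"tenantDomain=$tenant"*) echo "approach2"; return 0 ;;
  esac
  echo "tenant domain $tenant is neither appended to SAML2.SPEntityId nor set in QueryParams" >&2
  return 1
}

# Constructed sample files, one per approach plus a broken one where the
# QueryParams line was left commented out.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/approach1.properties" <<'EOF'
SAML2.SPEntityId=travelocity.com@wso2.com
#QueryParams=tenantDomain=wso2.com
IdPPublicCertAlias=travel.com
EOF
cat > "$SAMPLE_DIR/approach2.properties" <<'EOF'
SAML2.SPEntityId=travelocity.com
QueryParams=tenantDomain=wso2.com
IdPPublicCertAlias=travel.com
EOF
cat > "$SAMPLE_DIR/broken.properties" <<'EOF'
SAML2.SPEntityId=travelocity.com
#QueryParams=tenantDomain=wso2.com
IdPPublicCertAlias=travel.com
EOF

# Run the check over the three constructed files and report each result.
for f in approach1 approach2 broken; do
  if result=$(check_tenant_config "$SAMPLE_DIR/$f.properties" wso2.com 2>&1); then
    echo "$f.properties: OK ($result)"
  else
    echo "$f.properties: FAIL ($result)"
  fi
done
```

To use it against a real deployment, call check_tenant_config on {Tomcat_Home}/webapps/travelocity.com/WEB-INF/classes/travelocity.properties with your tenant domain as the second argument; a non-zero exit status means the tenant domain will not reach the Identity Server and the login will be attempted against the super tenant instead.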
Now you can test the SSO with travelocity application and login with tenant domain.


Running the Sample

Visit http://localhost:8080/travelocity.com. You are directed to the sample's landing page.

Since you need to use SAML2 for this sample, click the first link, i.e., "Click here to login with SAML from Identity Server". You are redirected to the Identity Server for authentication.

Enter the tenant admin credentials and you will be logged in successfully.
