
Running SAML2 SSO sample with WSO2 IS


What’s up people? 😀

Today I’m going to talk about how you can easily run the SAML2 based single sign-on sample with WSO2 Identity Server. SAML stands for Security Assertion Markup Language; SAML 2.0 is the OASIS standard for exchanging authentication and authorization data between security domains, here between an identity provider (WSO2 IS) and two service providers (the sample web apps). You can read more about SAML2 in the OASIS specification.

As a prerequisite, you’ll need to download a WSO2 IS distribution first, from the WSO2 site. Apart from that, you’ll need an Apache Tomcat web server to deploy the sample applications, plus Git and Maven to fetch and build them. I’m using Ubuntu as my operating system, but you can run this on Windows as well.

Let’s begin!

Setting up sample apps

Clone the WSO2 IS samples repository with the command below.

 git clone https://github.com/wso2/samples-is.git 

Then navigate to the saml2-sso-sample directory and build the two web apps.

 
cd samples-is/saml2-sso-sample
mvn clean install

While it’s building, extract the WSO2 IS zip file and start the server by executing the command below from the server home directory.


./bin/wso2server.sh

Let the server start and go back to the folder where you cloned and built the sample. Once the build has finished, you will find two .war files in the target directories, as follows.


samples-is/saml2-sso-sample/components/SAML2/saml2-web-app-dispatch/target/saml2-web-app-dispatch.com.war

samples-is/saml2-sso-sample/components/SAML2/saml2-web-app-swift/target/saml2-web-app-swift.com.war

Now we need to copy these .war files into the webapps directory of the Tomcat server. You can use the ps command to find the Tomcat home directory if you don’t already know it.


ps -ef | grep tomcat

This prints the full command line of the Tomcat JVM; the -Dcatalina.base= (or -Dcatalina.home=) argument in it is the directory that contains the webapps folder. Once you have that location, copy the two .war files there and restart the Tomcat server with the command below (on Ubuntu the service may be named tomcat8 or tomcat9, depending on the package you installed).


sudo service tomcat restart

Setup Identity Server

Now that we’ve deployed the web apps, we need to configure the Identity Server instance to provide SAML2 SSO to them. To do that, first log in to the management console with the default credentials admin:admin (change these on anything that is not a throwaway local setup) and go to Identity > Service Providers > Add to add a new service provider.

Give the service provider a name (e.g. DispatchSP) and click Add. Then expand Inbound Authentication Configuration > SAML2 Web SSO Configuration and click Configure.

Provide the following information and click Register to complete the creation of the service provider. The Issuer must match exactly what the app sends in its requests, and the Assertion Consumer URL is the only URL the Identity Server will post the SAML response back to.

  • Issuer – saml2-web-app-dispatch.com
  • Assertion Consumer URLs – http://localhost.com:8080/saml2-web-app-dispatch.com/consumer

Follow the same steps to create another service provider for the swift application, with the following information.

  • SP name – SwiftSP
  • Issuer – saml2-web-app-swift.com
  • Assertion Consumer URLs – http://localhost.com:8080/saml2-web-app-swift.com/consumer
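As an added example (not code from this post or from the WSO2 sample apps), the Python script below shows what the two values you just registered are for from the service provider’s side. When the Identity Server posts a SAML Response to the Assertion Consumer URL, the app has to check that the response was addressed to exactly that URL and that the assertion’s Audience is exactly the Issuer it registered, alongside the InResponseTo, status and validity-window checks. It uses the DispatchSP values from above; the IdP entity ID ("localhost", which I assume to be the default resident IdP entity ID of WSO2 IS), the request ID, the user name and the timestamps are constructed for the demo. XML signature verification, which a real SP must do before trusting any of these fields, is left out because it needs an XML-DSig library and the IdP’s certificate.

```python
# Added example (not from the post or the WSO2 samples): the checks an SP such as
# the dispatch app must run on the SAML Response that WSO2 IS posts to its ACS URL.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ISSUER = "saml2-web-app-dispatch.com"                                   # registered Issuer
ACS_URL = "http://localhost.com:8080/saml2-web-app-dispatch.com/consumer"  # registered ACS
IDP_ISSUER = "localhost"                                                   # assumed IdP entity ID

def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    # xs:dateTime in UTC; IS writes millisecond precision, the schema also allows none.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def build_response(request_id, destination=ACS_URL, audience=SP_ISSUER,
                   idp=IDP_ISSUER, subject="admin", lifetime=300):
    """Constructed, unsigned Response in the shape IS sends (demo input only)."""
    now = datetime.now(timezone.utc)
    expiry = ts(now + timedelta(seconds=lifetime))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{ts(now)}" Destination="{destination}" InResponseTo="{request_id}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" InResponseTo="{request_id}" NotOnOrAfter="{expiry}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, expected_request_id):
    """Return the authenticated NameID, or raise ValueError naming the failed check.
    A real SP verifies the XML signature with the IdP certificate before any of this."""
    now = datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # Destination must be our own ACS URL, so a response minted for (or captured at)
    # another SP cannot be replayed here.
    if root.get("Destination") != ACS_URL:
        raise ValueError(f"Destination {root.get('Destination')!r} is not our ACS URL")
    # Tie the response to the AuthnRequest this browser session actually sent.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, got {len(assertions)}")
    a = assertions[0]
    issuer = a.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ISSUER:
        raise ValueError("assertion Issuer is not the registered IdP")
    # Bearer confirmation: delivered to our ACS, for our request, not yet expired.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("SubjectConfirmationData Recipient is not our ACS URL")
    if scd.get("InResponseTo") != expected_request_id or now >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData is for another request or has expired")
    # Conditions: validity window, and Audience == the Issuer we registered as the SP,
    # which is what stops an assertion issued for swift from logging a user into dispatch.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ISSUER not in audiences:
        raise ValueError(f"Audience {audiences} does not include {SP_ISSUER!r}")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing NameID")
    return name_id.text

def check(xml_text, request_id):
    """(True, name_id) if the response is acceptable, else (False, reason)."""
    try:
        return True, validate_response(xml_text, request_id)
    except ValueError as err:
        return False, str(err)

if __name__ == "__main__":
    print(check(build_response("_req1"), "_req1"))                                   # accepted
    print(check(build_response("_req1", destination="http://localhost.com:8080/saml2-web-app-swift.com/consumer"), "_req1"))
    print(check(build_response("_req1", audience="saml2-web-app-swift.com"), "_req1"))  # wrong SP
    print(check(build_response("_req1", lifetime=-1), "_req1"))                      # expired
```

Running it, the first response is accepted while one addressed to the swift app’s ACS URL, one whose Audience is the swift Issuer, and an expired one are each rejected with the reason. The two Issuer/ACS pairs you registered are exactly what keeps the dispatch and swift service providers distinct from the Identity Server’s point of view.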

Running the sample

Now the Identity Server is configured to provide SAML2 single sign-on for our two sample web apps. Note that the apps are addressed as localhost.com rather than localhost; if that name does not resolve on your machine, map it to 127.0.0.1 in /etc/hosts. Using a host name different from the one you use for the Identity Server keeps the apps’ session cookies separate from the server’s, since browsers scope cookies by host and not by port. Access the first application via the URL http://localhost.com:8080/saml2-web-app-dispatch.com. You’ll see a page like the following.

Click Log in and enter the credentials admin:admin when prompted. You can also add separate users via the admin dashboard of WSO2 IS. After login, you’ll be redirected to a consent page where the Identity Server asks for the user’s consent to release their attributes to the dispatch app. Select Approve and you’ll be redirected to the dispatch app home page, which looks like the following.

Now access the second application via the URL http://localhost.com:8080/saml2-web-app-swift.com. The same home page comes up, and once you click Log in, notice that it doesn’t ask for your username and password but goes straight to the consent page. The Identity Server uses the session you established when logging in to the dispatch app to log you into the swift app as well. Once you give consent, the swift home page loads.

You can also try logging out from one application. Reloading the other will show that it has been logged out too, because the Identity Server ends the shared session and notifies the other service provider (single logout). This is the basic use case of SAML2 based single sign-on.

I hope this gave you an idea of the topic and that you were able to run the sample applications successfully. Feel free to comment with your questions and do share among friends! 😉


Author: vihangaliyanage

Fast Learner, code geek, dedicated software developer, always look forward to learn something new.
