What’s up people? 😀
Today I’m going to talk about how you can easily run the SAML2-based single sign-on sample with WSO2 Identity Server. SAML stands for Security Assertion Markup Language, and SAML2 is the version of the standard for exchanging authentication and authorization data between security domains, typically an identity provider (IdP) and one or more service providers (SPs). You can read more about SAML2 in the OASIS SAML 2.0 specifications.
As a prerequisite, you’ll need to download a WSO2 IS distribution first. Apart from that, you’ll need an Apache Tomcat web server to deploy the sample applications. I’m using Ubuntu as my operating system, but you can run this on Windows as well.
Setting up sample apps
Clone the WSO2 IS samples repository using below command.
git clone https://github.com/wso2/samples-is.git
Then navigate to the saml2-sso-sample directory and build the two web apps.
cd samples-is/saml2-sso-sample
mvn clean install
While it’s building, extract the WSO2 IS zip file and start the server by executing the below command from the server home directory.
Let the server start, then go back to the folder where you cloned and built the sample. Once the build is finished, you can find the two .war files in the target directories, as follows.
Now we need to copy these .war files into the webapps directory of the Tomcat server. You can use the ps command to find the Tomcat home directory if you don’t already know it.
ps -ef | grep tomcat
This will show details of your running Tomcat process; try the directories shown to locate the webapps folder. Once you find it, copy the two war files there and restart Tomcat using the below command.
sudo service tomcat restart
Setup Identity Server
Now that we’ve deployed the web apps, we need to configure the Identity Server instance to provide the SAML2 SSO feature. To do that, first log in to the management console using the credentials admin:admin (the default administrator account, fine for a local sandbox but the first thing to change anywhere else) and go to Identity > Service Providers > Add to add a new service provider.
Give a name to the service provider (e.g. DispatchSP) and click Add. Then expand Inbound Authentication Configuration > SAML2 Web SSO Configuration and click Configure.
Then provide the following information and click Register to complete the creation of the service provider. The Issuer must match the issuer the web app sends in its SAML AuthnRequest, and the Identity Server will only deliver the SAML response to a registered Assertion Consumer URL, so both values have to match the deployed app exactly. The plain-http URLs used here are acceptable for this local sample only; in any real deployment the consumer endpoint should be served over https.
- Issuer – saml2-web-app-dispatch.com
- Assertion Consumer URLs – http://localhost.com:8080/saml2-web-app-dispatch.com/consumer
Follow the same steps to create another service provider for the swift application, with the following information.
- SP name – SwiftSP
- Issuer – saml2-web-app-swift.com
- Assertion Consumer URLs – http://localhost.com:8080/saml2-web-app-swift.com/consumer
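To make the two registered values concrete, here is an added example in Python (my own stdlib-only code, not part of the WSO2 sample apps or of Identity Server). It builds the AuthnRequest an SP sends, constructs a stand-in for the SAMLResponse the IdP would POST back to the consumer URL, and runs the consumer-side checks that tie a response to the SP registration above: Destination and Recipient against the Assertion Consumer URL, Audience against the Issuer, InResponseTo against the request we sent, and the validity window. The IdP entity id "localhost", the SSO endpoint URL and the XML itself are assumptions or constructed data, and XML signature verification is deliberately left out, so this is an illustration of the checks, not a drop-in consumer.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# The two service providers exactly as registered in the Identity Server above.
DISPATCH_SP = {"issuer": "saml2-web-app-dispatch.com",
               "acs_url": "http://localhost.com:8080/saml2-web-app-dispatch.com/consumer"}
SWIFT_SP = {"issuer": "saml2-web-app-swift.com",
            "acs_url": "http://localhost.com:8080/saml2-web-app-swift.com/consumer"}
# Assumptions, not taken from the page: the IdP entity id and its SSO endpoint.
IDP_ENTITY_ID = "localhost"
IDP_SSO_URL = "https://localhost:9443/samlsso"


def build_authn_request(sp):
    """AuthnRequest the SP sends to the IdP; returns (request_id, xml).
    The <saml:Issuer> is how the IdP looks up the SP registration, and the
    AssertionConsumerServiceURL must be one of the registered ACS URLs."""
    req_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime(TS)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{now}" Destination="{IDP_SSO_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'AssertionConsumerServiceURL="{sp["acs_url"]}">'
           f'<saml:Issuer>{sp["issuer"]}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml


def make_sample_response(sp, request_id, now):
    """Constructed stand-in for the SAMLResponse form field the IdP would POST
    to the ACS URL of `sp` (base64 of the XML, unsigned, bearer subject)."""
    nb = (now - timedelta(minutes=1)).strftime(TS)
    na = (now + timedelta(minutes=5)).strftime(TS)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
           f'Destination="{sp["acs_url"]}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>admin</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{request_id}" '
           f'Recipient="{sp["acs_url"]}" NotOnOrAfter="{na}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           f'<saml:Audience>{sp["issuer"]}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, sp, request_id, now):
    """Consumer-side checks an SP must do on top of signature verification
    (not shown). Returns a list of problems; an empty list means acceptable."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return ["not a samlp:Response"]
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination does not match registered ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Response Issuer is not the expected IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted assertions not handled here)"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Assertion Issuer is not the expected IdP")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["issuer"] not in audiences:  # an assertion minted for another SP must not be accepted
        problems.append(f"Audience {audiences} does not include {sp['issuer']}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        problems.append("SubjectConfirmationData Recipient does not match ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    try:
        nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
        na = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        if not nb <= now < na:
            problems.append("assertion outside its validity window")
    except (AttributeError, TypeError, ValueError):
        problems.append("missing or malformed Conditions validity window")
    return problems


def demo():
    """A valid response for DispatchSP, a response minted for SwiftSP replayed at
    the dispatch consumer (three mismatches), and an expired one."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    req_id, _ = build_authn_request(DISPATCH_SP)
    good = make_sample_response(DISPATCH_SP, req_id, now)
    wrong_sp = make_sample_response(SWIFT_SP, req_id, now)
    return {"good": validate_response(good, DISPATCH_SP, req_id, now),
            "wrong_sp": validate_response(wrong_sp, DISPATCH_SP, req_id, now),
            "expired": validate_response(good, DISPATCH_SP, req_id, now + timedelta(minutes=10))}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Running it prints an empty problem list for the dispatch response, three mismatches (Destination, Audience, Recipient) for the swift response replayed at the dispatch consumer, and a validity-window failure for the expired one. That is the practical reason the Issuer and Assertion Consumer URL you register must match the app byte for byte: they are the values every real SAML consumer compares against.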
Running the sample
Now we’ve configured the Identity Server to provide SAML2 single sign-on for our sample web apps. Access the first application via the URL http://localhost.com:8080/saml2-web-app-dispatch.com. You’ll see a page as follows.
Click Log in and enter the credentials admin:admin when prompted. You can also add separate users via the admin dashboard of WSO2 IS. After login, you’ll be redirected to a consent page where the SP asks for the user’s consent to use their attributes within the dispatch app. Select Approve and you’ll be redirected to the dispatch app home page, which looks as follows.
Now access the second application via the URL http://localhost.com:8080/saml2-web-app-swift.com. The same home page will come up, and once you click Log in, notice that it won’t ask for your username and password; instead it goes directly to the consent page. The Identity Server reuses the SSO session you established when logging in to the dispatch app to log you into the swift app as well. Once you give consent, the swift home page will load.
You can also try logging out from one application. Reloading the other will cause it to log out too, since the Identity Server ends the shared session. This is the basic use case of SAML2-based single sign-on.
I hope this gives you some idea about the topic and that you were able to run the sample applications successfully. Feel free to comment with your concerns and do share among friends! 😉