In this post, we are going to explore how to federate between our Identity Server Bus (chosen as WSO2) and Microsoft Azure as our Identity Provider. We will be using WSO2 IS version 5.0.0. However, this should hold true for newer versions as well.
Steps
Three distinct steps are required to set up federation between the WSO2 IS server and a SAML-enabled external IDP (Microsoft Azure).
Step 1: Add External Identity Provider configuration in WSO2 IS
Here the Identity Provider is the external client's Identity Provider. It must be registered in our Identity Server, which acts as the Service Provider in this exchange. Based on these definitions, Microsoft Azure is going to act as the Identity Provider IS while WSO2 IS – 1 is going to act as our Service Provider IS.
Login to the WSO2 IS – 1 management console and click Identity Providers -> Add.
You will need to provide the following metadata on the resulting page.
Identity Provider Name: (This should be a unique field). In our
example we called this azureIDP_IS.
Display Name: (This field can be anything you’d like to call)
Home Realm Identifier: (This field will be used when you have
more than one federated IDP configured in WSO2. It will be used to properly
route users of different IDPs to their own providers). There is a special SAML
variable in WSO2 IS called “fidp”. It is used in conjunction with the value of
this identifier.
Identity Provider Public Certificate: (This field allows you to upload the token signing certificate of the external IDP in PEM format. You must get this from the client or the system that you are integrating with). Since we are using Azure as the external IDP, I used the management portal to get the key.
1. Login to portal.office.com with your credentials
2. Click Administration
3. Click Active Directory and Add an Application
4. Once the application is added, click View Endpoints.
Copy the Federation Metadata Document URL and paste it into your browser.
You will see an XML document with the federation details.
Locate KeyDescriptor -> KeyInfo -> X509Data -> X509Certificate.
Copy the content of the base64 string and create a PEM file from it (the base64 text placed between BEGIN CERTIFICATE and END CERTIFICATE lines). You will upload this PEM file into the Identity Provider configuration in the WSO2 IS server. Once the PEM file is created, go ahead and upload it into WSO2 IS.
The next step is to add a Federated Authenticator. To do
this, click on “Federated Authenticators” link and select SAML2 Web SSO
Configuration. Since WSO2 IS supports many authenticators, you can choose
others depending on the federating IDP.
At this point you will be asked to provide metadata
information.
Identity Provider Entity Id: (This should be a unique value identifying this Identity Provider configuration). The entityID value from the Azure metadata file can be safely used here.
Service Provider Entity Id: (This should be a unique value
identifying the service provider configuration. This value will be used when we
are setting up a Service Provider in the external IDP).
SSO URL: (This field should point to the actual SAML 2.0 Web SSO URL of the identity provider, which is the external federating entity). In our example, the value is set to https://login.microsoftonline.com/d54896c4-a35f-4d4b-827f-652843a40080/saml2.
Depending on security and logout requirements, you can
enable assertion signing and enable SSO logout.
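The certificate and endpoint extraction described in this step, as an added example that is not part of the original post nor WSO2's or Azure's own code: it parses a federation metadata document, keeps only the KeyDescriptor entries usable for signing (an encryption-only key must never be trusted for signature validation), converts the base64 X509Certificate into the PEM form WSO2 IS accepts for upload, and also picks out the entityID and the HTTP-Redirect SingleSignOnService location that feed the Identity Provider Entity Id and SSO URL fields above. The metadata embedded in the block is a constructed stand-in (tenant id, certificate bytes and hosts are made up), not real Azure output; a real document is fetched over HTTPS from the Federation Metadata Document URL.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the Federation Metadata Document: the tenant id and the
# certificate bytes are made up and are not a real certificate.
FAKE_TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_SIGNING_B64 = base64.b64encode(b"constructed-signing-certificate-bytes-" * 4).decode()
FAKE_ENCRYPTION_B64 = base64.b64encode(b"constructed-encryption-certificate-bytes").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{FAKE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {FAKE_SIGNING_B64}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_ENCRYPTION_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, the base64 signing certificates and the SSO endpoints
    (keyed by binding) from a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both purposes;
        # keys marked 'encryption' are skipped for signature validation.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())   # drop line breaks and indentation
            base64.b64decode(b64, validate=True)        # reject malformed base64 early
            signing_certs.append(b64)
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS SSO endpoint: {location}")
        sso[svc.get("Binding")] = location
    return {"entity_id": root.get("entityID"), "signing_certs": signing_certs, "sso": sso}


def to_pem(b64_der):
    """Wrap a base64 DER certificate into the PEM form used for the WSO2 IS upload."""
    body = "\n".join(b64_der[i:i + 64] for i in range(0, len(b64_der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Identity Provider Entity Id:", info["entity_id"])
    print("SSO URL:", info["sso"][REDIRECT_BINDING])
    for i, cert in enumerate(info["signing_certs"]):
        with open(f"azure-signing-{i}.pem", "w") as fh:   # file to upload in the IdP configuration
            fh.write(to_pem(cert))
```

Azure publishes more than one KeyDescriptor during signing-key rollover, so the loop returns every signing certificate rather than the first one; upload the current one and keep the next in hand to avoid a signature-validation outage when the tenant rotates keys.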
This step should conclude setting up the external IDP as an
Identity Provider in our Service Provider IS.
In the next step, we will be setting up a
Service Provider configuration in the external IDP.
Step 2: Add Service Provider Configuration in External IDP
In this step, we will be working with the external IDP to
set up a configuration for our service provider. Since Azure is our external IDP, login
to its management console and click on the application that was previously
created.
You will have to provide some basic information here in
order to register a “Service Provider”.
Name: (This field will be set by the client admin personnel. It just needs to be a unique value identifying the Service Provider).
Sign On URL: This should point to the WSO2 IS SSO URL (https://wso2iserver/samlsso).
APP ID URI: This is the unique issuer id and must match the Service Provider Entity Id entered in the WSO2 Identity Provider configuration in Step 1.
REPLY URL: This acts as the assertion consumer URL. It must
point back to WSO2 IS commonauth endpoint.
Save your configuration changes.
This should complete this step.
Step 3: Configure Applications (Service Providers) for Federation
Now that the external IDP is set up in our Identity Server Bus and our IDP is registered as an SP in the external IDP, we need to configure applications for federation.
Login to the Identity Server Bus (WSO2 IS – 1) console and click Service Providers -> Add. Create a new service provider pointing to your mod_auth_mellon agent deployed at your web server. Once it is added, click the Edit button and select “Local & Outbound Authentication Configuration”.
Since we already set up the external client IDP as a federated IDP in Steps 1 and 2, you will see that Federated Authentication is available under the Identity Provider Name you provided.
Select the radio button next to Federated Authentication and click Update. This enables this Service Provider to use the Federated IDP during authentication.
The Advanced Configuration allows you to chain authenticators, so you can handle local as well as federated authentication. To set it up, click on “Advanced Configuration”.
With this, both the local (basic) authenticator and the Federated Authenticator are configured. Click Update to save your changes.
This concludes the setup of federation between the WSO2 IS instance as your IDP and the mod_auth_mellon powered web server as your Service Provider.
Testing
To test, first try to log in to a protected service provider application. We use the application that was already registered as a service provider. If you hit the application's URL, you will see the WSO2 IS login page.
You can either log in locally or use one of the other login types. In this case, Azure shows up as an external authenticator. When you click on Azure, WSO2 IS forms a SAML Request and submits it to Azure, where you can log in.
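The exchange described here, as an added example that is not part of the original post nor WSO2's code: it builds the SAML AuthnRequest that WSO2 IS (as SP) sends to the Azure SSO URL, and checks the addressing fields of the Response that comes back (Issuer against the Identity Provider Entity Id, Destination and Recipient against the REPLY URL/commonauth endpoint, Audience against the Service Provider Entity Id / APP ID URI, InResponseTo against the request id). These are exactly the values from Steps 1 and 2 that must line up for the login to succeed. Hosts, tenant id and entity ids are hypothetical placeholders; the sample Response is constructed and carries only an empty Signature element, so this check covers addressing only and is no substitute for the XML signature verification and validity-window checks that WSO2 IS performs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from uuid import uuid4

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML, "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values mirroring the fields from Steps 1 and 2 (hosts and tenant id are placeholders).
CONFIG = {
    "sp_entity_id": "https://wso2iserver/azure-federation",   # Service Provider Entity Id == Azure APP ID URI
    "acs_url": "https://wso2iserver/commonauth",              # Azure REPLY URL (commonauth endpoint)
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # IdP Entity Id
    "sso_url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2",  # SSO URL
}


def build_authn_request(cfg, request_id=None, issue_instant=None):
    """Build the AuthnRequest the SP sends to the IdP; returns (xml, request_id).
    The SP must remember request_id to check InResponseTo on the Response."""
    request_id = request_id or "_" + uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": cfg["sso_url"],                    # IdP SSO URL from Step 1
        "AssertionConsumerServiceURL": cfg["acs_url"],    # must equal the REPLY URL registered in Azure
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = cfg["sp_entity_id"]   # == APP ID URI in Azure
    return ET.tostring(req, encoding="unicode"), request_id


def make_sample_response(cfg, request_id, audience=None, signed=True):
    """Constructed IdP Response (not real Azure output) for exercising the validator;
    'audience' and 'signed' let the caller simulate a misrouted or unsigned assertion."""
    audience = audience or cfg["sp_entity_id"]
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{cfg['acs_url']}" InResponseTo="{request_id}">
  <saml:Issuer>{cfg['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{cfg['idp_entity_id']}</saml:Issuer>{sig}
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{cfg['acs_url']}" InResponseTo="{request_id}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(cfg, response_xml, expected_request_id):
    """Return the list of addressing problems; an empty list means the Response is
    from the configured IdP, addressed to this SP, and answers the request we sent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination is not our REPLY URL (commonauth endpoint)")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    for node, label in ((root, "Response"), (assertion, "Assertion")):
        if node.findtext("saml:Issuer", default="", namespaces=NS).strip() != cfg["idp_entity_id"]:
            problems.append(f"{label} Issuer is not the configured Identity Provider Entity Id")
    if assertion.find("ds:Signature", NS) is None:   # presence only; verification is the SAML stack's job
        problems.append("Assertion is not signed (enable assertion signing on both sides)")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if cfg["sp_entity_id"] not in audiences:
        problems.append("Audience does not include our Service Provider Entity Id / APP ID URI")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"] or scd.get("InResponseTo") != expected_request_id:
        problems.append("SubjectConfirmationData Recipient/InResponseTo do not point at this SP")
    return problems
```

A mismatch in any of these fields is what the usual "Issuer not found" or "Invalid audience" style failures in a fresh federation come down to, so comparing the configured values against a captured Response (for example from the browser's developer tools on the commonauth POST) is a quick way to locate which of the Step 1 or Step 2 entries was mistyped.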