Skip to main content

Identity Federation with SAML 2.0 and Mod Mellon (PART 2)

In this post, we are going to explore how to federate between our Identity Server Bus (chosen as WSO2) and Microsoft Azure as our Identity Provider. We will be using WSO2 IS version 5.0.0. However, this should hold true for newer versions as well.


There are going to be 3 distinct steps required to set up federation between WSO2 IS server and a SAML enabled external IDP (Microsoft Azure).

Step 1: Add External Identity Provider configuration in WSO2 IS

Identity Provider is the external client Identity Provider. It must be set up in our Identity Server, which will be acting as a Service Provider. Based on these definitions Microsoft Azure is going to be acting as the Identity Provider IS while WSO2 IS – 1 is going to be acting as our Service Provider IS.

Login to WSO2 IS – 1 management console and click Identity Providers -> Add

You will need to provide the following metadata required on the above html page.

Identity Provider Name: (This should be a unique field). In our example we called this azureIDP_IS.

Display Name: (This field can be anything you’d like to call)

Home Realm Identifier: (This field will be used when you have more than one federated IDP configured in WSO2. It will be used to properly route users of different IDPs to their own providers). There is a special SAML variable in WSO2 IS called “fidp”. It is used in conjunction with the value of this identifier.

Identity Provider Public Certificate: (This filed allows you to upload the token signing cert of the external IDP in pem format. You must get this from the client or the system that you are integrating with). Since we are using Azure as the external IDP, I used the management portal to get the key.

  • 1.     Login to with your credentials
  • 2.     Click Administration
  • 3.     Click Active Directory and Add an Application
  • 4.     Once the application is added, click View EndPoints.


Copy the Federation Metadata Document URL and paste it into your browser.

      You will see an xml document showing you the details.
      Locate keyDescriptor -> KeyInfo -> X509Data -> X509Certificate
      Copy the context of the base64 string and create a pem file. You will be using this pem file to upload into Identity Provider configuration in WSO2 IS server. Once the pem file is created, go ahead and upload it in to WSO2 IS. 

The next step is to add a Federated Authenticator. To do this, click on “Federated Authenticators” link and select SAML2 Web SSO Configuration. Since WSO2 IS supports many authenticators, you can choose others depending on the federating IDP.

At this point you will be asked to provide metadata information.

Identity Provider Entity Id: (This should be a unique value identifying this Identity Provider configuration). Value in the Azure metadata file can be safely used here.

Service Provider Entity Id: (This should be a unique value identifying the service provider configuration. This value will be used when we are setting up a Service Provider in the external IDP). 

SSO URL: (This field should be pointing to the actual SAML 2.0 WEB SSO URL of the identity provider which is the external federating entity). In our example, the value is set to

Depending on security and logout requirements, you can enable assertion signing and enable SSO logout.

This step should conclude setting up the external IDP as an Identity Provider in our Service Provider IS.

In the next step, we will be setting up a Service Provider configuration in the external IDP.

Step 2: Add Service Provider Configuration in External IDP

In this step, we will be working with the external IDP to set up a configuration for our service provider. Since Azure is our external IDP, login to its management console and click on the application that was previously created. 

You will have to provide some basic information here in order to register a “Service Provider”.

Name: (This field will be set up by the client admin personnel). It just needs to be a unique field identifying the Service Provider).

Sign On URL: This should point to WSO2 IS SSO URL. (https://wso2iserver/samlsso)

APP ID URI: This is the unique issuer id and must match the configuration in WSO2 Identity Provider configuration that took place in the first half of this documentation.

REPLY URL: This acts as the assertion consumer URL. It must point back to WSO2 IS commonauth endpoint.

Save your configuration changes.

This should complete this step.

Step 3: Configure Applications (Service Providers) for Federation

Now that we were able to set up external IDP in our Identity Server Bus and set our IDP as an SP in the external IDP, we need to configure applications for federation.

Login to Identity Server Bus (WSO2 IS – 1) console and click on Service Providers -> Add. Create a new service provider pointing to your mod_auth_mellon agent deployed at your web server. Once its added, Click the Edit button and select “Local & Outbound Authentication Configuration”.

Since we already set up the external client IDP as a federated IDP in steps1 and 2, you will see that Federated Authentication is available with the provided Identity Name.

You can select the radio box next to Federated Authentication and click update. This will enable this Service Provider to use the Federated IDP during authentication.

The Advanced Configuration allows you to chain authentications. You can handle local as well as federated authentication.

To set up Advanced Configuration, click on “Advanced Configuration”.

As you can see, local (basic) as well as Federated Authenticator is configured. Click update to save your changes.

This step concludes to set up of federation between WSO2 IS instance as your IDP and mod_auth_mellon powered web server as your Service Provider.


To test you must first try to login to a service provider application that is being protected. We set up an application that is already set up as a service provider. 

If you were to hit application's URL, you will see the following page.
You can either login locally all use one of the other login types. In this case, Azure shows up as an external authenticator. Clicking on the Azure, WSO2 IS will for a SAML Request and submit it to Azure where you can login.