Wednesday, May 4, 2016

Setting up SSO in a WSO2 product with an identity provider other than WSO2 IS

Setting up SSO between a WSO2 product (for example a WSO2 DAS server) and WSO2 IS is the usual, documented case.

If you want to set up SSO in a WSO2 product with a different identity provider, you should consider the following.

Let's say we want to configure WSO2 GREG with ADFS.
1. Configure SSO in GREG by updating the SSO settings in <GREG_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json.

2. Then configure SSO in ADFS (a relying party trust for GREG) and import the ADFS token-signing certificate into GREG's JKS, so that GREG can verify the signature on the assertions ADFS issues.
3. Once SSO is set up, logging in to GREG redirects the browser to ADFS; ADFS authenticates the user and returns a signed SAML assertion to GREG.
4. Authorization then has to happen on the GREG side, and it fails, because the user named in the assertion does not exist in GREG's user store.

To solve that issue I found a number of solutions, assuming you can't share the ADFS user base with GREG:
a: Create a replica of the ADFS user base (without passwords, or with dummy passwords) and point GREG at the replica.

b: Whenever a user is added on the ADFS side, add the same user (without a password, or with a dummy password) and the same roles on the GREG side, either via a provisioning app, a script or manually. In both a and b the dummy password must be a random, unguessable value unique to each user (or local login must be disabled), since a known shared password would let someone log in to GREG directly and bypass ADFS.

c: Write a JIT provisioning extension that provisions the user on the GREG side when GREG receives the SAML assertion, and then authorizes the user to the application.
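As an added example of option b (this is not code from the original post and not WSO2's own code), here is a small provisioning script that mirrors ADFS-side users into GREG through the RemoteUserStoreManagerService admin service that Carbon-based products expose at https://<host>:9443/services/RemoteUserStoreManagerService. The operation and element names (addUser, userName, credential, roleList, claims, profileName, requirePasswordChange and their namespaces) are assumed from that service's WSDL and should be checked against your GREG version; the endpoint, admin credentials and the ADFS_USERS list are constructed placeholders. Each user gets a fresh random credential that is never stored, so the mirrored account satisfies the password requirement without becoming a second way in.

```python
"""Mirror ADFS-side users into a WSO2 GREG user store (option b).

Added example, not WSO2 code.  Element names and namespaces are assumed
from the RemoteUserStoreManagerService WSDL; verify them on your server.
"""
import base64
import secrets
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://service.ws.um.carbon.wso2.org"            # assumed from WSDL
DAO_NS = "http://dao.service.ws.um.carbon.wso2.org/xsd"    # assumed from WSDL

# Constructed sample of what the ADFS side knows about its users.
ADFS_USERS = [
    {"username": "alice", "roles": ["publisher", "reviewer"],
     "claims": {"http://wso2.org/claims/emailaddress": "alice@example.com"}},
    {"username": "bob", "roles": ["publisher"],
     "claims": {"http://wso2.org/claims/emailaddress": "bob@example.com"}},
]


def unusable_password(nbytes=32):
    """Per-user random credential.  ADFS does the authentication, so GREG
    must never hold a shared 'dummy' password that would allow a direct
    local login bypassing SSO.  A fresh 256-bit secret that is not written
    down anywhere satisfies the mandatory-password rule without that risk."""
    return secrets.token_urlsafe(nbytes)


def build_add_user_envelope(username, roles, claims, password, profile="default"):
    """Build the SOAP request for RemoteUserStoreManagerService.addUser.

    Built with ElementTree rather than string formatting so every value is
    XML-escaped: a username such as 'x</ser:userName><ser:roleList>admin'
    coming from a compromised directory must not be able to inject extra
    elements (for example an admin role) into the admin request."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ser", SVC_NS)
    ET.register_namespace("xsd", DAO_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}addUser")
    ET.SubElement(op, f"{{{SVC_NS}}}userName").text = username
    ET.SubElement(op, f"{{{SVC_NS}}}credential").text = password
    for role in roles:                       # one roleList element per role
        ET.SubElement(op, f"{{{SVC_NS}}}roleList").text = role
    for uri, value in claims.items():
        claim = ET.SubElement(op, f"{{{SVC_NS}}}claims")
        ET.SubElement(claim, f"{{{DAO_NS}}}claimURI").text = uri
        ET.SubElement(claim, f"{{{DAO_NS}}}value").text = value
    ET.SubElement(op, f"{{{SVC_NS}}}profileName").text = profile
    ET.SubElement(op, f"{{{SVC_NS}}}requirePasswordChange").text = "false"
    return ET.tostring(env, encoding="unicode")


def parse_envelope(xml_text):
    """Return (userName, [roles]) from an addUser envelope; used to check
    that escaping kept hostile usernames inside a single text node."""
    op = ET.fromstring(xml_text).find(f".//{{{SVC_NS}}}addUser")
    name = op.findtext(f"{{{SVC_NS}}}userName")
    roles = [e.text for e in op.findall(f"{{{SVC_NS}}}roleList")]
    return name, roles


def provision_user(endpoint, admin_user, admin_pass, user, ca_file=None):
    """POST one addUser request to GREG's admin service over HTTPS.
    Carbon admin services accept HTTP Basic auth for the admin account;
    TLS verification stays on (ca_file can pin the server certificate)
    because this request carries the admin password."""
    body = build_add_user_envelope(user["username"], user["roles"],
                                   user["claims"], unusable_password()).encode()
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "urn:addUser",          # assumed action name
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder endpoint and credentials; run only from a provisioning host.
    ENDPOINT = "https://greg.example.com:9443/services/RemoteUserStoreManagerService"
    for u in ADFS_USERS:
        print(u["username"], provision_user(ENDPOINT, "admin", "admin-password", u))
```

The script only covers adding users; deleting or disabling the GREG account when the user leaves the ADFS side needs the matching deleteUser call, otherwise orphaned accounts with roles accumulate in GREG.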

Hope this helps.
