

Enable Single Sign-On for a SAML Web Application¶

This page guides you through configuring single sign-on authentication between two SAML web applications. This is demonstrated using two sample applications called Pickup Dispatch and Pickup Manager.

Scenario¶

Pickup is a cab company that has two SAML web applications called pickup-dispatch and pickup-manager. Both applications use MWARE IAM (IS) as the identity provider. When SSO is configured for both these applications, an employee is only required to provide their credentials to the first application and the user will be automatically logged in to the second application.

SAML SSO scenario

Follow the steps below to deploy two sample applications and see how this works.

Register the service providers¶

You need to register the two sample applications as service providers in MWARE IAM.

Pickup Dipatch¶

Log in to the Management Console (https://<IS_HOST>:<PORT>/carbon) using admin/admin credentials.
Navigate to Main > Identity > Service Providers and click Add.
Enter saml2-web-app-pickup-dispatch in the Service Provider Name text box, and click Register.
In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
1. Now set the configuration as follows:
  - Issuer: saml2-web-app-pickup-dispatch.com
  - Assertion Consumer URL: http://localhost.com:8080/saml2-web-app-pickup-dispatch.com/home.jsp
  Click Yes, in the message that appears.
2. Select the following checkboxes:
  - Enable Response Signing
  - Enable Single Logout
  - Enable Attribute Profile
  - Include Attributes in the Response Always
  - Enable Signature Validation in Authentication Requests and Logout Requests
Tip

For more information on the advanced configurations, see Advanced SAML Configurations.
Click Register to save the changes.

Pickup Manager¶

Access the MWARE IAM Management Console (https://<IS_HOST>:<PORT>/carbon).
Navigate to Main > Identity > Service Providers and click Add.
Enter saml2-web-app-pickup-manager in the Service Provider Name text box, and click Register.
In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
1. Now, set the configuration as follows:
  - Issuer : saml2-web-app-pickup-manager.com
  - Assertion Consumer URL : http://localhost.com:8080/saml2-web-app-pickup-manager.com/home.jsp
    
    Click Yes, in the message that appears.
2. Select the following check-boxes:
  - Enable Response Signing
  - Enable Single Logout
  - Enable Attribute Profile
  - Include Attributes in the Response Always
  - Enable Signature Validation in Authentication Requests and Logout Requests
Tip

For more information on the advanced configurations refer, Advanced SAML Configurations.
Click Register to save the changes.

(Optional) Configure claims¶

Additionally, you can also configure claims for the service providers.

On the Main menu of the management console, click Service Providers>List, and Edit the "pickup-dispatch" service provider.
Expand the Claim Configuration section in the service provider form.
You can select the claims that must be sent to the service provider. Select Use Local Claim Dialect and click Add Claim URI.
Add the following claims as Requested Claims.
1. http://wso2.org/claims/fullname
2. http://wso2.org/claims/emailaddress
Select http://wso2.org/claims/fullname as the Subject claim URI and click Update to save the service provider configurations.
Now, logout of the Pickup Dispatch and Pickup Manager applications.
Access http://wso2is.local:8080/saml2-web-app-pickup-dispatch.com on your browser and click Login.
Note that the user is now prompted for consent to share the Email Address claim value with the sample application.

Now you have successfully configured additional claims for your service provider.

Deploy the samples¶

Download Apache Tomcat 8.x from here and install. Tomcat server installation location will be referred as <TOMCAT_HOME> later in this guide.

Info

It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify the /etc/hosts entry in your machine to reflect this. Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.
Download the following samples:
- saml2-web-app-pickup-manager.com.war
- saml2-web-app-pickup-dispatch.com.war
Copy the downloaded saml2-web-app-pickup-dispatch.com.war and saml2-web-app-pickup-manager.com.war files into the <TOMCAT_HOME>/apache-tomcat-<version>/webapps folder.
Start the Tomcat server.

You are now ready to try out SAML SSO with the Pickup Dispatch and Pickup Manager sample web applications.

Configure CORS¶

SAML2 POST Binding requires CORS configurations to be set up.

Before configuring the service provider, add the following configurations to the deployment.toml file found in <IS_HOME>/repository/conf/. Adding this configuration allows HTTP POST requests.

``` toml
[cors]
allow_generic_http_requests = true
allow_any_origin = false
allowed_origins = [
    "http://localhost:8080"
]
allow_subdomains = false
supported_methods = [
    "GET",
    "POST",
    "HEAD",
    "OPTIONS"
]
support_any_header = true
supported_headers = []
exposed_headers = []
supports_credentials = true
max_age = 3600
tag_requests = false
```

Try it¶

Navigate to http://wso2is.local:8080/saml2-web-app-pickup-dispatch.com on your browser and click Login.
You will be redirected to the login page of MWARE IAM. Log in using your MWARE IAM credentials (admin/admin). Provide the required consent. You will be redirected to the Pickup Dispatch application home page.
Now, if you navigate to http://wso2is.local:8080/saml2-web-app-pickup-manager.com and click Login, you can see that the user has been automatically logged in to this application without being prompted for user credentials.

You have successfully configured SAML single sign-on for two web applications using MWARE IAM as the identity provider.