WSO2 Identity Server (WSO2IS) is a good choice as the identity provider (IdP) for Single Sign-On with AEM: it is open source and supports SAML 2.0, OpenID, OpenID Connect, OAuth 2.0, SCIM, XACML and Passive Federation (WS-Federation). The server also ships with an embedded LDAP user store in which users and their roles can be set up.
In this part, we address WSO2IS Installation & Configuration. In the next part (Part 2), we will look at AEM (Adobe Experience Manager) Side Configuration.
Steps for WSO2 Identity Server Installation & Configuration:
- Download the server from http://wso2.com/products/identity-server/, unpack it and start it (bin/wso2server.sh on Linux/macOS, bin/wso2server.bat on Windows).
- Log in to the WSO2IS management console (https://localhost:9443/carbon by default) using the default credentials (username: admin, password: admin). Change this password before anyone else can reach the server; the default admin account is the first thing an attacker tries.
- Go to Main > Users and Roles > Add and create a new user. This user will be used to log in to the website and will be authenticated by WSO2IS.
- Create a new Service Provider so that AEM can use WSO2IS as its IdP.
- Go to Identity > Service Providers > Add.
- Enter a Service Provider name, then configure SAML Web SSO: under Inbound Authentication Configuration > SAML2 Web SSO Configuration, click Configure.
- Next, provide the SAML SSO configuration as follows:
Configuration for SAML SSO –
- Issuer: aem
This is the entity ID of the SAML2 service provider. It must be exactly the issuer (entity ID) that the service provider sends in its authentication requests, because WSO2IS looks up the Service Provider by this value. In WSO2's travelocity sample application that value is the SAML.IssuerID property in travelocity.com/WEB-INF/classes/travelocity.properties; for AEM it is set on the AEM side in Part 2.
- Assertion Consumer URL: the Assertion Consumer Service (ACS) URL of the service provider. The identity provider sends the SAML2 Response to this URL, so it must match the service provider's own ACS endpoint exactly (the SAML.ConsumerUrl property in travelocity.properties for the sample; the AEM endpoint in Part 2). Register only the real ACS URL here: whatever is listed is where WSO2IS will hand the user's assertion to the browser.
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
The service provider and the identity provider exchange messages about a particular subject, who is identified by a Name Identifier (NameID) in a format the other party can interpret. The SAML2 specification defines several such formats; enter the email-address format here (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, with lower-case "nameid-format" and "emailAddress", since the URN is matched literally).
- “Use fully qualified username in the NameID” option should be checked. With this option the NameID carries the username qualified with the tenant domain (for a user in the primary store of the super tenant, user@carbon.super), so the AEM side must expect that form.
- “Enable Response Signing” option should be checked. This signs the SAML2 Response returned after authentication.
- “Enable Assertion Signing” option should be checked. This signs the Assertion carried inside the Response. Together these signatures are what let the service provider verify that the assertion came from WSO2IS and was not altered in transit; the service provider must also be configured to verify them with the IdP certificate, otherwise signing on the IdP side buys nothing.
- “Enable Single Logout” option should be checked. This terminates the session at both parties once the user signs out from one of them, instead of leaving a live session behind at the other.
- “Enable Attribute Profile” option should be checked. This lets user claims (for example the email address) be sent to the service provider in the assertion's attribute statement.
- “Include Attributes in the Response Always” option should be checked. This sends those attributes in every response, even when the service provider does not explicitly request them.
- Under Local & Outbound Authentication Configuration, select Default as the authentication type. This means WSO2IS authenticates users itself, against its own user store (the embedded LDAP mentioned above), rather than federating the login to another identity provider.
Save all the configurations.
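As an added example (not part of the original post, and not WSO2 or AEM code), the following Python script checks a SAML 2.0 Response against the settings made above. It is the kind of check to run on what WSO2IS actually sends once the Service Provider is saved, to confirm that response and assertion signing, the aem audience, the emailAddress NameID format, the ACS destination and the validity window all came out as configured. The ACS URL and the sample response are constructed for illustration and are assumptions; real signature verification needs the IdP certificate and an XML-DSig library, which this script deliberately does not attempt.

```python
# Added example, not from the original post nor from WSO2 IS or AEM code: parse a
# SAML 2.0 Response and compare it with the Service Provider settings made above.
# Signature *verification* needs the IdP certificate and an XML-DSig library; here we
# only check that the elements produced by "Enable Response/Assertion Signing" exist.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Issuer and NameID format are the post's values; the ACS URL is an assumed
# placeholder (the real one is AEM's endpoint, configured in Part 2).
EXPECTED = {"audience": "aem",
            "acs_url": "http://aem.example.com:4502/saml_login",
            "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}


def _parse_time(value):
    """SAML timestamps are UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML timestamp: %r" % value)


def check_response(xml_text, expected=EXPECTED, now=None):
    """Return {check_name: passed} for one samlp:Response document."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    r = {}
    # Destination and Recipient must be the ACS URL registered for this SP;
    # anything else was meant for, or could be replayed to, another endpoint.
    r["destination_is_acs"] = root.get("Destination") == expected["acs_url"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    r["status_success"] = code is not None and code.get("Value") == SUCCESS
    r["response_signed"] = root.find("ds:Signature", NS) is not None
    a = root.find("saml:Assertion", NS)
    r["assertion_present"] = a is not None
    if a is None:
        return r
    r["assertion_signed"] = a.find("ds:Signature", NS) is not None
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    r["audience_matches"] = aud is not None and aud.text == expected["audience"]
    nid = a.find("saml:Subject/saml:NameID", NS)
    r["nameid_format_matches"] = nid is not None and nid.get("Format") == expected["nameid_format"]
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    r["recipient_is_acs"] = scd is not None and scd.get("Recipient") == expected["acs_url"]
    cond = a.find("saml:Conditions", NS)
    r["within_validity"] = cond is not None and (
        _parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter")))
    # Attribute Profile + "Include Attributes in the Response Always" -> AttributeStatement
    r["attributes_present"] = a.find("saml:AttributeStatement", NS) is not None
    return r


def failed_checks(results):
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed sample (not a real WSO2 IS capture); signature bodies are placeholders.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2020-01-01T12:00:00.000Z"
  Destination="http://aem.example.com:4502/saml_login">
  <saml:Issuer>localhost</saml:Issuer>
  <ds:Signature><ds:SignatureValue>RESPONSE-SIG</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T12:00:00.000Z">
    <saml:Issuer>localhost</saml:Issuer>
    <ds:Signature><ds:SignatureValue>ASSERTION-SIG</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://aem.example.com:4502/saml_login"
          NotOnOrAfter="2020-01-01T12:05:00.000Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T11:59:00.000Z" NotOnOrAfter="2020-01-01T12:05:00.000Z">
      <saml:AudienceRestriction><saml:Audience>aem</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="http://wso2.org/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# Same document with the assertion signature stripped and the audience changed:
# what a forged or mis-targeted assertion looks like to the checks above.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    "<ds:Signature><ds:SignatureValue>ASSERTION-SIG</ds:SignatureValue></ds:Signature>", ""
).replace("<saml:Audience>aem</saml:Audience>", "<saml:Audience>travelocity.com</saml:Audience>")
SAMPLE_NOW = datetime(2020, 1, 1, 12, 1, tzinfo=timezone.utc)  # inside the sample's window

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, failed_checks(check_response(doc, now=SAMPLE_NOW)) or "all checks passed")
```

To run it against a real login, base64-decode the SAMLResponse form field that the browser posts to the ACS URL and pass the XML to check_response(); every name returned by failed_checks() is a setting that did not come out as configured above. The checks on Destination, Recipient, Audience and the validity window are the ones an SP must enforce itself even when signatures verify, since a validly signed assertion issued for a different service provider or replayed after expiry is otherwise accepted.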
Read the second part of the blog on AEM Side Configuration