Thursday, November 27, 2014

In your Web App you will need to authenticate users using federated authenticators, IS supports many federated authenticators including, Google, Yahoo, Facebook, etc. So in this post I will explain how to add multiple federated authenticators to your web app, when multiple authenticators are added IS will render a intermediary page to the user to select the required authenticator, I will also explain you how to get rid of this page and how to directly authenticate from your webapp through WSO2IS

IS version I'm using is IS : 5.0

I will be using google and yahoo as federated authenticators and as the sample client (WebApp) I will be using example you can download it from here.

First Lets create necessary Identity providers.

First download and start the IS server. You can download WSO2 IS from here.

Step 1 - Starting the server

- Start the IS server by navigating to <IS_home>/bin/

Step 2 - Adding Google Authenticator

In order add Google as a federated authenticator you need to Register Google authenticator as a new IDP by following below steps;

Navigate to;

- Home > Identity > Identity Providers > Add

- Fill the Basic Information I will Give the Identity provider name as googleOpenID, you can enter any name you wish.

-  Now add "Home Realm Identifier" name as "google", make sure this name is unique.

- Then go to Federated Authenticators tab and select “Google Configuration” menu there. Enable the given options as shown in the below image.

 - Click on Register button.

Step 3 - Adding Yahoo as a authenticator

Now create a new IDP for yahoo. You can follow the above steps to do this, in the last step use yahoo as the federated authenticator.

The final configs will be as following,

Step 4 - Registering Service Provider

Next you need to register a service provider. you can follow the steps given below to do this.

- Home > Identity > Service Providers > Add

- Give a Service provider name hen click on “Register” button. i.e. Service provider Name as

- Then you will redirect to the registered Service Providers editable view.

- Tick on the Saas Application option given in the Basic information section and select the “Inbound Authentication Configuration” there. (When you select the saas option you can use the service provider from tenant domains as well.)

- Among the given options, select “SAML2 Web SSO Configuration” option and click on given “Configure” link.

- Then you will redirect to SSO configuration view.

- Fill the given fields accordingly.

Issuer :
Assertion Consumer URL : http://localhost:8080/

Tick on following options as well;

- Use fully qualified username in the NameID
- Enable Response Signing
- Enable Assertion Signing
- Enable Single Logout

- Then click on “Local & Outbound Authentication Configuration” tab and select “Advanced Configuration” 

- Now Add a new Authentication step

- Now add the federated authenticators you created as shown below,

And then click "Update" and then on “Register” button.

Step 5 - Adding the Client Application to Tomcat

- Placed the webapplication file inside the webapp folder of the tomcat server and start the tomcat server (version 7. +). (Get the travelocity sample svn checkout from here.)

- Access the webapp using following link.

- Since we have configured our service provider for a SAML request, select the SAML option as shown in the given image.

- Now it will redirect you to the IS login page and from there you will have to select the Login type. In the Next step I will explain you how to get rid of this login page.

- If you select the Google option it will be redirected to google.


- Once you have entered valid Google credentials you will get authorized and get permitted to access the requested travelocity webapp. 

By-parsing the IS authenticator selection page

In most cases you will not require IS to render a intermediary page when authenticating with multiple federated authenticators. In order to by parse the Authenticator selection screen the SAML request should tell IS which federated authenticator to use.

For this you can add a new parameter in the SAML request header. The parameter name is "fidp" this should be equal to the "Home Realm Identifier" defined in the step 2 when creating IDPs, The authenticator will be identified by this name by the IS.

- Inorder to simulate this with application stop the tomcat server.

- Navigate to <TOMCAT_HOME> > webapps > > WEB-INF > classes >

- Go to the end of the file add the following parameter.


The final content will look like following

The above will add the "fidp" parameter to the SAML request header. You can enable SSO tracing and look into this. The final SAML request will look like following,

- Now if you go to the travelocity App and click on the SAML request, you will be directed to the yahoo login page.

- Now you can change the "fidp" parameter to google and do the same, It will be directed to the google page.


In your web-application, depending on the users selection; "fidp" should be generated dynamically. So IS will direct the request to the correct authenticator.

If you have any queries please feel free to drop a comment. :)

Subscribe to RSS Feed Follow me on Twitter!