Here the requirement is to have single sign-on across Web applications and Web Services. In more detail, once the user is authenticated to access a WebApp he should not only be able to access other WebApps, but those WebApps should also be able to access a set of back-end services with the logged-in user's access rights with no further authentication. Here the back-end services can also be configured to authorize the user based on different user claims (e.g. email).
In the situation we can assume:
• trust relation between Identity Server and Resource Server (ESB Proxy)
• trust relation between Identity Server and Resource Client (Web App)
The communications are:
- User connects to the Web App, which is the “Resource Client”
- WebApp finds out the user is not authenticated and redirects to the SAML2 IdP.
- SAML2 IdP checks whether the user has an authenticated session; if not, it will prompt for credentials. Once authenticated there, the user will be redirected back to the WebApp (Resource Client) with a SAML token carrying the set of claims requested by the WebApp.
- Now, the WebApp (Resource Client) needs to access a back-end web service with the logged-in user's access rights. The WebApp processes the “SAML assertion token” and creates the STSToken, with which it calls the Proxy Service (Resource Server).
- Proxy Service (Resource Server) checks the “SAML assertion token” and allows access to the backend Web Service.
This is tested with:
• WSO2 Identity Server 4.0.0
• WSO2 Enterprise Service Bus 4.5.1
• Apache Tomcat 7.0.25
• Apache Subversion 1.6.12
• Apache Maven 3.2.3
• Java 1.6.0_26
Steps,
Step 1,
Download and deploy WSO2 IS 4.0.0 from http://wso2.org/products/identity-server/
Step 2,
Download WSO2 ESB 4.5.1 from http://wso2.com/products/enterprise-service-bus/.
When deploying ESB change the port offsets by 1, by editing
<ESB_HOME>/repository/conf/carbon.xml file, and change the Offset element as follows
<Offset>1</Offset>
Step 3,
Download and deploy Apache Tomcat
Step 4,
Checkout https://svn.wso2.org/repos/wso2/people/suho/sso-webapp-ws sso-webapp-ws
This contains all the artifacts needed for this sample
Step 5,
Setup WSO2 IS for SSO for Web Apps
- Login to IS
- Click SAML SSO from the management console
- Add SSO details
For the avis.com WebApp
Issuer: http://localhost:8081/avis.com/consumer
Assertion Consumer URL: http://localhost:8081/avis.com/consumer
Check “Enable Attribute Profile” and add the following claims
http://wso2.org/claims/givenname
http://wso2.org/claims/emailaddress
For the travelocity.com WebApp
Issuer: http://localhost:8081/travelocity.com/consumer
Assertion Consumer URL: http://localhost:8081/travelocity.com/consumer
Check “Enable Attribute Profile” and add the following claims
http://wso2.org/claims/givenname
http://wso2.org/claims/emailaddress
When successfully added, you will get a Consumer Index for each entry.
Now the SSO setup in the WSO2 IS is done.
Step 6,
Configuring the WebApps
- You can add these by editing the war file, or by editing the src-dist and building it.
- Edit the WEB-INF/web.xml of each WebApp and add the appropriate “Consumer Index” returned by the WSO2IS as the param-value for AttributeConsumingServiceIndex.
- Edit the WEB-INF/classes/filepath.properties of each WebApp and add the appropriate properties. You can find all the necessary files in the resources directory.
E.g.
keystore.file=/<path>/sso-webapp-ws/resources/keystore/wso2carbon.jks
repo.directory=/<path>/sso-webapp-ws/resources/repo
bearerpolicy.file=/<path>/sso-webapp-ws/resources/bearer-policy.xml
service.endpoint=http://localhost:8281/services/echoProxy
Step 7,
Add the proxy service
- Login to ESB
- Click on Add Proxy Service from the management console
- Create a Pass Through Proxy
- Add the proxy name and endpoint
Proxy Service Name: echoProxy
Target Endpoint: “Enter URL”
Target URL: http://localhost:8281/services/echo
And click “Create”
Here the echo service (Endpoint service) is deployed on ESB by default
Step 8,
Add the policy to the registry to secure the Proxy Service
- Click on Registry from the ESB management console
- Navigate to /_system/config/repository and click on the repository
- Under “Entries” click on “Add Resource” to add the policy file
- Now browse and add the bearer-policy.xml. This will be in the resources folder you checked out. Click “Add” to add the file.
Step 9,
Securing the proxy service
- Click on List under services from the ESB management console, and click on “Unsecured” link next to the echoProxy service entry.
- Select “yes”
- From the “Policy From Registry” section, click on “Configuration Registry” to add the policy from the config registry.
- Browse for the added “bearer-policy.xml” and click “OK”
- Click “Next”, then click on the “admin” and “wso2carbon.jks” checkboxes, select the private key store as “wso2carbon.jks” and click on “Finish” to Activate Security.
Step 10,
Deploy the webapps in Tomcat
Step 11,
- Enter the following in the redirected page
User Name: admin
Password: admin
With successful login you will be redirected to the home page, where the Web App will call the proxy using the “SAML assertion token” received at the SSO login.
- With successful login at the Proxy Service you will get the following page
Note: Here the Web Service Response will be “Hi WSO2”
- If the login at the Proxy Service fails you will get the following page
Note: Here the Web Service Response will be “’Hi WSO2’ expected but, no response from the web service”
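As an added example (not from the original post or from WSO2's own code), the checks the Proxy Service (Resource Server) applies to the “SAML assertion token” before letting the call through to the back-end, run in Python against a constructed assertion. Assumed: the Identity Server issues as “localhost” and the audience is the avis.com consumer URL configured in Step 5; the XML signature check is left to Rampart with wso2carbon.jks and is not shown.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample (not captured from WSO2 IS): the assertion the WebApp gets at SSO
# login and forwards to the Proxy Service. Signature omitted; Rampart verifies it in practice.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:Conditions NotBefore="2012-10-05T10:00:00Z" NotOnOrAfter="2012-10-05T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://localhost:8081/avis.com/consumer</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/givenname">
      <saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://wso2.org/claims/emailaddress">
      <saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

def _utc(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_bearer_assertion(xml_text, trusted_issuer, expected_audience, now_iso):
    """Return the claims if every check passes; raise ValueError naming the failed check."""
    a = ET.fromstring(xml_text)
    if a.findtext(SAML + "Issuer") != trusted_issuer:        # trust relation IS <-> proxy
        raise ValueError("untrusted issuer")
    conf = a.find(f"{SAML}Subject/{SAML}SubjectConfirmation")
    if conf is None or conf.get("Method") != BEARER:          # only the bearer profile
        raise ValueError("subject confirmation is not bearer")
    cond = a.find(SAML + "Conditions")
    now = _utc(now_iso)                                       # expiry / replay window
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    if expected_audience not in [e.text for e in cond.iter(SAML + "Audience")]:
        raise ValueError("audience mismatch")                 # token issued for another party
    # Claims the back-end can authorize on, e.g. http://wso2.org/claims/emailaddress
    return {att.get("Name"): att.findtext(SAML + "AttributeValue")
            for att in a.iter(SAML + "Attribute")}

def check_sample(now_iso):
    """Run the checks on the constructed assertion; return the claims or the failure reason."""
    try:
        return validate_bearer_assertion(SAMPLE_ASSERTION, "localhost",
                                         "http://localhost:8081/avis.com/consumer", now_iso)
    except ValueError as e:
        return str(e)
```

The failing branches correspond to the “no response from the web service” page above: the proxy rejects the token and never forwards the call to the echo service.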
I would like to thank the WSO2 folks Suresh Attanayake, Prabath Siriwardena, & Balachandiran Ajanthan for helping me on this.