Saturday, June 29, 2013

Enabling SAML2 SSO for WSO2 Carbon Server, OpenSSO/OpenAM as the IDP

WSO2 Carbon products comes with in-built web-SSO authenticators. Within minutes, you can enable web-SSO for any WSO2 Carbon server using WSO2 Identity Server as the IDP. In this blog post we are using, OpenSSO/OpenAM as the IDP and do the configuration.

Pre-requisites


1. Download and install openAM/openSSO [download the war file from here]
2. Download the WSO2 product.

Setting up the environment

Configuring OpenSSO/OpenAM


openSSO provides two mechanisms to register an service provider,
  • Creating a SP fedlet
  • Setting up a SP using a meta file called sp.xml
In this post I'm using the latter approach.

  1. Configure the sp.xml file.

  • The given sp.xml sample file uses, https://localhost:9443/acs as the redirection URL. Configure it according to your environment. https:///acs
  • EntityID element of the sp.xml should match the corresponding value of ‘ServiceProviderID’ in the authenticators.xml file
  









urn:oasis:names:tc:SAML:2.0:nameid-format:transient







   


2. Go to Common Tasks -> Register Remote Service Provider link and select the sp.xml as the file    to uploaded and select a Circle of Trust.




   


3. Go to Federation ­> entity providers in the openSSO management console and select the
newly registered service provider.Select/tick response signing attribute.






















Under name ID format list, make sure you specify, ‘transient’ and ‘unspecified’ name ID
formats.

Setting up WSO2 Carbon Server

1. Enable the SSO authenticator and configure the IDP URL in authenticators.xml found under
$CARBON_HOME/repository/conf/security/authenticators.xml

10

/carbon/admin/login.jsp
https://localhost:9443/acs
http://localhost:8080/opensso/SSOPOST/metaAlias/idp<
/Parameter>
opensso





Change the following params accordingly,
  • ServiceProvideID - This can be any identifier. Doesn’t have to be a URL. However the configured value should be equal to the value we configured in the ‘’ in sp.xml
  • IdentityProviderSSOServiceURL - The URL of your IDP
  • idpCertAlias - This is the certificate that get used during response validation from the IDP. OpenSSO servers’ public key should be imported to the Carbon servers keystore with the alias name ‘opensso’

Exporting/Importing Certificates

Add the public key of the selected circle of trust in to the Carbon keystore(wso2carbon.jks) found
under $CARBON_HOME/resources/security/wso2carbon.jks. You can use Java keytool to do that.

-Exporting a public key

Here we will be using the default shipped openSSO keystore certificate. It has the alias name of ‘test’
and typically located in /home/opensso/opensso/keystore.jks. The default password is ‘changeit’. To
export the public key of ‘test’,

keytool -export -keystore keystore.jks -alias test -file test.cer

The public key will get stored in ‘test.cer’ file. you can view the certificate content with the command,

keytool -printcert -file test.cer

- Importing a public key to the wso2carbon.jks

Now import the ‘test.cer’ into Carbon key stores found under $CARBON_HOME/repository/resources/security/wso2carbon.jks

keytool -import -alias opensso -file test.cer -keystore wso2carbon.jks

view the imported certificate using the command
keytool -list -alias opensso -keystore wso2carbon.jks -storepass wso2carbon

Testing the Environment


Try accessing the carbon management console. (eg. https://localhost:9443/carbon) The call will
redirect you to IDP (openSSO login page). Enter username and the password in the openSSO login
page. Once you properly authenticated you will redirect back you to the WSO2 Carbon product login
page as a logged in user.
Please note: The authenticated user has to be in the Carbon servers’ user-store for authorization
(permission) purposes. Since the above described test environment does not share the same user
store between IDP (openSSO server) and SP (Carbon server) i created a user called ‘amAdmin’ in
Carbon server user store. Otherwise there will be a authorization failure during the server login.

"[2013-06-17 10:22:04,601] ERROR
{org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication
Request is rejected. Authorization Failure."

Please Note: As of this writing, there are interop issues with released version of Carbon servers and OpenSSO. I have created a JIRA here, along with the patch to rectify the issue. Future Carbon releases will fix this issue.