Configuring SAML SSO for WSO2 IS Management Console
In this post let’s see how we can enable SAML Single Sign On for the WSO2 Identity Server Management Console.
WSO2 Identity Server uses a cookie-based username/password login for the management console, which is reached at https://<hostname>:9443/carbon. Let's see how we can change this to a SAML SSO based login backed by a service provider created through the UI.
Configuring SAML SSO for the WSO2 IS Management Console is possible, but we strongly discourage it because of the security exposure it creates. The management console is meant only for administrative users and should not be usable by anyone else, so sharing a single sign-on session with other applications is a poor fit for it. With SSO in place, any browser that still holds a live session can reach the console without being challenged, so an administrator who forgets to log out (or leaves a session open on a shared machine) leaves the console open to whoever uses that browser next. Asking for a username and password on every console login accounts for that human error; SSO removes the safeguard.
Log in to the Identity Server management console and create a service provider named WSO2_IS with SAML Web SSO inbound authentication.
Configure the following settings for the SAML SSO service provider. The issuer and the assertion consumer service URL of this service provider must match the ServiceProviderID and AssertionConsumerServiceURL values placed in authenticators.xml below, because those are what the management console's authenticator sends to the IdP.
Now that we have created a UI-based SAML SSO service provider, let's configure it to be used in the management console login flow.
Modify the <IS_HOME>/repository/conf/security/authenticators.xml file as follows.
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">WSO2_IS</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
        <Parameter name="AssertionConsumerServiceURL">https://localhost:9443/acs</Parameter>
    </Config>
</Authenticator>
By default SAML2SSOAuthenticator is disabled (disabled="true") because the username/password authenticator is in use. Setting disabled="false" activates it and points it at the WSO2_IS service provider created in the UI: ServiceProviderID is the issuer the authenticator presents to the IdP, IdentityProviderSSOServiceURL is the IdP's SAML SSO endpoint, and AssertionConsumerServiceURL is where the SAML response is posted back to the console.
Restart the server and open the management console; you will be redirected to https://localhost:9443/authenticationendpoint/login.do for the SAML SSO login. You can now log in to the management console with the admin credentials.
If you then try to log in to the IS dashboard at https://localhost:9443/dashboard you will get the error message "You are not authorized to login", and the following error is printed in wso2carbon.log:
ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication Request is rejected. SAMLResponse AudienceRestriction validation failed.
The dashboard is itself a SAML service provider (issuer wso2.my.dashboard), and the assertion the IdP issues for it does not name WSO2_IS in its AudienceRestriction, so the console's SAML2SSOAuthenticator rejects it. To resolve this and log in to the dashboard, set the Audience of the dashboard entry in <IS_HOME>/repository/conf/identity/sso-idp-config.xml to the UI-based service provider's issuer name, as below. Be aware of what this does: an assertion issued for the dashboard now becomes acceptable to the management console authenticator, which is precisely the coupling that audience restriction exists to prevent, so it adds to the exposure discussed at the start of this post.
<SSOIdentityProviderConfig>
    <ServiceProviders>
        <ServiceProvider>
            <Issuer>wso2.my.dashboard</Issuer>
            ...
            <EnableAudienceRestriction>true</EnableAudienceRestriction>
            <AudiencesList>
                <Audience>WSO2_IS</Audience>
            </AudiencesList>
        </ServiceProvider>
    </ServiceProviders>
</SSOIdentityProviderConfig>
Restart the server again, log in to the management console and then open the dashboard: you are logged in through SSO without being asked for credentials.
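To make the audience failure above concrete, here is an added example (not WSO2 code) that reads the SAML2SSOAuthenticator block from authenticators.xml and the dashboard entry from sso-idp-config.xml, builds the assertion the IdP would issue for the dashboard from the configured AudiencesList, and applies the one check the page's log line reports: the AudienceRestriction must name the authenticator's ServiceProviderID. The two config fragments and the assertion are constructed inline so it runs offline; the real authenticator also verifies the response signature, conditions and NameID, none of which is modelled here, and how it treats an assertion with no AudienceRestriction at all is not something this post covers, so the example simply treats that as a rejection.

```python
"""Reproduce the WSO2 IS "SAMLResponse AudienceRestriction validation failed"
condition from the two configuration files involved.

Added example, not WSO2 code. Inputs are constructed; in practice read
<IS_HOME>/repository/conf/security/authenticators.xml and
<IS_HOME>/repository/conf/identity/sso-idp-config.xml from disk.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed authenticators.xml with the SAML2SSOAuthenticator block from the post.
AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
      <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
      <Parameter name="ServiceProviderID">WSO2_IS</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
      <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
      <Parameter name="AssertionConsumerServiceURL">https://localhost:9443/acs</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""


def sso_idp_config(audience):
    """Constructed sso-idp-config.xml holding one dashboard SP entry whose
    AudiencesList contains `audience` (the value the post tells you to change)."""
    return f"""<SSOIdentityProviderConfig>
  <ServiceProviders>
    <ServiceProvider>
      <Issuer>wso2.my.dashboard</Issuer>
      <EnableAudienceRestriction>true</EnableAudienceRestriction>
      <AudiencesList>
        <Audience>{audience}</Audience>
      </AudiencesList>
    </ServiceProvider>
  </ServiceProviders>
</SSOIdentityProviderConfig>"""


def saml_authenticator(auth_xml):
    """Return (enabled, {parameter name: value}) for SAML2SSOAuthenticator."""
    root = ET.fromstring(auth_xml)
    for auth in root.iter("Authenticator"):
        if auth.get("name") == "SAML2SSOAuthenticator":
            enabled = auth.get("disabled", "true").strip().lower() != "true"
            params = {p.get("name"): (p.text or "").strip() for p in auth.iter("Parameter")}
            return enabled, params
    return False, {}


def sp_audiences(idp_xml, issuer):
    """Audiences the IdP will put in assertions for the SP with this Issuer.
    Empty when the SP is absent or audience restriction is disabled."""
    root = ET.fromstring(idp_xml)
    for sp in root.iter("ServiceProvider"):
        if sp.findtext("Issuer", "").strip() != issuer:
            continue
        if sp.findtext("EnableAudienceRestriction", "false").strip().lower() != "true":
            return []
        return [a.text.strip() for a in sp.iter("Audience") if a.text]
    return []


def assertion_for(audiences):
    """Constructed, unsigned SAML 2.0 assertion carrying the given audiences;
    only the AudienceRestriction element matters for this example."""
    aud = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">'
            "<saml:Issuer>localhost</saml:Issuer>"
            "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
            f"<saml:Conditions><saml:AudienceRestriction>{aud}</saml:AudienceRestriction>"
            "</saml:Conditions></saml:Assertion>")


def audience_accepted(assertion_xml, service_provider_id):
    """The audience check: the assertion must name the console's ServiceProviderID.
    An assertion with no Audience element is treated as rejected here (an assumption)."""
    root = ET.fromstring(assertion_xml)
    found = [a.text.strip() for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    return service_provider_id in found


def dashboard_login(auth_xml, idp_xml, dashboard_issuer="wso2.my.dashboard"):
    """Simulate the dashboard login: the IdP issues an assertion for the dashboard SP,
    then the console's SAML2SSOAuthenticator validates its audience."""
    enabled, params = saml_authenticator(auth_xml)
    if not enabled:
        return False, "SAML2SSOAuthenticator is disabled; username/password login is in use"
    assertion = assertion_for(sp_audiences(idp_xml, dashboard_issuer))
    if not audience_accepted(assertion, params.get("ServiceProviderID", "")):
        return False, "Authentication Request is rejected. SAMLResponse AudienceRestriction validation failed."
    return True, "logged in via SSO"


if __name__ == "__main__":
    for label, aud in (("before fix", "wso2.my.dashboard"), ("after fix", "WSO2_IS")):
        ok, msg = dashboard_login(AUTHENTICATORS_XML, sso_idp_config(aud))
        print(f"{label}: {msg}")
```

Running it prints the rejection for the dashboard entry whose audience is still wso2.my.dashboard and a successful SSO login once the audience is WSO2_IS, which is the before/after the post describes. Pointing `sp_audiences` and `saml_authenticator` at the real files gives a quick pre-restart check that the two configurations agree.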
Try this out and feel free to comment if you encounter any issues.
References:
https://docs.wso2.com/display/IS500/Enabling+SSO+for+WSO2+Servers