
Service Provider Grouping with WSO2 Identity Server

Learn how to configure WSO2 Identity Server for service provider grouping: how to set up its configuration, the proxy server, and more.


When WSO2IS is used as an SSO IDP, an end user (a single browser agent) can have only one SSO session with WSO2IS. This session cannot be scoped by service provider, tenant domain, or any other parameter. That means once the end user has authenticated to WSO2IS through a given SP, every other SP registered with WSO2IS is also authenticated through SSO. We cannot group SPs so that some must use SSO and others must not.

But there are requirements where you need SSO only between a given set of service providers. Let's say there are three service providers called SP1, SP2 and SP3, and another set called SP4 and SP5. Your requirement is to have SSO only within the SP1/SP2/SP3 group, and separately within the SP4/SP5 group. Service provider grouping is not supported by WSO2IS by default, but there is a workaround.
WSO2IS sets a cookie called “commonauthid” in the end user's browser. This cookie is set for the hostname of WSO2IS. If we can present WSO2IS under two hostnames, then two “commonauthid” cookies can be set in the end user's browser. In theory, two cookies mean two SSO sessions in WSO2IS, so we can create two SSO sessions for the same end user. We can keep a single WSO2IS node (or cluster) and expose it under different hostnames through a proxy server. Any proxy server will do; we configured this easily using the virtual host configuration of the Apache HTTP server.

Let's try this out.

Step 1. Install WSO2IS in your environment and configure SP1/SP2/SP3/SP4/SP5 in WSO2IS.

Step 2. Make sure the hostname entries in the /repository/conf/carbon.xml file are configured properly. This must be the hostname of the server on which WSO2IS is installed.

<HostName>{IS_Server_Host_Name}</HostName>

<MgtHostName>{IS_Server_Host_Name}</MgtHostName>

Step 3. Configure a proxy server such as the Apache HTTP server with virtual host configuration. Let's assume we need to expose the WSO2IS instance under two different hostnames, foo.com and bar.com. The virtual host configuration would then be as follows.

<IfModule mod_proxy.c>

    # Virtual host for the first service provider group (SP1/SP2/SP3).
    # The browser receives a commonauthid cookie scoped to foo.com.
    <VirtualHost *:443>
        ServerAdmin techops@wso2.com
        ServerName foo.com
        ServerAlias foo.com

        ProxyRequests Off

        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/credential/server.crt
        SSLCertificateKeyFile /etc/apache2/credential/server.key
        SSLCACertificateFile /etc/apache2/credential/ca.crt

        ProxyPass / https://{IS_Server_Host_Name}:{IS_Server_Port}/
        ProxyPassReverse / https://{IS_Server_Host_Name}:{IS_Server_Port}/
    </VirtualHost>

    # Virtual host for the second service provider group (SP4/SP5).
    # Same WSO2IS backend, but the cookie is scoped to bar.com.
    <VirtualHost *:443>
        ServerAdmin techops@wso2.com
        ServerName bar.com
        ServerAlias bar.com

        ProxyRequests Off

        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/credential/server.crt
        SSLCertificateKeyFile /etc/apache2/credential/server.key
        SSLCACertificateFile /etc/apache2/credential/ca.crt

        ProxyPass / https://{IS_Server_Host_Name}:{IS_Server_Port}/
        ProxyPassReverse / https://{IS_Server_Host_Name}:{IS_Server_Port}/
    </VirtualHost>

</IfModule>

Step 4. Configure the IDP URL in the service providers.

In one service provider group (SP1/SP2/SP3), configure the IDP URL as https://foo.com/

In the other service provider group (SP4/SP5), configure the IDP URL as https://bar.com/

Step 5. Now try logging in to the service provider group SP1/SP2/SP3 and verify SSO. Do the same for the other group.

You will see that SSO happens only within the SP1/SP2/SP3 group or within the SP4/SP5 group.
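To show why the two hostnames give two sessions, here is an added Python model (not code from the article or from WSO2) that applies browser-style cookie scoping from the standard library to the "commonauthid" cookie. The SP-to-hostname mapping, the session ids and the /commonauth and /samlsso paths are constructed assumptions for the illustration.

```python
# Added model of why two proxy hostnames give two WSO2IS SSO sessions: the
# standard-library cookie jar applies browser-style host scoping to cookies.
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed mapping: the proxy hostname each SP's IDP URL points at (Step 4).
SP_IDP_HOST = {
    "SP1": "foo.com", "SP2": "foo.com", "SP3": "foo.com",
    "SP4": "bar.com", "SP5": "bar.com",
}

class _FakeResponse:
    """Minimal stand-in for an HTTP response carrying a Set-Cookie header."""
    def __init__(self, set_cookie):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg

def login_via(jar, idp_host, session_id):
    """Simulate WSO2IS (reached via the proxy at idp_host) answering a login by
    setting commonauthid. No Domain attribute is set, so the browser scopes the
    cookie to the exact hostname the request went to."""
    req = urllib.request.Request(f"https://{idp_host}/commonauth")  # assumed path
    resp = _FakeResponse(f"commonauthid={session_id}; Path=/; Secure; HttpOnly")
    jar.extract_cookies(resp, req)

def sso_session_for(jar, sp):
    """Return the commonauthid the browser would send when `sp` redirects the
    user to its configured IDP hostname, or None if a fresh login is needed."""
    req = urllib.request.Request(f"https://{SP_IDP_HOST[sp]}/samlsso")  # assumed path
    jar.add_cookie_header(req)
    for part in req.get_header("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "commonauthid":
            return value
    return None

def demo():
    """Log in through SP1 (foo.com group), then through SP4 (bar.com group);
    return the session each SP would reuse after each step."""
    jar = http.cookiejar.CookieJar()
    login_via(jar, "foo.com", "sess-A")
    after_first = {sp: sso_session_for(jar, sp) for sp in SP_IDP_HOST}
    login_via(jar, "bar.com", "sess-B")
    after_second = {sp: sso_session_for(jar, sp) for sp in SP_IDP_HOST}
    return after_first, after_second
```

After the first login only SP1/SP2/SP3 see a session; after the second, both groups hold their own independent session in the same browser.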


Topics:
security, xacml, authentication

Published at DZone with permission of Asela Pathberiya, DZone MVB. See the original article here.
