Friday, December 13, 2013

Enabling SAML SSO for web apps hosted in WSO2 Application Server via a Tomcat Valve


When a user tries to access a web application hosted on WSO2 Application Server (AS), he should be authenticated by WSO2 Identity Server (IS) via SAML SSO, and his roles should be sent back in the SAML Response. The web application should then be able to read the authentication and authorization details from the request's UserPrincipal object (i.e. get the principal name and call isUserInRole).

Later, when the user tries to access another web app on the same AS server, he should be logged in automatically without being shown a login page.

I have created a sample to demonstrate this use case. We can set it up and run it by following the steps below.

Configuring the Application Server side

1. Download WSO2 Application Server 4.5.0 [1] and extract it (

2. Copy org.wso2.carbon.sample.tomcat.valve.samlsso-1.0.0.jar [bin][src] to wso2as-5.2.0/repository/components/lib

3. Copy org.wso2.carbon.identity.sso.agent-1.0.0.jar [bin][src] to wso2as-5.2.0/repository/components/lib

4. Modify wso2as-5.2.0/repository/conf/tomcat/catalina-server.xml by adding the following under the "Host" section:
<Valve className="org.wso2.carbon.sample.tomcat.valve.samlsso.SAMLSSOValve"/>

5. Copy foo-app.war [bin][src] and bar-app.war [bin][src] to wso2as-5.2.0/repository/deployment/server/webapps.

6. Open them in an archive manager and change the "saml2.config.file.path" context param in /WEB-INF/web.xml to point to the location of the properties file that contains the configurations. By default this file is located in the /WEB-INF/classes directory.

7. Also, in those same property files, change the value: KeyStore=[path to]/wso2as-5.2.0/repository/resources/security/wso2carbon.jks

8. Change the port "offset" to "1" in wso2as-5.2.0/repository/conf/carbon.xml.

9. Run the server by executing wso2as-5.2.0/bin/ if on a Unix-based system, or /bin/wso2carbon.bat if on Windows.
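A pre-flight check for steps 6 and 7, to run against each WAR before starting the server in step 9; this is an added example, not code from the original post or from WSO2. It assumes the properties file uses key=value lines and that a saml2.config.file.path value not found on disk refers to a file of the same name under WEB-INF/classes; sso.properties and the keystore paths passed to sample_war are constructed for the example.

```python
import io, os, pathlib, zipfile
import xml.etree.ElementTree as ET

PARAM = "saml2.config.file.path"  # context-param name from step 6

def config_path(war):
    """Value of the saml2.config.file.path context-param in web.xml, or None."""
    root = ET.fromstring(war.read("WEB-INF/web.xml"))
    for el in root.findall(".//{*}context-param"):  # any (or no) XML namespace
        if (el.findtext("{*}param-name") or "").strip() == PARAM:
            return (el.findtext("{*}param-value") or "").strip() or None
    return None

def load_properties(war, path):
    """Read key=value pairs from disk, else from WEB-INF/classes in the WAR."""
    inner = "WEB-INF/classes/" + os.path.basename(path)  # assumed fallback
    if os.path.isfile(path):
        text = pathlib.Path(path).read_text(encoding="utf-8")
    elif inner in war.namelist():
        text = war.read(inner).decode("utf-8")
    else:
        return None
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_war(war_file, exists=os.path.isfile):
    """Return problems found with steps 6 and 7 for one WAR (empty list = OK)."""
    with zipfile.ZipFile(war_file) as war:
        path = config_path(war)
        props = load_properties(war, path) if path else None
    if not path:
        return [f"web.xml has no {PARAM} context-param"]
    if props is None:
        return [f"properties file not found: {path}"]
    ks = props.get("KeyStore", "")  # key name from step 7
    if not ks or "[path to]" in ks:
        return ["KeyStore is unset or still the '[path to]' placeholder"]
    return [] if exists(ks) else [f"KeyStore file does not exist: {ks}"]

def sample_war(keystore, param=PARAM):
    """Constructed WAR for a dry run; sso.properties is a hypothetical name."""
    xml = ("<web-app xmlns='http://java.sun.com/xml/ns/javaee'><context-param>"
           f"<param-name>{param}</param-name><param-value>/WEB-INF/classes/"
           "sso.properties</param-value></context-param></web-app>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", xml)
        z.writestr("WEB-INF/classes/sso.properties", f"KeyStore={keystore}\n")
    return buf
```

For the deployed samples, call check_war on the path to foo-app.war and to bar-app.war; an empty list means the valve's configuration file and keystore can be located.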

Configuring the Identity Server

1. Download WSO2 Identity Server 4.5.0 [2] and extract it (

2. Run the server by executing wso2is-4.5.0/bin/ if on a Unix-based system, or /bin/wso2carbon.bat if on Windows.

3. On the home page, under Manage section, click "SAML SSO" and then click "Register New Service Provider".

4. Fill in the following details on the registration page:

* Issuer: foo-app
* Assertion Consumer URL: https://localhost:9444/foo-app/acs
* Select Enable Response Signing
* Select Enable Assertion Signing 
* Select Enable Single Logout
* Select Enable Attribute Profile 
* Add claim: "".
* Select Include Attributes in the Response Always

Finally click "Register".

5. bar-app should also be registered in the same manner. Just replace "bar" with "foo" in the above configurations.

Let's test this...

1. Access foo-app deployed in the AS via the web browser: https://localhost:9444/foo-app/

2. The browser is redirected to the IS login page. Enter "admin":"admin" (username:password) and click "Sign In".

3. The browser is redirected back to the web app; we have successfully authenticated via SAML SSO.

4. Now try to access https://localhost:9444/bar-app/. Although the browser is redirected to IS, the login page is not displayed because IS already has a session for this user.

The user is successfully authenticated to bar-app as well.



Dess Budi said...

Hi, I've been trying this sample using the latest wso2 products but still no luck. IS console said: invalid assertion consumer https://localhost:9444/foo-app/acs and I don't know why suddenly this acs URL comes up. There's no servlet in the foo-app.war that points to /acs.

nagiosExplorer said...

Nice post, and it worked.
However, when I used soapUI to embed saml response from wso2is to request my webapps, it re-directs me to login page. I suppose with valid saml assertion, I should get my apps. By reading your source code, did not find any place to retrieve valid saml assertion. Is there a way to do it?