Friday, August 14, 2015

Accessing a single WSO2 Identity Server instance with different domain names

A quick note on the $subject :)

Use case:

FooSP reaches IS through proxy1.com (the first GET is the sample SP page, the rest are IS endpoints behind the proxy):

GET http://localhost:8080/travelocity.com/index.jsp
GET https://proxy1.com/samlsso
GET https://proxy1.com/commonauth
GET https://proxy1.com/authenticationendpoint/login.do

BarSP reaches IS through proxy2.com:

GET http://localhost:8080/travelocity.com/index.jsp
GET https://proxy2.com/samlsso
GET https://proxy2.com/commonauth
GET https://proxy2.com/authenticationendpoint/login.do

This can be achieved simply with two virtual hosts on a reverse proxy, each forwarding to the same IS instance.

A simple Apache HTTP Server config (mod_proxy and mod_ssl, not ApacheDS, which is an LDAP server) that does this is:

<IfModule mod_proxy.c>
<VirtualHost *:443>
 ServerAdmin techops@wso2.com
 ServerName proxy1.com
 # ServerAlias is redundant when it repeats ServerName; it is meant for extra names.
 ServerAlias proxy1.com

 # Reverse proxy only: never enable ProxyRequests on an internet-facing host,
 # or you have an open forward proxy.
 ProxyRequests Off

 SSLEngine On
 # Required because the backend listens on https (9443).
 SSLProxyEngine On
 # Both virtual hosts share one certificate, so it must be valid for proxy1.com
 # and proxy2.com (SubjectAltName), otherwise clients get a name mismatch.
 SSLCertificateFile /etc/apache2/credential/server.crt
 SSLCertificateKeyFile /etc/apache2/credential/server.key
 SSLCACertificateFile /etc/apache2/credential/ca.crt

 # The backend certificate is not verified here (SSLProxyVerify defaults to none);
 # in production set SSLProxyVerify require and SSLProxyCACertificateFile.
 ProxyPass / https://localhost:9443/
 ProxyPassReverse / https://localhost:9443/

</VirtualHost>

# Identical to the first host apart from the name; SNI selects the host by ServerName.
<VirtualHost *:443>
 ServerAdmin techops@wso2.com
 ServerName proxy2.com
 ServerAlias proxy2.com

 ProxyRequests Off

 SSLEngine On
 SSLProxyEngine On
 SSLCertificateFile /etc/apache2/credential/server.crt
 SSLCertificateKeyFile /etc/apache2/credential/server.key
 SSLCACertificateFile /etc/apache2/credential/ca.crt

 ProxyPass / https://localhost:9443/
 ProxyPassReverse / https://localhost:9443/

</VirtualHost>
</IfModule>

Please note that the above config does not include load balancing; both virtual hosts forward to the single IS instance at localhost:9443.

Problems with allowing access through different domain names:
  • SAML SSO Destination validation fails when request signature validation is enabled, because IS compares the Destination attribute of the AuthnRequest with the single value of <IdentityProviderURL> in identity.xml. There is no way to define multiple values, so requests arriving via the host name that is not configured there are rejected.
  • If IS federates to an external IdP, the redirect URLs carry the same response (callback) URL for both SPs, because that URL is built from the HostName defined in carbon.xml. We cannot return "https://proxy1.com/commonauth" for one SP and "https://proxy2.com/commonauth" for the other.
  • If the Management Console should also be reachable under different domains, there is no way for the Resident IdP UI to display different URLs per domain.
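The first problem above is a Destination check with a single configured value. The following added example (not from the original post, and not WSO2 Identity Server code) models that check in Python: single_value_check() mirrors the one-value behaviour the post describes for <IdentityProviderURL>, and allow_list_check() is the variant a practitioner would want when one instance is legitimately reachable under several endpoint URLs. All function names and the sample AuthnRequest are constructed for this example; only the proxy host names and the sample SP path come from the post.

```python
# Added example, not code from the original post or from WSO2 Identity Server.
# Models the SAML 2.0 Destination check described in the post: a single
# configured IdP URL rejects requests that reached the same instance through
# another host name; an allow list of endpoint URLs accepts all of them.
# Function names and the sample AuthnRequest below are constructed for this example.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def make_authn_request(destination, issuer="travelocity.com"):
    """Build a constructed, unsigned AuthnRequest like the one the sample SP sends.
    destination=None omits the attribute, to exercise the failure path."""
    dest_attr = f' Destination="{destination}"' if destination else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_req1" Version="2.0" IssueInstant="2015-08-14T00:00:00Z"{dest_attr} '
        f'AssertionConsumerServiceURL="http://localhost:8080/travelocity.com/home.jsp">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def destination_of(authn_request_xml):
    """Return the Destination attribute, or None when it is absent or the root
    element is not a samlp:AuthnRequest. A real deployment should parse untrusted
    SAML with a hardened parser (e.g. defusedxml); the stdlib parser keeps this
    example dependency-free."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return None
    return root.get("Destination")


def single_value_check(authn_request_xml, identity_provider_url):
    """One configured IdP URL, exact match: a request that arrived through any
    other host name is rejected even though it reached the same instance."""
    dest = destination_of(authn_request_xml)
    return dest is not None and dest == identity_provider_url


def allow_list_check(authn_request_xml, accepted_endpoint_urls):
    """Accept any endpoint URL this instance is legitimately exposed on.
    The comparison is exact on purpose: prefix or substring matching would let
    https://proxy1.com.attacker.example/samlsso through."""
    dest = destination_of(authn_request_xml)
    if dest is None:
        return False  # a signed request must name the endpoint it was sent to
    return dest in set(accepted_endpoint_urls)


if __name__ == "__main__":
    accepted = ["https://proxy1.com/samlsso", "https://proxy2.com/samlsso"]
    for host in ("proxy1.com", "proxy2.com"):
        req = make_authn_request(f"https://{host}/samlsso")
        print(host, "single:", single_value_check(req, accepted[0]),
              "allow-list:", allow_list_check(req, accepted))
```

Run as a script it shows proxy2.com failing the single-value check and passing the allow-list check. The allow list is the exact set of endpoint URLs the proxies expose, nothing looser: host or prefix matching would reopen the check to look-alike names.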