Configuring JIT (Just In Time) provisioning with WSO2 Identity Server (v. 5.0.0)

Recent WSO2IS 5.0.0 release compromised authenticating users through many federated authenticators such as Google, Facebook, Yahoo, Windows live, etc. Here I'm going to explain how to configure Google authenticator to enable the users who has Google accounts to get authenticated to access their web applications via WSO2IS. Meanwhile I will explain how to configure JIT provisioning which allows to create user accounts automatically for the sign-on users in the Identity Server.

Prerequisites

 - Download the WSO2IS 5.0.0 from here. 

Step 1

- Since Google authenticator is going to use email as a claim, we need to Enable Email as a UserName attribute which is at {IS_home}/repository/conf/carbon.xml.

<EnableEmailUserName>true</EnableEmailUserName>  

- Start the WSO2IS server ({IS_home}/bin/wso2server.sh)

Step 2

In order to do allow user authenticating using Google authenticator you need to Register Google authenticator as a new IDP following below steps;

- Home > Identity > Identity Providers > Add

-  Fill the Basic information 

- Click on Claim Configuration tab and select “Use Local Claim Dialect" as claim mapping dialect. Also select email address as the User ID claim URI.

 - Then go to Federated Authenticators tab and select “Google Configuration” menu there. Enable the given options as shown in the below image.

- Then you can configure JIT provisioning to automatically create users in the specified User Store Domain as show in the below image.

- I have specified my secondary User Store (created in MySql database) from the domain list as I need to add users in to the secondary User Store.

 
 - Click on Register button.

Step 3

Next you need to register a service provider following the steps given below.

- Home > Identity > Service Providers > Add

- Give a Service provider name and a description then click on “Register” button. i.e. Service provider Name as travelocity.com.

- Then you will redirect to the registered Service Providers editable view.

- Tick on the Saas Application (Software as a Service) option given in the Basic information section and select the “Inbound Authentication Configuration” there. (So you can use the travelocity.com service provider from tenant domains as well.)

- Among the given options, select “SAML2 Web SSO Configuration” option and click on given “Configure” link.

- Then you will redirect to SSO configuration view.

- Fill the given fields accordingly.

  

Issuer - travelocity.com

Assertion Consumer URL - http://localhost:8080/travelocity.com/home.jsp

Tick on following options too;

- Use fully qualified username in the NameID

- Enable Response Signing

- Enable Assertion Signing

- Enable Single Logout

- Then click on “Local & Outbound Authentication Configuration” tab and select “Federated Authentication” as the Authentication type. Select the created IDP from the available drop down menu.

 

And then click on “Register” button.

Step 4

- Placed the travelocity.com.war file inside the webapp folder of the tomcat server and start the tomcat server (version 7. +). (Get the travelocity sample svn checkout from here.)

- Access the travelocity.com webapp using following link.

http://localhost:8080/travelocity.com/index.jsp

- Since we have configured our service provider for a SAML request, select the SAML option as shown in the given image.

- Then it will redirect you to Google sign in page as shown below.

 
















- Once you have entered valid Google credentials you will get authorized and get permitted to access the requested travelocity webapp. 

Step 5

- Once you have logged in to the travelocity web app, you can go back to your Identity server management console and follow the below link.

Home -> Configure -> Users and Roles -> Users

- then verify whether the Google sign-on user account has created in the selected User Store in the Identity server.