1

How to integrate WSO2 am 1.10.0 with PingFederate SAML 2.0? Any instructions?

From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.

Any help is appreciated.

*** UPDATE:

I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the majority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even if I have logged into applications and subscriptions and can create applications from /store UI.

J D

2 Answers

1

I can confirm that this can be done without adding a separate WSO2 IS server into the picture. I fixed several issues (cannot generate keys, cannot publish APIs, etc.). What I did to fix them was to: 1) add the admin user inside APIKeyValidator in api-manager.xml, also into the admin user via the management console and into user-mgt.xml; 2) inside api-manager.xml:

Change the following:

https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/

to: https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/

The reason is that my server certificate only recorded the domain name, not the IP address.

The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."

Community
J D
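The hostname mismatch behind the URL change in the answer above, as an added example that is not part of the original answer or of WSO2's code: a TLS client accepts a service URL only if the host in it appears in the server certificate. The certificate dict, `apim.example.com` and `10.0.0.5` are constructed placeholders, and the CN fallback is an assumption about how some clients behave.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert():
# the certificate names only a DNS host, no IP address.
SAMPLE_CERT = {
    "subject": ((("commonName", "apim.example.com"),),),
    "subjectAltName": (("DNS", "apim.example.com"),),
}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def cert_covers_host(cert, host):
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # IP literals match only "IP Address" SAN entries, never DNS names.
        want = ipaddress.ip_address(host)
        return any(kind == "IP Address" and _is_ip(value)
                   and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:
        # Assumption: some clients fall back to the CN when no DNS SAN exists.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, host) for p in names)

def service_url_verifies(url, cert):
    host = urlsplit(url).hostname
    return host is not None and cert_covers_host(cert, host)

if __name__ == "__main__":
    # Resolved forms of the two URL templates from the answer (placeholders).
    for url in ("https://10.0.0.5:9443/services/",
                "https://apim.example.com:9443/services/"):
        print(url, "->", "ok" if service_url_verifies(url, SAMPLE_CERT) else "mismatch")
```
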
0

Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.

Refer to [2] for configuring the SAML SSO federated authenticator in general.

[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider

[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO

farasath
  • Thanks. I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 and just assume WSO2 IS as PingIdentity. For the majority part it's working, but I cannot generate a key when subscribing to an API. It says invalid credentials even if I have logged into applications and subscriptions and can create applications in /store UI. – J D Jul 07 '16 at 20:45
  • Also I try NOT to add wso2 Identity Server unless it's necessary. Your docs are all from IS side, but what I wanted is to integrate saml2 with wso AM product, preferably without IS. Thanks for your reply anyway. – J D Jul 07 '16 at 20:50
  • You can achieve the above without a WSO2 IS at all. All WSO2 products have a common Carbon Server on top of which we install features and call them by different names. So you can basically install the identity features on APIM and get your use case done without running a separate IS. :) – farasath Jul 09 '16 at 11:00