Hi,

When integrating Google Apps with Identity Server, it is required to have the
same user set on both sides. But the authentication credentials are
maintained only at Identity Server.

In the standalone Identity Server, the default key pair is used for signing
SAML2 assertions. So you can extract the default public key (which has the
alias 'wso2carbon') from the wso2carbon.jks (which is available in
${IS_HOME}/resources/security) using the keytool. Or else, you can save it
from the browser when you are accessing the IS management console.

For Cloud Identity Server, a slightly different approach is used for signing
the assertions. For each and every tenant, a separate key pair is generated
and it will be used to sign the assertions. You can download this public key
from the SAML-SSO configurations page. It is generated when the first RP
service provider is added.

Hope this helps.

Thanks,
Thilina
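The keytool step in Thilina's reply, written out as an added example (not part of the thread and not WSO2's own tooling): it exports the 'wso2carbon' signing certificate from wso2carbon.jks as PEM for upload to Google Apps and prints its fingerprint so it can be compared with the certificate the browser shows for the management console. It assumes IS_HOME is set, the keystore password is the WSO2 default "wso2carbon" (override with KEYSTORE_PASS), and keytool and openssl are on PATH.

```shell
#!/bin/sh
# Added example: export the Identity Server SAML2 signing certificate from
# wso2carbon.jks and show the fingerprint an admin should check before
# trusting it on the Google Apps side.
# Assumptions: keystore password defaults to "wso2carbon" (WSO2 default,
# not stated in the thread); keytool and openssl are installed.
set -eu

export_idp_cert() {
    # $1 = keystore path, $2 = key alias, $3 = output PEM file
    ks="$1"; key_alias="$2"; out="$3"
    pass="${KEYSTORE_PASS:-wso2carbon}"
    # -rfc writes the certificate in PEM (Base64) form, which is the
    # format Google Apps accepts for the IdP public key upload.
    keytool -exportcert -rfc -keystore "$ks" -alias "$key_alias" \
        -storepass "$pass" -file "$out" >/dev/null
    # Sanity check: refuse to hand over a file that is not a parseable
    # X.509 certificate (e.g. wrong alias or password produced junk).
    openssl x509 -in "$out" -noout >/dev/null
}

cert_fingerprint() {
    # SHA-1 fingerprint of a PEM certificate, colon-separated hex only.
    # Compare this against the fingerprint the browser reports for the
    # IS management console before uploading the file to Google Apps.
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

cert_subject() {
    # Subject DN of the exported certificate, for a quick eyeball check.
    openssl x509 -in "$1" -noout -subject
}

# Usage with the default keystore location mentioned in the thread:
#   export_idp_cert "${IS_HOME}/resources/security/wso2carbon.jks" wso2carbon idp.pem
#   cert_subject idp.pem
#   cert_fingerprint idp.pem
```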


2010/6/17 Víctor Álvarez <spa...@gmail.com>

> I've noticed I'm missing a step compared with the Cloud Identity Server
> SSO with Google Apps:
> http://wso2.org/library/articles/integrate-google-apps-wso2-cloud-identity
>
> I'm not importing the public key certificate, but I can't find the User
> Management menu on my local Identity Server.
>
> How can I generate this public key .cert?
>
> Thanks
>
> 2010/6/17 Víctor Álvarez <spa...@gmail.com>
>
> Hello again,
>>
>> I've configured Identity Server to work against a local LDAP, and it seems
>> to work, as I can see the LDAP users on the Identity Server.
>>
>> Now I'm trying to configure SAML2.0 SSO with Google Apps as described on
>> Thilina's blog:
>> http://blog.thilinamb.com/2010/04/saml-20-based-single-sign-on-with-wso2.html
>>
>> I've configured Google Apps and Identity Server, but now when I try with a
>> non-admin user to go to http://docs.google.com/a/midomain.com it
>> correctly redirects to my local Identity Server.
>> But there, I can't log in with any user.
>>
>> The user to log in... I understand it should be an LDAP user?
>> Or may it be a Google Apps user?
>>
>> I've tested both cases and can't log in.
>>
>> Any ideas?
>>
>> 2010/6/14 Víctor Álvarez <spa...@gmail.com>
>>
>> Lots of thanks for your help.
>>>
>>> Waiting for the new release then!
>>>
>>>
>>> On Sun, Jun 13, 2010 at 7:03 AM, Thilina Mahesh Buddhika <
>>> thili...@wso2.com> wrote:
>>>
>>>> In Identity Server 3.0.0 release, we started supporting SAML 2.0 based
>>>> SSO identity provider feature. But we did not include SAML 2.0 consumer
>>>> feature which enables other Carbon products acting as SAML 2.0 based SSO
>>>> relying parties.
>>>>
>>>> Currently, we are working on SAML 2.0 consumer components, and this
>>>> feature will be available in our next release. With this feature, it will
>>>> be possible to achieve single sign-on across all our products. In 2-3
>>>> weeks' time, the implementation will be completed, and you can try this
>>>> in a nightly build taken from our trunk.
>>>>
>>>> But still, pointing to the same user-store will allow you to support
>>>> unified login, where all the user information is maintained at a single
>>>> point.
>>>>
>>>> WSO2 Identity Server currently supports 2-legged and 3-legged OAuth.
>>>> Also the Gadget Server supports OAuth based authentication for gadgets. So
>>>> the 2-legged OAuth support of Identity Server can be used to authenticate
>>>> gadgets hosted in Gadget Server. We are currently testing
>>>> the interoperability between these two entities.
>>>>
>>>> We will update you with the progress of these tasks.
>>>>
>>>> Thanks,
>>>> Thilina
>>>>
>>>> On Sun, Jun 13, 2010 at 9:01 AM, Sanjiva Weerawarana 
>>>> <sanj...@wso2.com>wrote:
>>>>
>>>>> I think the problem is that we are still not supporting SAML 2.0 in
>>>>> the Gadget Server. Once that's done, the single login should propagate.
>>>>> There was a thread on this a while ago but I can't remember the details!
>>>>> Maybe Thilina or Prabath can explain the situation and plans to fix it
>>>>> properly (including supporting 2-legged OAuth in GS).
>>>>>
>>>>> Sanjiva.
>>>>>
>>>>> 2010/6/12 Víctor Álvarez <spa...@gmail.com>
>>>>>
>>>>> Thanks Thilina!
>>>>>>
>>>>>> But if I connect Gadget Server with the LDAP directly I wouldn't have
>>>>>> Single Sign On for the Gadget Server, so users may have to log in
>>>>>> again, if they already have a logged session on Identity Server.
>>>>>> Is there another way to enable Single Sign On?
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>>
>>>>>> On Sat, Jun 12, 2010 at 5:44 AM, Thilina Mahesh Buddhika <
>>>>>> thili...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Victor,
>>>>>>>
>>>>>>> This user guide [1] explains the necessary steps to configure
>>>>>>> Identity Server to use an external user store like LDAP. This user
>>>>>>> guide is applicable for Carbon 3.0.0 based products, like Identity
>>>>>>> Server 3.0.0, Gadget Server 1.1.0, etc.
>>>>>>>
>>>>>>> For step 2, you can configure the Gadget Server to talk to the same
>>>>>>> LDAP which is used by the Identity Server. (You can follow the same
>>>>>>> steps as in [1].)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Thilina
>>>>>>>
>>>>>>> [1] -
>>>>>>> http://wso2.org/project/solutions/identity/3.0.0/docs/user-core/admin_guide.html
>>>>>>>
>>>>>>>
>>>>>>> 2010/6/11 Víctor Álvarez <spa...@gmail.com>
>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm developing a project where I should be able to integrate a wso2
>>>>>>>> Gadget Server with Google Apps and an external User Store based on
>>>>>>>> LDAP...
>>>>>>>>
>>>>>>>> I need the integration piece, and wso2 Identity Server seems a good
>>>>>>>> choice.
>>>>>>>>
>>>>>>>> I planned to do these steps:
>>>>>>>>
>>>>>>>> 1 - Google Apps through Identity Server
>>>>>>>>
>>>>>>>> In order to provide Single Sign On, Identity Server seems to be
>>>>>>>> easily configured as a User Store through SAML 2.0 as described at:
>>>>>>>>
>>>>>>>> http://blog.thilinamb.com/2010/04/saml-20-based-single-sign-on-with-wso2.html
>>>>>>>>
>>>>>>>> 2 - Gadget Server through Identity Server
>>>>>>>> I think it's possible, but I can't find any documentation about
>>>>>>>> the integration.
>>>>>>>>
>>>>>>>> Identity Server can act like an LDAP, can't it? How to configure it then?
>>>>>>>>
>>>>>>>> Then I would provide Gadget Server with an external LDAP user store
>>>>>>>> pointing to Identity Server.
>>>>>>>>
>>>>>>>> 3 - Identity Server with LDAP external user store.
>>>>>>>>
>>>>>>>> Identity Server can be configured against an LDAP server via User
>>>>>>>> Management Configuration, but I can't find this option in the menu!!!
>>>>>>>> I already found a configuration XML for User Management
>>>>>>>>
>>>>>>>> [[Configuration Documentation |
>>>>>>>> http://wso2.org/project/solutions/identity/3.0.0/docs/user-core/admin_guide.html]]
>>>>>>>>         <!-- UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
>>>>>>>>             <Property name="ConnectionURL">ldap://localhost:10389</Property>
>>>>>>>>             <Property name="ConnectionName">uid=admin,ou=system</Property>
>>>>>>>>             <Property name="ConnectionPassword">admin123</Property>
>>>>>>>>             <Property name="UserSearchBase">ou=system</Property>
>>>>>>>>             <Property name="UserNameListFilter">(objectClass=person)</Property>
>>>>>>>>             <Property name="UserNameAttribute">uid</Property>
>>>>>>>>             <Property name="ReadLDAPGroups">false</Property>
>>>>>>>>             <Property name="GroupSearchBase">ou=system</Property>
>>>>>>>>             <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
>>>>>>>>             <Property name="GroupNameAttribute">cn</Property>
>>>>>>>>             <Property name="MembershipAttribute">member</Property>
>>>>>>>>         </UserStoreManager -->
>>>>>>>>         <!-- Active directory configuration follows -->
>>>>>>>>         <!-- UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
>>>>>>>>             <Property name="ConnectionURL">ldap://10.100.1.211:389</Property>
>>>>>>>>             <Property name="ConnectionName">cn=Administrator,cn=users,dc=wso2,dc=lk</Property>
>>>>>>>>             <Property name="ConnectionPassword">admin123</Property>
>>>>>>>>             <Property name="UserSearchBase">cn=users,dc=wso2,dc=lk</Property>
>>>>>>>>             <Property name="UserNameListFilter">(objectClass=person)</Property>
>>>>>>>>             <Property name="UserNameAttribute">sAMAccountName</Property>
>>>>>>>>             <Property name="ReadLDAPGroups">true</Property>
>>>>>>>>             <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
>>>>>>>>             <Property name="GroupSearchFilter">(objectcategory=group)</Property>
>>>>>>>>             <Property name="GroupNameAttribute">cn</Property>
>>>>>>>>             <Property name="MemberOfAttribute">memberOf</Property>
>>>>>>>>         </UserStoreManager -->
>>>>>>>>
>>>>>>>> Then it should be "easy" to configure an LDAP server with these params.
>>>>>>>>
>>>>>>>> Did any of you make something similar?
>>>>>>>>
>>>>>>>> Am I on the right track for the solution?
>>>>>>>>
>>>>>>>> Can anyone help me on Step 2?
>>>>>>>>
>>>>>>>>
>>>>>>>> Lots of thanks to all!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Víctor Álvarez
>>>>>>>> Incoming IT www.incomingIT.com
>>>>>>>> www.twitter.com/incomingIT
>>>>>>>> Escribiendo en y sobre Accesibilidad Web:
>>>>>>>> http://accesibilidad.blogspot.com
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Carbon-dev mailing list
>>>>>>>> Carbon-dev@wso2.org
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thilina Mahesh Buddhika
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc. ; http://wso2.com
>>>>>>> lean . enterprise . middleware
>>>>>>>
>>>>>>> phone : +94 77 44 88 727
>>>>>>> blog : http://blog.thilinamb.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Víctor Álvarez
>>>>>> Incoming IT www.incomingIT.com
>>>>>> www.twitter.com/incomingIT
>>>>>> Escribiendo en y sobre Accesibilidad Web:
>>>>>> http://accesibilidad.blogspot.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Sanjiva Weerawarana, Ph.D.
>>>>> Founder, Chairman & CEO; WSO2, Inc.;  http://wso2.com/
>>>>> email: sanj...@wso2.com; phone: +1 408 754 7388 x51726; cell: +94 77
>>>>> 787 6880 | +1 650 265 8311
>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>
>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Thilina Mahesh Buddhika
>>>> Senior Software Engineer
>>>> WSO2 Inc. ; http://wso2.com
>>>> lean . enterprise . middleware
>>>>
>>>> phone : +94 77 44 88 727
>>>> blog : http://blog.thilinamb.com
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Víctor Álvarez
>>> Incoming IT www.incomingIT.com
>>> www.twitter.com/incomingIT
>>> Escribiendo en y sobre Accesibilidad Web:
>>> http://accesibilidad.blogspot.com
>>>
>>>
>>>
>>
>>
>> --
>> Víctor Álvarez
>> Incoming IT www.incomingIT.com
>> www.twitter.com/incomingIT
>> Escribiendo en y sobre Accesibilidad Web:
>> http://accesibilidad.blogspot.com
>>
>>
>>
>
>
> --
> Víctor Álvarez
> Incoming IT www.incomingIT.com
> www.twitter.com/incomingIT
> Escribiendo en y sobre Accesibilidad Web:
> http://accesibilidad.blogspot.com
>
>
>
>
>


-- 
Thilina Mahesh Buddhika
Senior Software Engineer
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware

phone : +94 77 44 88 727
blog : http://blog.thilinamb.com