Sample WS-Federation web app

By following this guide, you will be able to deploy a WS-Federation-based web application and enable login for it using the Passive Security Token Service (Passive STS) of Asgardeo.

Info

Asgardeo uses its passive security token service (Passive STS) as its WS-Federation implementation. Passive STS is capable of issuing SAML 1.1 and 2.0 security tokens. To request a SAML 2.0 security token, the Request Security Token (RST) should be sent to the passive STS endpoint with the token type, SAMLV2.0. If no RST is specified, Asgardeo issued a SAML 1.1 token by default.

Prerequisites

• Download Apache Tomcat 8.x and install it. Tomcat server installation location will later be referred to as <TOMCAT_HOME> in this guide.

• It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify your machine's /etc/hosts entry to reflect this.

• Download the Passive STS Sample application from the latest release assets.

Deploy the sample app

To deploy the sample web app on a web container:

1. Copy the application's downloaded .war file into the webapps directory of the Tomcat folder.

2. Start the Tomcat server.

Configure sample properties

To configure additional properties for the sample application:

1. Add the following configurations to the web.xml file in <TOMCAT_HOME>/apache-tomcat-<version>/webapps/PassiveSTSSampleApp/WEB-INF.

   • Specify Asgardeo Passive STS URL as idpUrl.

     <init-param>
             <param-name>idpUrl</param-name>
             <param-value>https://api.asgardeo.io/t/<organization_name>/passivests</param-value>
     </init-param> 
     

   • Specify the replyURL as the URL of the web app.

     <init-param>
             <param-name>replyUrl</param-name>
             <param-value>http://localhost:8080/PassiveSTSSampleApp/index.jsp</param-value>
     </init-param>
     

   • Specify the realm as a unique identifier for the web app.

     <init-param>
             <param-name>realm</param-name>
             <param-value>PassiveSTSSampleApp</param-value>
     </init-param> 
     

2. Restart the tomcat server.

Configure the application in Asgardeo

1. On the Asgardeo Console, go to Applications.

2. Click New Application and select Standard-Based Application.

3. Enter the following details:

   

   Name	An unique name to identify your application. e.g.:PassiveSTSSampleApp
   Protocol	WS-Federation.
   Realm	An unique identifier for the web app. Provide the same realm name given to the web app you are configuring WS-Federation for. e.g.:PassiveSTSSampleApp
   Reply URL	URL of the web app you are configuring WS-Federation for. This endpoint URL will handle the token response. http://localhost:8080/PassiveSTSSampleApp/index.jsp

4. Click Register to complete the registration.

5. Go to the Protocol section of the application, configure the following and click Update to save the changes.

   Reply Logout URL

   This endpoint in your application handles the logout response from Asgardeo. http://localhost:8080/PassiveSTSSampleApp/index.jsp

6. Go to the User Attributes tab and click Add User Attribute, and add the following attributes:

   • http://wso2.org/claims/username
   • http://wso2.org/claims/emailaddress

7. Select http://wso2.org/claims/emailaddress as the Subject attribute.

8. Click Update to save your configurations.

Try it out

Info

When redirecting your users to Asgardeo Passive STS endpoint, the following (optional) parameters are sent in the request from the sample application.

• wa=wsignin1.0: specifies whether Asgardeo should issue a token for the relying party (this is the default action).
• wa=wsignout1.0: specifies whether Asgardeo should log the user out.
• wreply={replyUrl}: specifies where the response should be sent.

Using a Network tracer such as a SAML tracer is recommended to analyze the HTTP request and responses in this scenario. With a tracer, you will be able to view the parameters mentioned above and also see the SAML token that is issued from Asgardeo.

1. Access one of the following links on your browser and click Login.

   • To get a SAML 1.1 token: http://localhost:8080/PassiveSTSSampleApp/index.jsp
   • To get a SAML 2.0 token: http://localhost:8080/PassiveSTSSampleApp?samlv=2-0

2. Login using your credentials.

3. Provide the required consent. You will be redirected to the Asgardeo WS-Federation Service and then redirected back to the configured replyUrl.

You will see the WS-Federation response with the requested claims on the screen.