Menus

Friday, December 4, 2015

Enable Tenant Dropdown in Single Sign On (SSO) loginpages - WSO2 Identity Server (5.1.0)

When you have multiple tenants in the same Identity Server instance, it is hard to remember which domain you should use with username, to login. When you use Single Sign On to login you will be redirected to the SSO login page. Since SP1 of WSO2 Identity Server 5.0.0 new feature was introduced to help users to select the tenant domain easily from a dropdown in the SSO login page. This feature is not default. In this post you will be able to enable this feature in IS - 5.1.0. Method is almost same in IS - 5.0.0 SP1. For demonstration we will use the IS dasboard at https://localhost:9443/dasboard. Go to this link, you will be redirected to SSO login page.


Here you can enter the username as username+@+tenantdoamin, and login.

We are going to load the tenants into a dropdown and give the ability of select the domain from the dropdown. After this you will not need to enter the tenantdomain. Just the username will be enough.

Procedure :
  1. Open the file at path {IS_Product_Home}/repository/conf/identity/EndpointConfig.properties. Set tenantListEnabled=true.

  2. Open the file at path {IS_Product_Home}/repository/conf/identity/application-authentication.xml.  Add following before </ApplicationAuthentication> element. 

  3. <TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>
       <TenantDataListenerURLs>
            <TenantDataListenerURL>/authenticationendpoint/tenantlistrefresher.do</TenantDataListenerURL>
       </TenantDataListenerURLs>


  4. Open the file at path {IS_Product_Home}/repository/conf/tomcat/catalina-server.xml. Set clientAuth = "want", in the Connector for port : 9443 (what ever the port used by identity server management console)
If you are using IS 5.0.0 you will have to add following to the file at {IS_Product_Home}/repository/conf/security/authenticators.xml.

<Authenticator name="MutualSSLAuthenticator" disabled="false">
  <Priority>5</Priority>
  <Config>
      <Parameter name="UsernameHeader">UserName</Parameter>
      <Parameter name="WhiteListEnabled">false</Parameter>
      <Parameter name="WhiteList"/>
  </Config>
</Authenticator>

This should be set default in IS 5.1.0. However better to check this also. 

After setting all these start the IS server and go to the dashboard at https://localhost:9443/dasboard.
You will redirected to SSO loginpage with tenant dropdown. 


Select the tenant domain from the dropdown. Now you can login just by typing the username (don't have to append domain name) and password.

5 comments:

  1. Hi Hareendra,

    I am using identity server 5.1 and followed the same configuration as above but still am not able to see tenant dropdown list on the login page



    ReplyDelete
    Replies
    1. Hi Amzad,
      Do you get any error log at the back end. I can help you to solve this. Please provide the error stack, if there is an error log.

      Delete
    2. Hi Ramzad,
      Please check whether you correctly done the second (2nd) step in procedure. You have to add the suggested phrase just before the tag. Note that this is the end of "ApplicationAuthentication" element. Not the start. This is the END of the application-authentication.xml. Normally the suggested phrase is there commented. Uncommenting it should work.

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Hi Amzad,

    I am getting the dropdown and only value i can see is super tenant.
    while fetching the tenants configured getting SSLHandshake exception.

    ERROR {org.wso2.carbon.identity.application.authentication.endpoint.util.MutualSSLClient} - Calling url : https://test.domain.com:9443/services/TenantMgtAdminService/retrieveTenantsfailed.
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching test.domain.com found
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

    Could you please suggest me.

    Thanks in advance.

    ReplyDelete