0
votes

I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on 2 different servers.

I also configured a Service Provider in the IS using a SAML SSO Inbound Authenticator and tested it with the travelocity.com sample app. The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns an HTTP Status 405 - HTTP method GET is not supported by this URL.

Changing the URL to https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff] leads to successful authentication.

Basically I want to be redirected to the wso2am login page and not the wso2is login page. In this way, I could deploy only WSO2AM in the DMZ, leaving WSO2IS in the internal network.

How can I do this? Thanks

1 Answer

0
votes

In this scenario I think your authentication request must be directed to the IS server, not APIM. The IS server is the one that does the authentication. Hence it acts as the IDP. APIM is just a service provider (SP). Even if you succeeded (even though it's not the correct behaviour) in sending a SAML request to the https://wso2am.com:9443/samlsso endpoint, it would redirect you to the login page on the IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication and for the correct behavior.
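
To see where a given redirect is actually addressed, the following added example (not part of the original answer or of WSO2's code) decodes the `SAMLRequest` query parameter and compares both the URL it was sent to and the request's `Destination` attribute with the IdP's SSO endpoint. It assumes the standard SAML HTTP-Redirect binding encoding (base64 over raw DEFLATE); the function names, the size cap and the sample request built by `build_sample` are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated size; value chosen for this example


def decode_redirect_request(url):
    """Decode the SAMLRequest of an HTTP-Redirect URL: URL-decode, base64, raw DEFLATE."""
    parts = urlsplit(url)
    raw = base64.b64decode(parse_qs(parts.query)["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)  # -15 = raw DEFLATE stream, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail or b"<!DOCTYPE" in xml:
        raise ValueError("oversized request or DTD present; refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {
        "sent_to": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }


def check_target(url, idp_sso_url):
    """List the ways this request misses the IdP's SSO endpoint (empty list = fine)."""
    info = decode_redirect_request(url)
    problems = []
    if info["sent_to"] != idp_sso_url:
        problems.append(f"sent to {info['sent_to']}, not the IdP endpoint")
    if info["destination"] and info["destination"] != idp_sso_url:
        problems.append(f"Destination is {info['destination']}, not the IdP endpoint")
    return problems


def build_sample(endpoint, destination):
    """Constructed AuthnRequest for the demo; ID, timestamp and ACS URL are made up."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z" '
           f'Destination="{destination}" AssertionConsumerServiceURL="http://sp.example/acs">'
           f'<saml:Issuer>travelocity.com</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return endpoint + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
```

Calling `check_target(url, "https://wso2is.com:9443/samlsso")` on a URL copied from the browser returns an empty list when the request goes to the IS endpoint, and one entry per mismatch otherwise.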