0
votes

When I create the service provider and add the Inbound Authentication Config -> SAML2 Web SSO Configuration via the Web UI of the Identity Server admin panel, everything works and I see the SAMLSSO provider in the expanded tab afterwards.

Now I am stuck creating the Service Provider and adding the SAMLSSO provider via the API.

I am using the following services to do the work:

IdentityApplicationManagementService?wsdl - for creating service provider.

IdentitySAMLSSOConfigService?wsdl - for creating SAMLSSO provider.

I send the following requests in this order:

First I create the SAMLSSO provider:

    POST /services/IdentitySAMLSSOConfigService.IdentitySAMLSSOConfigServiceHttpsSoap11Endpoint/ HTTP/1.1
    Host: test.com
    Connection: Keep-Alive
    User-Agent: PHP-SOAP/5.6.11-1ubuntu3.4
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "urn:addRPServiceProvider"
    Content-Length: 1228
    Authorization: Basic *****

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns1="http://dto.saml.sso.identity.carbon.wso2.org/xsd"
        xmlns:ns2="http://org.apache.axis2/xsd">
        <SOAP-ENV:Body>
            <ns2:addRPServiceProvider>
                <ns2:spDto>
                    <ns1:assertionConsumerUrl xsi:nil="true"/>
                    <ns1:assertionConsumerUrls>https://test.shib/Shibboleth.sso/SAML2/POST</ns1:assertionConsumerUrls>
                    <ns1:attributeConsumingServiceIndex xsi:nil="true"/>
                    <ns1:certAlias xsi:nil="true"/>
                    <ns1:defaultAssertionConsumerUrl>https://test.shib/Shibboleth.sso/SAML2/POST</ns1:defaultAssertionConsumerUrl>
                    <ns1:digestAlgorithmURI xsi:nil="true"/>
                    <ns1:idpInitSLOReturnToURLs xsi:nil="true"/>
                    <ns1:issuer>https://tesh.shib/shibboleth</ns1:issuer>
                    <ns1:loginPageURL xsi:nil="true"/>
                    <ns1:nameIDFormat xsi:nil="true"/>
                    <ns1:nameIdClaimUri xsi:nil="true"/>
                    <ns1:requestedAudiences xsi:nil="true"/>
                    <ns1:requestedClaims xsi:nil="true"/>
                    <ns1:requestedRecipients xsi:nil="true"/>
                    <ns1:signingAlgorithmURI xsi:nil="true"/>
                    <ns1:sloRequestURL xsi:nil="true"/>
                    <ns1:sloResponseURL xsi:nil="true"/>
                </ns2:spDto>
            </ns2:addRPServiceProvider>
        </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Then I create the Service Provider with the inbound authentication config set to the SAMLSSO provider, as mentioned here:

    POST /services/IdentityApplicationManagementService.IdentityApplicationManagementServiceHttpsSoap11Endpoint/ HTTP/1.1
    Host: test.com
    Connection: Keep-Alive
    User-Agent: PHP-SOAP/5.6.11-1ubuntu3.4
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "urn:createApplication"
    Content-Length: 1934
    Authorization: Basic ****

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:ns1="http://model.common.application.identity.carbon.wso2.org/xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ns2="http://org.apache.axis2/xsd">
        <SOAP-ENV:Body>
            <ns2:createApplication>
                <ns2:serviceProvider>
                    <ns1:applicationName>tect_com</ns1:applicationName>
                    <ns1:claimConfig xsi:nil="true"/>
                    <ns1:description>Test SP</ns1:description>
                    <ns1:inboundAuthenticationConfig>
                        <ns1:inboundAuthenticationRequestConfigs>
                            <ns1:friendlyName xsi:nil="true"/>
                            <ns1:inboundAuthKey>https://test.shib/shibboleth</ns1:inboundAuthKey>
                            <ns1:inboundAuthType>samlsso</ns1:inboundAuthType>
                            <ns1:properties xsi:nil="true"/>
                        </ns1:inboundAuthenticationRequestConfigs>
                        <ns1:inboundAuthenticationRequestConfigs>
                            <ns1:friendlyName xsi:nil="true"/>
                            <ns1:inboundAuthKey></ns1:inboundAuthKey>
                            <ns1:inboundAuthType>openid</ns1:inboundAuthType>
                            <ns1:properties xsi:nil="true"/>
                        </ns1:inboundAuthenticationRequestConfigs>
                        <ns1:inboundAuthenticationRequestConfigs>
                            <ns1:friendlyName xsi:nil="true"/>
                            <ns1:inboundAuthKey></ns1:inboundAuthKey>
                            <ns1:inboundAuthType>passivests</ns1:inboundAuthType>
                            <ns1:properties xsi:nil="true"/>
                        </ns1:inboundAuthenticationRequestConfigs>
                    </ns1:inboundAuthenticationConfig>
                    <ns1:inboundProvisioningConfig xsi:nil="true"/>
                    <ns1:localAndOutBoundAuthenticationConfig xsi:nil="true"/>
                    <ns1:outboundProvisioningConfig xsi:nil="true"/>
                    <ns1:owner>
                        <ns1:tenantDomain>user.com</ns1:tenantDomain>
                        <ns1:userName>user</ns1:userName>
                        <ns1:userStoreDomain xsi:nil="true"/>
                    </ns1:owner>
                    <ns1:permissionAndRoleConfig xsi:nil="true"/>
                    <ns1:requestPathAuthenticatorConfigs xsi:nil="true"/>
                    <ns1:saasApp>true</ns1:saasApp>
                    <ns1:spProperties xsi:nil="true"/>
                </ns2:serviceProvider>
            </ns2:createApplication>
        </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Both requests are accepted. I can see the Service Provider in the Web UI, but the SAML Web SSO Configuration section is empty.

If I try to authenticate with my new SP, everything works.

If I try to add the same SAML SSO config via the Web UI, it gives me an error that it already exists.

The SP_INBOUND_AUTH table stays empty when I create the SAMLSSO config using the API, but if I create the SAML configuration using the Web UI, I can see the record in the SP_INBOUND_AUTH table.

What am I missing?

1
What is the Identity Server version you are using? - pulasthi7

1 Answer

3
votes

When creating the Service Provider, it should be done in two steps.

  1. Create a service provider for the given application name and description (createApplication).
  2. Update it with the other configurations (updateApplication).

So in your case, createApplication should be invoked only with the application name and description. Then you have to invoke the updateApplication operation and configure its inbound authentication, etc.

[1] https://docs.wso2.com/display/IS510/Using+the+Service+Provider+API#UsingtheServiceProviderAPI-createApplication
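The two-step flow from the answer, as an added example (not WSO2's code and not the poster's): it builds the same SOAP envelopes as the question's requests, issues addRPServiceProvider, then createApplication with only the name and description, then updateApplication carrying the samlsso inbound config whose inboundAuthKey equals the registered issuer. The `post` transport and the `get_app_id` lookup are injected placeholders, and it is an assumption (not shown on the page) that updateApplication must carry the applicationID assigned at creation, which you would fetch with getApplication.

```python
from xml.sax.saxutils import escape as esc
import xml.etree.ElementTree as ET

APP_SVC = "/services/IdentityApplicationManagementService.IdentityApplicationManagementServiceHttpsSoap11Endpoint/"
SAML_SVC = "/services/IdentitySAMLSSOConfigService.IdentitySAMLSSOConfigServiceHttpsSoap11Endpoint/"
HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:xsd="http://org.apache.axis2/xsd"'
        ' xmlns:app="http://model.common.application.identity.carbon.wso2.org/xsd"'
        ' xmlns:saml="http://dto.saml.sso.identity.carbon.wso2.org/xsd"><soapenv:Body>')
TAIL = "</soapenv:Body></soapenv:Envelope>"

def add_rp_service_provider(issuer, acs_url):
    """Register the SAML issuer and ACS URL with IdentitySAMLSSOConfigService (as in the question)."""
    body = (f"<xsd:addRPServiceProvider><xsd:spDto><saml:issuer>{esc(issuer)}</saml:issuer>"
            f"<saml:assertionConsumerUrls>{esc(acs_url)}</saml:assertionConsumerUrls>"
            f"<saml:defaultAssertionConsumerUrl>{esc(acs_url)}</saml:defaultAssertionConsumerUrl>"
            "</xsd:spDto></xsd:addRPServiceProvider>")
    return SAML_SVC, "urn:addRPServiceProvider", HEAD + body + TAIL

def create_application(name, description):
    """Step 1: createApplication carries only applicationName and description, nothing else."""
    body = (f"<xsd:createApplication><xsd:serviceProvider><app:applicationName>{esc(name)}"
            f"</app:applicationName><app:description>{esc(description)}</app:description>"
            "</xsd:serviceProvider></xsd:createApplication>")
    return APP_SVC, "urn:createApplication", HEAD + body + TAIL

def update_application(app_id, name, issuer):
    """Step 2: updateApplication attaches the samlsso inbound config; inboundAuthKey must equal
    the issuer registered in addRPServiceProvider. applicationID is assumed required (see lead-in)."""
    body = (f"<xsd:updateApplication><xsd:serviceProvider><app:applicationID>{int(app_id)}"
            f"</app:applicationID><app:applicationName>{esc(name)}</app:applicationName>"
            "<app:inboundAuthenticationConfig><app:inboundAuthenticationRequestConfigs>"
            f"<app:inboundAuthKey>{esc(issuer)}</app:inboundAuthKey>"
            "<app:inboundAuthType>samlsso</app:inboundAuthType>"
            "</app:inboundAuthenticationRequestConfigs></app:inboundAuthenticationConfig>"
            "</xsd:serviceProvider></xsd:updateApplication>")
    return APP_SVC, "urn:updateApplication", HEAD + body + TAIL

def find_text(xml, local_name):
    """Text of the first element with this local name (namespace ignored), or None if absent."""
    return next((e.text for e in ET.fromstring(xml).iter() if e.tag.endswith("}" + local_name)), None)

def register_saml_sp(post, get_app_id, name, description, issuer, acs_url):
    """Issue the calls in the answer's order through post(path, soap_action, xml); get_app_id(name)
    stands in for the getApplication lookup of the ID that createApplication assigned (assumption)."""
    post(*add_rp_service_provider(issuer, acs_url))
    post(*create_application(name, description))
    return post(*update_application(get_app_id(name), name, issuer))
```

Pass a real `post` that sends the envelope with `Content-Type: text/xml` and the `SOAPAction` header over HTTPS with basic auth, as the question's requests do.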