
We have a large migration project where SSO is realized with SAML2. One WebLogic 10.3.6 container is acting as an identity provider (IdP) and all other WebLogic containers are configured as service providers (SP). We want to leave that scenario unchanged. New or migrated applications use an SSO scenario with WSO2 as identity provider and OAuth2 for SSO services.

Is it possible to define the old (WebLogic) SAML2 IdP in WSO2 as a trusted IdP and to realize an overall SSO scenario with SAML2 and OAuth2, leaving the WebLogic IdP and SPs unchanged?

If this is not possible, another solution might be extracting the IdP from the old scenario, configuring WSO2 as SAML2 IdP and for OAuth2 services, and exchanging/transforming the tokens in both directions. But then all old WebLogic service providers would have to be touched (to use the WSO2 SAML2 IdP)...

Any help is appreciated ;-) Cheers Tom


1 Answer


Is it possible to define the old (WebLogic) SAML2 IdP in WSO2 as a trusted IdP and to realize an overall SSO scenario with SAML2 and OAuth2, leaving the WebLogic IdP and SPs unchanged?

In most cases it is possible. For SAML it's much easier, as it's a very rigidly defined standard, so as long as you define the correct subject name, subject name format and assertions, you are good to go.

Please note: the service providers will need to change their endpoint configurations, as the SSO/SLO endpoints will be different. However, I consider that configuration, not really a change to the service provider application.

The problem may be with OAuth. The token service and userinfo service responses are not so rigidly defined (or implemented). You will have to check whether your SP can consume the responses without problems (in most of the cases I've seen, you will need to add some user attributes to the userinfo service).
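The answer above names the three things a broker in the middle has to get right: the inbound SAML assertion (issuer, subject NameID and its format, audience, validity window) must be checked before it is trusted, and the OAuth2/OIDC side then needs a userinfo response that carries the attributes the new SPs expect. The following is an added example, not code from the original post and not WSO2 Identity Server's own implementation; it shows that validation and mapping step in plain Python. The SAML Response is constructed for the example, and the entity IDs, attribute names and claim mapping are assumptions. It also assumes the XML signature was already verified with an XML-DSig library before this code runs; the standard library cannot do that, and nothing here is safe on an unverified Response.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: a SAML2 Response of the kind the old IdP would POST to
# the broker. The entity IDs, user and attribute names are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-01-01T10:00:00Z">
 <saml:Issuer>https://weblogic-idp.example/saml2</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T10:00:00Z">
  <saml:Issuer>https://weblogic-idp.example/saml2</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tom@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-01-01T09:59:00Z" NotOnOrAfter="2014-01-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://wso2-is.example/saml2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="givenName"><saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="sn"><saml:AttributeValue>Tester</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="memberOf"><saml:AttributeValue>app-users</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Broker configuration for this trusted IdP (illustrative values, assumptions).
IDP_ENTITY_ID = "https://weblogic-idp.example/saml2"
BROKER_ENTITY_ID = "https://wso2-is.example/saml2"
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}
# SAML attribute name -> OIDC userinfo claim (assumed mapping). REQUIRED_CLAIMS
# are what the OAuth2 SPs need; if the IdP does not release them, fail loudly
# instead of handing the SP a userinfo response it cannot consume.
CLAIM_MAP = {"givenName": "given_name", "sn": "family_name", "memberOf": "groups", "mail": "email"}
REQUIRED_CLAIMS = {"sub", "given_name", "family_name"}


class FederationError(Exception):
    """The inbound assertion cannot be accepted or mapped."""


def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now):
    """Check status, issuer, validity window, audience and NameID format.
    Precondition (not implemented here): the XML signature has been verified."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise FederationError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise FederationError("no Assertion element")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise FederationError("assertion issuer is not the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_after = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not not_before or not not_after:
        raise FederationError("assertion has no validity window")
    if not (parse_saml_time(not_before) <= now < parse_saml_time(not_after)):
        raise FederationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if BROKER_ENTITY_ID not in audiences:
        raise FederationError("assertion not addressed to this broker")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") not in ALLOWED_NAMEID_FORMATS:
        raise FederationError("missing NameID or unexpected NameID Format")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": name_id.text, "name_format": name_id.get("Format"), "attributes": attrs}


def to_userinfo(identity):
    """Map a validated SAML identity to an OIDC userinfo-style claim set."""
    claims = {"sub": identity["subject"]}
    if identity["name_format"].endswith(":emailAddress"):
        claims["email"] = identity["subject"]
    for saml_name, values in identity["attributes"].items():
        claim = CLAIM_MAP.get(saml_name)
        if claim is not None:  # attributes the OAuth2 side has no use for are dropped
            claims[claim] = values if len(values) > 1 else values[0]
    missing = sorted(REQUIRED_CLAIMS - claims.keys())
    if missing:
        raise FederationError("IdP must release attributes for claims: " + ", ".join(missing))
    return claims


def broker(xml_text, when):
    """Validate the inbound SAML Response at instant `when`, return userinfo claims."""
    return to_userinfo(validate_assertion(xml_text, parse_saml_time(when)))


def rejected(xml_text, when):
    """True if the broker refuses this Response at the given instant."""
    try:
        broker(xml_text, when)
    except FederationError:
        return True
    return False


if __name__ == "__main__":
    print(broker(SAMPLE_RESPONSE, "2014-01-01T10:00:30Z"))
```

Running the sample through `broker` yields `sub`, `email`, `given_name`, `family_name` and `groups`; renaming or dropping the `sn` attribute on the IdP side makes `to_userinfo` raise, which is the "add some user attributes to the userinfo service" case from the answer surfacing at configuration time rather than as a confused SP in production. The same function rejects an assertion whose `Audience` is a different SP or whose validity window has passed.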