WSO2 Identity Server as OpenID Provider

Let see how we can use Openid issued by WSO2IS in an actual environment. Here I am using Liferay portal as Openid consumer and assume that Liferay portal and Identity server have been setup in different hosts in a LAN.

Step 1. First  download WSO2IS server from here and you can extract in to a directory in your file system. Lets call as CARBON_HOME

Step 2. You can start Identity server by running  wso2server.sh (in unix) or wso2server.bat (in windows)  file in the CARBON_HOME/bin directory

Identity server will be started with default configuration. if you examine openid url of  a user(default admin username is admin) in identity server. It will look like

https://localhost:9443/openid/admin

But this openid url can not be accessed by other hosts in your network. So Lets change our host name.

Step 3. Lets assume we want to configure host name as “wso2identity” (or any ip address).  First configure following parameters in carbon.xml which can be found in CARBON_HOME/conf .

<HostName>wso2identity</HostName>
 <MgtHostName>wso2identity</MgtHostName>

configure following parameters in identity.xml which can be found in same location

  <OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl>
 <OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern>

Step 4. Restart identity server. Now openid url

https://wso2identity:9443/openid/admin

Step 5. Download latest version of Liferay portal from here and you can extract in to a directory in your file system. Lets call as LIFERAY_HOME

Step 6. Set CATALINA_HOME =LIFERAY_HOME/tomcat_dir

Step 7. Start Liferay portal by running  catalina.sh run (in unix) or calalina.bat file in CATALINA_HOME/bin directory.

Step 8. Create a user account in Liferay and configure an openid  that is issued by identity server  which is https://wso2identity:9443/openid/admin

Step 9. Now try to sign in by providing your openid

Step 10. You will probably get following error message.    Because there are one configuration to do, if we use default keystore, wso2carbon.jks for identity server.

Liferay use java cacerts as its trust-store. But wso2carbon.jks contains self signed certificate. So public key should be imported to the cacerts that is used by Liferay. Then Liferay can trust the Openid provided by wso2identity server.

Step 11. Import Identity server public certificate to the cacerts

first export wso2carbon cert from wso2carbon.jks which can be found in CARBON_HOME/resources/security directory. sample keytool command

> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -keypass wso2carbon

Then import it to cacerts in JAVA_HOME/jre/lib/security

> keytool -import -keystore cacerts -file carbon.cert -alias carbon -keypass changeit

Step 12. Then restart Liferay portal. Now you can sign in to Liferay portal using  WSO2IS server’s Openid………!!!

Discuss this article on Stack Overflow