Service provider grouping with WSO2 Identity Server

When WSO2IS is used as an SSO IdP, an end user (a single browser agent) can have only one SSO session with WSO2IS. That session cannot be scoped by service provider, tenant domain or any other parameter. Once the end user has authenticated to WSO2IS through a given SP, every other SP registered with WSO2IS is authenticated through SSO. SPs cannot be grouped so that some must share SSO and others must not.

But there are requirements where SSO must work only within a given set of service providers. Say there are three service providers called SP1, SP2 and SP3, and another set called SP4 and SP5. The requirement is to have SSO only within the SP1/SP2/SP3 group, and separately within the SP4/SP5 group. Service provider grouping is not supported by WSO2IS by default, but there is a workaround.
WSO2IS sets a cookie called “commonauthid” in the end user's browser. This cookie is set for the hostname of the WSO2IS server. If WSO2IS is exposed under two hostnames, two “commonauthid” cookies can be set in the end user's browser, and two cookies mean two SSO sessions in WSO2IS. So we can keep a single WSO2IS node (or cluster) and expose it under different hostnames through a proxy server. Any proxy server will do; we configured it easily using the virtual host configuration of Apache HTTP Server.
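To see why host-scoped cookies give two sessions, here is an added example (not from the original post or from WSO2) that drives Python's standard http.cookiejar, which applies browser-style host scoping, through the SP1..SP5 logins. The /commonauth path, the session ids and the idp1/idp2.example.com counter-example are constructed; the counter-example goes beyond the post by showing that a Domain attribute shared by both hostnames would collapse the two sessions into one.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

COOKIE_NAME = "commonauthid"  # session cookie name as given in the post

class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies to read Set-Cookie."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers

def idp_login(jar, idp_base, sp_name, session_id, domain_attr=None):
    """One SP login through the IdP hostname idp_base (the proxy hostname, e.g. https://foo.com/).
    Returns "sso" if the browser already holds a commonauthid cookie for that host, otherwise
    "login" after the IdP authenticates the user and sets a fresh cookie."""
    req = urllib.request.Request(f"{idp_base}commonauth?sp={sp_name}")  # constructed path
    jar.add_cookie_header(req)  # the browser attaches only cookies scoped to this host
    if COOKIE_NAME in req.get_header("Cookie", ""):
        return "sso"
    set_cookie = f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly"
    if domain_attr:  # only for the counter-example: a Domain attribute widens the scope
        set_cookie += f"; Domain={domain_attr}"
    jar.extract_cookies(_FakeResponse([set_cookie]), req)  # no Domain => host-only cookie
    return "login"

def run_groups(group_a_idp, group_b_idp, domain_attr=None):
    """Log SP1..SP5 in through one simulated browser: SP1-SP3 use the first IdP hostname,
    SP4-SP5 the second, as in Step 4. Returns (outcome per SP, number of cookies stored)."""
    jar = CookieJar()
    sps = {"SP1": group_a_idp, "SP2": group_a_idp, "SP3": group_a_idp,
           "SP4": group_b_idp, "SP5": group_b_idp}
    outcome = {sp: idp_login(jar, idp, sp, f"sess-{n}", domain_attr)
               for n, (sp, idp) in enumerate(sps.items())}
    return outcome, len(jar)

if __name__ == "__main__":
    # The post's setup: foo.com and bar.com both front the same WSO2IS node.
    print(run_groups("https://foo.com/", "https://bar.com/"))
    # Constructed counter-example: sibling hostnames plus a shared Domain attribute
    # collapse both groups into one SSO session.
    print(run_groups("https://idp1.example.com/", "https://idp2.example.com/", "example.com"))
```

The first run reports a fresh login only for SP1 and SP4 with two cookies stored, so the practical check after Step 5 is that the browser holds one commonauthid cookie per proxy hostname and no Domain attribute on either.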

Let's try it out.

Step 1. Install WSO2IS in your environment and configure SP1/SP2/SP3/SP4/SP5 in WSO2IS.

Step 2. Make sure the hostname entries in the /repository/conf/carbon.xml file are configured properly. They must be the hostname of the server on which WSO2IS is installed.

<HostName>{IS_Server_Host_Name}</HostName>
<MgtHostName>{IS_Server_Host_Name}</MgtHostName>

Step 3. Configure a proxy server such as Apache HTTP Server with virtual host configuration. Let's assume WSO2IS must be exposed under two different hostnames, foo.com and bar.com. Then the virtual host configuration is as follows.

<IfModule mod_proxy.c>
    # First hostname: browsers talking to foo.com get a commonauthid cookie scoped to foo.com
    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName foo.com
        ServerAlias foo.com
        ProxyRequests Off
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/credential/server.crt
        SSLCertificateKeyFile /etc/apache2/credential/server.key
        SSLCACertificateFile /etc/apache2/credential/ca.crt
        # Both virtual hosts forward to the same WSO2IS node
        ProxyPass / https://{IS_Server_Host_Name}:{IS_Server_Port}/
        ProxyPassReverse / https://{IS_Server_Host_Name}:{IS_Server_Port}/
    </VirtualHost>
    # Second hostname: browsers talking to bar.com get a separate commonauthid cookie scoped to bar.com
    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName bar.com
        ServerAlias bar.com
        ProxyRequests Off
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/credential/server.crt
        SSLCertificateKeyFile /etc/apache2/credential/server.key
        SSLCACertificateFile /etc/apache2/credential/ca.crt
        ProxyPass / https://{IS_Server_Host_Name}:{IS_Server_Port}/
        ProxyPassReverse / https://{IS_Server_Host_Name}:{IS_Server_Port}/
    </VirtualHost>
</IfModule>

Step 4. Configure the IdP URL in the service providers

For one service provider group (SP1/SP2/SP3), configure the IdP URL as https://foo.com/

For the other service provider group (SP4/SP5), configure the IdP URL as https://bar.com/

Step 5. Now try logging in to the SP1/SP2/SP3 service provider group and verify the SSO. Do the same for the other group.
You will see that SSO happens only within the SP1/SP2/SP3 group or within the SP4/SP5 group.

Thanks for reading…!!!