To authenticate with SAML rather than the basic auth:

- Create the Identity Server image. Options:
  - Build from scratch
  - Download the existing image (GSA only)
- Unarchive and load the image.

  ```sh
  gunzip wso2-image.tar.gz
  docker load -i wso2-image.tar
  ```
- Start the Identity Server.

  ```sh
  make identity
  ```
- Set up the SAML Provider.
  - Visit the WSO2 console.
  - Click through the certificate warning in your browser.
  - Log in with username and password of `admin`.
  - Add a Service Provider with the Name `localhost`.
  - Go into the `Inbound Authentication Configuration` -> `SAML2 Web SSO Configuration` section, then click `Configure`.
  - Fill out the form.
    - Issuer: `localhost`
    - Assertion Consumer URLs: `http://localhost:3000/auth/saml/callback`, then click `Add`
    - Uncheck everything but `Enable Response Signing`
    - Check `Enable Single Logout`; no need to set SLO request or response URLs
- Copy the certificate.
  - Expand `Inbound Authentication Configuration`, then `SAML2 Web SSO Configuration`.
  - Click `Download SAML Metadata`.
  - Open up the resulting SAML Metadata XML file that gets downloaded, and copy the contents of the `<X509Certificate>` element.
  - Save that in `api/wso2.crt`:

    ```
    -----BEGIN CERTIFICATE-----
    <contents>
    -----END CERTIFICATE-----
    ```
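Copying the certificate by hand is where this step usually goes wrong (stray whitespace, unwrapped lines, the encryption key instead of the signing key). The script below is an added example, not part of this project: it pulls the signing `<X509Certificate>` out of the downloaded metadata and writes it in the PEM form `api/wso2.crt` expects. It assumes the file follows the standard SAML 2.0 metadata schema; the embedded sample metadata and certificate body are constructed placeholders, not a real WSO2 certificate.

```python
import base64
import sys
import textwrap
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 metadata spec and the XML Signature spec.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the certificate body; NOT a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed, not a real certificate " * 4).decode()

# Constructed metadata in the shape an IdP metadata download takes; the cert
# text is split across lines the way exporters commonly emit it.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="localhost">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64[:60]}
        {SAMPLE_CERT_B64[60:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_cert(metadata_xml: str) -> str:
    """Return the base64 body of the IdP signing certificate, whitespace removed."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                return "".join(cert.text.split())
    raise ValueError("no signing <X509Certificate> found in metadata")


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body in PEM armour with the 64-column lines parsers expect."""
    base64.b64decode(cert_b64, validate=True)  # fail early on a garbled copy/paste
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python metadata_to_crt.py downloaded-metadata.xml > api/wso2.crt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    sys.stdout.write(to_pem(extract_signing_cert(src)))
```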
- Enable SAML on the "client" side.
  - Make sure your `.env` has the `SAML_*` defaults from `.env.example`.
  - In your `.env`, set `BASIC_ENABLED=` and `SAML_ENABLED=1`.
- In another terminal, start the server (or restart, if already running).

  ```sh
  make run
  ```
- Visit http://localhost:8080.
- Log in with PIV/CAC, with username and password of `admin`.

Note this is using an off-the-shelf WSO2 server, which won't match production in that:

- It's not hardened
- It uses an embedded database rather than an external one
  - NOTE: If you delete the SAML server container, the SAML Provider data will be lost along with the embedded database
- The WSO2 version may not match
- etc.