Saturday, June 7, 2014

Application Authentication using IWA with WSO2 IS 5.0

WSO2 Identity Server is an open source Identity and Entitlement management server. It supports a wide array of authentication and authorization mechanisms. One of its new features is the application authentication framework, which can translate between heterogeneous authentication protocols and transform and mediate any identity assertion.

Integrated Windows Authentication (IWA) is an authentication mechanism introduced by Microsoft to authenticate users on Windows NT-based operating systems. IWA provides an easier way for users to log in to web applications that use Windows Active Directory as a user store. It is a popular choice of authentication among Windows server users and administrators, since it eliminates the need for users to remember extra credentials and reduces the authentication overhead for server administrators.

In this post I will explain how to configure WSO2 Identity Server to authenticate users to web applications using Integrated Windows Authentication. For the demonstration I will use the “Travelocity.com” sample application that ships with the WSO2 Identity Server samples.



  • Log in to a Windows server machine with an Active Directory (AD) setup.
  • Download, build and deploy the "travelocity.com" sample which is available here. In this example I use Tomcat to deploy the web app. If it deploys successfully, you will see a home page like the one below.
    Figure 1 : Travelocity.com home page
  • Download WSO2 Identity Server 5.0 from here, and extract it if you haven't already. I will refer to the extracted location as [IS_HOME] from here on. Do not start it yet; we first need to configure it to use Active Directory as the user store.
  • Follow this document to configure IS to use Active Directory as the primary user store. Edit the property values according to your Active Directory parameters. The following is the configuration for my AD parameters.
    Figure 2 : user-mgt.xml configuration for Active Directory
  • Start WSO2 Identity Server using [IS_HOME]/bin/wso2server.bat. If you made the configuration correctly, you should now be able to log in to the management console at https://localhost:9443 as the admin.
Now we need to register our web app with WSO2 IS. To do that:
  • Go to "Service Providers" -> "Add" and register the travelocity.com web app.
  • In the "Inbound authentication configuration" -> "SAML2 Web SSO Configuration" section, click edit and provide the required parameters as shown here.
    Figure 3 : Click edit here to configure SAML
    Figure 4 : Provided the required SAML configurations here
  • Now expand the "Local and Outbound authentication configuration" section. Select the authentication type "Local authentication" and, from the drop-down, select "iwa".
    Figure 5 : Select IWA as the local authenticator
  • Now go to the "Travelocity.com" web app home page (in my case it's http://localhost:8080/travelocity.com/index.jsp) and click on the link to log in using SAML (see Figure 1).
Note: Most modern browsers (IE 7+, Firefox, Chrome) support IWA authentication, but the browser needs to be configured to trust WSO2 IS for IWA authentication. You can find resources on the internet on how to enable IWA for each browser. You might be prompted for credentials, or get an "unauthorized" response, if your browser is not correctly configured.
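When the browser is not set up for IWA, the quickest way to see why is to look at what it actually sends back to the 401 challenge. The following is an added Python example (not from the original post or from WSO2) that lists the schemes in a WWW-Authenticate challenge and decodes the Authorization reply far enough to tell a bare NTLM message from an SPNEGO token and to list which mechanisms (Kerberos or NTLM) the client offered; the sample headers are constructed, and the OID constants are the registered values.

```python
import base64

# DER encodings (tag 0x06, length, value) of the registered OIDs that appear in
# an IWA/SPNEGO handshake.
OIDS = {
    "spnego":   bytes.fromhex("06062b0601050502"),          # 1.3.6.1.5.5.2
    "ms-krb5":  bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "kerberos": bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "ntlmssp":  bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def offered_schemes(www_authenticate):
    """Scheme names a 401 challenge offers, e.g. ['Negotiate', 'NTLM', 'Basic']."""
    schemes = []
    for part in www_authenticate.split(","):
        name = part.strip().split(" ", 1)[0]
        if name and name not in schemes:
            schemes.append(name)
    return schemes

def classify_token(authorization):
    """Return (kind, mechs) describing what the client put in Authorization."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not b64:
        return ("none", [])
    raw = base64.b64decode(b64)
    if raw.startswith(NTLM_SIGNATURE):              # bare NTLMSSP, no SPNEGO wrapper
        msg_type = int.from_bytes(raw[8:12], "little")
        return ("ntlm-" + NTLM_TYPES.get(msg_type, "unknown"), ["ntlmssp"])
    if raw[:1] == b"\x60" and OIDS["spnego"] in raw[:16]:   # GSS InitialContextToken
        # NegTokenInit lists mechTypes in the client's preference order, so report
        # the mechanisms sorted by where their OID first occurs in the token.
        hits = sorted((raw.find(o), n) for n, o in OIDS.items() if n != "spnego" and o in raw)
        return ("spnego", [n for _, n in hits])
    return ("unknown", [])

def _der(tag, content):
    return bytes([tag, len(content)]) + content     # short-form length only (< 128 bytes)

def constructed_headers():
    """Constructed sample Authorization headers (not captured from a real deployment)."""
    ntlm1 = NTLM_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
    mech_types = _der(0x30, b"".join(OIDS[m] for m in ("ms-krb5", "kerberos", "ntlmssp")))
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_types)))   # NegotiationToken[0] / NegTokenInit / mechTypes[0]
    spnego = _der(0x60, OIDS["spnego"] + neg_init)
    return {"ntlm": "NTLM " + base64.b64encode(ntlm1).decode(),
            "spnego": "Negotiate " + base64.b64encode(spnego).decode()}
```

A reply of kind "none", or an SPNEGO token whose only mechanism is ntlmssp, usually means the browser does not treat the IS host as a trusted intranet site or could not obtain a Kerberos ticket for it, which is the configuration the note above refers to.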

That's it. If you have enabled IWA authentication in your browser, you should see the following screen, where you have been authenticated to the web application without any prompt for credentials (provided that you are already logged in to the Windows domain as an Active Directory user with the necessary permissions).

Figure 6 : Logged in to the app with IWA

WSO2 IS 5.0 also offers multi-factor authentication and multi-option authentication. You can configure IWA in either of those as well, based on your requirements.

Further Reading:
[1] WSO2 Identity Server 5.0 documentation: https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation
[2] Integrated Windows Authentication with WSO2 Identity Server: http://wso2.com/library/articles/2013/04/integrated-windows-authentication-wso2-identity-server/
[3] Configuring SAML SSO: https://docs.wso2.org/display/IS500/Configuring+SAML2+SSO
