Friday, December 4, 2015

SAML SSO with GoogleApps using WSO2 Identity Server

We are going to use WSO2 Identity Server as the SAML identity provider (IdP) for Google Apps. This covers the common case where an organization's identity provider is an independent third-party system rather than Google itself. Here is the scenario we are going to support.

Set up SAML SSO in your domain by following Google's documentation.

The sign-in page URL has the form https://host:port/samlsso. The change-password URL points to the portal that employees use to change their passwords.

On the WSO2 Identity Server side, go to Main -> Service Providers -> Add and enter the following configuration.
  • The ACS URL is
  • Since we have ticked "Use a domain specific Issuer" above, our issuer is ""
  • The NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  • Enable assertion signing (the corresponding certificate was uploaded to Google Apps in the previous step; Google verifies every assertion against it)
  • Enable Single Logout and the Attribute Profile

Note - the placeholder needs to be replaced by your actual domain name.

SAML SSO with Concur and WSO2 Identity Server

As of today, Concur supports IdP-initiated SSO only. It integrates with many existing identity providers such as OneLogin and Okta, and it works equally well with WSO2 Identity Server (or any other SAML provider). This blog post shows how to configure WSO2 Identity Server with the Concur expense management system.

Before you begin, get in touch with a technical contact at Concur; they will install your signing certificate on the Concur side. This is a manual step that cannot be done through any online interface, so you cannot proceed without the Concur technical contact. Once you have one, here are the steps to integrate WSO2 IS with Concur.

1 - Download and install the Identity Server according to the docs here. You can connect the Identity Server to your corporate LDAP store according to the docs here.

2 - Now set up the Service Provider as follows.

Now SSO should work. But you can go further for a tighter integration with Concur.

Steps to go the extra mile.

3 - You can publish an SSO entry URL to the outside world as follows. Since the flow is IdP-initiated, users need a link that starts at the Identity Server rather than at Concur; add that link to your organization's internal app store and the problem is solved.

4 - If you want authentication by federation only, ask the technical contact to scramble the users' Concur passwords and put a banner on the login page. The banner will look like this.

5 - You can also let users self-register subject to authorization: when a user clicks the registration link, the Concur admin can approve the request, set up the user's manager, and additionally scramble the password themselves.

6 - If you want the links in approval emails to work, the technical contact will update the link in the email so that approvals go to the IdP first. The link will be something like the following. Please note the "hpo" and "cte" values.
$s78jMIcZE$..........OVKaiBzTI25SrSFKhSwQ7OPlB

The requirement is to insert the above values as an Authorization Decision statement in the SAML assertion.

Then, on the Identity Server side, I have written an extension for the SAMLAssertionBuilder to add the authorization decision. What is the result? The approver is redirected to the correct case on the approval page.
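Below is an added example of such an assertion-builder extension; it is not the extension written for this post and not WSO2's or Concur's code. It assumes the WSO2 IS 5.x SAML inbound authenticator API (DefaultSAMLAssertionBuilder, SAMLSSOAuthnReqDTO, SAMLSSOUtil.setSignature, SignKeyDataHolder) and OpenSAML 2.x; it also assumes that the "hpo" and "cte" values arrive as query parameters on the IdP link, and that Concur wants them as <saml:Action> values under a Permit decision for a resource URL that the technical contact supplies. The package name, CONCUR_RESOURCE and ACTION_NS are placeholders. The one point that matters for security is the order of operations: the default builder signs the assertion inside buildAssertion, so a statement appended afterwards is outside the signature and the SP will reject the assertion; the example therefore strips the parent's signature, adds the statement, and signs the final content.

```java
// ConcurAssertionBuilder.java: added example, not the code from the original post.
// Assumes WSO2 IS 5.x builder/util APIs and OpenSAML 2.x; check the signatures
// against the DefaultSAMLAssertionBuilder source of the version you run.
package org.example.saml;   // hypothetical package

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Action;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthzDecisionStatement;
import org.opensaml.saml2.core.DecisionTypeEnumeration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder;
import org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

public class ConcurAssertionBuilder extends DefaultSAMLAssertionBuilder {

    // Assumption: the resource and action namespace Concur expects; the real
    // values come from the Concur technical contact.
    private static final String CONCUR_RESOURCE = "https://www.concursolutions.com/";
    private static final String ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:unspecified";
    // Query parameters from the approval-email link that must be echoed back.
    private static final String[] FORWARDED_PARAMS = {"hpo", "cte"};

    @Override
    public Assertion buildAssertion(SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter,
                                    String sessionId) throws IdentityException {
        // The parent builds issuer, subject, conditions, authn and attribute
        // statements, and signs the assertion if the SP asks for signed assertions.
        Assertion assertion = super.buildAssertion(authReqDTO, notOnOrAfter, sessionId);

        Map<String, String> forwarded = extractParams(authReqDTO.getQueryString(), FORWARDED_PARAMS);
        if (forwarded.isEmpty()) {
            return assertion;   // ordinary login, not an approval link: nothing to add
        }

        // Anything added after the parent signed is not covered by that signature,
        // so drop it, add the statement, and sign the final content once.
        assertion.setSignature(null);
        assertion.getAuthzDecisionStatements().add(buildDecision(CONCUR_RESOURCE, forwarded));
        if (authReqDTO.getDoSignAssertions()) {
            SAMLSSOUtil.setSignature(assertion, authReqDTO.getSigningAlgorithmUri(),
                    authReqDTO.getDigestAlgorithmUri(),
                    new SignKeyDataHolder(authReqDTO.getUser().getAuthenticatedSubjectIdentifier()));
        }
        return assertion;
    }

    // <saml:AuthzDecisionStatement Resource="..." Decision="Permit"> with one
    // <saml:Action> per forwarded value, e.g. "hpo=..." and "cte=...".
    static AuthzDecisionStatement buildDecision(String resource, Map<String, String> values) {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        AuthzDecisionStatement stmt = (AuthzDecisionStatement) bf
                .getBuilder(AuthzDecisionStatement.DEFAULT_ELEMENT_NAME)
                .buildObject(AuthzDecisionStatement.DEFAULT_ELEMENT_NAME);
        stmt.setResource(resource);
        stmt.setDecision(DecisionTypeEnumeration.PERMIT);
        for (Map.Entry<String, String> e : values.entrySet()) {
            Action action = (Action) bf.getBuilder(Action.DEFAULT_ELEMENT_NAME)
                    .buildObject(Action.DEFAULT_ELEMENT_NAME);
            action.setNamespace(ACTION_NS);
            action.setAction(e.getKey() + "=" + e.getValue());
            stmt.getActions().add(action);
        }
        return stmt;
    }

    // Pull only the named parameters out of a raw query string; anything else in
    // the query string is ignored rather than copied into the assertion.
    static Map<String, String> extractParams(String queryString, String... names) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        if (queryString == null || queryString.isEmpty()) {
            return out;
        }
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                continue;
            }
            String key = pair.substring(0, eq);
            for (String wanted : names) {
                if (wanted.equals(key)) {
                    try {
                        out.put(key, URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
                    } catch (UnsupportedEncodingException never) {
                        throw new IllegalStateException(never);   // UTF-8 is always available
                    }
                }
            }
        }
        return out;
    }
}
```

To wire it in (again an assumption about the IS 5.x layout): build the class into a jar, drop it under <IS_HOME>/repository/components/lib, and point the SAMLSSOAssertionBuilder element under SSOService in <IS_HOME>/repository/conf/identity/identity.xml at org.example.saml.ConcurAssertionBuilder instead of the default builder. Only the two named parameters are copied from the link, so an attacker who can get a user to click a crafted IdP URL cannot smuggle arbitrary content into a signed assertion through this path.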