Finding the replacement of the SOAP APIs for WSO2 identity server for 6.0.0 version - wso2

As part of WSO2 Identity Server 6.0.0, the SOAP APIs are deprecated and it is recommended to use REST-based APIs. We are using the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs in our project and want to replace them with the recommended REST APIs. Can you help us find the list of REST APIs that replace the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs? The API documentation is not clear.
We are unable to find the replacement for the claim management APIs which are specific to a user. The APIs provided for claim management are not user-specific; we want to retrieve/create/delete the claims by passing a username or user id in the request payload.
Can you please provide details on whether such APIs are available for claim management?

The REST API that you have mentioned matches ClaimMetadataManagementService.wsdl: https://is.docs.wso2.com/en/5.11.0/develop/managing-claims-with-apis/
The only available REST API to manage user claims (retrieving, updating, deleting) is the SCIM 2.0 Users API: https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/getUser
The thing you have to keep in mind is that SCIM is a protocol used for user management. Even though you used the local claim URIs directly in the SOAP services to manage user claims, in SCIM API calls you have to use the respective SCIM claim that is mapped to the local claim.
Check the SCIM claim dialects by navigating to management console -> Main -> Identity -> Claims -> List.
There you can find the SCIM claim to local claim mapping.
e.g.:
Get a specific user's name and username claims. The required attributes should be added to the attributes param based on the SCIM protocol:
GET https://localhost:9443/scim2/Users/<user-id>?attributes=username,name
Add user claims:
Refer to https://is.docs.wso2.com/en/latest/apis/scim2-patch-operations/#add-user-attributes
and https://medium.com/p/1c43bb218658
Delete user claims:
Refer to https://is.docs.wso2.com/en/latest/apis/scim2-patch-operations/#remove-user-attributes
and https://medium.com/p/1c43bb218658

A similar issue was raised here. Check the first answer.
The doc that you have referred to is for managing the claims in general. Refer to the introduction paragraph.
The API overview page contains all the information about all the APIs you need. The following image shows the APIs needed to manage users, roles and groups (more than what you have asked for in the question).
NOTE: Better not to use SCIM 1.1.

Related

WSO2 identity server 6.0.0 SOAP APIs Replacement

Describe the issue:
As part of WSO2 Identity Server 6.0.0, the SOAP APIs are deprecated and it is recommended to use REST-based APIs. We are using the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs in our project and want to replace them with the recommended REST APIs. Can you help us find the list of REST APIs that replace the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs? The API documentation is not clear.
I am referring to the documents below from WSO2:
https://is.docs.wso2.com/en/latest/references/about-this-release/#removed-features
https://is.docs.wso2.com/en/latest/apis/overview/
Expected behavior:
Can you help us find the list of REST APIs that replace the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs?
Both RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl have user management operations.
So you should be able to find all REST APIs matching your SOAP APIs under the User Management section of https://is.docs.wso2.com/en/latest/apis/overview/
RemoteUserStoreManagerService.wsdl service:
For user-related CRUD operations (create, read, update and delete), you can use the SCIM 2.0 /Users API:
https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/
For role-related CRUD operations, you can use the SCIM 2.0 /Roles API: https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/
UserIdentityManagementAdminService.wsdl service:
For a user's identity claim management, you can use the SCIM 2.0 /Users API. You have to change the payload to use the relevant SCIM attributes mapped to the identity claims.
For the user's challenge question answers management, this API can be used:
https://is.docs.wso2.com/en/latest/apis/challenge-rest-api/
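Both this answer and the first answer on this page make the same point: a SOAP call that named a local claim URI becomes a SCIM 2.0 request that names the mapped SCIM attribute. The helper below is an added example, not code from the answers or from WSO2; the claim-to-attribute table in it is a constructed sample and must be checked against the mapping shown under Main -> Identity -> Claims -> List in your own deployment. It builds the PatchOp body for adding and removing user claims and the GET URL for reading selected claims, so the wire format can be reviewed before any request is sent.

```python
from urllib.parse import quote

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample of the local-claim -> SCIM-attribute mapping (assumption).
# The authoritative mapping is the one your IS instance lists under
# Main -> Identity -> Claims -> List; verify every entry there.
LOCAL_TO_SCIM = {
    "http://wso2.org/claims/givenname": "name.givenName",
    "http://wso2.org/claims/lastname": "name.familyName",
    "http://wso2.org/claims/mobile": 'phoneNumbers[type eq "mobile"].value',
    "http://wso2.org/claims/emailaddress": 'emails[type eq "work"].value',
}


def to_scim_path(local_claim):
    """Translate a local claim URI into the SCIM path used in PATCH operations."""
    if local_claim not in LOCAL_TO_SCIM:
        raise ValueError(f"no SCIM attribute mapped to local claim {local_claim}")
    return LOCAL_TO_SCIM[local_claim]


def build_patch(add=None, remove=()):
    """Build a SCIM 2.0 PatchOp body: 'add' sets claim values, 'remove'
    deletes them. Keys are local claim URIs; paths are the mapped SCIM ones."""
    ops = [{"op": "add", "path": to_scim_path(c), "value": v}
           for c, v in (add or {}).items()]
    ops += [{"op": "remove", "path": to_scim_path(c)} for c in remove]
    if not ops:
        raise ValueError("a PatchOp needs at least one operation")
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def user_url(base, user_id, local_claims):
    """GET URL that returns only the SCIM attributes mapped to the given claims.
    A filtered path such as emails[type eq "work"].value collapses to 'emails'
    because the attributes param takes attribute names, not filters."""
    attrs = ",".join(to_scim_path(c).split("[")[0] for c in local_claims)
    return f"{base}/scim2/Users/{quote(user_id, safe='')}?attributes={quote(attrs, safe=',.')}"
```

Send `build_patch(...)` as the JSON body of `PATCH {base}/scim2/Users/{user_id}` with `Content-Type: application/scim+json`; the local-claim keys never appear on the wire.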

Proxy Security Service for Web Service requiring Uname/Password in the Request

We have a vendor-supplied solution that requires a username and password to utilize their APIs exposed as a web service. They are to be included in the actual XML of the call. We obviously don't like that.
Does anyone know of any product, system, whatever, that we can have calling systems authenticate to with token-based security, which would then inject the username/password and forward the request in a secure zone accessible by the product but not by the outside callers? And of course return the response through.
For example:
The Authentication/Proxy service has a name: Security Token Service (STS). The OAuth token exchange working draft has a good summary of an STS and its purpose:
A Security Token Service (STS) is a service capable of validating security tokens provided to it and issuing new security tokens in response, which enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security domains.
Web Service clients have used WS-Trust [WS-Trust] as the protocol to interact with an STS for token exchange. While WS-Trust uses XML and SOAP, the trend in modern Web development has been towards RESTful patterns and JSON. The OAuth 2.0 Authorization Framework [RFC6749] and OAuth 2.0 Bearer Tokens [RFC6750] have emerged as popular standards for authorizing third-party applications' access to HTTP and RESTful resources.
The conventional OAuth 2.0 interaction involves the exchange of some representation of resource owner authorization for an access token, which has proven to be an extremely useful pattern in practice. However, its input and output are somewhat too constrained as is to fully accommodate a security token exchange framework.
Most STSes (incl. the type specified by the OAuth token exchange draft) do not deal with heterogeneous tokens as your use case requires beyond, say, OAuth to SAML or vice versa. The solution to your use case is most likely going to involve a custom-coded STS. We've implemented STSes that translate OAuth/SAML to anything (e.g. SOAP with a custom credentials header like yours) for our clients using a variety of products/stacks/platforms/etc.
We often use Salesforce as the platform; it provides a lot of plumbing that helps with this use case. To be fair, similar plumbing is available in quite a few platforms and stacks, from the big 3 (AWS/GCP/Azure) to Java/Python/Ruby/Node/Go with appropriate libraries to identity & access management products such as Keycloak.
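The core of the custom STS this answer describes is small: validate the caller's token, then build the vendor's SOAP request with the credentials added server-side so the caller never handles them. The following is an added example, not code from the answer or from any named product. It assumes a WS-Security UsernameToken header as the vendor's credential format (the question does not say which XML element the vendor expects) and uses an HMAC-signed expiring token as a stand-in for an OAuth 2.0 access token issued by an identity provider.

```python
import base64
import binascii
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# Constructed secrets for the example (assumption). In a deployment both come
# from a secret store reachable only from the secure zone, never from callers.
STS_SIGNING_KEY = b"sts-demo-signing-key"
VENDOR_CREDENTIALS = {"username": "svc-vendor", "password": "vendor-password-placeholder"}

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soapenv", SOAP)
ET.register_namespace("wsse", WSSE)


def issue_token(client_id, ttl=300, now=None):
    """Issue base64(client_id|expiry).hmac; stands in for an IdP-issued token."""
    now = int(time.time() if now is None else now)
    payload = f"{client_id}|{now + ttl}".encode()
    sig = hmac.new(STS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def validate_token(token, now=None):
    """Return the client id if the signature checks out and the token is
    unexpired, otherwise None. Signature is checked before the payload is used."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(STS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    client_id, expiry = payload.decode().split("|")
    now = time.time() if now is None else now
    return client_id if now < int(expiry) else None


def inject_credentials(token, body_xml, now=None):
    """Wrap the caller's payload in a SOAP envelope that carries the vendor's
    UsernameToken. Rejects the call outright when the caller's token is bad."""
    if validate_token(token, now) is None:
        raise PermissionError("invalid or expired client token")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = VENDOR_CREDENTIALS["username"]
    ET.SubElement(ut, f"{{{WSSE}}}Password").text = VENDOR_CREDENTIALS["password"]
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")
```

The returned envelope is what the STS forwards to the vendor over the internal network; the response comes back to the caller unchanged, and the vendor's password only ever exists inside the secure zone.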
I would go for the #identigral STS proposal. As #identigral mentioned, the recommendation is to use some Identity Management (IdM) such as Keycloak to provide the OAuth 2.0 tokens and, in the near future, convince your vendor to use some IdM. To see an example of how to generate Keycloak tokens, check this repo and also this Stack Overflow question. For your use case I see three possible solutions:
1. If you are developing things with Java I would go for an API Gateway such as Netflix Zuul. The Spring framework supports Zuul, and applying OAuth 2.0 tokens to Zuul is a very good option. For the config part, again Spring provides Cloud Config to store global configuration for your component, and it can be easily connected with Zuul.
2. Use some commercial tool such as Google Apigee. Take a look at it; everything described in point 1.) can be configured using Apigee at an API level covering multiple programming languages.
3. You can also use a reverse proxy as a Proxy API Gateway with security, such as Nginx or Traefik.
Any solution can be good for you; it depends on your specific use case.

Using WSO2 for Authentication and Authorization for web based Enterprise Applications

We want to use WSO2 as the IAM framework for our internal and external applications.
We have the 3 main requirements below.
1. WSO2 should be able to authenticate users using LDAP (Active Directory for internal employees) or another data source for external users.
2. We want to configure API access level in WSO2, for example role-based authorization (or policy-based), where we can configure who can access which web API with which HTTP verb.
3. We should be able to dynamically add/update/delete users and update authorization policies/roles through the WSO2 API.
Please let me know if this is supported out of the box in the community edition or whether we have to buy any licenses for the same.
Note: I have installed the server and am playing around with it as well.
Yes, these requirements are possible with WSO2 IS (product stack).
You can easily plug an existing LDAP user store into WSO2 IS. (https://docs.wso2.com/display/IS530/Configuring+a+Read-write+LDAP+User+Store)
I am not 100% clear about what you are asking here. But if you are talking about IS APIs (which are specified in point number 3) you can do them solely with IS with a little customization, or else you can use WSO2 ESB with the entitlement mediator to add XACML policies.
There are SOAP admin services (non-standard, but able to update authorization policies etc.) and REST services (standard SCIM 2.0 for user operations).
https://docs.wso2.com/display/IS530/Calling+Admin+Services
https://docs.wso2.com/display/IS530/SCIM+1.1+APIs

Wso2 API MANAGER WSDL security

I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs: since a WSDL does not have a related API key, everyone can access it.
For that reason I have tried to add an access token from the ESB, but that will not authenticate the API Manager's users (like Apisubscriber), only the users inside the ESB (even if I have configured an external JDBC DB for both the API Manager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or how do I control access to the published WSDLs in the API Store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios; in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB ("admin/everyone...") and only accepts users defined in the ESB's user store ("admin/admin" and others you might have created).
I have the ESB and AM configured to share the same MySQL DB for the user store, but that does not work in the security scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside the ESB, they store the users inside the same MySQL DB, but under different "tenants", i.e. "apicreator" is not a valid user to authenticate in my security scenario (UsernameToken). I hope this description helps to clarify the problem. Thanks
With WSO2 API Manager, you cannot control access to a published WSDL in the API Store. Currently there is no way of creating an API key for WSDLs from the API Manager. That control has to be done through your back-end service. However, when creating an API from WSO2 API Manager, giving the WSDL URL as an input is not a required field, but an optional one.
Apart from that, I'm not clear about your following phrase: "For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB". Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji

WSO2 Identity Server: Cannot use custom claims with OAuth2

We've installed the pre-packaged Identity Server 5.1.0 with API Manager 1.10.0 and use SQL Server as the data store.
We use OAuth2 to authorize our APIs and we want to map our local claims to a service provider (an application?). Behind the API we have a .NET WCF service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The Claims which are returned are:
{"iss":"wso2.org/products/am",
 "exp":1462357259751,
 "wso2url/claims/subscriber":"Sjaak",
 "wso2url/claims/applicationid":"1003",
 "wso2url/claims/applicationname":"DefaultApplication",
 "wso2url/claims/applicationtier":"Medium",
 "wso2url/claims/apicontext":"/Test/v1.0",
 "wso2url/claims/version":"v1.0",
 "wso2url/claims/tier":"Silver",
 "wso2url/claims/keytype":"PRODUCTION",
 "wso2url/claims/usertype":"APPLICATION",
 "wso2url/claims/enduser":"Sjaak#carbon.super",
 "wso2url/claims/enduserTenantId":"-1234",
 "wso2url/claims/emailaddress":"sjakie#chocola.nl",
 "wso2url/claims/givenname":"Sjakie",
 "wso2url/claims/lastname":"van de Chocoladefabriek",
 "wso2url/claims/role":"Internal/subscriber,Internal/everyone,Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points... :(
The information in these claims is good, but we only want to use our own URI, so not wso2.org but myorg.com. And we want to add other claims, for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th May]
Maybe this can point us in the right direction?
When we add a subscription to an application and we generate a new key, then there is no new service provider in the list:
The list of service providers without a new one for user Sjaak, so the following is missing: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin the claims are not coming through. We have the following claim configuration, and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com URI:
Service Provider (SP): it provides services to some end users and relies on a trusted Identity Provider (IDP) to handle authentication and authorization for them. An SP may use multiple protocols (OAuth2, SAML2, etc.) to communicate with the IDP.
Claims are defined per SP, since the same claims can be sent over different protocols. In the default case, Identity Server uses the wso2 claim dialect (starting with wso2.com) for claims. If you want a different claim dialect than this, use the "Define Custom Claim Dialect" option in the service provider configuration. In there you can map wso2 claims (Local Claim) to your own claims (Service Provider Claim).