WSO2 APIM 4.1.0: multi-tenancy with custom OIDC identity provider - wso2

I am using WSO2 API Manager 4.1.0 and I am trying to configure it with a custom OAuth2 authenticator to provide different users to different tenants.
By following this guide, meant for Okta, I was able to make logging in and token claim-to-role mapping work, with some adjustments to the configuration to adapt to the custom IdP. Users can successfully login with the custom IdP, are assigned roles correctly, and can act accordingly in the publisher and developer portals.
However, I cannot figure out if there is any way to assign users to any tenant other than carbon.super.
The custom IdP I am working with uses e-mail addresses as usernames and, when enable_email_domain=true in the configuration file deployment.toml, users are created in APIM with said e-mail as their names, but if that setting is false (or commented out), only the part before @ is used. I thought this could be used to assign them to other tenants, but even if the e-mail domain is an existing tenant, the user is created in carbon.super.
I've noticed, when logging into carbon as admin, in the Service Providers section, under Local & Outbound Authentication Configuration for apim_devportal and apim_publisher, the Use tenant domain in local subject identifier setting. I am unsure what exactly this option entails, but checking it does not seem to change anything.
This article in the documentation talks about tenants, but does not cover this scenario.
Does anyone know how (if it's even possible) to assign a user to a specific API Manager tenant, instead of carbon.super, upon logging in via custom IdP (not Okta or Identity Server)?

Same question here. I use Keycloak as IdP and have not found a solution yet for a multi-tenancy schema implementation.

Related

Is there any OpenID Connect Identity Provider that can delegate authentication to other OpenID Connect IdPs?

I'm facing the following scenario:
There are several companies, each one with its own OpenID Connect Identity Provider (IdP) which federates users from their respective LDAP servers. These providers are used to perform SSO in the context of each company.
There's a requirement to create an application that offers a common login for all the users of those companies.
The idea is to provision or use an existing cloud solution (AWS Cognito, Google Cloud Identity, etc., ...) that offers a shared login screen but delegates/federates the actual login to each of the company IdPs.
Are there any solutions that allow this?
Could you point at any documentation/guide to implement it?
This is just standard OAuth and OpenID Connect behaviour, with these 3 roles:
Application, uses OIDC to redirect to ...
An Authorization Server, which you own, and which redirects to ...
An Identity Provider
So you need a standards based authorization server and to configure your app as an OAuth Client. Then include the openid scope so that OpenID Connect is used. SAML based identity providers can also be supported in this flow, even though your app only uses OIDC.
The way to manage this with the best usability is for the authorization server to present a username authenticator, which captures a user identifier first, such as an email. It then runs some custom logic, such as a user lookup, to determine which IDP to route the user to. The user then authenticates at the IDP.
After authentication, the IDP issues tokens to the authorization server, which validates them, then issues its own tokens to the application. In particular the app gets an access token whose scopes and claims you can control. Your app can then send these to your APIs, which can authorize access to business data correctly.
Aim for behaviour similar to that above, or adjust it based on your preferences. Then trial it, e.g. with a cloud or Docker based authorization server, and ensure that you select one with sufficient extensibility to meet your requirements.
Note also that Stack Overflow answers should not recommend particular vendors, so I have not done so.
There is a solution called cloudpods using which you can manage both on-prem and public cloud resources. Cloudpods supports integration with multiple cloud providers like AWS, GCP, Azure, Alibaba, etc.
Is there any OpenID Connect Identity Provider that can delegate authentication to other OpenID Connect IdPs?
Yes. https://github.com/apereo/cas is one. You can set it up as an OIDC identity provider and have it then delegate to as many OIDC Identity providers as you want.
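As an added example (not code from this thread or from any vendor's product), the routing step the answer above describes, in Python: capture the email first, pick the company IdP from its domain, build the OIDC authorization request to that IdP, and on return check that the asserted identity belongs to the IdP the user was sent to. The registry, endpoints and client IDs are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode
# Constructed registry for this example: email domain -> that company's OIDC IdP.
IDP_REGISTRY = {
    "alpha.example": {"authorize": "https://idp.alpha.example/oauth2/authorize",
                      "client_id": "as-client-alpha"},
    "beta.example": {"authorize": "https://login.beta.example/oidc/auth",
                     "client_id": "as-client-beta"},
}
CALLBACK = "https://as.example/callback"  # the authorization server's own redirect URI

def select_idp(email: str) -> Optional[dict]:
    """Home-realm discovery: route on the domain after the single '@'."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain.strip():
        return None
    return IDP_REGISTRY.get(domain.strip().lower())

def build_authorization_request(email: str) -> Optional[dict]:
    """Redirect for the chosen IdP plus per-login state the AS keeps server-side."""
    idp = select_idp(email)
    if idp is None:
        return None  # unknown domain: generic error page, do not enumerate tenants
    verifier = secrets.token_urlsafe(64)  # PKCE verifier, presented at the token endpoint
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")
    params = {"response_type": "code", "client_id": idp["client_id"],
              "redirect_uri": CALLBACK, "scope": "openid email",
              "state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32),
              "login_hint": email, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    pending = {"state": params["state"], "nonce": params["nonce"],
               "code_verifier": verifier, "expected_email": email}
    return {"redirect_to": idp["authorize"] + "?" + urlencode(params), "pending": pending}

def callback_binding_ok(pending: dict, returned_state: str, id_token_claims: dict) -> bool:
    """After the ID token's signature and issuer are verified, bind it to the request:
    same state, same nonce, and the asserted email must route to the IdP the user was
    sent to, so one company's IdP cannot assert an identity from another company."""
    if not secrets.compare_digest(pending["state"], returned_state):
        return False
    if id_token_claims.get("nonce") != pending["nonce"]:
        return False
    expected = select_idp(pending["expected_email"])
    return expected is not None and select_idp(id_token_claims.get("email", "")) is expected
```

The authorization server stores `pending` keyed by the browser session and looks it up at the callback; the ID token's signature, issuer and audience are verified against the selected IdP's keys before `callback_binding_ok` is consulted.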

Finding the correct SAML Identity provider to authenticate a user

I am trying to configure Google Cloud Identity Platform to use multiple SAML identity providers. Still, I'm stuck at the point of selecting the right IdP for every person attempting to log in.
I have read about SAML v2 IDP Discovery Service but I don't really understand how it works since I am a novice in SAML.
So does it have to be a programmatic solution or does GCIP have something that I can configure to automatically select the right IdP for each user?
If it has to be a programmatic solution can someone point me to a good explanation of SAML v2 IDP Discovery Service?
Yes, you can set up Google Cloud Identity Platform (GCIP) to automatically select the appropriate identity provider (IdP) for each user. A protocol known as SAML v2 IDP Discovery Service enables users to select their IdP from a drop-down menu. Its purpose is to make it unnecessary for users to remember which IdP they should use.
You will need to configure the service in your GCIP project in order to put this into action. Each provider's metadata and any additional parameters that the IdP may require must be provided to the IdP. The user will be able to select their IdP from a drop-down menu on their login page following the completion of the configuration. The official Google documentation provides additional details on how to use SAML v2 IDP Discovery Service.
Refer to this: how to enable multi-tenancy for Identity Platform, and Creating a sign-in page for multiple tenants.

Can I connect my own credentials database with Google Identity Platform to build custom Identity Provider for SSO - OpenID Connect authentication?

I have my own SQL Server database which contains usernames/passwords for authentication. I'd like to build a custom Identity Provider based on this database with an Identity Management provider so the other applications can be registered and their users can be authenticated with OIDC.
I researched some tutorials and they say that some Identity Management providers, such as OneLogin, Okta, etc., can integrate with our own credentials database. But for Google Identity Platform, I cannot find any links showing how to do such a thing so far.
Could you please tell me if it is possible to integrate our own database with Google Identity Platform? Are there any resource links mentioning this? If it is impossible, are there any alternatives for integrating the database with a Cloud Platform (e.g. Azure or AWS), or do we have to build our own Identity Provider from scratch?
Thank you.
You can use Cloud Identity Platform. You can define external identity provider and even a custom identity provider.
However, this solution implies that your own SQL database is behind an OIDC-compliant Identity Provider.
In addition, you will be able to authenticate your users to access to your application. You can't use this authentication to interact directly with Google Cloud API, only with YOUR application.
You can use the Identity Platform Admin SDK to manage Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC) provider configurations programmatically. You can explore the details of OpenID Connect here.
I would also suggest you explore the best practices and guidance that help you set up federation consistently and securely. The guidance builds on the best practices for using Cloud Identity or G Suite with Google Cloud.
You might be interested in Connecting to Cloud SQL from external applications running outside of Google Cloud.
Use keycloak to expose your existing database as an open Id connect (OIDC) identity provider.
Then you can tell google identity platform to use your new identity provider as a federated provider as the other answers are telling you.
To do that, you need some code. You need to help Keycloak translate common user patterns like get a user, list users, check password, get groups, roles etc. into your database. This is done by implementing a StorageProvider with the capabilities (user lookup, password update, user creation etc.) you need.
There is a JDBC provider ready, where you only provide the correct queries. Check the Keycloak documentation. You only need to implement the ones you need (e.g. don't implement user creation through Keycloak if you don't need to create users through the Keycloak admin interface; don't implement password change if your users manage their passwords via your existing infrastructure; and so on). For this use case (Google authentication) user lookup and password validation are enough.
Okta will not help you here, but that was possible directly with Auth0 (custom database connector).
So you either implement your own OIDC (OpenID Connect) provider with Keycloak or look for a cloud identity solution capable of a custom database connection and then expose it to Google.

Authorizing user using saml response from Single Sign On in APIM Publisher

I have successfully integrated an external IDP (Keycloak) with the publisher to do SAML based single sign-on. After authentication, it says the user is not authorized. From the investigations, for authorization:
User DB needs to be shared with the external IdP - this is not possible for my use case
Sending user roles via SAML response - is it possible? If so, what are the claims that need to be sent and the related configurations?
Pointing to Identity Server for authorization - how to do it?
Also, I don't want to integrate the IS server.
I want answers for the above unknown concerns.
it says the user is not authorized
which version are you using?
is there anything preventing the authorization, such as required scopes
User DB needs to be shared with the external IdP - this is not possible for my use case
Usually you need a userstore to manage users and roles; in the case of SAML I believe that is not needed. However - you can set up a JDBC userstore and inbound user provisioning (all logged in users will be stored in the database with their attributes and roles)
Sending user roles via SAML response - is it possible? If so, what are the claims that need to be sent and the related configurations?
I believe WSO2AM 2.1.0 (other versions I don't know) does not read roles directly from the SAML response (there is an environment property where you could enable that, I cannot find it right now, so just search a little)
However - together with the inbound provisioning it should work (the roles should be stored and updated in the database on each login)
Pointing to Identity Server for authorization - how to do it?
What do you mean by that? You could set up a WSO2 IS as KM (key manager) where you could do additional authorization (I am still not sure what you are asking here)

How to test WSO2 Identity Server federated Authentication

I've made a new Identity Provider and set up its SAML2 authentication to our Shibboleth IDP. How do I "login" using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications, your applications can be connected with Identity Server as service providers. Then you can define your external IDPs as trusted IDPs. For each service provider, you can select multiple IDPs as outbound authenticators. There is a blog post about that which uses Salesforce as a trusted IDP; you can go through it as well.
If what you want is to login to IS using Shibboleth as IDP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's no facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I set up API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally, by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.