Sometime I receive Security Advisory Email from WSO2 Security Team like below.
Security is one of our highest priorities.That’s why we proactively
look for ways to improve it. We have identified a few critical
vulnerabilities for the following product and would like to share the
recommendation in order to mitigate the issue.
I don't know what are all the basic steps required to apply this security in WSO2 Product like WSO2 EI etc.
Reference Link from Email:
WSO2 EI Security Advisory 1
WSO2 EI Security Advisory 2
Can any WSO2 Expert share the useful guideline for this?
If you have the WSO2 Subscription you can use Update 2.0 to get the latest security updates and it will provide a summary of the applied updates. The summary contains information about the updates and instructions if you need to make any configuration changes to the specific WSO2 product.
Related
Application I inherited uses WSO2 Identity server which I have't used before. I might need to support multiple tenants in this application and I need to research if WSO2 IS will support this. Documentation is not helping me unfortunately. I want all tenants to have same, shared roles. Adding new tenant should mean adding it's users and assigning them already existing roles.
So in my head solution should be rather simple. Just add new field to user profile - tenantId, and then return it as a claim in token. When I have it in token then it's up to code to use it. First of all is this possible at all? If it is it a good idea?
There are two other possible solutions I was considering.
Service Provider has SASS checkbox but I don't understand yet how it works.
You can add tenants to WSO2 IS itself. But to me it looks like it is multitenancy on WSO2 IS side (to share WSO2 IS) and it's not a feature to support multitenancy in my application. I was told that in this case each tenant would have to have roles defined again and that even those roles would have to be named differently.
WSO2 Identity Server do have the IDP level tenant separation but it does not have an OOB SP level tenant separation mechanism. However, your proposed solution can be done. It is a simple configuration to add an extra claim to the user [1](Assumes that the underlying user store supports it).
Answers for your other questions,
It is for IDP level tenant separation and if you need to share SP between those tenants, you can use this check box.
Correct.
This will do a clear separation in the IS side so data will be contained to each tenant. However, you can share user stores between each tenant.
[1] https://docs.wso2.com/display/IS580/Adding+Claim+Mapping
I would like to implement WSO2 as Identity and Access Management on a server to control some small business users. It's a project for the vocational school. It would be possible for free? I'm sorry but I'm a bit lost with all this.
Thank you very much in advance,
WSO2 as Identity and Access Management on a server to control some small business users
Indeed WSO2 Identity Server (wso2is) is intended for that. The applications on the server will have to use an authorization protocol (SAML, OAuth, ..) to enforce the user access.
Without any more specific questions / information about your case you probably won't get any more specific answer.
It would be possible for free?
It depends.
Indeed, WSO2 products are open source, so you can use them freely and update them as you wish.
On the other hand some institutions require to have supported all deployed products, so you should check what rules apply to your case.
As well you may consider subscription to help you stay current with patches and updates, however it depends on your policies and budget.
Is there a way to inactivate a user in WSO2 identity server 5.0.0?
Inactivating should mean that the user cannot login to other applications which are SSO integrated into the IS.
Removing roles/permissions seems not to do the trick.
WSO2 IS supports account lock feature to cater your requirement from IS 4.5.0 onwards. Please follow this document.
Account disable functionality is not yet implemented and we have already reported a jira to track it in future releases.
What is the current, recommended way to setup a WSO2 API manager to use SSO against a Shibboleth IDP?
Our organization has an existing SSO infrastructure built around Shibboleth’s IDP which we would like to integrate into our API Manager installation. Ideal Use Case:
User navigates to API Manager Store.
User is redirected to Shibboleth IDP Login page.
If one doesn’t exist, an API Manager Account is created and assigned the Subscriber role.
User is returned to API Manager and logged in. “Signed-in-as:” renders a reasonable user name (i.e. not a GUID).
I’m aware that there is an included SAML2 authenticator component to the API Manager but it is limited in features, specifically it does not handle Encrypted Assertions, Using specific attributes for username/display name and automatic user creation.
I understand that we could write a custom authenticator, however we would rather avoid creating another code base that needs to be maintained and doesn’t have community support. If a simpler solution cannot be determined then this will likely be what we do.
What I am currently investigating is delegating all user management for the API Manager to a WSO2 Identity Server. It IS would delegate authentication to Shibboleth and auto provision users before returning to the AM. The IS seems like it could address all of the issues mentioned above.
Firstly, is this an appropriate strategy? If so, how is it recommended that the AM and IS be configured?
Should the IS and AM both point to the same JDBC Database or should the AM point to the IS’s LDAP server?
Regarding the AM authenticator which is pointed to the IS, should I use SAML or OAuth, or is there a better/simpler one?
Shibboleth IDP v2.4 – SAML2 with Attribute Push preferred.
WSO2 API Manager v1.6.0
WSO2 Identity Server v5.0.0
Here's the results of my research, for anyone interested:
1) This is an appropriate strategy. The new features in the 5.0 release of Identity Server are mainly centered around this scenario. And the 1.7 release of AM also includes features to facility this setup. Finally I've heard from the developers that they intend to push this integration even further in the next few releases.
2) As of AM 1.6 there was a bug which made it almost required to share the same Primary JDBC user store. As of 1.7 it should be more open.
There does not seem to be a preference from the people at WSO2 between LDAP and JDBC (except that the default H2 DB is not designed for production environments), however if you are choosing between installing a DB or Open LDAP for this, a LDAP server seems more suited to the choice.
3) It's best to use SAML for communicating between the two when the goal is to present the user with a UN/PW screen. When the goal is to login with pre-issued tokens then OAuth. The API Manager and IS use both protocols behind the scenes, but the answer to this particular question seems to be SAML.
In the future WSO2 plans to expand the "Trusted IDP" feature of their products, which will streamline this process (and use SAML behind the scenes).
We are using WSO2 products ESB and IS in our product. We have configured MySql datasource for user stores and registry in Identity Server. We also have tenant specific user stores configured in Identity Server.
We would like to configure ESB to use the same user stores that are of Identity Server.
We have tried configuring the datasources and user-mgt.xml with the same user stores. When ESB is being launched we're getting some exceptions.
Kindly advise the following:
If we want to share registry and user stores, can we just add the datasources in master-datasources.xml and refer them in respective xml in ESB? Or, anything different?
Thanks in advance!
Yes. You can just share same user-mgt.xml and master-datasources.xml file with both ESB and IS. If you want to point to the same user store, user management database and same registry. (if registry.xml file has not been changed). But there can be issues, if ESB and IS are not release with same carbon platform. Because there can be slightly different between the user kernel implementation of two different carbon versions. Could you let us know the ESB and IS version that you are using? Also errors that you see in ESB startup?