Good, I would like to create a scenario where Orion has several entities, and from a request to WSO2 to check that the user or agent has authorization with a series of policies. And in case it has authorization redirect the WSO2 request to Orion.
Would it be possible and how?
Would it be possible to integrate as PIP of Authzforce to WSO2?
Thank you!!
Related
I want to have a server that visualize api data from my wso2 api manager
can anyone help me pls?
Thanx
`enter code here`
You can deploy the WSO2 API Manager in a single server and the Analytics in another server and configure both API Manager and Analytics TOML/Yaml configurations to communicate and send data.
Follow the Standard Setup steps provided in WSO2 API Manager Docs for more detailed steps and configurations.
We're attempting to configure a relatively complicated WSO2 setup in which Identity Server (5.7.0 with KM) authenticates through an OAuth Service Provider, uses the token to secure API Manager (2.6.0) Endpoints, which then cycles through the Enterprise Integrator (6.5.0).
I've followed the steps to configure IS as the Key Manager (https://docs.wso2.com/display/AM260/Configuring+WSO2+Identity+Server+as+a+Key+Manager). This appears to be working, as I can see users in APIM that were configured in IS.
The problem is in the application. In IS I've created an OAuth POC that federates to another authentication provider. I want APIM to understand that application, and be able to use it to subscribe to APIs through the store for users that IS has given roles to. The application doesn't appear in APIM's applications, and I can't figure out how to link the two. I'd like for APIM to understand the token, figure out that it's for the OAuth POC in IS, and then if the user has that role, let them in, else return a 401 or something equivalent. Haven't been able to find someone else with a tutorial or guidance on this setup specifically.
Linking an Oauth2 provider from IS to an APIM application is called by WSO2 as "Out-of-Band provisioning". This guide may bring you a step further in your POC: https://docs.wso2.com/display/AM260/Provisioning+Out-of-Band+OAuth+Clients
Such as two factor authentication, 3rd party OAuth, Connecting to LDAP.
I have added the above security to Wso2 Identity Server. But please help me achieve the same with Wso2 ESB.
Thanks
Where you want to add the security? What you want to secure?
I see two parts where the user security may play role in ESB:
For the carbon (management) console, I may disappoint you, that may not be so simple. See the Custom carbon authentication . It seems you need to enable other authenticators or add your own (see the file authenticators.xml, they are disabled by default) and "patch" the carbon to use it. However - for our best practices the management console (and the management services) should be not accessible from untrusted network .
If you're talking about securing the web services, this is not something an end user (person) is accessing. Ok - excluding the REST services. There are multiple options available to secure web services. From basic authentication (and username token), to STS (security token service), signing and encrypting the payload. See Securing web services, however here we assume some knowledge about the service security.
I am new in security. I have downloaded wso2 sso sample and executed it. Now I want to configure xacml into this project.
My requirement is when user logged in with sso I want to restrict them to access some particular jsp pages. Please give me some suggestion how to implement it and how I can send xacml request.
thank you
[1] is a comprehensive blog written by Asela Pathberiya on XACML and how you can leverage XACML on the wso2 identity server. Please read the blog to clarify different use cases you might have and how you can achieve them using wso2 identity server.
Basically, WSO2 uses Balana - XACML implementation on top of Sun XACML which supports XACML 3.0 specification.
You can use WSO2 Identity Server as a XACML policy decision point (PDP) quite easily. You can leverage the SOAP client or the thrift client to send XACML request to WSO2 Identity Server Entitlement Service and receive the decisions. There are samples that suit you exact use case at [2]
So basically you can do the following to achieve what you want to do,
Configure XACML policies in WSO2 Identity Service using policy editor
Call the Entitlement Service via SOAP or thrift from you app to get the entitlement decisions [3].
[1] http://xacmlinfo.org/category/xacml/
[2] https://github.com/wso2/balana/tree/master/modules/balana-samples
[3] https://github.com/wso2/carbon-identity-framework/tree/master/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement
I am trying to use wso2 identification server as authorization center:
there are several system, they share same user information
I want them to utilize identification server to perform authentication and authorization
In current research, I have found the API which I can use to perform authentication, and also soap api to perform user/group/permission management soap api
But I could not find the api which I can use to perform authorization request? So far those code are written in AuthrozationMgrJDBCImpl, there is no soap API expose those API.
Is there anybody know such API?
Yes.. WSO2 Identity Server can be used as centralized authorization management. There are two approaches
Use XACML capabilities of the WSO2IS. This is the standard way. WSO2IS can act as XACML PDP. You can create policies for different appolications. PDP is exposed as web service API, Application can call this web service API to receive authorization decision based on the policies. You can see the WSDL by pointing to https://localhost:9443/services/EntitlementService?wsdl. You can find more details on XACML and WSO2IS from here.
Use "AuthorizationAdminService" services. This is a custom way that you have referred. WSO2IS stores permission data in its own database and manage it through JDBCAuthorizationManager. However it only supports for RBAC. (in XACML you can use ABAC). you can see the WSDL by pointing to https://localhost:9443/services/AuthorizationAdminService?wsdl.
Note : You can see the WSDL of this service. But it is not exposed by default. Please go through this OS question. Also "AuthorizationAdminService" service available only after WSO2IS 450 version.