WSO2 Identity Server 5.7.0 Role Management - wso2

I have a Service Provider with OpenID/OAuth2 like this picture:
I just want Role1 to be able to use the serviceProvider1, but Role2 cannot use the same service.

You can configure role-based adaptive authentication for Service Provider1 https://is.docs.wso2.com/en/5.9.0/learn/configuring-role-based-adaptive-authentication/ and allow only the users who have Role1 to access Service Provider1.

Related

Is it possible to use AWS Cognito to configure a SAML/OIDC relationship for SP or IDP initiated SSO with Cognito acting as the IDP?

Using Auth0 as an example of what I want to achieve, it is possible to create an Auth0 application and configure a SAML trust relationship to a service provider by downloading Auth0's Identity Provider Metadata from an Auth0 SAML2 Web App and supplying that to the service provider, and also uploading the Service Provider metadata to Auth0. Supplying some other configuration options such as the application callback URL to Auth0 then allows federation to be achieved into the test service provider via SP-initiated SSO.
I would like to understand if it is possible to build such a relationship with AWS Cognito using either SAML or OIDC, where Cognito would be acting as the Identity Provider. There seems to be a lot of documentation available providing instructions on how to use SAML to create a relationship to a third-party identity provider for a user pool, but I'm struggling to find any documentation or options within the console to configure SSO to a test service provider; for example, there is no reference to Cognito Identity Provider metadata. The assumption that I am making is that Cognito is a service only for authorisation with your own applications (such as user login) and does not support SSO into other services in the way that I describe, and that if you wanted to use Cognito as an Identity Provider then I would have to connect my user pools to a service such as Auth0 to then build out the SSO relationship. Am I correct in this assumption? And if not, please help me to understand where in the documentation/console I should be looking.
I'm also aware that AWS SSO exists and that I could potentially link a Cognito user pool to that; however, the user pool will be made up of clients, and my assumption is that AWS SSO serves specifically to support (internal/affiliate) employee access to AWS services and resources, and should not be used as a way to enable SSO to another service for customers.

WSO2 Identity Server 5.7.0 Service Provider: how to set a user role?

WSO2 Identity Server has service providers.
I have multiple service providers and multiple user roles.
I want:
Role1 to access and use Service Provider1.
Role2 to access and use Service Provider2.
Role3 to access and use Service Provider3.
How can I configure the service providers for role management and role access management?
I hope you want a specific user role to access the specific SP. In that case, you can use adaptive authentication [1]. In each Service Provider, you have to write an adaptive script to check whether the user has the specific roles or not. There is a sample template for the role-based authentication scenario [2].
[1] https://docs.wso2.com/display/IS570/Adaptive+Authentication
[2] https://docs.wso2.com/display/IS570/Configuring+Role-Based+Adaptive+Authentication
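The two answers above (allow only Role1 into Service Provider1 via role-based adaptive authentication) both come down to one script per Service Provider. The following is an added example, not code from either answer and not a WSO2 sample: the first part is a role-gating adaptive authentication script in the shape the Identity Server script engine expects (onLoginRequest, executeStep, hasRole, sendError and Log are engine-provided functions documented under the adaptive authentication references linked above; confirm your version exposes them). The second part is a constructed stand-in for that engine so the policy can be dry-run offline with Node before pasting the first part into the Service Provider's adaptive authentication editor. The role name "Role1" and the users rob and sam are assumptions.

```javascript
// Added example, not from the original answers and not WSO2's own sample.
// Part 1: the script to paste into the Service Provider's adaptive
// authentication editor. Only the engine-provided functions are used there.
// Assumption: "Role1" is the only role allowed to use Service Provider1.
var permittedRoles = ['Role1'];

var onLoginRequest = function (context) {
    // Step 1 is the normal login step (for example the basic authenticator).
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.currentKnownSubject;
            var permitted = false;
            for (var i = 0; i < permittedRoles.length; i++) {
                // hasRole(user, role) is supplied by the Identity Server engine
                if (hasRole(user, permittedRoles[i])) {
                    permitted = true;
                }
            }
            if (!permitted) {
                Log.info('Denied ' + user.username +
                         ' for Service Provider1: no permitted role');
                // sendError ends the flow on an error page; no token is issued
                sendError('', {
                    status: 'Unauthorized',
                    statusMsg: 'You are not authorised to access this application.'
                });
            }
            // When permitted, the flow simply completes after step 1.
        }
    });
};

// Part 2: constructed stand-in for the engine, used only for offline dry runs
// (do not paste this into Identity Server). It installs minimal versions of
// the engine functions the script calls, runs onLoginRequest for a
// constructed user object and returns the policy decision.
function dryRun(user) {
    var decision = 'allowed';
    globalThis.executeStep = function (stepId, handlers) {
        // The real engine runs the authenticator; here step 1 always succeeds.
        handlers.onSuccess({ currentKnownSubject: user });
    };
    globalThis.hasRole = function (subject, role) {
        return subject.roles.indexOf(role) !== -1;
    };
    globalThis.sendError = function (url, params) {
        // The real function redirects the browser; here we just record it.
        decision = 'denied';
    };
    globalThis.Log = { info: function () {} };
    onLoginRequest({});
    return decision;
}

// Constructed users: rob holds Role1, sam holds only Role2.
console.log('rob:', dryRun({ username: 'rob', roles: ['Role1'] }));  // allowed
console.log('sam:', dryRun({ username: 'sam', roles: ['Role2'] }));  // denied
```

For Service Provider2 the same script is reused with `permittedRoles = ['Role2']`, and so on; the check runs after the user has authenticated, so an unauthorised user sees the error page rather than receiving a token for that application. Any behaviour of the stand-in that differs from the real engine (step outcomes, redirects) is only in Part 2.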

WSO2 Identity Server 5.3.0 users and multi-tenancy configuration guidelines with OAuth2 if possible

Can anyone help me out with a guideline to configure a specific Service Provider for a specific tenant only, i.e. exclude all other tenants from accessing the specific Service Provider?
I tried creating a Service Provider using the guidelines from:
https://docs.wso2.com/display/IS530/Configuring+a+Service+Provider
By the way, I used OAuth2 with the Implicit flow.
Then I created multiple tenant domains like:
abc.com
xyz.com
I created rob under the abc.com tenant and sam under xyz.com.
When I use the URL (https://localhost:9443/oauth2/authorize?response_type=token&client_id=my_client_id_was_here&redirect_uri=my_redirect_uri_was_here) to log in, the login page showed up but I was ABLE to log in using both rob's and sam's credentials.
What I want to do is restrict access to my service provider to users of only one specific domain/tenant.
Thanks in advance
To restrict a service provider to a specific tenant, you have to create that service provider inside that tenant. So to create an SP inside "abc.com", log into that tenant using a tenant user (rob#abc.com) and create the service provider inside it.

Mapping roles in JIT Provisioning WSO2 IS

I'm using the Google Federated Authenticator as IDP and I have a problem with JIT provisioning.
After a successful login the account is created in the User Store which I chose, but the created user doesn't have the role that I set in the claim configuration.
Logs from Identity Server:
http://pastebin.com/7Rd7mrV2
How do I configure the IDP to set a role on accounts created with JIT?

WSO2 Identity Server - Restrict Inbound Authentication of service provider based on role permission

I have created a tenant 'A' in WSO2 IS and added my LDAP user store in it. In the tenant 'A', I have configured a 'test' service provider with OAuth2 as inbound authentication. As of now, I am successful in authenticating all the users in the store with the OAuth2 service provider configuration.
But I could not find any configuration to restrict users from authenticating against the service provider 'A'.
I have searched a lot but could not find documentation for it. Need help in sorting this issue.
Do we need to map our service provider role and local role somewhere?
This feature is not currently supported by WSO2 Identity Server. We will add this to future releases. User permissions are not checked for authentication; rather, the service provider's role is used for this purpose.
This could be achieved with the support of extension points, which totally depends on the use case and grant type.