Does WSO2 IS support 2 key pairs for the resident SAML identity provider - one for encryption and the other for signing? - wso2-identity-server

We have to federate our WSO2 Identity Server with an external (government) SAML IDP. Their new requirement from 2021 is to separate encryption keys from signing keys. Does WSO2 IS support it? Any advice?

You can configure separate keystores, one for data encryption and the other for message signing (e.g. SAML). Please find more details in [1].
[1] https://is.docs.wso2.com/en/5.11.0/administer/configuring-keystores-in-wso2-products/
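One thing to verify once the keystores are set up is that the SAML metadata actually advertises two different certificates, one under `use="signing"` and one under `use="encryption"`, since that is what the other side's requirement amounts to. The check below is an added example, not code from the page or from WSO2: it parses SAML 2.0 metadata (the resident IdP's own metadata, or the government IdP's) and compares the SHA-256 fingerprints of the certificates in each `KeyDescriptor`. The metadata documents are constructed inline and the certificate bodies are placeholder byte strings, not real X.509 certificates.

```python
"""Check that SAML 2.0 metadata advertises separate signing and encryption keys.

Added example (not from the page or from WSO2). Certificates in the sample
metadata are placeholder bytes, not real DER, so only the comparison logic
is demonstrated.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_metadata(descriptors: List[Tuple[Optional[str], bytes]]) -> str:
    """Build a minimal IdP metadata document (constructed sample).

    Each entry is (use, certificate_body); use=None omits the 'use'
    attribute, which in SAML metadata means the key serves both roles.
    """
    parts = []
    for use, body in descriptors:
        use_attr = f' use="{use}"' if use else ""
        cert_b64 = base64.b64encode(body).decode("ascii")
        parts.append(
            f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://idp.example/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        + "".join(parts)
        + "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed samples: distinct keys, the same key under both uses, and a
# single dual-purpose key with no 'use' attribute.
SEPARATE_KEYS = build_metadata([
    ("signing", b"signing-cert-placeholder"),
    ("encryption", b"encryption-cert-placeholder"),
])
SHARED_KEY = build_metadata([
    ("signing", b"shared-cert-placeholder"),
    ("encryption", b"shared-cert-placeholder"),
])
DUAL_USE_KEY = build_metadata([(None, b"dual-use-cert-placeholder")])


def key_fingerprints(metadata_xml: str) -> Dict[str, Set[str]]:
    """Map each KeyDescriptor use ('signing', 'encryption', or 'any' when the
    attribute is absent) to the SHA-256 fingerprints of its certificates."""
    root = ET.fromstring(metadata_xml)
    result: Dict[str, Set[str]] = {"signing": set(), "encryption": set(), "any": set()}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use", "any")
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            # Metadata often wraps the base64 body; strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            result.setdefault(use, set()).add(hashlib.sha256(der).hexdigest())
    return result


def uses_separate_keys(metadata_xml: str) -> bool:
    """True only if a signing and an encryption certificate are both advertised
    and no certificate appears in both sets. A KeyDescriptor without a 'use'
    attribute is a dual-purpose key and fails the check."""
    fps = key_fingerprints(metadata_xml)
    if fps["any"]:
        return False
    if not fps["signing"] or not fps["encryption"]:
        return False
    return fps["signing"].isdisjoint(fps["encryption"])


if __name__ == "__main__":
    for label, doc in (("separate", SEPARATE_KEYS), ("shared", SHARED_KEY), ("dual-use", DUAL_USE_KEY)):
        print(f"{label}: separate keys = {uses_separate_keys(doc)}")
```

Run it against real metadata by passing the downloaded document to `uses_separate_keys`; a `False` result with a non-empty `any` set means the IdP still publishes one key for both purposes.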

Related

Can WSO2 use two identity providers acting as one?

I have an instance of WSO2 using CAS and SAML. They are both working and pull from the same identity source, Active Directory. I have multiple service providers, some use CAS and some use SAML. There is one thing stopping this from being a true SSO system. CAS and SAML don't work together.
If someone logs in with CAS, they have access to all CAS service providers (until timeout anyway). If they log in to a SAML service provider, they have access to all SAML service providers (< timeout). They do not have access to the other identity providers. If you log in with CAS, you have to log in again with a SAML identity provider, and the reverse.
Is there a way to log in with one and be authorized for both?
Let me echo your question again, just to verify whether I got it correctly.
You have a WSO2 Identity Server instance. There are multiple service providers (for your applications) configured. Some of them use SAML to authenticate. The rest use CAS.
If the above is correct, true SSO should already be supported in WSO2 Identity Server. They were lacking the feature for SLO though, but I believe the latest versions do have it.
What is the version you are using?

Authorizing user using saml response from Single Sign On in APIM Publisher

I have successfully integrated an external IDP (Keycloak) with the Publisher to do SAML-based single sign-on. After authentication, it says the user is not authorized. From the investigations, for authorization:
- The user DB needs to be shared with the external IDP - this is not possible for my use case.
- Sending user roles via the SAML response - is it possible? If so, what are the claims that need to be sent and the related configurations?
- Pointing the Identity Server for authorization - how to do it? Also, I don't want to integrate the IS server.
I want answers for the above unknown concerns.
"It says user is not authorized"
Which version are you using?
Is there anything preventing the authorization, such as required scopes?
"User DB needs to be shared with external IDP - this is not possible for my use case"
Usually you need a userstore to manage users and roles; in the case of SAML I believe that is not needed. However, you can set up a JDBC userstore and inbound user provisioning (all logged-in users will be stored in the database with their attributes and roles).
"Sending user roles via SAML response - is it possible? If so, what are the claims that need to be sent and the related configurations?"
I believe WSO2AM 2.1.0 (other versions I don't know) does not read roles directly from the SAML response (there is an environment property where you could enable that; I cannot find it right now, so just search a little).
However, together with the inbound provisioning it should work (the roles should be stored and updated in the database on each login).
"Pointing the Identity Server for authorization - how to do it?"
What do you mean by that? You could set up a WSO2IS as KM (key manager) where you could do additional authorization (I am still not sure what you are asking here).
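The part of this thread that is concrete enough to show in code is the second point: roles arriving as an attribute of the SAML assertion. The following is an added example, not code from the page, WSO2 or Keycloak. It parses a SAML 2.0 Response, refuses to derive authorization from an Assertion that carries no `ds:Signature` element at all (a structural check only; cryptographic verification of that signature is the job of the SP's SAML library and is not done here), and collects the values of the role attribute. The attribute name `http://wso2.org/claims/role`, the sample role values and the Response document itself are assumptions constructed for the example; the claim name actually used must match what the IdP and the SP agree on.

```python
"""Extract role values from a SAML 2.0 Response's AttributeStatement.

Added example (not from the page, WSO2 or Keycloak). The Response is
constructed; its Signature element is a placeholder used only to show the
presence check and is NOT verified cryptographically here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLE_ATTRIBUTE = "http://wso2.org/claims/role"  # assumed claim name


def build_response(roles: Iterable[str], signed: bool = True,
                   attribute_name: str = ROLE_ATTRIBUTE) -> str:
    """Build a minimal Response with one Assertion (constructed sample)."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    # Placeholder signature: demonstrates the structural check only.
    signature = (
        "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
        if signed else ""
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example/saml</saml:Issuer>"
        f"{signature}"
        "<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{attribute_name}">{values}</saml:Attribute>'
        '<saml:Attribute Name="http://wso2.org/claims/emailaddress">'
        "<saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def assertion_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Collect every Attribute of the first Assertion as name -> values.

    Raises ValueError when the Response has no Assertion or the Assertion
    has no Signature element: unsigned attributes must not drive
    authorization decisions.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is unsigned; refusing to read attributes")
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def roles_from_response(response_xml: str,
                        attribute_name: str = ROLE_ATTRIBUTE) -> List[str]:
    """Return the role values carried under attribute_name (empty if absent)."""
    return assertion_attributes(response_xml).get(attribute_name, [])


if __name__ == "__main__":
    # Sample role names are constructed for the example.
    doc = build_response(["Internal/publisher", "Internal/creator"])
    print(roles_from_response(doc))
```

In a real deployment the signature check is done by the SP's SAML stack before the attributes are read; the structural check here only marks the point in the flow where an unsigned assertion has to be rejected.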

confused in concept of identity provider and outbound authentication in wso2 identity server

I am a newbie to WSO2 Identity Server 5.0 Service Pack 1.
I've been so confused lately: what is the difference between an identity provider and outbound authentication?
How can I use each of them?
If I define custom user store authentication, when must custom authentication in the authentication endpoint be used? What is the difference and usage of each of them?
Identity providers provide identity for users to interact with a system. As an example, here in WSO2 Identity Server we can configure Facebook as an Identity Provider (IDP). By doing this we can allow users to be logged into Service Providers using Facebook credentials. You can follow the blog in [1] to test WSO2 IS with the Facebook IDP. Other than Facebook, we can use Google, Live, Yahoo, etc. as IDPs with IS.
[1] http://prasadtissera.blogspot.com/2014/04/login-with-facebook-for-wso2-identity.html
Thanks

WSO2 Identity / Setup of Federated Authentication using SAML

The basic topology is like this:
WSO2 IS as my service provider and takes care of authorization via XACML, our existing internal IdP takes care of corporate authentication (SAML, Oauth2).
I'd like to receive guidance on best practice for how to configure an outbound federation using WSO2 IS as a proxy for the SAML protocol. Is it correct to separate the user ID domain by creating a so-called "tenant" in order to route the SAML requests through an outgoing STS connection to an external primary IdP? Is this configured under Identity Provider - add Identity Provider - Federated Authenticators - WS Federation Passive Configuration?
Domains and Tenants?
As an example, I would like to configure an account like this. ID = falb#red.com, where the federated lookup will forward my request to the IdP responsible for the domain "#red.com". Is there any discovery, or smart routing mechanism available that is able to identify the "red.com" domain, without need of creating a tenant?
XACML Access?
In a more advanced scenario, once we have a federation between the WSO2 server and an external IDP, is a service provider (a web application server) able to dispatch a PEP request by attaching a SAML token, without the use of preceding entitlement routines, like the passage of login and password? Is there an entitlement routine in place that accepts SAML tokens at the PDP side and validates them through the SSO federation mechanism?
Thanks in advance for your guidance.
Regards
Claude

What is the difference between identity provider and resident identity provider in WSO2 IS

I cannot understand the difference between identity provider and resident identity provider.
The following blog (http://blog.facilelogin.com/2014/10/wso2-identity-server-500-resident.html) says that "If you are a service provider and wants to send an authentication request or a provisioning request to the Identity Server
(say, via SAML, OpenID, OpenID Connect, SCIM, WS-Trust) - what matters for you is the resident identity provider configuration.".
An Identity Provider provides Federated Authenticators, which have OpenID, SAML, Facebook, etc. configuration.
But the resident identity provider also provides Inbound Authentication Configuration, which provides OpenID, SAML2, OAuth and WS-Trust configuration.
Of course, I know that the resident identity provider's Inbound Authenticator just provides metadata (a simple URL and so on). But the identity provider's Federated Authenticator has many options.
Because the same configuration exists, reading only the WSO2 IS documentation or blog, I don't know the need for the resident identity provider.
I want to know the difference and an actual example.
I guess it would be simple, same as the Resident Service Provider. WSO2IS also acts as an Identity Provider, basically as a SAML2 SSO IDP, OpenID, OAuth2 Authorization Server and so on. Then the configurations related to them can be found at Resident Identity Provider. As an example, if you take WSO2IS as a SAML2 SSO IDP, think about the configurations that are related to the SAML2 SSO IDP. One thing is the IDP URL, issuer name, etc. There must be some place where we can configure those. Resident Identity Provider provides some UI configuration for it. However, the Resident Identity Provider configuration does not contain all the configurations that are needed, but it provides some important/few configs. If you need to find more configurations related to the SAML2 IDP, you can find them in the identity.xml configuration file. The identity.xml file contains all the configuration related to the Identity Provider.