WSO2 - IS - Synchronize Users from WSO2 to a Service Provider - wso2-identity-server

I want to create a user in WSO2 Identity Server (version 5.8) and then populate it into my Service Providers automatically.
At this moment, after user registration in my WSO2, I need to register the same user manually in each Service Provider (in my case, the SP is the M-Files tool, which provides a way to create users described here).
I am not sure if WSO2 offers an automatic way to do this. I read the following documentation:
Inbound provisioning: This approach is used for the opposite goal: create a user in a Service Provider and, with the SCIM API, create it in my WSO2.
Outbound provisioning: This approach is very close to what I want, but it requires relating the Service Provider to an Identity Provider (which must implement SCIM), and I don't want to use my Service Provider as an Identity Provider.
User store: I think it is not what I'm looking for. I think WSO2 queries the external user store to check whether the user who attempts to log in is valid or not. I don't want my Service Provider to act like an Identity Provider.
Thanks

Outbound provisioning: This approach is very close to what I want, but it requires relating the Service Provider to an Identity Provider (which must implement SCIM), and I don't want to use my Service Provider as an Identity Provider.
This is the approach you should be using. You don't have to use it as an Identity Provider. Just register it as an Identity Provider so that WSO2 can provision users to M-Files.
Regarding provisioning to M-Files, WSO2 supports the standard SCIM2 REST APIs for user management. But if M-Files doesn't support them (I couldn't find any reference), you might have to find the API format that M-Files supports and then write a simple Java extension (custom outbound provisioning connector) for WSO2 Identity Server, so that it can provision users to M-Files in the way it prefers.
Documentation for customization
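If the Service Provider cannot speak SCIM itself, one alternative to a Java connector is to put a small SCIM 2.0 endpoint in front of it and let the standard SCIM2 outbound provisioning connector push users there. The following is an added example (not WSO2 or M-Files code) of the receiving side of that exchange: it validates the `POST /Users` body that a SCIM2 connector sends, enforces `userName` uniqueness with the RFC 7644 `409`/`uniqueness` error, never echoes the write-only `password` attribute back, and returns a proper resource with `id` and `meta`. The in-memory store and the sample payload are constructed for illustration; a real shim would call the SP's own user-creation API where the store's dictionary insert happens.

```python
"""Minimal SCIM 2.0 /Users create handler (RFC 7643/7644) that a Service Provider
without native SCIM support could expose so that WSO2 IS outbound provisioning can
push users to it.  Example code, not WSO2 or M-Files code; the in-memory store and
the sample payload are constructed for illustration."""
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _error(status, scim_type, detail):
    """SCIM error response body (RFC 7644 section 3.12)."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status),
            "scimType": scim_type, "detail": detail}


class ScimUserStore:
    """Holds provisioned users keyed by SCIM id; userName is unique (case-insensitive)."""

    def __init__(self):
        self._users = {}

    def _find_by_username(self, user_name):
        for user in self._users.values():
            if user["userName"].lower() == user_name.lower():
                return user
        return None

    def create_user(self, body):
        """Handle POST /Users. Returns (http_status, response_dict)."""
        try:
            req = json.loads(body)
        except ValueError:
            return 400, _error(400, "invalidSyntax", "request body is not valid JSON")
        if not isinstance(req, dict) or USER_SCHEMA not in req.get("schemas", []):
            return 400, _error(400, "invalidValue", "missing core User schema")
        user_name = req.get("userName")
        if not isinstance(user_name, str) or not user_name.strip():
            return 400, _error(400, "invalidValue", "userName is required")
        if self._find_by_username(user_name):
            # Duplicate on a unique attribute -> 409 with scimType "uniqueness".
            return 409, _error(409, "uniqueness", "userName already exists")
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),            # server-assigned, immutable
            "userName": user_name,
            "name": req.get("name", {}),
            "emails": req.get("emails", []),
            "active": bool(req.get("active", True)),
            "meta": {"resourceType": "User", "created": now, "lastModified": now},
        }
        # "password" is write-only (RFC 7643 section 7): accepted, never returned.
        self._users[user["id"]] = user      # a real shim would call the SP's API here
        return 201, user


# Constructed sample: the kind of body a SCIM2 outbound connector would POST.
SAMPLE_CREATE = json.dumps({
    "schemas": [USER_SCHEMA],
    "userName": "alice",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    "password": "not-to-be-stored-here",
})

if __name__ == "__main__":
    store = ScimUserStore()
    print(store.create_user(SAMPLE_CREATE))   # 201 with id/meta, no password
    print(store.create_user(SAMPLE_CREATE))   # 409 uniqueness on the second call
```

Wire `create_user` to the `POST /Users` route of whatever HTTP framework you use, put it behind TLS and a bearer token that you configure on the WSO2 side as the connector's credential, and the connector's retry behaviour then works against it because the status codes follow the SCIM specification.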

Related

Is there any OpenID Connect Identity Provider that can delegate authentication to other OpenID Connect IdPs?

I'm facing the following scenario:
There are several companies, each one with its own OpenID Connect Identity Provider (IdP) which federates users from its respective LDAP server. These providers are used to perform SSO in the context of each company.
There's a requirement to create an application that offers a common login for all the users of those companies.
The idea is to provision or use an existing cloud solution (AWS Cognito, Google Cloud Identity, etc., ...) that offers a shared login screen but delegates/federates the actual login to each of the company IdPs.
Are there any solutions that allow this?
Could you point at any documentation/guide to implement it?
This is just standard OAuth and OpenID Connect behaviour, with these 3 roles:
Application, uses OIDC to redirect to ...
An Authorization Server, which you own, and which redirects to ...
An Identity Provider
So you need a standards based authorization server and to configure your app as an OAuth Client. Then include the openid scope so that OpenID Connect is used. SAML based identity providers can also be supported in this flow, even though your app only uses OIDC.
The way to manage this with the best usability is for the authorization server to present a username authenticator, which captures a user identifier first, such as an email. It then runs some custom logic, such as a user lookup, to determine which IDP to route the user to. The user then authenticates at the IDP.
After authentication, the IDP issues tokens to the authorization server, which validates them, then issues its own tokens to the application. In particular the app gets an access token whose scopes and claims you can control. Your app can then send these to your APIs, which can authorize access to business data correctly.
Aim for behaviour similar to that above, or adjust it based on your preferences. Then trial it, e.g. with a cloud or Docker based authorization server, and ensure that you select one with sufficient extensibility to meet your requirements.
Note also that Stack Overflow answers should not recommend particular vendors, so I have not done so.
There is a solution called cloudpods using which you can manage both on-prem and public cloud resources. Cloudpods supports integration with multiple cloud providers like AWS, GCP, Azure, Alibaba, etc.
Is there any OpenID Connect Identity Provider that can delegate authentication to other OpenID Connect IdPs?
Yes. https://github.com/apereo/cas is one. You can set it up as an OIDC identity provider and have it then delegate to as many OIDC Identity providers as you want.

Finding the correct SAML Identity provider to authenticate a user

I am trying to configure Google Cloud Identity Platform to use multiple SAML identity providers. Still, I'm stuck at the point of selecting the right IdP for every person attempting to log in.
I have read about SAML v2 IDP Discovery Service but I don't really understand how it works since I am a novice in SAML.
So does it have to be a programmatic solution or does GCIP have something that I can configure to automatically select the right IdP for each user?
If it has to be a programmatic solution can someone point me to a good explanation of SAML v2 IDP Discovery Service?
Yes, you can set up Google Cloud Identity Platform (GCIP) to automatically select the appropriate identity provider (IdP) for each user. A protocol known as SAML v2 IDP Discovery Service enables users to select their IdP from a drop-down menu. Its purpose is to make it unnecessary for users to remember which IdP they should use.
You will need to configure the service in your GCIP project in order to put this into action. Each provider's metadata and any additional parameters that the IdP may require must be provided to the IdP. The user will be able to select their IdP from a drop-down menu on their login page following the completion of the configuration. The official Google documentation provides additional details on how to use SAML v2 IDP Discovery Service.
Refer to this how to enable multi-tenancy for Identity Platform and Creating a sign-in page for multiple tenants
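The "capture a user identifier first, then decide which IdP to route to" step described in the brokering answer above, and the per-user IdP selection asked about here, both come down to the same home-realm discovery logic. The following is an added example (not any vendor's implementation, and not part of the original answers) of that logic in Python: the user's e-mail domain is normalised and looked up in a realm table, unknown domains fail closed rather than falling back to a default IdP, and for an OIDC realm the broker builds the front-channel authorization request with `state`, `nonce` and PKCE (S256) so the callback can be bound to this login attempt. The realm table, hostnames and client IDs are constructed; a SAML realm is returned as a target for the SAML flow rather than an OIDC redirect.

```python
"""Home-realm discovery for a brokering authorization server: pick the IdP from
the user's e-mail domain, then build the OIDC authorization request (with PKCE,
state and nonce) that sends the browser to that IdP.  Example code, not any
vendor's implementation; the realm table and hostnames below are constructed."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed realm table: e-mail domain -> IdP configuration (one OIDC, one SAML).
IDPS = {
    "acme.example": {"type": "oidc", "issuer": "https://login.acme.example",
                     "authorization_endpoint": "https://login.acme.example/oauth2/authorize",
                     "client_id": "broker-acme"},
    "globex.example": {"type": "saml", "entity_id": "https://idp.globex.example/saml",
                       "sso_url": "https://idp.globex.example/saml/sso"},
}


def select_idp(user_identifier):
    """Return (domain, idp_config) for an e-mail style identifier, or None if unknown.
    The domain is normalised first so 'Alice@ACME.example.' still routes correctly."""
    if "@" not in user_identifier:
        return None
    domain = user_identifier.rsplit("@", 1)[1].strip().lower().rstrip(".")
    cfg = IDPS.get(domain)
    return (domain, cfg) if cfg else None


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_oidc_request(idp, redirect_uri, login_hint=None):
    """Build the authorization URL for an OIDC IdP (RFC 6749 code flow, OIDC Core
    nonce, RFC 7636 PKCE S256).  Returns (url, session) where session must be kept
    server-side and checked when the IdP redirects back with the code."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = _b64url(secrets.token_bytes(16))
    nonce = _b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": idp["client_id"],
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint   # lets the IdP pre-fill the identifier
    url = idp["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier,
                 "issuer": idp["issuer"]}


def authorization_params(url):
    """Parse the query of an authorization URL back into a flat dict (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def route_login(user_identifier, redirect_uri):
    """The 'username first' step: returns an OIDC redirect, a SAML target, or an error."""
    hit = select_idp(user_identifier)
    if hit is None:
        # Fail closed: never fall back to a default IdP for an unknown domain.
        return {"error": "unknown_realm"}
    domain, idp = hit
    if idp["type"] == "oidc":
        url, session = build_oidc_request(idp, redirect_uri, login_hint=user_identifier)
        return {"protocol": "oidc", "realm": domain, "redirect": url, "session": session}
    return {"protocol": "saml", "realm": domain,
            "entity_id": idp["entity_id"], "sso_url": idp["sso_url"]}


if __name__ == "__main__":
    print(route_login("alice@ACME.example", "https://broker.example/callback"))
    print(route_login("bob@globex.example", "https://broker.example/callback"))
    print(route_login("eve@unknown.example", "https://broker.example/callback"))
```

On the callback the broker compares the returned `state` with `session["state"]`, sends `session["code_verifier"]` to the token endpoint, and checks that the ID token's `iss` equals `session["issuer"]` and its `nonce` equals `session["nonce"]` before minting its own tokens for the application.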

Can I connect my own credentials database with Google Identity Platform to build custom Identity Provider for SSO - OpenID Connect authentication?

I have my own SQL Server database which contains usernames/passwords for authentication. I'd like to build a custom Identity Provider based on this database with an Identity Management provider, so that other applications can be registered and their users can be authenticated with OIDC.
I researched some tutorials and they say that some Identity Management providers, such as OneLogin and Okta, can integrate with our own credentials database. But for Google Identity Platform, I cannot find any links showing how to do such a thing so far.
Could you please tell me if it is possible to integrate our own database with Google Identity Platform? Are there any resource links mentioning this? If it is impossible, are there any alternatives for integrating the database with a cloud platform (e.g. Azure or AWS), or do we have to build our own Identity Provider from scratch?
Thank you.
You can use Cloud Identity Platform. You can define an external identity provider and even a custom identity provider.
However, this solution implies that your own SQL database is behind an OIDC-compliant Identity Provider.
In addition, you will be able to authenticate your users to access your application. You can't use this authentication to interact directly with Google Cloud APIs, only with YOUR application.
You can use the Identity Platform Admin SDK to manage Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC) provider configurations programmatically. You can explore the details of OpenID Connect here.
I would also suggest you explore the best practices and guidance that help you set up federation consistently and securely. The guidance builds on the best practices for using Cloud Identity or G Suite with Google Cloud.
You might be interested in Connecting to Cloud SQL from external applications running outside of Google Cloud.
Use Keycloak to expose your existing database as an OpenID Connect (OIDC) identity provider.
Then you can tell Google Identity Platform to use your new identity provider as a federated provider, as the other answers are telling you.
To do that, you need some code. You need to help Keycloak translate common user patterns like get a user, list users, check password, get groups, roles etc. into your database. This is done by implementing a StorageProvider with the capabilities (user lookup, password update, user creation etc.) you need.
There is a JDBC provider ready, where you only provide the correct queries. Check the Keycloak documentation. You only need to implement the ones you need (e.g. don't implement user creation through Keycloak if you don't need to create users through the Keycloak admin interface; don't implement password change if your users manage their passwords via your existing infrastructure; and so on). For this use case (Google authentication) user lookup and password validation are enough.
Okta will not help you here, but that was possible directly with Auth0 (custom database connector).
So you either implement your own OIDC (OpenID Connect) provider with Keycloak or look for a cloud identity solution capable of a custom database connection and then expose it to Google.
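The answer above says that, for this use case, user lookup and password validation are the only two capabilities the storage layer must provide. The following is an added example (not Keycloak's own User Storage SPI, which is Java, and not part of the original answer) showing those two operations against an existing credentials table, using an in-memory SQLite table as a stand-in for the SQL Server database: a parameterised lookup by username, PBKDF2-HMAC-SHA256 verification with a constant-time comparison, a dummy hash computation for unknown users so that lookups do not leak which usernames exist through timing, and fail-closed handling of disabled accounts and of hash formats the verifier does not recognise. The table layout, the `pbkdf2_sha256$iter$salt$hash` storage format and the sample users are constructed assumptions; adapt the query and the verifier to whatever the existing application actually stores.

```python
"""What the user-storage layer must provide when an existing SQL credentials table
is put behind an OIDC provider such as Keycloak: look a user up by username and
validate a password against the stored hash.  Example code, not Keycloak's SPI
(which is Java); the SQLite table, hash format and users are constructed."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000   # assumption: the existing app stores PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Produce 'pbkdf2_sha256$<iter>$<salt hex>$<hash hex>' (assumed storage format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


class SqlUserStore:
    """Mirrors the two capabilities a federated login needs: lookup + credential check."""

    def __init__(self, conn):
        self.conn = conn

    def get_user_by_username(self, username):
        # Parameterised query: the username comes straight from the login form.
        row = self.conn.execute(
            "SELECT id, username, email, password_hash, enabled FROM users "
            "WHERE username = ? COLLATE NOCASE", (username,)).fetchone()
        if row is None:
            return None
        return {"id": row[0], "username": row[1], "email": row[2],
                "password_hash": row[3], "enabled": bool(row[4])}

    def validate_password(self, username, password):
        user = self.get_user_by_username(username)
        if user is None or not user["enabled"]:
            # Burn a hash anyway so unknown/disabled users cost the same time.
            hash_password(password, b"\0" * 16)
            return False
        try:
            algo, iters, salt_hex, hash_hex = user["password_hash"].split("$")
            if algo != "pbkdf2_sha256":
                return False   # unrecognised legacy format: fail closed, do not guess
            expected = bytes.fromhex(hash_hex)
            salt = bytes.fromhex(salt_hex)
            iters = int(iters)
        except ValueError:
            return False       # malformed record
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
        return hmac.compare_digest(actual, expected)   # constant-time comparison


def build_demo_store():
    """Constructed in-memory replacement for the existing SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "email TEXT, password_hash TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", hash_password("correct horse"), 1),
        (2, "bob",   "bob@example.com",   hash_password("battery staple"), 0),  # disabled
        (3, "carol", "carol@example.com", "md5$legacy$deadbeef", 1),           # unsupported
    ])
    return SqlUserStore(conn)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.validate_password("alice", "correct horse"))   # True
    print(store.validate_password("Alice", "wrong"))           # False
    print(store.validate_password("bob", "battery staple"))    # False (disabled)
```

In a Keycloak User Storage Provider these two methods correspond to the user lookup and the credential-validation hooks; everything else (user creation, password change) can be left unimplemented, as the answer suggests, as long as the provider reports that it does not support those operations.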

WSO2 API Manager vs Identity Server

Can someone please clarify when to use API Manager and when to use Identity Server. I see that API Manager comes with Key Manager. Isn't that sufficient. I am really confused. Any help would be helpful.
Many thanks....
I hope this explanation will help you out.
WSO2 Identity Server
WSO2 Identity Server is a fully fledged Identity Management solution which supports Authentication, Authorization, Single Sign-On and Identity Federation, to name a few capabilities. WSO2 Identity Server supports almost all major identity protocols such as SAML, OAuth2, OpenID Connect etc. Take a look at this page to get an idea about the capabilities of WSO2 Identity Server.
WSO2 API Manager
WSO2 API Manager, on the other hand, focuses on managing your APIs. Managing the life cycle of your APIs, authorization, throttling and applying policies to API consumers are some of the functionalities handled by API Manager. API Manager has several components such as publisher, store, gateway, key manager and traffic manager that clearly separate the different aspects of API Management.
So the Key Manager component is responsible for managing OAuth applications and generating, validating and revoking OAuth2 tokens. API Manager has an inbuilt Key Manager component to handle these functionalities.
API Manager also offers the flexibility to use an external key manager instead of its inbuilt one, should you require it. This external key manager needs to conform to an interface specified by API Manager. By default, API Manager has an implementation of this interface that allows WSO2 Identity Server to be used as an external key manager.
So whether or not you want to use Identity Server or any other external key manager is totally dependent on your use case and the API traffic.
You can use WSO2 Identity Server for all the authentication/authorization stuff:
XACML architecture solution.
SSO with other webapps or WSO2 tools.
Implement an OAuth2 authorization mechanism.
Federated authentication.
etc....
You can use WSO2 API Manager to expose unsecured RESTful APIs or web services as secure APIs using OAuth, with monitoring and billing functionalities.
The key manager functionality properly decouples the operations for creating OAuth applications and validating access tokens, so that you can even plug in a third-party authorization server for key validations.
In a DEV environment you can work with WSO2 API Manager without the WSO2 Identity Server at all.
In a production environment it's recommended to use a separate WSO2 API Manager as the Key Manager or to use the WSO2 Identity Server as the Key Manager.
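The decoupling described in the answers above, where the gateway validates access tokens against a separate key manager, is what OAuth 2.0 token introspection (RFC 7662) standardises. The following is an added example (not WSO2's key-manager interface or code, and not part of the original answers) of both sides of that exchange in Python: a constructed key-manager `introspect` function that answers only `{"active": false}` for unknown or revoked tokens so that callers cannot probe token metadata, and a gateway that extracts the bearer token, asks the key manager, fails closed if the key manager is unreachable, and then enforces expiry and the scope required by the API locally. The token table and the `orders:*` scopes are constructed; `tok-expired` is deliberately reported as active by the key manager to show why the gateway checks `exp` itself as defence in depth against clock skew or a misbehaving server.

```python
"""How an API gateway can validate an access token against an external key manager
(authorization server) through OAuth 2.0 token introspection (RFC 7662).
Example code, not WSO2's key-manager interface; the token table and the
introspection responses are constructed."""
import time

# Constructed key-manager side: what the authorization server knows about tokens.
KEY_MANAGER_TOKENS = {
    "tok-good":    {"active": True, "client_id": "orders-app", "sub": "alice",
                    "scope": "orders:read orders:write", "exp": int(time.time()) + 3600},
    # Still marked active but already past exp: the gateway must catch this itself.
    "tok-expired": {"active": True, "client_id": "orders-app", "sub": "bob",
                    "scope": "orders:read", "exp": int(time.time()) - 60},
    "tok-revoked": {"active": False},
}


def introspect(token):
    """Key manager's /introspect endpoint (RFC 7662 section 2.2).  Unknown, revoked
    or inactive tokens get {"active": false} and nothing else, so callers cannot
    learn anything about tokens they do not legitimately hold."""
    info = KEY_MANAGER_TOKENS.get(token)
    if not info or not info.get("active"):
        return {"active": False}
    return dict(info)


class Gateway:
    """Gateway side: authorizes a request by asking the key manager, then enforcing
    expiry and scope locally.  introspect_fn is injected so a real HTTP client to an
    external key manager can replace the constructed table."""

    def __init__(self, introspect_fn, clock=time.time):
        self.introspect_fn = introspect_fn
        self.clock = clock

    def authorize(self, authorization_header, required_scope):
        """Return (allowed, reason_or_subject)."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return False, "missing_bearer_token"
        token = authorization_header[len("Bearer "):].strip()
        if not token:
            return False, "missing_bearer_token"
        try:
            info = self.introspect_fn(token)
        except Exception:
            return False, "key_manager_unreachable"   # fail closed, never fail open
        if not info.get("active"):
            return False, "token_inactive"
        if "exp" in info and info["exp"] <= self.clock():
            return False, "token_expired"            # defence in depth on expiry
        granted = set(info.get("scope", "").split())
        if required_scope not in granted:
            return False, "insufficient_scope"
        return True, info.get("sub", "")


if __name__ == "__main__":
    gw = Gateway(introspect)
    print(gw.authorize("Bearer tok-good", "orders:write"))    # (True, 'alice')
    print(gw.authorize("Bearer tok-good", "orders:admin"))    # (False, 'insufficient_scope')
    print(gw.authorize("Bearer tok-expired", "orders:read"))  # (False, 'token_expired')
    print(gw.authorize("Bearer tok-revoked", "orders:read"))  # (False, 'token_inactive')
```

With a real external key manager, `introspect_fn` becomes an authenticated HTTPS POST to its introspection endpoint; keep the short timeout and the fail-closed branch, and cache positive results only for less time than the token's remaining lifetime so that revocation is still honoured promptly.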

How to test WSO2 Identity Server federated Authentication

I've made a new Identity Provider and set up its SAML2 authentication to our Shibboleth IdP. How do I "log in" using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications, your applications can be connected with Identity Server as service providers. Then you can define your external IdPs as trusted IdPs. For each service provider, you can select multiple IdPs as outbound authenticators. There is a blog about that which uses Salesforce as a trusted IdP; you can go through it as well.
If what you want is to log in to IS using Shibboleth as the IdP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's no facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I set up API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally, by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part, but as best I can tell there isn't such a capability.
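When the only way to exercise the federated hop is the full chain, the part worth inspecting on its own is the redirect that the Identity Server sends to the external IdP. The following is an added example (not part of WSO2 IS, Shibboleth or the original answers) in Python that decodes the `SAMLRequest` parameter of a captured HTTP-Redirect-binding URL (URL-decoding, base64, raw DEFLATE) so you can check the Issuer, Destination and AssertionConsumerServiceURL against what the IdP expects, and that can also build an SP-initiated AuthnRequest to drive the IdP directly from a script. The entity IDs and URLs are constructed; the request is unsigned, so if the IdP is configured to require signed AuthnRequests it will reject a request built this way and you will need to add a signature.

```python
"""Inspect or reproduce the hop from WSO2 IS to the external SAML IdP: decode the
SAMLRequest of the HTTP-Redirect binding (URL-decode, base64, raw DEFLATE) and check
Issuer/Destination, or build an unsigned AuthnRequest to drive the IdP directly.
Example code, not part of WSO2 IS or Shibboleth; the entity IDs are constructed."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])


def build_authn_request(issuer, destination, acs_url):
    """Return (xml_string, request_id) for an SP-initiated AuthnRequest.  Built with
    ElementTree so attribute values are escaped rather than string-formatted."""
    request_id = "_" + uuid.uuid4().hex        # xs:ID must not start with a digit
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id, "Version": "2.0", "IssueInstant": issued,
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, "{%s}Issuer" % NS["saml"]).text = issuer
    ET.SubElement(root, "{%s}NameIDPolicy" % NS["samlp"], {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode"), request_id


def redirect_url(sso_url, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def decode_saml_request(url):
    """Pull SAMLRequest out of a captured redirect and return the fields to check."""
    query = parse_qs(urlsplit(url).query)      # parse_qs also URL-decodes the value
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(query["SAMLRequest"][0])
    try:
        xml = zlib.decompress(raw, -15).decode("utf-8")   # Redirect binding (deflated)
    except zlib.error:
        xml = raw.decode("utf-8")                         # POST-binding style, plain
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: " + root.tag)
    issuer = root.find("saml:Issuer", NS)
    return {"id": root.get("ID"),
            "issuer": issuer.text if issuer is not None else None,
            "destination": root.get("Destination"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "relay_state": query.get("RelayState", [None])[0]}


if __name__ == "__main__":
    sso = "https://idp.example/idp/profile/SAML2/Redirect/SSO"     # constructed
    xml, rid = build_authn_request("https://is.example/samlsso", sso,
                                   "https://is.example/commonauth")
    url = redirect_url(sso, xml, relay_state="debug-1")
    print(url)
    print(decode_saml_request(url))
```

To use it on the real chain, copy the `Location` header of the redirect the Identity Server issues (browser dev tools or `curl -i` with the session cookie) into `decode_saml_request`; a wrong `issuer` means the IdP will not find the SP metadata, and a wrong `acs` means the assertion will never reach the Identity Server's callback.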