WSO2 IS - Oauth SP + UserStore restriction - wso2

I have an OAuth2 service provider with password credentials in WSO2 IS and I need that just users from a userStore can get a token. I have tried using XACML policies with no success.
Is it possible to deny the OAuth token request per userStore?
Cheers.

In order to support userstore preference during the authentication flow, you can use the application-authentication extension explained here https://medium.com/#anuradha.15/how-to-configure-your-preferred-user-stores-to-authenticate-users-for-a-service-provider-in-wso2-cdadf43f9366. However, this feature is supported from WSO2-IS 5.9.0 onwards. Hope this will satisfy your requirement.

Related

configuration only auth in Wso2

I'm a new learner of WSO2.
WSO2 - OAuth, user management and my other services are available in Predix.
So I have used WSO2 Identity Server for OAuth and user management.
Problem:
1) How to integrate Predix (IdP)?
2) How to use these things via the REST API?
For your first question, I understood that you need to integrate the mentioned IdP as a federated Identity Provider in WSO2 Identity Server. Doc - https://docs.wso2.com/display/IS570/Configuring+Federated+Authentication guides the steps to configure federated authentication.
Currently, WSO2 IS doesn't have a built-in authenticator for Predix. But as Predix supports the OIDC flow, you should be able to use the WSO2 OIDC federated authenticator. Steps can be found here.
I haven't got the chance to test with Predix. But it needs to work.

How to implement OAuth2 authorization with WSO2 API Manager

I have created and published an API with WSO2 API Manager. API clients get access through OAuth2 and the client credentials grant, sending consumer key and consumer secret to request an access token. But now I need to implement authorization by means of the authorization code grant. I have to use the client_id and client_secret of WSO2 APIM and the user login form of my backend application, not a WSO2 APIM user.
Can anybody tell if it is possible and how it can be implemented?
The documentation of WSO2 does not describe this flow and all examples I have found describe the authorization process (OAuth2, authorization_code) only for users of WSO2 APIM.
> now I need to implement authorization by means of authorization code grant.
> I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.
If you want to use your own (application) authentication form, the simplest option is to leverage the password grant type, where your application sends the token request along with the application and user credentials through a backend service.
Using the code grant you are supposed to use the authorization endpoint https://gateway:8243/authorize with the parameters described in the documentation, and indeed the default login form is used when the user is not yet authenticated.
(I still have an urge to downvote the question for not searching the documentation.)
If you still want to use the code grant type with your own authentication form, you may either customize the default logon form of the WSO2 API gateway or customize an authenticator to use the form of your application (this is quite an advanced topic requiring your own implementation and is out of scope of the question/answer).
You have 2 options here without any customizations.
1) If your backend has a userstore, it can be configured as a secondary userstore for APIM. Then you can use any user in that userstore for authentication.
See https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores
2) If the above option is not possible, and if your backend IdP supports any federation SSO protocol such as SAML2 or OIDC, you can configure federation using WSO2 IS.
See https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation

confused in concept of identity provider and outbound authentication in wso2 identity server

I am a newbie to the WSO2 Identity Server 5.0 service pack one.
I've been so confused lately: what is the difference between an identity provider and outbound authentication?
How can I use each of them?
If I define a custom user store authentication, when must a custom authentication in the Authentication endpoint be used? What is the difference and usage of each of them?
Identity providers provide identity for users to interact with a system. As an example, here in WSO2 Identity Server we can configure Facebook as an Identity Provider (IdP). By doing this we can allow users to log into Service Providers using Facebook credentials. You can follow the blog in [1] to test WSO2 IS with the Facebook IdP. Other than Facebook we can use Google, Live, Yahoo, etc. as IdPs with IS.
[1] http://prasadtissera.blogspot.com/2014/04/login-with-facebook-for-wso2-identity.html
Thanks

Configuring Multi-factor authentication

In the Identity Server features I see "Multi-factor authentication" but I don't see how to configure it in the product! All I see is configuring local authentication with either login/password or IWA...
WSO2IS does not support multi-factor authentication by default. It has the capabilities to support it, because you can implement and plug in custom authenticators for WSO2IS. However, there is no multi-factor authenticator shipped with it. But there is a plan to ship a FIDO authenticator with the next WSO2IS release. Git from here. However, WSO2IS can easily support multi-step authentication. It means that you can configure authentication of the user from multiple IdPs as multiple steps (authenticate with FB and Google both).
To have multi-factor authentication, add multiple identity providers to a single service provider. An example of this is detailed here. In that example, Asela shows how to set multiple federated providers as a choice, but they can be employed sequentially by adding additional 'authentication steps'.

WSO2 Identity server - Restricting access to SSO service

My understanding of SAML and WSO2 is very basic, so sorry in advance. I'm wondering if access to an SSO service can be restricted to a subset of users?
Yes, you can restrict access to a SAML SSO Service Provider to a subset of users. This is an authorization requirement indeed. When the service provider redirects the user to the Identity Provider (in this case the WSO2 Identity Server), the service provider can request claims about the user from the Identity Server (claims such as Role, Email, Age, Country etc.). Then, after successful authentication of the user at the Identity Provider, the Identity Provider will send those claim values to the SSO Service Provider along with the SAML Response message. The SSO Service Provider can read these claims and decide whether it should let the user access the service or not (for example, by looking at the Role claim: if the user has a particular role then the SSO Service Provider allows the user, if not it refuses).
I think that according to the SAML specification, the Identity Provider can return an error state. It has an element in the SAMLResponse dedicated to this -> Status. But WSO2 Identity Server (up to 5.0.0), as far as I know, doesn't automatically support this behavior. One should change WSO2 authorization code to achieve this behavior...
Source:
SAML 2.0 Overview - line 1131, chapter: 3.2.2.2 Element
    <samlp:Response ...>
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion ...
Instead of Success IdP can return:
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
or similar... see:
SAML2.0 handling SSO error
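An added example, not code from either answer above, of the Service-Provider-side check the first answer describes together with the Status handling the second answer points to: it parses a constructed, unsigned SAML Response, refuses anything whose StatusCode is not Success, and then grants access only when the role claim carries the required role. The claim URI http://wso2.org/claims/role is an assumption (WSO2's default role claim); the sample responses are constructed for this example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces for protocol (samlp) and assertion (saml) elements.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed claim URI carrying the user's roles (WSO2 IS default role claim).
ROLE_CLAIM = "http://wso2.org/claims/role"

# Constructed, unsigned sample responses for illustration only (not real IdP traffic).
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://wso2.org/claims/role">
        <saml:AttributeValue>Internal/everyone</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></samlp:Status>
</samlp:Response>"""


def status_code(root):
    """Return the top-level StatusCode Value of the Response, or None if absent."""
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    return node.get("Value") if node is not None else None


def claim_values(root, claim_uri):
    """Collect every AttributeValue of the named claim across all assertions."""
    values = set()
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_uri:
            values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def authorize(response_xml, required_role):
    """SP-side decision: (allowed, reason). Assumes the Response's XML signature,
    audience and validity window were already verified before any claim is trusted."""
    root = ET.fromstring(response_xml)
    status = status_code(root)
    if status != STATUS_SUCCESS:
        return False, f"IdP status {status}"  # AuthnFailed etc. never reaches the claim check
    roles = claim_values(root, ROLE_CLAIM)
    if required_role in roles:
        return True, f"role '{required_role}' present"
    return False, f"role '{required_role}' missing, got {sorted(roles)}"
```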