I'm using WSO2 Identity Server 5.10.
We need to provide authentication for the user or by using credentials (username/password) or by presenting a X509Certificate generated by a trusted CA.
The situation is that it can happen that the user presenting the X509Certificate will not be present in any of the user stores configured in WSO2.
What I'd like to obtain is a kind of "external" IdP behaviour. What I mean is that when the user clicks on "Sign In With x509 Certificate" WSO2 IS will only checks if the X509Certificate is valid and if it's valid it allows the user's authentication
If this feasible by using the X509Authenticator module?
Related
The basic topology is like this:
WSO2 IS as my service provider and takes care of authorization via XACML, our existing internal IdP takes care of corporate authentication (SAML, Oauth2).
I'd like to receive a guidance about best practice how to configure an outbound Federation using the WSO2 IS as a proxy for SAML protocol. Is it correct to separate the user ID domain, by creating so a called "tenant" in order to route the SAML requests though an outgoing STS connection to an external primary IdP? Is this configured under Identity Provider - add Identity Provider - Federated Authenticators - WS Federation Passive Configuration?
Domains and Tenants?
As an example, I would like to configure an account like this. ID = falb#red.com, where the federated lookup will forward my request to the IdP responsible for the domain "#red.com". Is there any discovery, or smart routing mechanism available that is able to identify the "red.com" domain, without need of creating a tenant?
XACML Access?
In a more advanced scenario, once we have a federation between the WSO2 server and and external IDP, is a service provider, a web application server, able to dispatch a PEP request by attaching a SAML token, without use of preceding entitlement routines, like passage of login and password. Is there an entitlement routine in place that accepts SAML tokens at the PDP side and validates it though the SSO federation mechanism?
Thanks in advance for your guidance.
Regards
Claude
I am trying to use the OpenID framework supported by Paypal to tie the credentials in with the AWS Cognito service.
If I compare the configuration from Salesforce
https://login.salesforce.com/.well-known/openid-configuration
to the configuration at Paypal
https://www.paypal.com/.well-known/openid-configuration
the Paypal configuration is missing the jwks_uri element which is a REQUIRED element of the OpenID Provider metadata per OIDC specification and AWS uses the keys at that URI to verify the id tokens.
Is there a different url I should be using for login with Paypal to work with OpenID?
Is there any other way to get Login with Paypal to work with the AWS Cognito service with works well with other OpenID providers?
Paypal is not OpenID Connect compliant:
as you mention the Discovery document lacks required entries, but:
the ID token is signed with a symmetric key this means that no JWKS URI is actually needed since no public/private keys are used (and publishing the symmetric key on that URI defeats the purpose)
but apparently it is not the client secret that is used to sign the ID token as verification with that fails
there's no sub claim in the ID token
the exp claim is not set to an absolute timestamp but a relative timeout
Since Amazon Cognito works with OpenID Connect compliant providers, Paypal is not going to work.
I need to secure a SOAP web service (based on Axis2) with this configuration:
Client tries to consume the service
Client is redirected to an authentication server for authentication
If the client authenticates properly, the Authentication Server gives client a SAML token with his attributes (basically a role)
There is a XACML policy (client can use an operation provided by the web service only if has a proper role) which is evaluated based on the role included in the SAML token.
So I have thought about using WSO2 Identity Server coupled with rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest me how?
You can either go with WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depends on the nature of your application (Web browser based or not), you can pick any one of the above methods. You can get user roles from the SAML Response.
However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username and read user roles from LDAP/userstore and do the validation.
Earlier I was in assumption that, WSS4J is not compatible with SAML, but as I see this http://jaminhitchcock.blogspot.in/2014/05/creating-and-validating-saml-assertions.html , I hope to give a try. But I want to use a Identity Provider(WSO2) to generate SAML token. So I should be able to configure WSS4J with a SecurityPolicy.xml file which verifies the token from Identity Provider. Please let me know where can I start looking for it?
Thanks
There are two ways that you can generates SAML tokens with Identity Server.
Use Identity Server as SAML2 SSO IDP that implements SAML2 SSO web browser based profile.
Use Identity Server as STS (Security Token Server) with WS-Trust specification.
I think, It is more likely that you are hoping to use Identity Server as STS. With STS, Identity Serve provides a web service to retrieve SAML tokens. This STS web service can be secured with WS-Security mechanism by default. As an example, you can secure STS service with user name token. Then client needs to send the RST request with user name token. Once user it authenticated, client would be received a SAML token. I think, you can find some information about STS service from here
It is possible to authenticate users with Facebook account, google account, twitter etc... through Oauth? (In the case of a web application try to access to a protected ressource)
I understood that WSO2 Identity Server can act as an authorization server and provides its own access token but it is possible to authenticate user if facebook or google provide access token after user authorize retrieving its info?
Oauth is supported in identity server, but I doubt if it is necessary to have two of this authentication server together :) ?