We want to merge two accounts in IdP. For example, if there are two accounts on Apps xyz as IdP (Account 1 = zan, Account 2 = liy), can the customer log in to Account 1 and merge with Account 2? How can we identify that both accounts are actually the same customer?
any advice? thank you
We want to merge two accounts in IdP
By IdP do you mean the WSO2 Identity Server or a federated IdP configured in the WSO2 Identity Server?
If you want to merge two accounts inside the WSO2 Identity Server, a user can do it via the user-portal like this https://is.docs.wso2.com/en/latest/learn/user-portal/#linked-accounts
If you want to give that functionality through your application, you can use this REST API https://is.docs.wso2.com/en/latest/develop/association-rest-api/#/me/post_me_associations, which is also the one used in the above-mentioned user portal for account linking.
But if you are looking to associate accounts from a federated IDP configured in the WSO2 Identity Server then this answer should do https://stackoverflow.com/a/61907398/4256000
You can link a user account in a third-party application. To read more about how to do that, please refer to this blog.
Currently, in the user portal, we don't validate if the linked accounts belong to the same user.
Also if you need further clarifications regarding the WSO2 identity server or its features, please feel free to join our slack channel and we'll be happy to assist you with any question you have regarding the product.
I have implemented SSO for my application. I am using AWS Cognito as Service Provider and Azure AD as Identity Provider. IdP is configured through SAML in Cognito. Below is the URL generated
https://<my_custom_domain>.auth.us-east-1.amazoncognito.com/oauth2/authorize?identity_provider=<IdP_Name>&redirect_uri=<Callback_url_passed_in_Cognito>&response_type=TOKEN&client_id=<Client_Id>&scope=aws.cognito.signin.user.admin%20email%20openid%20profile&state=transit
In my application, when a user tries to log in initially with their MS 365 account it asks for user credentials.
But after logout from the app, if the user attempts to log in again with a different account, it is not asking the user to enter credentials or pick up an existing account. It directly makes the app login for the previous account.
Note: If in my browser there are multiple MS 365 accounts signed-in then only my app asks for which account to use. If there is a single MS 365 account present then my app uses that one without asking the user to Sign-in with a different account.
Since you have specifically mentioned SAML for Cognito and Azure AD integration, this answer is based on that.
When a SAML service provider (SP) initiates a SAML auth request with Azure AD, it can specify the ForceAuthn param as true. With that, Azure AD should always prompt the user to authenticate. Please refer to this document. So that is supported in Azure AD.
But as far as I know, Cognito doesn't support including that parameter in the SAML AuthnRequest. The same concern has been raised in this question as well.
Even though I haven't tried it, I think you should be able to use the sign-out flow in the Cognito SAML configuration along with Azure AD single sign-out. So I believe it should sign the user out from Microsoft and should prompt for the credentials when the user tries to sign in again.
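The answer above hinges on whether the SP's AuthnRequest carries ForceAuthn="true". The following is an added example (not code from the answerer, Cognito or Azure AD) that builds a minimal SAML 2.0 AuthnRequest with and without ForceAuthn, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and decodes a SAMLRequest query parameter back to XML so you can check the flag. The entity IDs and URLs in it are placeholders. The decoder is the part a practitioner can point at a real redirect captured from Cognito to confirm what it actually sends.

```python
"""Build, encode and inspect a SAML 2.0 AuthnRequest (HTTP-Redirect binding).

Added example; the SP/IdP identifiers below are made up for illustration.
"""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=False):
    """Return an AuthnRequest XML string; ForceAuthn is only emitted when asked for."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,           # must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        # Tells the IdP to re-authenticate the user even if it holds a valid SSO session.
        req.set("ForceAuthn", "true")
    issuer = ET.SubElement(req, f"{{{NS_SAML}}}Issuer")
    issuer.text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def to_redirect_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_saml_request(url):
    """Reverse the redirect binding: pull SAMLRequest from the query string back to XML."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def force_authn_requested(authn_request_xml):
    """True if the request carries ForceAuthn set to an xsd:boolean true ("true" or "1")."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


if __name__ == "__main__":
    xml = build_authn_request("urn:example:sp", "https://sp.example/saml/acs",
                              "https://idp.example/saml/sso", force_authn=True)
    url = to_redirect_url("https://idp.example/saml/sso", xml, relay_state="transit")
    decoded = decode_saml_request(url)
    print(decoded)
    print("ForceAuthn requested:", force_authn_requested(decoded))
```

To check a real SP, copy the full redirect URL the browser is sent to (the one ending in `?SAMLRequest=...`) and pass it to `decode_saml_request`; if `force_authn_requested` returns False, the IdP is free to reuse its existing session, which is the behaviour the question describes.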
I tried to reproduce the same in my environment and got the below results:
Note that:
SSO allows users to authenticate once and access applications without re-entering credentials.
Single Sign-On allows users to log in only once to access applications without having to enter the login information each time.
Hence, if there is only a single MS 365 account present, it doesn't ask the user to pick an account.
For example, I configured SSO and tried to access the below endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=XXXX
&response_type=code
&redirect_uri=redirecturi
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The browser prompted to Pick an account when there were multiple accounts only like below:
Alternatively, you can make use of prompt=login in the authorize endpoint and enter the credentials to access the application. The prompt will appear like below:
Otherwise, to ensure the Pick an account screen, try creating a conditional policy which requires multi-factor authentication (MFA) or device compliance when the user tries to access the application.
Reference:
Single sign-on - Microsoft Entra | Microsoft Learn
I'm trying to understand the relationship between Cognito user pools, and external identity providers via SAML.
What I have at the moment
I have ReactJS application which uses the Amplify library, backed by AWS Cognito. The application is multi-tenanted, and users from different tenants belong in the same user pool. They are separated by their group, and a custom attribute. I use CloudFormation and serverless framework to deploy my stack.
Currently, I have custom login forms, which communicate with the Amplify library to log in the user.
The goal
In addition to giving clients the option to make their own accounts on my platform, I want to provide an option to authenticate via SAML from an external identity provider. The goal is to allow each client to log into the web application using their own Single Sign-On.
My prior research
I've seen AWS's example on how to actually deploy a user pool supporting SAML.
I've read Azure's guide on integrating with Cognito.
I have an understanding of the SAML authentication flow.
The question
Is it possible to attach each of these external identity providers to the same user pool, or will I have to deploy a new user pool for each new client I want to onboard?
Thank you very much
Yes, it is possible to add multiple external IDPs to a user pool.
But there is an upper limit of 1000 identity providers per user pool, so you can add up to 1000 customers. And if you go with a user pool per customer, there is a limit of 10,000 user pools per AWS account.
So consider those limits when you are choosing an option.
One other option is to support login with IdPs like Google, Microsoft, etc. So companies (customers) who use them as their IdPs can rely on that, without specifically configuring SSO. (You can group the users based on the domain.)
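The answer's closing suggestion, grouping users by e-mail domain in a shared user pool, is where multi-tenant federation most often goes wrong: the domain typed at the login form is fine for routing (home-realm discovery), but tenant membership must be decided from what the IdP asserted, and only if that IdP is the one authoritative for the domain. Otherwise tenant A's IdP can assert an address at tenant B's domain and land its user in tenant B's group. The following is an added example, not code from the answerer or from AWS; the tenant table is constructed, and it assumes the Cognito ID token for a federated user carries the `identities` claim with a `providerName` per linked provider.

```python
"""Home-realm discovery and tenant assignment for a multi-IdP Cognito user pool.

Added example with a constructed tenant table. Assumes federated users' ID tokens
carry Cognito's `identities` claim listing the providerName that authenticated them.
"""
import json
from urllib.parse import urlencode

# Constructed tenant table: e-mail domain -> (Cognito identity_provider name, tenant group).
TENANTS = {
    "acme.example": ("AcmeAzureAD", "tenant-acme"),
    "globex.example": ("GlobexOkta", "tenant-globex"),
}


def email_domain(email):
    """Normalised domain part of an address; rejects anything without a local part and domain."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed e-mail address")
    return domain.strip().lower().rstrip(".")


def authorize_url(cognito_domain, client_id, redirect_uri, email):
    """Build the hosted-UI /oauth2/authorize URL, steering known domains to their SAML IdP.

    Uses response_type=code (authorization code flow) rather than returning tokens
    in the URL fragment. Unknown domains fall back to the pool's native login.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
    }
    tenant = TENANTS.get(email_domain(email))
    if tenant:
        params["identity_provider"] = tenant[0]
    return f"https://{cognito_domain}/oauth2/authorize?{urlencode(params)}"


def tenant_group_for(claims):
    """Pick the tenant group from the IdP-asserted claims of a verified ID token.

    The asserted e-mail domain must be served by the provider that actually
    authenticated the user; a mismatch is refused rather than mapped.
    """
    domain = email_domain(claims["email"])
    idp_name, group = TENANTS.get(domain, (None, None))
    if group is None:
        raise PermissionError(f"no tenant configured for domain {domain}")
    identities = claims.get("identities", [])
    if isinstance(identities, str):          # AdminGetUser returns this attribute as a JSON string
        identities = json.loads(identities)
    providers = {i.get("providerName") for i in identities}
    if idp_name not in providers:
        raise PermissionError(f"{domain} is not served by {sorted(p for p in providers if p) or 'native login'}")
    return group


if __name__ == "__main__":
    print(authorize_url("auth.example.com", "client-id", "https://app.example/callback", "ann@acme.example"))
    ok_claims = {"email": "ann@acme.example", "identities": [{"providerName": "AcmeAzureAD"}]}
    print(tenant_group_for(ok_claims))
    cross = {"email": "mallory@globex.example", "identities": [{"providerName": "AcmeAzureAD"}]}
    try:
        tenant_group_for(cross)
    except PermissionError as exc:
        print("refused:", exc)
```

Run `tenant_group_for` only after the ID token's signature, issuer, audience and expiry have been verified; it decides authorisation from the claims and does not validate the token itself.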
I am pretty new to WSO2 IS and my objective is to understand how (or whether it's possible) to enable simultaneous login of 2 different service provider applications.
For instance : token from one service provider is to be accessed and used to login to the other app.
Any help on this topic is appreciated.
how ( whether its possible ) to enable simultaneous login of 2 different service provider applications.
From this question, I understand that you want to try Single Sign-On with Identity Server. WSO2 Identity Server enables users to access multiple applications using the same set of credentials. For example, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials. WSO2 IS provides the capability for SSO using different protocols such as OpenID Connect, SAML, etc.
If this is your requirement, you can refer to this doc to learn about Single Sign-On. If you use OAuth apps, you can get access tokens. Refer to this doc to learn about SSO with OpenID Connect.
In my web application, I want to allow users to log in using 2 possible providers (Facebook, Google) and retrieve credentials using AWS Cognito.
From what I understand, if a user (john@domain.com) logs in using his Facebook account, the Cognito IdentityId will not be the same as if he had logged in using his Google account.
Assuming that the user uses the same email address (john@domain.com) to log in for both his Facebook and Google accounts, how can I make sure that that user has a single, unique IdentityId in Cognito?
I would not want the user to have 2 different IdentityIds. It would be nice if I could associate john@domain.com to a single IdentityId.
Cognito doesn't know about the email with which an account was registered. If the same user authenticates on two different devices using facebook on one and google on the other, it will give two different ids.
However, it can be told that they're linked. If that same user were to log in to facebook on one device, they'd get identity A. If they were to then link identity A to their google account by including the login token for both when communicating with Cognito, then Cognito would know they're associated, and any future authentication with one of the two providers would give the same id.
That deviates a bit if both Facebook and Google had already been linked to an id before Cognito was told to link them - in that case, the id that is used could be either of the two.
I've made a new Identity Provider and set up its SAML2 authentication to our Shibboleth IdP. How do I "log in" using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications, your applications can be connected to Identity Server as service providers. Then you can define your external IdPs as trusted IdPs. For each service provider, you can select multiple IdPs as outbound authenticators. There is a blog about that which uses Salesforce as a trusted IdP; you can go through it as well.
If what you want is to log in to IS using Shibboleth as the IdP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's no facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I set up API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally, by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.