WSO2 IS 5.7.0 - Password Minimum Age configuration in Minutes - wso2

Is there any option/configuration available in WSO2 Identity Server to configure the password minimum age in minutes?
As part of our requirement we need to configure the password minimum age in minutes, so we checked the WSO2 IS documentation and did not find any configuration to fix the problem.
Version - WSO2 IS 5.7.0

The default authenticator only supports 'in days'. But as this is an extension, you can just customize this default authenticator's code and re-build the artifact.

Related

How to use Custom or Keycloak Key Manager in the Try Out Console in WSO2 APIM

By default, the Resident Key Manager is selected for the try-out console.
If I disable the Resident Key Manager in the WSO2 admin console, it does not allow me to create any token.
Is there any configuration available to use the Custom/Keycloak key manager for the try-out console?
If you disable the resident KM you can configure a 3rd party KM. Since you are interested in Keycloak please refer to https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-keycloak-connector/
Please note that this is for APIM 4.1.0. Depending on your APIM version you can select the relevant document version.

Identity Server does not validate SAML LogoutRequest Signature

I've got WSO2 IS running and a service provider that has SAML inbound authentication set up. I've enabled the "Enable Signature Validation in Authentication Requests and Logout Requests" checkbox for the SAML service provider.
If I send an AuthnRequest that is not properly signed, it will error. However, if I send a LogoutRequest with no signature (or with a signature made from a completely different cert/key), it will log my user out without error. How can I enable actual signature validation in WSO2 IS?
I'm running the latest WSO2 Docker Container. I believe that is IS 5.7.0 according to this startup logging:
Starting WSO2 Carbon...
Operating System : Linux 4.9.93-linuxkit-aufs, amd64
Java Home : /home/wso2carbon/java/jre
Java Version : 1.8.0_144
Java VM : Java HotSpot(TM) 64-Bit Server VM 25.144-b01,Oracle Corporation
Carbon Home : /home/wso2carbon/wso2is-5.7.0
Java Temp Dir : /home/wso2carbon/wso2is-5.7.0/tmp
Seems the signature validation [1] is being skipped for the logout request due to an issue in the code. Please refer to the GitHub issue [2] to track this.
[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/ee338982c1add8f75f1132a6b3bacb30cee7989b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java#L130
[2] https://github.com/wso2/product-is/issues/4048

WSO2 IS 5.1 adding #carbon.super to username while authenticating with Password Grant

We recently migrated (registry and user store) from WSO2 IS 5.0 to WSO2 IS 5.1 as per the instructions in the WSO2 migration guide. After migrating and successfully bringing up the WSO2 IS server, when we try to authenticate an existing user with the /oauth2/token endpoint, the authentication fails. We can see the user along with the user attributes in the user store.
On WSO2 server we are seeing error -
{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : <username>#carbon.superScope : openid, Authentication State : false
This is a migrated user so we cannot change the user name. I tried googling how to disable multi-tenancy in 5.1 as we do not use that feature, but no luck.
This is blocking us from moving to the newer version of WSO2.
Has anyone fixed this?
Modified the SP to disable the domain name as per the instructions from Gusto2, but still the same results.
On the Duo identity provider configuration page, under federated authenticators, put "true" in the "disable tenant domain" box.
This solution may help. You can go to your identity server and navigate to the service. Now click on the edit button of your target service, go to the Local & Outbound Authentication Configuration section and uncheck the following options:
Use tenant domain in local subject identifier
Use user store domain in local subject identifier
I am showing this in the image. Follow the red-marked box.

Adding a service provider with Kerberos - WSO2 IS 5.1

I'm trying to add a service provider in Identity Server 5.1.
The problem is that when I try to configure authentication with Kerberos, I have to create the service principal. When I am creating the password for that service I always get this error message:
Password does not meet system requirements. Must be at least 6 characters long.
I tried a lot of passwords but always get this message.
Any ideas?
Looks like a bug in the code of IS 5.1.0. I checked the code and this ( [\\S]{5,30} ) [1] is the default regex used to validate the password. I tried a password like "SSSSSS" and it worked :).
BTW this is fixed in IS 5.2.0. You can try out WSO2 Identity Server 5.2.0-beta2 from [2].
[1] https://github.com/wso2/carbon-identity/blob/master/components/directory-server-manager/org.wso2.carbon.directory.server.manager/src/main/java/org/wso2/carbon/directory/server/manager/internal/LDAPServerManagerConstants.java#L29
[2] https://github.com/wso2/product-is/releases/download/v5.2.0-beta2/wso2is-5.2.0-beta2.zip
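To make the answer above concrete, here is an added Python example (not code from WSO2 or from the answerer) that compiles the default pattern the answer quotes, the Java literal "[\\S]{5,30}", and applies it the way Java's String.matches() would: the whole password must consist of 5 to 30 non-whitespace characters. It also reports the concrete reason a password is rejected, which the UI message "Must be at least 6 characters long" does not: the pattern actually allows a 5-character password but rejects anything containing whitespace or longer than 30 characters. Whether IS 5.1.0 applies further checks beyond this regex is not stated on the page; the example models only the regex itself, and the sample passwords are constructed for the demonstration.

```python
import re
from typing import List

# Default pattern from the IS 5.1.0 source the answer links to, written here as
# the compiled regex (the Java literal "[\\S]{5,30}" escapes the backslash once).
DEFAULT_PASSWORD_REGEX = r"[\S]{5,30}"
_PATTERN = re.compile(DEFAULT_PASSWORD_REGEX)


def matches_default_regex(password: str) -> bool:
    """Mimic Java String.matches(): the entire string must match the pattern."""
    return _PATTERN.fullmatch(password) is not None


def explain_rejection(password: str) -> List[str]:
    """Return the concrete reasons the default regex rejects a password.

    An empty list means the regex accepts it. The reasons are derived from the
    three constraints encoded in [\\S]{5,30}: minimum length, maximum length
    and the ban on whitespace (which the UI message never mentions).
    """
    reasons = []
    if len(password) < 5:
        reasons.append("shorter than 5 characters")
    if len(password) > 30:
        reasons.append("longer than 30 characters")
    if re.search(r"\s", password):
        reasons.append("contains whitespace")
    return reasons


def message_matches_regex(password: str) -> bool:
    """Check that the human-readable explanation agrees with the regex verdict.

    Useful as a unit test when a validator's error text is maintained separately
    from its pattern, which is exactly the mismatch the thread describes.
    """
    return matches_default_regex(password) == (explain_rejection(password) == [])


if __name__ == "__main__":
    # Constructed sample passwords, not values from the original thread
    # (except "SSSSSS", which the answerer reports as accepted).
    for candidate in ["SSSSSS", "SSSSS", "abcd", "pass word", "S" * 31]:
        verdict = "accepted" if matches_default_regex(candidate) else "rejected"
        print(f"{candidate!r}: {verdict} {explain_rejection(candidate)}")
```

Running it shows that a 5-character password passes the regex even though the message claims a 6-character minimum, and that a password with a space is rejected for a reason the message never states; when a validator's error text and its pattern disagree like this, surface the pattern's actual constraints in the message rather than guessing.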

WSO2 4.5 Identity Management Server - Can't write users to external LDAP

We have an issue with WSO2 Identity Server Version 4.5.0 where we have swapped out the default embedded Apache DS and replaced it with OID (Oracle Internet Directory).
We have updated the user-mgt.xml and other configuration files the way we think they should be.
However, we cannot write users/roles back to LDAP from WSO2.
We can create users/roles directly in LDAP when logged in through Directory Studio.
We can view users/roles in WSO2.
We can also delete a user in WSO2.
We have gone through the user docs on configuring the user store: https://docs.wso2.org/display/IS450/Configuring+Primary+User+Stores#ConfiguringPrimaryUserStores(Carbon4.2.0v2)-ConfiguringanexternalLDAPorActiveDirectoryuserstore
It is only the writing to LDAP through WSO2 that is not working, so it must be a WSO2 configuration issue. I have the UserStoreManager configured as ReadWriteLDAPUserStoreManager.
Again, reading and deleting work fine through WSO2.
Does anyone have any ideas/suggestions on where to look to solve this problem?
We discovered the problem. We switched out the default LDAP for an external LDAP, but the schema definitions were a bit off and we had SCIM enabled in user-mgt.xml.
There's a good explanation here:
http://sureshatt.blogspot.com/2013/06/scim-user-provisioning-with-wso2.html