I'm trying to automate the following process. Currently I am adding roles to an existing user (Users and Roles -> List -> user -> Assign Roles); after that I go to Service Providers -> Add -> Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration and send the created OAuth Client Key and OAuth Client Secret to the requester.
Is there any way to automate this whole process, or is there any API or app for that? Thanks.
I think you can use SOAP API for this flow.
For role management you can use RemoteUserStoreManager, and for Service Providers IdentityApplicationManagementService; you can find more information in this documentation:
https://docs.wso2.com/display/IS530/Using+the+Service+Provider+API
https://docs.wso2.com/display/IS560/Managing+User+Stores+with+APIs
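To make the first half of that flow concrete, here is an added example (not code from the question, the answer, or WSO2 itself) that builds, sends and checks the SOAP request that assigns extra roles to an existing user through the RemoteUserStoreManagerService admin service. Everything beyond what the answer states is an assumption: the service namespace http://service.ws.um.carbon.wso2.org, the operation name updateRoleListOfUser with userName/deletedRoles/newRoles children, the default admin endpoint path on port 9443, and the SOAPAction value. The user and role names are XML-escaped before they go into the envelope, and SOAP faults (unknown user, bad credentials) are surfaced instead of being ignored.

```python
"""Added example (not from the original post or WSO2): assign roles to an existing
WSO2 IS user via the RemoteUserStoreManagerService SOAP admin service.
Assumed: namespace UM_NS, operation updateRoleListOfUser, endpoint SERVICE_PATH."""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UM_NS = "http://service.ws.um.carbon.wso2.org"            # assumed service namespace
SERVICE_PATH = "/services/RemoteUserStoreManagerService"  # assumed default path


def build_update_roles_envelope(username, new_roles, deleted_roles=()):
    """Return the SOAP 1.1 envelope for updateRoleListOfUser(userName, deletedRoles, newRoles).
    Every caller-supplied value is XML-escaped so a user or role name containing
    '<' or '&' cannot change the structure of the request."""
    if (not username) or (not new_roles and not deleted_roles):
        raise ValueError("username and at least one role change are required")
    deleted = "".join(f"<ser:deletedRoles>{escape(r)}</ser:deletedRoles>" for r in deleted_roles)
    added = "".join(f"<ser:newRoles>{escape(r)}</ser:newRoles>" for r in new_roles)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{UM_NS}">'
        "<soapenv:Header/><soapenv:Body>"
        "<ser:updateRoleListOfUser>"
        f"<ser:userName>{escape(username)}</ser:userName>{deleted}{added}"
        "</ser:updateRoleListOfUser>"
        "</soapenv:Body></soapenv:Envelope>"
    )


def soap_fault_reason(response_xml):
    """Return the faultstring of a SOAP 1.1 Fault in the response, or None when
    there is no Fault element. Admin services report errors this way (usually
    with HTTP 500), so a reply must be inspected rather than assumed successful."""
    root = ET.fromstring(response_xml)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    reason = fault.find("faultstring")  # unqualified child in SOAP 1.1
    return reason.text if reason is not None else "unspecified SOAP fault"


def send_admin_request(base_url, admin_user, admin_pass, envelope, cafile):
    """POST the envelope with HTTP basic auth over TLS. The server certificate is
    verified against cafile (export the self-signed WSO2 cert rather than
    disabling verification). Raises RuntimeError when the service returns a fault."""
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(
        base_url + SERVICE_PATH,
        data=envelope.encode(),
        headers={
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": "urn:updateRoleListOfUser",  # assumed action name
            "Authorization": f"Basic {token}",
        },
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:  # faults arrive as HTTP 500 with a SOAP body
        body = err.read().decode()
    fault = soap_fault_reason(body)
    if fault:
        raise RuntimeError(f"role update rejected: {fault}")
    return body


if __name__ == "__main__":
    # Placeholder values; replace with the real host, admin account and CA file.
    envelope = build_update_roles_envelope("alice", ["Internal/subscriber"])
    print(envelope)
    # send_admin_request("https://localhost:9443", "admin", "<admin-password>", envelope, "wso2carbon.pem")
```

The client secret the question mentions is returned by the service-provider side of the flow (IdentityApplicationManagementService); whichever script fetches it should hand it to the requester over an out-of-band channel and never log the full request/response bodies, since the basic-auth header and the secret would both land in the log.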
I am trying to configure Google Cloud Identity Platform to use multiple SAML identity providers. Still, I'm stuck at the point of selecting the right IdP for every person attempting to log in.
I have read about SAML v2 IDP Discovery Service but I don't really understand how it works since I am a novice in SAML.
So does it have to be a programmatic solution or does GCIP have something that I can configure to automatically select the right IdP for each user?
If it has to be a programmatic solution can someone point me to a good explanation of SAML v2 IDP Discovery Service?
Yes, you can set up Google Cloud Identity Platform (GCIP) to automatically select the appropriate identity provider (IdP) for each user. A protocol known as SAML v2 IDP Discovery Service enables users to select their IdP from a drop-down menu. Its purpose is to make it unnecessary for users to remember which IdP they should use.
You will need to configure the service in your GCIP project in order to put this into action. Each provider's metadata and any additional parameters that the IdP may require must be provided to the IdP. The user will be able to select their IdP from a drop-down menu on their login page following the completion of the configuration. The official Google documentation provides additional details on how to use SAML v2 IDP Discovery Service.
Refer to these: how to enable multi-tenancy for Identity Platform, and Creating a sign-in page for multiple tenants.
I am trying to implement SAML Extension Grant by following the instructions in https://apim.docs.wso2.com/en/latest/Learn/APISecurity/OAuth2/GrantTypes/saml-extension-grant/ but got a blank screen when I tried to configure the service provider:
Sign in to the Management Console
Select Service Providers > Add
After registering the service provider, click Inbound Authentication Configuration > SAML2 Web SSO Configuration.
Click Configure. A blank screen appears.
There is already a similar issue reported in APIM 3.0.0. Please refer to the git issue here
Inbound SAML2 Web SSO Authentication will not work in APIM OOTB as the relevant Identity feature is not available. If you need to use this, you need to use WSO2 IS or WSO2 IS-KM.
Referring to the WSO2AM documentation, I understand that we can set the authentication type for each API to one of the following values:
None
Application
Application User
Application and Application User
However, is it possible to specify that an API will support only a specific OAuth2 grant type?
For example, I want an API to allow only "Authorization Code" and "Implicit", but not allow "Password" grant types.
Thank you very much in advance.
Thanks to #harsha89 for the solution. This can be configured in carbon admin console under Service Providers -> Inbound Authentication Configuration -> OAuth/OpenID Configuration, then click "Edit".
I have created a tenant 'A' in WSO2 IS and added my LDAP user store to it. In tenant 'A', I have configured a 'test' service provider with OAuth2 as inbound authentication. As of now, I am able to authenticate all the users in the store with the OAuth2 service provider configuration.
But I could not find any configuration to restrict user from authentication against the service provider 'A'.
I have searched a lot but could not find documentation for it. I need help sorting this issue out.
Do we need to map our service provider role and a local role somewhere?
This feature is not currently supported by WSO2 Identity Server. We will add this to future releases. User permissions are not checked for authentication; rather, the service provider's role is used for this purpose.
This could be achieved with the support of extension points which totally depends on the use case and grant type.
I need to secure a SOAP web service (based on Axis2) with this configuration:
Client tries to consume the service
Client is redirected to an authentication server for authentication
If the client authenticates properly, the Authentication Server gives the client a SAML token with its attributes (basically a role)
There is an XACML policy (the client can use an operation provided by the web service only if it has a proper role) which is evaluated based on the role included in the SAML token.
So I have thought about using WSO2 Identity Server coupled with rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest me how?
You can either go with WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depending on the nature of your application (web browser based or not), you can pick either of the above methods. You can get user roles from the SAML Response.
However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username and read user roles from LDAP/userstore and do the validation.