Logging in to an application using federated IdPs such as Google or Facebook with the OIDC/SAML protocols.
What do we need to prepare for it? Any advice?
Example:
XYZ application is an IdP (Identity Provider) like Google or Facebook.
1. XYZ application will be the central user identity provider.
2. Log in to another application with XYZ login credentials.
3. Log in to another application directly in the same browser (i.e. without being redirected to the XYZ application).
4. We are using WSO2 IS version 5.10.
According to the description, XYZ is an Identity Provider similar to Google or Facebook. This XYZ has the user identities, and you want to log in to an application using this XYZ IdP through WSO2 IS.
WSO2 IS supports federated authentication using standard protocols such as SAML, OIDC and WS-Federation.
You can refer to this documentation to understand identity federation further. You can use the default OIDC authenticator or SAML authenticator to add XYZ as a federated IdP to WSO2 IS.
Related
I am trying to configure Google Cloud Identity Platform to use multiple SAML identity providers. Still, I'm stuck at the point of selecting the right IdP for every person attempting to log in.
I have read about SAML v2 IDP Discovery Service but I don't really understand how it works since I am a novice in SAML.
So does it have to be a programmatic solution or does GCIP have something that I can configure to automatically select the right IdP for each user?
If it has to be a programmatic solution can someone point me to a good explanation of SAML v2 IDP Discovery Service?
Yes, you can set up Google Cloud Identity Platform (GCIP) to automatically select the appropriate identity provider (IdP) for each user. A protocol known as SAML v2 IDP Discovery Service enables users to select their IdP from a drop-down menu. Its purpose is to make it unnecessary for users to remember which IdP they should use.
You will need to configure the service in your GCIP project in order to put this into action. Each provider's metadata and any additional parameters that the IdP may require must be provided to the IdP. The user will be able to select their IdP from a drop-down menu on their login page following the completion of the configuration. The official Google documentation provides additional details on how to use SAML v2 IDP Discovery Service.
Refer to these: how to enable multi-tenancy for Identity Platform, and creating a sign-in page for multiple tenants.
I am a new learner of WSO2.
WSO2: OAuth, user management and my other services are available in Predix.
So I have used WSO2 Identity Server for OAuth and user management.
Problem:
1) How to integrate Predix (IdP)?
2) How to use these things via the REST API?
For your first question, I understood that you need to integrate the mentioned IdP as a federated Identity Provider in WSO2 Identity Server. The doc https://docs.wso2.com/display/IS570/Configuring+Federated+Authentication guides you through the steps to configure federated authentication.
Currently, WSO2 IS doesn't have a built-in authenticator for Predix. But as Predix supports the OIDC flow, you should be able to use the WSO2 OIDC federated authenticator. Steps can be found here.
I haven't had the chance to test with Predix, but it should work.
Currently our apps integrate (as service providers) with WSO2 IS v5.1.0 with multitenancy. We are using SAML2 Web SSO Authentication. There is a requirement to do profile updates, change passwords and manage users from the service provider.
I found one sample app that uses a SAML2 token for authentication:
https://github.com/firzhan/saml2.sso.demo
The problem is:
I need to specify ServiceProviderID in authenticators.xml (step no. 3 on the link above).
Is there any way to disable this check?
I am a newbie to WSO2 Identity Server 5.0 Service Pack 1.
I've been confused lately: what is the difference between an identity provider and outbound authentication?
How can I use each of them?
If I define custom user store authentication, when must custom authentication be used in the authentication endpoint? What is the difference and usage of each of them?
Identity providers provide identities for users to interact with a system. As an example, in WSO2 Identity Server we can configure Facebook as an Identity Provider (IdP). By doing this we can allow users to log in to Service Providers using Facebook credentials. You can follow the blog in [1] to test WSO2 IS with the Facebook IdP. Other than Facebook we can use Google, Live, Yahoo, etc. as IdPs with IS.
[1] http://prasadtissera.blogspot.com/2014/04/login-with-facebook-for-wso2-identity.html
Thanks
My understanding of SAML and WSO2 is very basic so sorry in advance. I'm wondering if access to a SSO service can be restricted to a subset of users?
Yes, you can restrict access to a SAML SSO Service Provider to a subset of users. This is an authorization requirement indeed. When the service provider redirects the user to the Identity Provider (in this case the WSO2 Identity Server), the service provider can request claims about the user from the Identity Server (claims such as Role, Email, Age, Country etc.). Then, after successful authentication of the user at the Identity Provider, the Identity Provider will send those claim values to the SSO Service Provider along with the SAML Response message. The SSO Service Provider can read these claims and decide whether it should let the user access the service or not. (For example, by looking at the Role claim: if the user has a particular role the SSO Service Provider allows the user; if not, it refuses.)
I think that according to the SAML specification, the Identity Provider can return an error state. There is an element in the SAMLResponse dedicated to this: Status. But WSO2 Identity Server (up to 5.0.0), as far as I know, doesn't automatically support this behavior. One would have to change the WSO2 authorization code to achieve this behavior...
Source:
SAML 2.0 Overview - line 1131, chapter: 3.2.2.2 Element
<samlp:Response
  ...
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode
      Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...
Instead of Success, the IdP can return:
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
or similar... see:
SAML2.0 handling SSO error
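An added example (not from either answer above) of the SP-side logic the two answers describe: check the Status element before trusting anything in the Response, then read the Role claim from the Assertion and allow or refuse. It uses only the Python standard library; the attribute name "Role", the issuer and the sample Response are constructed assumptions, and signature verification is deliberately left out, so a real SP must verify the Response/Assertion signature before running this check.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed Response template modelled on the fragment quoted above; a real
# one also carries a ds:Signature that must be verified before anything below.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>everyone</saml:AttributeValue>
        <saml:AttributeValue>{role}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def build_response(status=STATUS_SUCCESS, role="admin"):
    return RESPONSE_TEMPLATE.format(status=status, role=role)

def status_code(root):
    """Top-level StatusCode Value, or None if the element is missing."""
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code.get("Value") if code is not None else None

def attribute_values(root, name):
    """All AttributeValue texts for the named attribute (claim) in the Assertion."""
    values = []
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", NS))
    return values

def authorize(response_xml, required_role, role_attr="Role"):
    """SP decision as (allowed, reason). Claims are read only on a Success status."""
    root = ET.fromstring(response_xml)
    status = status_code(root)
    if status != STATUS_SUCCESS:          # e.g. ...:status:AuthnFailed or Responder
        return False, f"IdP returned status {status}"
    if root.find("saml:Assertion", NS) is None:
        return False, "no assertion in response"
    roles = attribute_values(root, role_attr)
    if required_role in roles:
        return True, f"{role_attr} claim includes {required_role}"
    return False, f"{role_attr} claim {roles} lacks {required_role}"
```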