Should passwords be decrypted in Gigya and imported into WSO2 IS, which would then encrypt them anew? The risk is moving passwords around in the clear.
Should we extract the passwords together with their hash and import them as such into WSO2 IS?
Are there other methods, knowing that the user base to migrate from Gigya to WSO2 IS is about 3 million customers?
The easiest and best option to migrate users from Gigya is run-time user migration to the WSO2 userstore.
For that you can do the following:
Plug the Gigya userstore in as a secondary userstore in WSO2 Identity Server.
Leave the PRIMARY userstore as the userstore into which Gigya users should be migrated.
Write a custom userstore which first checks whether the user is available in the PRIMARY userstore; if so, authenticate from the PRIMARY userstore.
If the user is not available in PRIMARY, authenticate the user from the secondary userstore and, if the user is successfully authenticated, create the same user in the PRIMARY userstore.
We can use this custom userstore and the secondary userstore until all the users are migrated to the PRIMARY userstore of WSO2 Identity Server. Once that is done we can remove the secondary userstore as well as the custom userstore.
Step three of my blog explains this: https://medium.com/#gdrdabarera/user-migration-to-wso2-identity-server-is-simple-and-easy-now-da7ac7052d31
Moreover, if you need help you can post your questions in our Slack channel, so our developers can help you ASAP:
https://join.slack.com/t/wso2is/shared_invite/enQtNzk0MTI1OTg5NjM1LTllODZiMTYzMmY0YzljYjdhZGExZWVkZDUxOWVjZDJkZGIzNTE1NDllYWFhM2MyOGFjMDlkYzJjODJhOWQ4YjE
Related
I am using WSO2 API Manager and I am creating new user claims via the Carbon interface.
The claims are added to the API Manager IDN tables in the database but not to the user management database.
I have 2 different key managers; only one of them is able to retrieve claims from the AM database.
The 2 key managers have the same user-mgt configuration and master datasource configuration.
My question is why one is able to retrieve claims and not the other, and also why claims are stored in the API Manager database and not in the user management database.
I need to create a secondary custom UserStore using JDBCUserStoreManager. I have a user table with username and password as columns.
I need to configure the datasource and then the custom UserStoreManager class, and using the username and password from the user table I should be able to log in to WSO2 IS 5.9.
Thanks,
Subhash
You can follow this doc to write a custom userstore manager.
You have to extend the JDBCUserStoreManager class and override the methods.
Then you can build the source code and deploy the artifact into the dropins folder as mentioned in the doc.
When you are configuring the secondary userstore manager, you can point to the custom userstore manager. Please follow these two docs (doc1, doc2) to configure secondary userstores.
We are using WSO2 IS 5.2.0.
We have integrated it with AD/LDAP (using LDAPUserStoreManager). We had userA from AD as our super administrator. Using this user we registered all our apps under “Service Providers”.
Now, because of some organisational changes, we have to connect to a different LDAP server for user authentication. We have changed the LDAP configuration manually in the user-mgt.xml file to point to the new AD/LDAP server, and userB from the new LDAP is our new super admin.
Problem: we are not able to see the list of apps that we had registered under “Service Providers” when we log in as “userB”.
Question: how can we transfer the list of apps (ownership) to the new administrator?
We tried to update the SP_APP table from the backend but it is still not solving the problem.
(e.g. update SP_APP set username='userB' where APP_NAME='TestApp';)
Can someone please help us understand how we can transfer the list of apps under Service Providers so that it will be visible to the new administrator?
When you create a Service Provider (SP), a role is created with it. If the name of the SP is "SomeName", the role created is "Application/SomeName". Users with this particular role can see (and perform any operation on) that particular application.
So you need to assign these roles to the new admin user (or any other user that needs to see the application) to make the applications visible to the new admin user.
See more information about creating service providers in WSO2 Identity Server at https://docs.wso2.com/display/IS541/Adding+and+Configuring+a+Service+Provider#AddingandConfiguringaServiceProvider-Addingaserviceprovider
I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores when I connect an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation [1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes, you can add multiple user stores to Identity Server and let applications from outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
May I use some specific configuration to connect to the LDAP so that I can see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory your application could use the WSO2 IS API to access user information (with the realm prefix, so the user identity is userstore_realm\username).
But as is already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, a secondary userstore, ...), the user could be provisioned (imported) into the primary userstore.
Though it is possible, I wouldn't recommend this approach as you will have duplicates out of control (e.g. when resetting the password).
We would like to move the users from one identity system to WSO2 IS. Both userstores reside in a SQL DB. We would use SELECT INTO (INSERT INTO SELECT) at the database level to move the users from the old identity store to WSO2 IS. Will this cause any issues with data integrity? Or should we just use the WSO2 IS APIs instead?
You have your users in a separate user DB (say the foo user store) and you need to move all users into the WSO2 IS user store schema? It mostly depends on how the users' passwords have been stored in the foo user store.
If the password is stored as plain text (or encrypted such that it can be decrypted), you can use the WSO2 IS APIs to add users, which is mostly the best option. You can write some tool to read from the foo DB and call the API of WSO2 IS. The User Mgt API can be used for it. More details here.
If the password is stored as a hash, then we cannot use the APIs and we need to use some database-level migration. You can move the username and the user's password into the UM_USER table and the user's attributes into the UM_ATTRIBUTE tables.
But please note, if your foo DB has used some different password hashing scheme which is not supported by WSO2 IS, the above migration also would not succeed out of the box. By default WSO2 IS supports only the SHA-1 and SHA-2 hashing methods. If it is not one of those, you may need to do some customization.
However, why are you trying to migrate it to the WSO2 IS schema? Can't you write a custom user store manager implementation for your foo DB and connect WSO2 IS to your existing user store? I guess it is more convenient than migrating.
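The migrate-on-login pattern from the first answer (check PRIMARY first, fall back to the secondary store, provision into PRIMARY only after a successful login) and the plaintext-versus-hash distinction from the last answer, as an added example that is not code from the original posts or from WSO2: a Python model with a constructed legacy store of unsalted SHA-1 hashes and a constructed PRIMARY store of salted SHA-256 hashes. The store layouts, class names and hash formats are assumptions for illustration, not WSO2's actual schema; the point shown is that the legacy hash is never copied or reversed, because the password the user types at login is what seeds the new salted hash.

```python
import base64
import hashlib
import secrets

# Constructed legacy data (stands in for the Gigya export): unsalted SHA-1 hex digests.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"correct horse").hexdigest(),
    "bob": hashlib.sha1(b"battery staple").hexdigest(),
}

class LegacyStore:
    """Secondary userstore: it can only verify a password, never reveal it."""
    def __init__(self, rows):
        self.rows = rows
    def authenticate(self, user, password):
        stored = self.rows.get(user)
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return stored is not None and secrets.compare_digest(stored, candidate)

class PrimaryStore:
    """PRIMARY userstore (assumed layout): base64(SHA-256(password + salt)) plus a per-user salt."""
    def __init__(self):
        self.rows = {}
    def exists(self, user):
        return user in self.rows
    def add_user(self, user, password):
        salt = base64.b64encode(secrets.token_bytes(16)).decode()
        self.rows[user] = (self._digest(password, salt), salt)
    def authenticate(self, user, password):
        if user not in self.rows:
            return False
        digest, salt = self.rows[user]
        return secrets.compare_digest(digest, self._digest(password, salt))
    @staticmethod
    def _digest(password, salt):
        return base64.b64encode(hashlib.sha256((password + salt).encode()).digest()).decode()

class MigratingUserStore:
    """Custom userstore: PRIMARY first, then the secondary store, migrating on success."""
    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.migrated = 0
    def authenticate(self, user, password):
        if self.primary.exists(user):
            return self.primary.authenticate(user, password)  # already migrated
        if not self.secondary.authenticate(user, password):
            return False  # wrong password or unknown user: nothing is provisioned
        self.primary.add_user(user, password)  # fresh salted hash; legacy hash never copied
        self.migrated += 1
        return True
```

A failed login against the legacy store provisions nothing, so only users who actually return are migrated, and the secondary store can be dropped once `migrated` reaches the count you care about.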