I just really want to understand the configuration of the identity server without a tenant and how it handles the users and their login. Please help.
Multi tenancy is introduced to logically separate data (which belong to different organizations), despite being stored with the same Identity Server and in the same database.
Say that you are handling Identities for a group of companies where the existence of Company A shouldn't be known to Company B. In this case you can consider A and B as two different tenants.
Regarding the users and login:
In WSO2 the default tenant is carbon.super and you can define your own tenants as well (e.g. abc.com, xyz.com). In the IS (Identity Server), we are storing users in the user stores (LDAP, AD, JDBC). There's a Primary user store (defined in the user-mgt.xml file) and you can define your own secondary user stores.
When you create a secondary user store (business_users) in tenant abc.com (in any tenant) and add user John there, that user John is only available within that tenant. Also, that secondary user store business_users is not visible from any other tenant besides the one in which it has been configured.
But this PRIMARY user store (the one that is defined in the user-mgt.xml file) is visible to all the tenants. But not all the users there are shared with all the tenants. This means that from the xyz.com tenant, you can add user John to the PRIMARY user store. You can again add user John from tenant abc.com as well. These users will be treated as two different users throughout the server. One's existence is independent of, and unknown to, the other. The fully qualified user names of these users inside the WSO2 IS server would be John#xyz.com and John#abc.com.
Therefore, if you are performing a login to a service provider created in the xyz.com tenant, you can only log in with the users who are visible (or defined within) that tenant itself.
P.S. You can define a shared Service Provider (SaaS app) if you want users from all the tenants to be able to login to your application.
I am planning a web application with multiple tenants (or I call them companies).
Every model in django has a foreign key to a specific company, to separate the data. It is possible that a user has access to multiple companies.
You can see this in the following diagram:
The user can log in over a login page and then the user sees all companies he is related to. Now he can choose one of the companies to work with the data.
Up to this point I have no problem.
Some of the companies would like to use their own Active Directory or other systems to synchronize their users with my web application and authenticate them.
I found Keycloak during my search and it looks good for my plan because I also would like to split my web application into smaller services in a Kubernetes cluster.
But I can't find information about whether Keycloak works with my plan and the requirement for linking multiple Active Directories or other systems.
I think Keycloak would have to check the username (email address) and decide from the domain whether an external service is configured for the domain or the normal login page is used.
For example, for domain abc.de an Active Directory is configured and for domain example.com another Active Directory. If User 3 or User 2 try to log in they should be redirected to the Active Directory of their domain.
But User 1 should still log in over the normal login page with username and password.
But is that possible with Keycloak?
I need to map one social account (created on a Django server with django-oauth-toolkit) to several different logins in a Django website. I already managed to connect and the server passes all allowed accounts so that the client connects as one of them.
I'd like to add the possibility to prompt for the choice of which of the accounts should be used. I'm currently connecting the user in the pre_social_login method of the account adapter.
The only idea I have is to persist in the session the available accounts and redirect to a page to select the preferred one. I'd like to understand if there's a better way.
I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores when connecting an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation[1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes you can add multiple user stores to Identity Server and let the applications from outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
May I use some specific configuration to connect to the LDAP so I can see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory, your application could use the WSO2 IS API to access user information (with the realm prefix, such that the user identity is userstore_realm\username).
But as it is already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, secondary user store, ...), the user could be provisioned (imported) into the primary user store.
Though it is possible, I won't recommend this approach as you will have duplicates out of control (e.g. when resetting the password).
Is it possible to distinguish whether the user is from the primary userstore or a secondary user store? I would like to prevent the user from modifying his profile if he is from a secondary userstore.
If the user is from a secondary user store, his user name will contain the user store domain he belongs to.
The username follows the following format:
userstore/username#tenantdomain
You can get the user store domain from this.
For primary user store users, the userstore part is not contained in the username.
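The two answers above describe the same naming scheme: a fully qualified WSO2 IS username is `[userstore/]username[#tenantdomain]`, where a missing user store part means the PRIMARY store and John#xyz.com and John#abc.com are two unrelated identities. The following parser is an added example written for this page, not code from WSO2 or from any of the posters; it assumes that the primary store domain is called PRIMARY and that the default tenant is carbon.super (as named earlier in the thread), that the user store separator is the first `/` and the tenant separator is the last `#`, and it implements the profile-editing policy asked about in the question (only primary-store users may edit their profile) as a plain function.

```python
from dataclasses import dataclass

# Assumed defaults taken from the thread: "PRIMARY" for the primary user store
# domain and "carbon.super" for the super tenant. Adjust if a deployment differs.
PRIMARY_STORE = "PRIMARY"
SUPER_TENANT = "carbon.super"


@dataclass(frozen=True)
class WsoUser:
    """One identity as WSO2 IS sees it: store domain + username + tenant domain."""
    user_store: str
    username: str
    tenant: str

    @property
    def from_secondary_store(self) -> bool:
        # Anything other than the primary store domain is a secondary store.
        return self.user_store != PRIMARY_STORE


def parse_fq_username(fq: str) -> WsoUser:
    """Parse '[userstore/]username[#tenantdomain]' into its three parts.

    The user store domain is normalised to upper case and the tenant domain to
    lower case so that the same identity always compares equal (a normalisation
    chosen for this example, not mandated by the thread).
    """
    fq = fq.strip()
    if not fq:
        raise ValueError("empty username")

    # Store domain: everything before the first '/', PRIMARY when absent.
    store, sep, rest = fq.partition("/")
    if not sep:
        store, rest = PRIMARY_STORE, fq

    # Tenant domain: everything after the last '#', carbon.super when absent.
    name, sep, tenant = rest.rpartition("#")
    if not sep:
        name, tenant = rest, SUPER_TENANT

    if not store or not name or not tenant:
        raise ValueError(f"malformed fully qualified username: {fq!r}")
    return WsoUser(store.upper(), name, tenant.lower())


def same_identity(a: str, b: str) -> bool:
    """True only if both names resolve to the same store, user and tenant."""
    return parse_fq_username(a) == parse_fq_username(b)


def profile_editable(fq: str) -> bool:
    """Policy from the question: only primary user store users may edit their profile."""
    return not parse_fq_username(fq).from_secondary_store


if __name__ == "__main__":
    # Constructed sample names following the format described in the thread.
    samples = ["John#xyz.com", "John#abc.com", "WSO2.COM/user#tenant1.com",
               "business_users/John#abc.com", "admin"]
    for name in samples:
        u = parse_fq_username(name)
        print(f"{name:32} store={u.user_store:15} user={u.username:6} "
              f"tenant={u.tenant:13} editable={profile_editable(name)}")
```

Legacy applications that talk LDAP directly will not see these prefixes, which is why, as the answers above say, a secondary store is only reachable through Identity Server itself; the parser is useful on the application side once the server hands back the fully qualified name.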
As explained in the above answer, if you have a secondary user store set up with the name "WSO2.COM" and a user with the name user#tenant1.com, the actual username to be used to log in should be "WSO2.COM/user#tenant1.com". For more information on how to set up the secondary user store, please refer to links [1], [2]. If you would like to prevent the user from modifying the profile, please enable the read-only mode as explained in [2].
[1] https://medium.com/#pubududp/how-to-use-active-directory-as-a-secondary-user-store-in-tenant-mode-for-wso2-products-f49ac4829e41#.2ujax4wud
[2] http://pushpalankajaya.blogspot.com/2013/09/how-to-write-custom-user-store-manager.html
Cheers,
Pubudu.
Is it possible to set a Service Provider to use a specific user store?
Ex.: I have a secondary user store, foo.com, that uses JDBC, and another secondary user store, foo.net, that uses LDAP.
I have two service providers. I want the first SP, called mobile, to use the foo.com user store only to authenticate via OAuth2, and the other SP, foo.net, to use the foo.net user store.
Is that possible?
Thank you.
This is really what I want to know. Multi-tenancy is a solution. Make these two service providers belong to different tenants. Then the service providers can use different user stores.
However, I think there should be other solutions.
For the authentication functionality you don't have to bind a Service Provider to a specific user store. In the mobile application scenario it will recursively go through all user stores and the user will be authenticated against the foo.com user store. In order to provide a comprehensive answer, can you please provide which protocols you are using in both service providers, e.g. in the first SP OAuth, SAML and in the second SP SAML, SCIM.