Trying to find out whether WSO2 Identity Server (IS) requires case-sensitivity by default when evaluating challenge question answers in password reset requests. If not, is there a configuration flag to enable/disable case-sensitivity or any other configuration to enforce or not require case-sensitive challenge question answers?
At the code level, the answer the user provides is converted to lowercase and then hashed [1]. This hashed value is compared with the stored value. So, to answer your question, the user's challenge question answers are not case-sensitive. Also, there is no configuration to make them so OOTB.
[1] https://github.com/wso2-extensions/identity-governance/blob/824fa6505eeabcf50de13bb2272e586f7e34ff25/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/ChallengeQuestionManager.java#L760
We are currently using WSO2 IS 5.10.
We are storing all the challenge questions as shown below:
/_system/config/repository/components/org.wso2.carbon.identity.mgt/questionCollection
We are using the getChallengeQuestionsOfUser SOAP API (UserIdentityManagementAdminService.wsdl) to retrieve the challenge questions of a particular user by passing the username as the input parameter, and we get only three security questions in the response.
getChallengeQuestionsOfUser(userName)
The API is returning only 3 security questions. Is there any configuration to retrieve more than 3?
First, verify the questionSetId property value of the questions stored at /_system/config/repository/components/org.wso2.carbon.identity.mgt/questionCollection.
If you wish to set more than 3 challenge questions for a user, there should be questions in more than 3 questionSetIds at this location. Prior to that, you should have created a local claim URI for each questionSetId.
Let's say this is the user's selected question from each questionSetId, and you called the setChallengeQuestionsOfUser API.
Verify the challenge questions set for the user via the above SOAP API. Mark "Supported by Default" as true for the challenge-question-related claims under local claims and check the user profile.
The challenge question claim values set for the user will be returned when the getChallengeQuestionsOfUser SOAP API is invoked.
To answer your question:
The API is returning only 3 security questions
It should be because the user has set only 3 challenge question answers. Maybe you have questions at /_system/config/repository/components/org.wso2.carbon.identity.mgt/questionCollection with some other questionSetId, but that particular tested user has picked challenge questions from only 3 questionSetIds.
We need to implement the "Update Challenge Questions of a user" functionality through WSO2 IS. We have an application UI from which, post login, a user can update his challenge questions as well as answers. I found that with the "setChallengeQuestionsOfUser" operation in "UserIdentityManagementAdminService?wsdl", we can save the challenge questions and answers of a user. Do we have any operation for the update scenario?
If I use the same operation, it saves the questions and answers to WSO2 IS for that user, but it does not remove the old questions.
No, an update challenge question operation is not available via the REST or SOAP endpoints.
I created my own dialect using the management console, Configure-->Claim Management. After doing this, I wanted to configure my Service Provider to be associated with these claims, so I edited my SP and went to the Claim Configuration section. The issue I am running into is that the only Local Claim claims which show up are the default WSO2 ones. So you only ever see ones starting with http://wso2.org/claims/.
With that said, I don't believe choosing Define Custom Claim Dialect is an appropriate alternative, since I defined a dialect already. It would make zero sense to go and map that back to the default dialect, so I'm assuming this would not be the route.
Is there some configuration setting to list values from other defined dialects? Besides the one I created, there are quite a few that come OOB anyway. Is this a bug? I would assume my dialect, along with all the other OOB ones, would be Local Claim Dialects.
The Claim Management page in the docs is just way too general to discern whether there's some funny requirement: https://docs.wso2.com/display/IS500/Claim+Management
WSO2 Identity Server 5.0.0
I created a workaround, which works for my situation.
Once again, this is with IS 5.0.0. In my situation, no claims or dialects preconfigured fit my needs and I want my own special URIs defined ONLY.
So here's what I did:
1. In the Management Console, went to Configure-->Claim Management.
2. Edited the "http://wso2.org/claims" dialect.
3. Added each claim I wanted to this dialect. I was able to enter whatever URI I pleased, even though the dialect had a different URI (that's a good thing!), along with the property name I wanted it associated with, e.g. http://example.com/claims/claimname1
4. Then I went to configure the claims / attributes I wanted to be communicated to a particular Service Provider by editing its Claim Configuration...
5. Selected "Use Local Dialect".
6. For each claim I wanted to add, clicked "Add Claim URI" at "Requested Claims", and selected a URI I created.
7. (OPTIONAL) I deleted all non-custom URIs in the "http://wso2.org/claims" dialect, because I found in my custom user store that getUserPropertyValues() was still getting passed every single claim attribute to resolve. It was trying to resolve more than 20 properties at every login. Some performance help! :)
I am working on wso2is4.6.
I am new to wso2is. Maybe this is a stupid question, but I am still blocked.
The first question: when there are multiple claim dialects in the system, which claim dialect will be used? Which conditions make the system choose one dialect instead of another?
The second question: I installed wso2is 4.6 and installed ApacheDS 2.0 with defaults (no customization). Where can I find the corresponding claim mapping?
I know I need to correct the claim mapping, but I don't know how to find the correct mapping. Can somebody provide a workable claim-mgt.xml based on wso2is 4.6 and ApacheDS 2.0?
Adding more info to Dulanja's answer,
Q1. In WSO2 Identity Server, internally it always uses a claim dialect together with a claim URI to identify a unique claim. Different components use different dialects to get their claims. For example, when adding a new user using the management console, the relevant (user-manager) component would use the WSO2 default claim dialect mentioned above. Similarly, if you are doing SCIM-related operations, the relevant components will use the SCIM dialect.
Q2. As mentioned in Q1, that is what makes the unique claim, and where we store that claim's value can be configured in two ways.
i. You can use the claim-config.xml in the /repository/conf/ folder and edit the claim-to-LDAP-attribute mapping by changing the <AttributeID> which is given under every element.
ii. Or you can change claim mappings at runtime using the Claim Management page in management console. Please refer [1] for more info.
[1] http://docs.wso2.org/display/IS460/Claim+Management
Thanks,
Question 1:
The default claim dialect of WSO2 products is http://wso2.org/claims. This is the underlying dialect of the User Profile view - currently you cannot change this to use a different dialect.
Other dialects are used in different scenarios. As an example, http://schema.openid.net/2007/05/claims is used when IS acts as an OpenID Provider. OpenID relying parties (clients) request attributes using the claim URIs specified under this dialect. Other examples are the SAML SSO and Passive-STS flows. In them you have the option to select the dialect that you want to use to send back the attributes to the client.
Question 2:
Are you facing a claim-mapping-related problem with the new ApacheDS 2.0 LDAP? As far as I know, since the WSO2 IS embedded LDAP is also based on ApacheDS, if you point (via user-mgt.xml) to such an LDAP the existing claim mapping should work without any problem.
CORS is a great thing.
Especially when we have webservices that are called from a cloud-based CRM that doesn't contain our domain name.
BUT, is it an unalloyed good?
I am feeling pressure to make all resources from our ReST-ish webservices serve out CORS headers.
I'm nervous that CORS may expose a 'hole' in our design... And my instinct is that information-hiding is what makes programming not devolve into spaghetti code.
Is there any literature about when CORS-ifying your resources goes too far? (I haven't found any, but I may not be looking in the right places)
According to the WhatWG, using Access-Control-Allow-Origin: * is safe so long as your app is not behind a firewall:
Even if a resource exposes additional information based on cookie or HTTP authentication, using the above header will not reveal it. It will share the resource with APIs such as XMLHttpRequest, much like it is already shared with curl and wget.
Thus in other words, if a resource cannot be accessed from a random device connected to the web using curl and wget the aforementioned header is not to be included. If it can be accessed however, it is perfectly fine to do so.
My understanding is that auth/cookies are not sent unless the request is made with the withCredentials flag set, and if the withCredentials flag is set, wildcarding the resource is not allowed.
In other words, auth credentials are never supplied if Access-Control-Allow-Origin doesn't have the sending domain whitelisted.
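An added Node.js example (not from the answers above) of the rule just stated: a wildcard only for resources that are already anonymously reachable, reflection of an allowlisted origin when credentials are involved, and no CORS header otherwise. The allowlisted origin is an assumed value:

```javascript
// Added example, not code from the original answers.
// Origins listed here are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://crm.example.com"]);

// Decide which CORS response headers a resource should send.
// isPublic:     true only if the resource could already be fetched
//               anonymously with curl (no cookies, no auth, not behind
//               a firewall).
// credentialed: true when cookies/HTTP auth are meant to be honoured,
//               i.e. the client sends the request with withCredentials.
function corsHeaders(origin, { isPublic, credentialed }) {
  const headers = {};

  if (credentialed) {
    // A credentialed response may not use "*": browsers reject it.
    // Reflect the requesting origin only when it is on the allowlist,
    // and mark the response as varying by Origin so caches keep them apart.
    if (origin && ALLOWED_ORIGINS.has(origin)) {
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Access-Control-Allow-Credentials"] = "true";
      headers["Vary"] = "Origin";
    }
    return headers;
  }

  if (isPublic) {
    // Anonymous and already world-readable: "*" reveals nothing new,
    // and no credentials are attached to such requests anyway.
    headers["Access-Control-Allow-Origin"] = "*";
  }

  // Not public and not credentialed (e.g. an intranet-only resource):
  // send no CORS header, so a page on another origin cannot read it.
  return headers;
}

// Constructed calls showing the three outcomes.
console.log(corsHeaders("https://other.example", { isPublic: true, credentialed: false }));
console.log(corsHeaders("https://other.example", { isPublic: false, credentialed: true }));
console.log(corsHeaders("https://crm.example.com", { isPublic: false, credentialed: true }));
```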
As with most things in software engineering (and in life), the answer depends on context. Specifically the context of what the API is serving and who is accessing the API.
What type of data is the API serving? Is it specific to a particular user? Is it user-sensitive or time-sensitive? Does it require authentication?
Who is accessing the API? Is it open to everyone, or is it only a single person/organization? What client libraries will users use to access the API? Is access from a web browser and JavaScript important?
This last question is the most important: if your user has no need to access data from a web browser, then CORS may not be the right fit for your API.
Think of a chart with "users" on the x-axis and "data" on the y-axis, with each axis ranging from "restricted" to "open":
                 ^ Open
                 |
                 |
                 |
                 |
                 |
USERS  <---------+--------->
Restricted       |     Open
                 |
                 |
                 |
                 |
                 v Restricted
               DATA
The more open your data and user needs are (upper right quadrant), the better a fit CORS is for your API. However, this is only a general rule, and you will need to evaluate your own API based on the questions above.