Is tenant functionality useful for a SaaS web application? In the WSO2 docs the tenants are useful for multiple departments, but in my case I have multiple clients with their own users.
How can I share my SaaS application between multiple tenants, if these tenants are isolated?
What's the best way to use the WSO2 capabilities for SaaS apps, using roles and access attributes (ABAC)?
You can use the tenant functionality for your requirement. You can configure a service provider as the SaaS application; then that application can be accessed by the members of all other tenants.
By default, the SaaS Application check box is disabled, which means the web application is not shared among tenants, so only users in the current tenant (the one you use to define the service provider) will be allowed to log into the web application. Alternatively, if you enable the SaaS Application check box, the web application is shared among tenants, so users from any tenant will be allowed to log into the web application.
You can refer here for more info.
What's the best way to use the WSO2 capabilities for SaaS apps, using roles and access attributes (ABAC)?
If you meant configuring the authentication mechanism for the SaaS apps using roles and access attributes, you can use the Adaptive Authentication feature. This feature allows you to control the authentication/authorization flow using simple JavaScript.
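As an added example (not part of the answer above, and not WSO2's own code), here is what such an adaptive authentication script looks like for a SaaS service provider: after the first step it checks the user's tenant attribute against an onboarded-customer list, and requires a second step only for users holding a privileged role. The onLoginRequest function is the part you would paste into the service provider's script editor in the IS console; executeStep, hasRole and sendError are the engine's own functions. Everything after the "Offline harness" marker is a constructed stand-in for that engine so the file runs under Node.js; tenant names, the role name and the error URL are assumptions for illustration.

```javascript
// Adaptive authentication script for a SaaS service provider in WSO2 IS.
// Tenant and role names below are assumed placeholders.
var ONBOARDED_TENANTS = ['acme.com', 'globex.com'];     // assumed customer tenants
var PRIVILEGED_ROLE = 'Internal/tenant-admin';           // assumed role name
var DENIED_URL = 'https://saas.example.com/denied';      // assumed error page

function onLoginRequest(context) {
    // Step 1 is whatever authenticator is configured first (e.g. basic auth).
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.steps[1].subject;

            // Attribute check: the SaaS flag lets any tenant log in, so narrow
            // it here to the customer tenants actually onboarded.
            if (ONBOARDED_TENANTS.indexOf(user.tenantDomain) < 0) {
                sendError(DENIED_URL, {status: 'TENANT_NOT_ONBOARDED', tenant: user.tenantDomain});
                return;
            }

            // Role check: privileged users must also pass step 2 (e.g. TOTP);
            // everyone else is done after step 1.
            if (hasRole(user, PRIVILEGED_ROLE)) {
                executeStep(2);
            }
        }
    });
}

// ---- Offline harness: constructed stand-in for the IS script engine ----
// It records which steps the script asked for and whether it sent an error.
// Step 1 is treated as always succeeding; step failure is not modelled.
var trace;

function executeStep(stepNo, options) {
    trace.steps.push(stepNo);
    if (options && typeof options.onSuccess === 'function') {
        options.onSuccess(trace.context);
    }
}

function hasRole(user, role) {
    return (user.roles || []).indexOf(role) >= 0;
}

function sendError(url, params) {
    trace.error = {url: url, params: params};
}

// Runs the script for one authenticated user (constructed input) and returns
// the steps the engine would have executed plus any error it would have sent.
function simulateLogin(user) {
    trace = {steps: [], error: null, context: {steps: {1: {subject: user}}}};
    onLoginRequest(trace.context);
    return {steps: trace.steps, error: trace.error};
}
```

The script itself stays ES5 (var, function expressions) because the IS engine does not accept modern syntax; the harness only exists to exercise the three decisions offline.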
I am trying to create a web application. This app is a B2B PAS model.
One of the features of the app is that an organization using GSuite can onboard to our system, and then all its users can log in to our software using their org's Google IDs. However, in the application, one user can assign a task to another user in the org, so our application should be able to list all users of the org too.
How can both these features be achieved?
I have tried the SAML approach, by creating a custom app from the GSuite admin console. However, can SAML be extended to also list users from the organization which the SAML app belongs to? (Basically I am trying to use the Google Cloud Directory API.)
What other alternative approaches should I look for if pure SAML doesn't work out?
P.S. The tech stack I'm using is Nest JS for the backend and Angular for the frontend.
If I am understanding properly, you are looking for a way to populate all users/IDs from the organization into your SAML app. Single sign-on (SSO) allows users to sign in to enterprise cloud applications using their managed Google account credentials; more details are here in "Set up your own custom SAML application". It is also possible to set up SSO using 3rd-party IdPs.
However, Google supports several industry-standard protocols like OAuth 2.0, OpenID Connect 1.0 and SAML 2.0 for handling authentication, authorization, and single sign-on. You can take a look at "Authenticating corporate users in a hybrid environment" for more details.
I am currently doing a PoC on WSO2 API Manager (v2.6.0). I already have a web application (e.g. pizza booking) and also registered customers (end users) who are using the application for pizza booking. Now I want to bring the backend services of the pizza booking app, such as
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required APIs in API Manager. Then I want to bring my existing web application users (end users) into the API Manager and provide access to those APIs.
What would be the best way to implement this?
Bring my users under WSO2 Identity Server and use Identity Server as the key manager for my API Manager?
Bring my users under a secondary user store / use a custom user store of API Manager?
But in that case, how would I provide access to particular APIs (subscribing to APIs) without logging in to the API Manager Store and subscribing manually for every user?
Also,
What is the use of creating a service provider and creating an OAuth application under Inbound Authentication?
What can I do with this application?
Is this the same as the application we create before subscribing to an API in the API Manager Store?
Can I add users to this application and grant access to them in common?
Can I subscribe to APIs using this application so that all users under this application will have access to them?
You can do it either way: using IS as key manager (if you are already using IS), or adding a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as the key manager (by sharing user stores) will automatically enable all the users in IS (with proper permissions) to access the APIs.
If you do not use IS currently, the best option is to add a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a service provider and creating an OAuth application under Inbound Authentication?
What can I do with this application?
Is this the same as the application we create before subscribing to an API in the API Manager Store?
Can I add users to this application and grant access to them in common?
Can I subscribe to APIs using this application so that all users under this application will have access to them?
Answer
The service provider is created automatically when an OAuth application is created and keys are generated. But there are different aspects to these two entities.
The service provider is generally used for generating application keys to get an access token to invoke the APIs.
The OAuth application (when you create it through the API Store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions, etc.
In order to use the token generated by an application, the respective API should be subscribed to by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via the Store portal and subscribed to an API) to generate an access token for themselves. That is, by providing them with the application keys and using the password grant type, they can generate a token for themselves.
Refer to this documentation for more info on the token API and grant types: https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret in their app. Then the application should generate tokens for the end users using that key pair + the end user's credentials.
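The two answers above describe the same flow in words: the application developer subscribes once in the Store, the app keeps the consumer key/secret, and per end user the app runs a password grant against the gateway token endpoint. Here is that flow as an added example in Node.js (not code from either answer or from WSO2). It builds the requests the app sends to APIM 2.6.0, parses the token response into a per-user session, and classifies the gateway's fault codes so the app can tell "token expired" from "this application never subscribed to that API", which is the failure the first answer warns about. No network call is made; request builders return plain objects, and the sample responses are constructed with made-up values. Host, keys, credentials and the API context are placeholders.

```javascript
const TOKEN_ENDPOINT = 'https://localhost:8243/token';   // APIM gateway token API (default port)

// Application keys from the Store. They identify the application, not a user,
// and stay server-side in the app; end users never see them.
function appCredentials(consumerKey, consumerSecret) {
  return 'Basic ' + Buffer.from(consumerKey + ':' + consumerSecret).toString('base64');
}

function formPost(keys, params) {
  return {
    method: 'POST', url: TOKEN_ENDPOINT,
    headers: { Authorization: appCredentials(keys.consumerKey, keys.consumerSecret),
               'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(params).toString(),
  };
}

// Password grant: app keys + the end user's own username/password give a token
// that carries that user's identity. Requested scopes are granted only when
// the user holds the roles bound to them in APIM.
function passwordGrantRequest(keys, username, password, scopes) {
  const params = { grant_type: 'password', username, password };
  if (scopes && scopes.length) params.scope = scopes.join(' ');
  return formPost(keys, params);
}

// Renewal without asking the user for the password again.
function refreshGrantRequest(keys, refreshToken) {
  return formPost(keys, { grant_type: 'refresh_token', refresh_token: refreshToken });
}

// Token response -> what the app stores per user session. expiresAt lets the
// app refresh shortly before the gateway starts rejecting the token.
function parseTokenResponse(json, nowMs) {
  if (!json.access_token) {
    throw new Error('token endpoint refused: ' + (json.error_description || json.error || 'unknown'));
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token,
    scopes: (json.scope || '').split(' ').filter(Boolean),
    expiresAt: nowMs + json.expires_in * 1000,
  };
}

function isExpired(session, nowMs, skewMs = 30000) {
  return nowMs + skewMs >= session.expiresAt;
}

// Gateway call on the user's behalf: only the Bearer token travels; the
// consumer secret never leaves the app.
function apiRequest(session, apiUrl) {
  return { method: 'GET', url: apiUrl, headers: { Authorization: 'Bearer ' + session.accessToken } };
}

// Gateway fault codes the app must distinguish (APIM 2.x JSON fault body).
function classifyGatewayError(status, faultBody) {
  const code = faultBody && faultBody.fault && faultBody.fault.code;
  if (status === 401 && code === 900903) return 'refresh-token';      // Access Token Expired
  if (status === 401) return 'reauthenticate';                         // invalid or inactive token
  if (status === 403 && code === 900908) return 'app-not-subscribed';  // Resource forbidden: valid token, but this app has no subscription to the API
  if (status === 403 && code === 900910) return 'insufficient-scope';  // token lacks the scope the resource requires
  if (status === 403) return 'forbidden';
  return 'retry-or-fail';
}

// Constructed sample responses in the shape APIM returns; values are made up.
const SAMPLE_TOKEN_RESPONSE = {
  access_token: 'a1b2c3', refresh_token: 'r9y8z7', scope: 'default pizza:order',
  token_type: 'Bearer', expires_in: 3600,
};
const SAMPLE_NOT_SUBSCRIBED = {
  fault: { code: 900908, message: 'Resource forbidden',
           description: 'User is NOT authorized to access the Resource. API Subscription validation failed.' },
};
```

The password grant means the app sees every user's password, which is acceptable for a first-party app that already holds those credentials (the pizza-booking case) but not for third-party clients; for those, the same application keys work with the authorization code grant, and the rest of this code (session, refresh, error handling) stays unchanged.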
I am pretty new to WSO2 IS and my objective is to understand how (or whether it's possible) to enable simultaneous login to 2 different service provider applications.
For instance: a token from one service provider is to be accessed and used to log in to the other app.
Any help on this topic is appreciated.
how (or whether it's possible) to enable simultaneous login to 2 different service provider applications.
From this question, I understand that you want to try single sign-on with Identity Server. WSO2 Identity Server enables users to access multiple applications using the same set of credentials. For example, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials. WSO2 IS provides the capability for SSO using different protocols such as OpenID Connect, SAML, etc.
If this is your requirement, you can refer to this doc to learn about single sign-on. If you use OAuth apps you can get access tokens. Refer to this doc to learn about SSO with OpenID Connect.
I am trying to develop a data integration service which will be used in multi-tenant mode. We are exploring the different solutions available, and WSO2 is one of them. I am using WSO2 EI 6.1.1 (Carbon).
I have created two tenants from the superuser's management console, and deployed the *.car file from each tenant's login.
My understanding of multi-tenancy was that a single deployment is done, and multiple tenants/users of the system access the same deployed service without interfering with each other or getting blocked.
But here, I have to deploy the same Carbon application for each tenant (twice in my case) from the management console. How is it multi-tenant then?
I think you didn't clearly understand what a tenant is. Consider a tenant as a separate organization. For example, if you take Alphabet, you have Google, YouTube, Maps, etc. Those are your tenants. So each tenant can have its own set of apps.
If you want all the tenant users to access a particular app, I think you can mark that as a SaaS app. That way any user from any tenant can access that particular app.
Hope that gives you a clear idea.
You can refer to https://docs.wso2.com/display/AM200/Multi-tenant+Architecture for more details about the tenancy concept in WSO2.
I've seen that WSO2 API Manager version 1.4.0 offers the multi-tenant capability, but apart from creating a new tenant in the Carbon dashboard, how can I have different Store and Publisher applications for the different tenants?
My expectation is that I can have two different looks for the two tenants (even just applying a different theme to the Jaggery application), but I'm lost on where I have to configure the existence of the tenant and how I can operate as admin#tenant1 or admin#tenant2 to publish and consume the API in the Store.
Thanks
Different theme support is not available. But when you publish an API as a tenant, it will be available in that particular tenant's Store.
If you create a tenant, it will be a tenant admin. And for that tenant, you can create tenant users with different permissions. (That is, log in as the tenant from the management console and create users/roles, etc.)
I think you can't change the look and feel for each tenant. In multitenancy you can create multiple tenants and each tenant can publish their APIs, so that will affect and be available to only that tenant.
You can log into the Publisher and Store using the tenant username and tenant password.