WSO2is using roles - wso2

I use WSO2 Identity Server, and I can't understand from the documentation how roles work for my application (service provider). I understand that the roles work for making changes in the WSO2 platform, but I don't know how this helps me get roles and permissions for my app.
For example, I need to create a role named writer and another role named supervisor. The writer role can edit and create new docs, but the supervisor can only read docs and mark them for editing by editors.
When I create this role in WSO2 and have to mark permissions, I can only see permissions for WSO2 management.

The permissions that you can see in the WSO2 management console are only to set the permission levels for WSO2 identity server functionalities.
If you need to implement any permission levels based on the user roles in your application side, it needs to be handled by yourself.
You can retrieve the available roles of the authenticated user to your application from the WSO2 identity server via a SAML response, an ID token, etc., based on the authentication protocol that you use.
After that, you will have to implement the permission levels in your application side based on your requirements.
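The application-side enforcement described in this answer, as an added example that is not part of the original answer or of WSO2's code. It assumes the ID token has already been signature-verified by an OIDC library and that roles arrive in the `groups` claim; the permission strings, the trusted role-domain prefixes and the sample claims are hypothetical.

```python
# Added example: enforce application permissions from roles carried in a token.
# Assumes the ID token was already signature-verified by an OIDC library.

# Application-defined mapping (roles taken from the question; permission
# names are hypothetical).
PERMISSIONS_BY_ROLE = {
    "writer": {"doc:create", "doc:edit"},
    "supervisor": {"doc:read", "doc:mark_for_edit"},
}

# Assumption: role-domain prefixes this application accepts. "" means no prefix.
TRUSTED_DOMAINS = {"", "INTERNAL", "APPLICATION"}


def roles_from_claims(claims, claim_name="groups"):
    """Return the set of bare role names found in a verified claims dict."""
    raw = claims.get(claim_name, [])
    if isinstance(raw, str):  # some setups emit one comma-separated string
        raw = raw.split(",")
    if not isinstance(raw, (list, tuple)):
        return set()
    roles = set()
    for item in raw:
        if not isinstance(item, str):
            continue
        domain, _, name = item.strip().rpartition("/")
        # Skip roles from domains we do not trust, so "OTHERSTORE/writer"
        # is never treated as the application's "writer".
        if domain.upper() in TRUSTED_DOMAINS and name:
            roles.add(name)
    return roles


def permissions_for(claims):
    """Union of permissions for every known role; unknown roles grant nothing."""
    perms = set()
    for role in roles_from_claims(claims):
        perms |= PERMISSIONS_BY_ROLE.get(role, set())
    return perms


def is_allowed(claims, permission):
    """Default-deny check: True only if a trusted, known role grants it."""
    return permission in permissions_for(claims)


# Constructed sample claims (not real tokens).
WRITER = {"sub": "alice", "groups": ["Internal/everyone", "Application/writer"]}
SUPERVISOR = {"sub": "bob", "groups": "Internal/everyone,supervisor"}
FOREIGN = {"sub": "eve", "groups": ["OTHERSTORE/writer"]}
```

Run the check on the server side for every request; a client such as a browser app can use the same mapping only to decide what to display.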

Related

WSO2 APIM 4.1.0: multi-tenancy with custom OIDC identity provider

I am using WSO2 API Manager 4.1.0 and I am trying to configure it with a custom OAuth2 authenticator to provide different users to different tenants.
By following this guide, meant for Okta, I was able to make logging in and token claim-to-role mapping work, with some adjustments to the configuration to adapt to the custom IdP. Users can successfully log in with the custom IdP, are assigned roles correctly, and can act accordingly in the publisher and developer portals.
However, I cannot figure out if there is any way to assign users to any tenant other than carbon.super.
The custom IdP I am working with uses e-mail addresses as usernames and, when enable_email_domain=true in the configuration file deployment.toml, users are created in APIM with said e-mail as their names, but if that setting is false (or commented), only the part before # is used. I thought this could be used to assign them to other tenants, but even if the e-mail domain is an existing tenant, the user is created in carbon.super.
I've noticed, when logging into carbon as admin, in the Service Providers section, under Local & Outbound Authentication Configuration for apim_devportal and apim_publisher, the Use tenant domain in local subject identifier setting. I am unsure what exactly this option entails, but checking it does not seem to change anything.
This article in the documentation talks about tenants, but does not cover this scenario.
Does anyone know how (if it's even possible) to assign a user to a specific API Manager tenant, instead of carbon.super, upon logging in via custom IdP (not Okta or Identity Server)?
Same question here. I use Keycloak as IdP and have not found a solution yet for implementing a multi-tenancy schema.

WSO2 - IS - Synchronize Users from WSO2 to a Service Provider

I want to create a user in WSO2 Identity Server (version 5.8) and then populate it into my Service Providers automatically.
At the moment, after user registration in WSO2, I need to register the same user manually in each Service Provider (in my case, an SP is the M-Files tool, which provides a way to create users described here).
I am not sure if WSO2 offers an automatic way to do this. I read the following documentation:
Inbound provisioning: This approach is used for the opposite goal. I create a user in a Service Provider and, with the SCIM API, I can create it in WSO2.
Outbound provisioning: This approach is very close to what I want, but it requires relating the Service Provider with an Identity Provider (which must implement SCIM), and I don't want to use my Service Provider as an Identity Provider.
User store: I think it is not what I am looking for. I think WSO2 queries the external user store to check whether the user attempting to log in is valid or not. I don't want my Service Provider to act like an Identity Provider.
Thanks
> Outbound provisioning: This approach is very close to what I want, but it requires relating the Service Provider with an Identity Provider (which must implement SCIM), and I don't want to use my Service Provider as an Identity Provider.
This is the approach you should be using. You don't have to use it as an Identity Provider. Just register it as an Identity Provider so that WSO2 can provision users to M-Files.
Regarding provisioning to M-Files, WSO2 supports the standard user management SCIM2 REST APIs. But if M-Files doesn't support them (I couldn't find any reference), you might have to find the API format that M-Files supports, and then you can write a simple Java extension (Custom outbound provisioning Connector) for WSO2 Identity Server, so that it can provision users to M-Files in the way that it prefers.
Documentation for customization

Retrieving and using Permissions from a Service Provider in WSO2 IS

I am using OIDC Authentication with WSO2 IS (5.7.0) in an Angular Application, and passing the OAuth2 Access Token (JWT) through to the backend REST APIs for Authentication (Identity Propagation) and Authorization.
I have configured the Service Provider in WSO2 so that the Roles assigned to a User are included in the Groups Claim (groups) in the Access Token (via the oidc Scope), but I'm not sure how I can determine which Permissions the User has inherited from those Roles so that I can apply some coarse-grained Authorization (RBAC) logic within my Angular App / REST APIs. Specifically, I am interested in custom Permissions added to the Service Provider.
I don't particularly want to use WSO2 IS as an XACML PDP for this coarse-grained Authorization at the boundary, but am considering using it for more fine-grained Authorization (ABAC) nearer to data access / manipulation - where we want to take attributes of the data into account. However, I'm not even sure if these Permissions can be used in XACML policies as they are not direct attributes of a User, which is the same reason they are not returned as Claims in an OAuth2 Access Token.
Is there a way to include the inherited Permissions as Claims in the OAuth2 Access Token?
Alternatively, is there a separate WSO2 IS Endpoint I can call with the Access Token to retrieve a list of Permissions - possibly even as Claims returned in a separate Token (JWT)?
From reading the documentation and searching online, there appears to be a complete disconnect between OAuth2 (Scopes/Claims) and RBAC (Roles/Permissions) in WSO2 IS. There's detail on how to Configure Users, Roles and Permissions (RBAC) in WSO2 IS, but nothing on how to then access and use that data to enforce Authorization.
This is possible with an extension.
Check https://github.com/wso2-incubator/samples-is/tree/master/custom-permission-claim-handler out.
I guess this is exactly what you are looking for.

Authorizing user using saml response from Single Sign On in APIM Publisher

I have successfully integrated an external IdP (Keycloak) with the publisher to do SAML-based single sign-on. After authentication, it says the user is not authorized. From my investigations, for authorization:
User DB needs to be shared with the external IdP - this is not possible for my use case
Sending user roles via the SAML response - is it possible? If so, what claims need to be sent, and what are the related configurations?
Pointing to the Identity Server for authorization - how to do it?
Also, I don't want to integrate the IS server.
I want answers to the above unknown concerns.
> it says user is not authorized
Which version are you using?
Is there anything preventing the authorization, such as required scopes?
> User DB need to be shared with external idp - this is not possible for my usecase
Usually you need a userstore to manage users and roles; in the case of SAML, I believe that is not needed. However, you can set up a JDBC userstore and inbound user provisioning (all logged-in users will be stored in the database with their attributes and roles).
> Sending user roles via saml response - is it possible?, if so what are the claims need to be sent and related configurations
I believe WSO2AM 2.1.0 (other versions I don't know) does not read roles directly from the SAML response (there is an environmental property where you could enable that; I cannot find it right now, so just search a little).
However, together with the inbound provisioning it should work (the roles should be stored and updated in the database on each login).
> pointing identity server for authorization - how to do it?
What do you mean by that? You could set up a WSO2IS as KM (key manager) where you could do additional authorization (I am still not sure what you are asking here).

Wso2 Identity server - Restrict Inbound Authentication of service provider based on role permission

I have created a tenant 'A' in WSO2 IS and added my LDAP user store to it. In tenant 'A', I have configured a 'test' service provider with OAuth2 as inbound authentication. As of now, I can successfully authenticate all the users in the store with the OAuth2 service provider configuration.
But I could not find any configuration to restrict users from authenticating against the service provider 'A'.
I have searched a lot but could not find any documentation for it. I need help sorting out this issue.
Do we need to map our service provider role and local role somewhere?
This feature is not currently supported by WSO2 Identity Server. We will add this in future releases. User permissions are not checked for authentication; rather, the service provider's role is used for this purpose.
This could be achieved with the support of extension points, which depends entirely on the use case and grant type.