I am pretty new to the WSO2 IS and my object is to understand how ( whether its possible ) to enable simultaneous login of 2 different service provider applications.
For instance : token from one service provider is to be accessed and used to login to the other app.
Any help on this topic is appreciated.
how ( whether its possible ) to enable simultaneous login of 2 different service provider applications.
From this question, I understand that you want to try Single Sign on with Identity server. WSO2 Identity Server enables users to access multiple applications using the same set of credentials. For an example, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials. WSO2IS provides the capability for SSO using different protocols such as OpenIDConnect, SAML, etc.
If this is your requirement, you can refer to this doc to know about Single sign-on. If you use OAuth apps you can get access tokens. Refer to this doc to know about SSO with OpenID Connect.
Related
I'm facing the following scenario:
There are several companies each one with its own OpenID Connect Identity Provider (IdP) which federates users from their respetive LDAP servers. These providers are used to perform SSO in the context of each company.
There's a requirement to create an application that offers a common login for all the users of those companies.
The idea is to provision or use an existing cloud solution (AWS Cognito, Google Cloud Identity, etc., ...) that offers a shared login screen but delegates/federates the actual login to each of the company IdPs.
Are there any solutions that allows this?
Could you point at any documentation/guide to implement it?
This is just standard OAuth and OpenID Connect behaviour, with these 3 roles:
Application, uses OIDC to redirect to ...
An Authorization Server, which you own, and which redirects to ...
An Identity Provider
So you need a standards based authorization server and to configure your app as an OAuth Client. Then include the openid scope so that OpenID Connect is used. SAML based identity providers can also be supported in this flow, even though your app only uses OIDC.
The way to manage this with best usability, is for the authorization server to present a usernane authenticator, which captures a user identifier first, such as an email. It then runs some custom logic, such as a user lookup, to determine which IDP to route the user to. The user then authenticates at the IDP.
After authentication, the IDP issues tokens to the authorization server, which validates them, then issues its own tokens to the application. In particular the app gets an access token whose scopes and claims you can control. Your app can then send these to your APIs, which can authorize access to business data correctly.
Aim for behaviour similar to that above, or adjust it based on your preferences. Then trial it, eg with a cloud or Docker based authorization server, and ensure that you select one with sufficient extensibility to meet your requirements.
Note also that Stack Overflow answers should not recommend particular vendors, so I have not done so.
There is a solution called cloudpods using which you can manage both on-prem and public cloud resources. Cloudpods supports integration with multiple cloud providers like aws, GCP, azure, alibaba and etc.,
Is there any OpenID Connect Identity Provider that can delegate autentication to other OpenID Connect IdPs?
Yes. https://github.com/apereo/cas is one. You can set it up as an OIDC identity provider and have it then delegate to as many OIDC Identity providers as you want.
I want to create a user in Wso2 (version 5.8) Identity Server and then populate it into my Service Providers automatically.
At this moment, after user registration in my Wso2, then I need to register the same user manually in each Service Providers (in my case, a SP is M-Files tool which provides a way to create user described here)
I am not sure if wso2 offers an automatic way to do this. I read the following documentation
Inbound provisioning: This approach is used for the opposite goal. Create a user in a Service Provider and with SCIM API I can create it into my wso2.
Outbound provisioning: This approach is very close that I want to but require relating the Service Provider with an Identity Provider (which must implement SCIM) and I dont want to use my Service Provider as an Identity Provider.
User store: I think it is not what I looking for. I think wso2 queries the external user store searching if the user which attempt to login is valid or not. I dont want my Service Provider act like a Identity Provider
Thanks
Outbound provisioning: This approach is very close that I want to but require relating the Service Provider with an Identity Provider (which must implement SCIM) and I dont want to use my Service Provider as an Identity Provider.
This is the approach you should be using. You don't have to use it as an Identity Provider. Just register it as an Identity Provider so that WSO2 can provision users to M-Files.
Regarding provisioning to M-Files, WSO2 support standard user management SCIM2 rest APIs. But if (I couldn't find any reference) M-files doesn't support such, you might have to find the API format that M-files support and then you can write a simple Java extension (Custom outbound provisioning Connector) to WSO2 Identity Server, so that it can provision users to M-files in a way that it prefers.
Documentation for customization
I have my own SQL Server database which contains usernames/passwords for authentication. I'd like to build a custom Identity Provider based on this database with an Identity Management provider so the other applications can be registered and their users can be authenticated with OIDC.
I researched some tutorials and they says that some Identity Management providers such as: OneLogin, Okta... can integrate with our own credentials database. But for Google Identity Platform, I cannot find any links show how to do such a thing so far.
Could you please tell me if it is possible to integrate our own database with Google Identity Platform? Is there any resource links mention about this? If it is impossible, is there any alternates for integrating the database with Cloud Platform (e.g. Azure or AWS) or we have to build our own Identity Provider from scratch?
Thank you.
You can use Cloud Identity Platform. You can define external identity provider and even a custom identity provider.
However, this solution implies that your own SQL database is behind an Identity Provider OIDC compliant.
In addition, you will be able to authenticate your users to access to your application. You can't use this authentication to interact directly with Google Cloud API, only with YOUR application.
You can use the Identity Platform Admin SDK to manage Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC) provider configurations programmatically. You can explore the details of OpenID Connect here.
I would also suggest you to explore the best practices and guidance that help you set up federation consistently and securely. The guidance builds on the best practices for using Cloud Identity or G Suite with Google Cloud.
You might be interested in Connecting to Cloud SQL from external applications running outside of Google Cloud.
Use keycloak to expose your existing database as an open Id connect (OIDC) identity provider.
Then you can tell google identity platform to use your new identity provider as a federated provider as the other answers are telling you.
To do that, you need some code. You need to help keycloak translates common user patterns like get a user, list users, check password, get groups, roles etc into your database. This is done implementing a StorageProvider with the capabilities (user lookup, password update, user creation etc) you need.
There is an JDBC provider ready, where you only provide the correct queries. Check keycloak documentation. You only need to implement the ones you need (eg: don’t implement user creation through keycloak if you don’t need to create users through keycloak admin interface; don’t implement password change if your users manage their passwords via your existem infrastructure; and so on). For this use case (google authentication) user lookup and password validation are enough.
Okta will not help you here, but that was possible directly with Auth0 (custom database connector).
So you either implement your own OIDC (open if connect) with keycloak or look for a cloud identity solution capable of custom database connection and them expose it to google.
I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?
Also,
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.
If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.
The Service provider is generally used for generating application keys to get an access token to invoke the apis.
OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.
In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.
I’ve made a new Identity Provider and setup it’s SAML2 authentication to our Shibboleth IDP. How do I “login” using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications. Your applications can be connected with Identity Server as service providers. Then you can defined your external IDPs a trusted IDP. Each service provider, you can select multiple IDPs as out-bound authenticators. There is some blog about that uses saleforce as trusted IDP, you can go through it as well
If what you want is to login to IS using Shibboleth as IDP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's not facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I setup API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.