cannot filter group by displayName like '?filter=displayname eq APPLICATION/myRole' in SCIM 2.0 API (WSO2 IS 5.7.0) - wso2-identity-server

I've created two roles in WSO2 IS v5.7.0. The 1st one, '_login', is in the 'Primary' domain. The 2nd one, 'Manager', is in the 'Application' domain. I try to search the group by display name like this. The first query is OK, but the 2nd query returns an empty response. Could you help?
1st query: curl -v -k --user admin:xxx 'https://localhost:9444/scim2/Groups?filter=displayName+eq+_login'
2nd query: curl -v -k --user admin:xxx 'https://localhost:9444/scim2/Groups?filter=displayName+eq+Application/Manager'

Roles starting with Application/ are a special kind of internal role dedicated to representing service providers.
Ex: suppose you create a service provider with the name xxx. A role Application/xxx will be created automatically. Service provider xxx will be visible only to users who belong to the Application/xxx role.
It's good practice to keep roles starting with Application/ away from general user management.
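An added example, not code from this thread or from WSO2: it builds the Groups filter request the way RFC 7644 specifies (string operand in double quotes, the whole filter percent-encoded so the "/" in Application/Manager survives) and evaluates the same filter locally against a constructed group list, so you can see what a conformant query and server-side match look like. The base URL follows the question; the group IDs are made up. A conformant filter does not change what the server withholds: per the answer above, Application/ roles are internal roles that WSO2 IS keeps out of general user management.

```python
"""SCIM 2.0 Groups filter: build the request per RFC 7644 and evaluate the same
filter locally against a constructed group list.

Added example for this thread, not WSO2 code. GROUPS is constructed; the base
URL follows the question (https://localhost:9444).
"""
import re
from typing import Dict, List
from urllib.parse import quote


def scim_eq_filter(attribute: str, value: str) -> str:
    """'attr eq "value"': RFC 7644 puts string operands in double quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} eq "{escaped}"'


def groups_filter_url(base_url: str, display_name: str) -> str:
    """Percent-encode the whole filter (safe='') so the '/' in
    'Application/Manager' and the spaces travel as one query value."""
    flt = scim_eq_filter("displayName", display_name)
    return f"{base_url}/scim2/Groups?filter={quote(flt, safe='')}"


_EQ = re.compile(r'^\s*([A-Za-z][\w.]*)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$')


def apply_eq_filter(flt: str, resources: List[Dict]) -> List[Dict]:
    """Minimal evaluator for one 'eq' clause, the way a SCIM server applies it.
    String comparison is case-insensitive unless the schema marks the attribute
    caseExact, which displayName is not."""
    m = _EQ.match(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    attr = m.group(1).lower()
    value = re.sub(r"\\(.)", r"\1", m.group(2)).lower()  # undo the quoting escapes
    return [r for r in resources
            if any(k.lower() == attr and str(v).lower() == value for k, v in r.items())]


def role_domain(display_name: str) -> str:
    """WSO2 prefixes roles with their domain: 'Application/Manager' is in the
    Application domain; a bare name like '_login' is in PRIMARY."""
    domain, sep, _ = display_name.partition("/")
    return domain if sep else "PRIMARY"


# Constructed sample, shaped like the Resources array of a SCIM 2.0 ListResponse.
GROUPS = [
    {"id": "2f0b8d5c-0000-4000-8000-000000000001", "displayName": "_login"},
    {"id": "2f0b8d5c-0000-4000-8000-000000000002", "displayName": "Application/Manager"},
    {"id": "2f0b8d5c-0000-4000-8000-000000000003", "displayName": "Internal/everyone"},
]

if __name__ == "__main__":
    for name in ("_login", "Application/Manager"):
        print(groups_filter_url("https://localhost:9444", name))
        hits = apply_eq_filter(scim_eq_filter("displayName", name), GROUPS)
        print(f"  domain={role_domain(name)} local matches={len(hits)}")
```

If the conformant URL still returns an empty ListResponse for Application/Manager while the local evaluator matches it, the difference is server policy on that role domain, not the filter syntax.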

Related

Google sheets API v4 permissions PERMISSION_DENIED error using POSTMAN [duplicate]

I've generated a server key in the API Manager and attempted to execute the following on my Mac:
curl 'https://sheets.googleapis.com/v4/spreadsheets/MySheetID?ranges=A1:B5&key=TheServerKeyIGeneratedInAPIManager'
But this is what it returns:
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
What am I doing wrong here?
To solve this issue, try to:
Create a service account: https://console.developers.google.com/iam-admin/serviceaccounts/
In options, create a key: this key is your usual client_secret.json; use it the same way
Make the role Owner for the service account (member name = service account ID = service account email, e.g. thomasapp@appname-201813.iam.gserviceaccount.com)
Copy the email address of your service account (= service account ID)
Simply go in your browser to the Google Sheet you want to interact with
Go to SHARE at the top right of your screen
Go to advanced settings and share it with the email address of your service account, e.g. thomasapp@appname-201813.iam.gserviceaccount.com
I know it is a little late to answer, but for other people struggling with the same issue:
Just change the permission of the sheet to public on your Drive so it can be accessed without authentication via API calls.
To change access:
Open the sheet in Google Drive
In the top right corner, click Share
At the bottom of the prompt window, click Advanced
Change the permission to public or "people with the link" (no sign-in required)
Send the API request to fetch data from the sheet without authentication.
Note: if the sheet contains sensitive data then it is not safe to make it public; use authenticated access instead.
Make sure to pay attention to @KishanPatel's comment:
Also, you can share this sheet with a specific email, e.g. your service account (project) email: "client_email": "XXXXX@northern-gasket-XXXX.iam.gserviceaccount.com". This will allow your script to access the sheet.
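The two access routes the answers above contrast, written out as request shapes. This is an added example, not code from any answer in this thread or from Google's client libraries; it runs offline with a constructed service-account key stub and placeholder IDs and tokens, and assumes the Sheets v4 spreadsheets.values.get endpoint. What it makes concrete: an API key identifies only the project, so it only ever works for a sheet that is already public and it rides in the query string where it lands in logs; a service-account token identifies a principal, and it is that principal's client_email, not any project IAM role, that you enter in the Share dialog.

```python
"""Sheets API access from the thread, as concrete request shapes (no network).

Added example for this thread, not Google client code. SAMPLE_KEY is a
constructed stub of a service-account key file (a real one also carries
private_key); the spreadsheet ID, key and token are placeholders.
"""
import json
from typing import Dict, Optional, Tuple
from urllib.parse import quote

SHEETS_BASE = "https://sheets.googleapis.com/v4/spreadsheets"
RANGE_SAFE = ":!'"  # keep these so a range like 'Sheet 1'!A1:B5 stays readable


def values_get_request(spreadsheet_id: str, a1_range: str, *,
                       api_key: Optional[str] = None,
                       access_token: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for spreadsheets.values.get.

    An API key names only the *project*: Google honours it just for sheets that
    are already public, and it sits in the query string, which proxies and
    servers log. A service-account OAuth token names a *principal*, which is
    what Drive sharing grants access to, and travels in a header instead.
    """
    if (api_key is None) == (access_token is None):
        raise ValueError("pass exactly one of api_key or access_token")
    url = f"{SHEETS_BASE}/{quote(spreadsheet_id, safe='')}/values/{quote(a1_range, safe=RANGE_SAFE)}"
    if api_key is not None:
        return f"{url}?key={quote(api_key, safe='')}", {}
    return url, {"Authorization": f"Bearer {access_token}"}


def share_target(service_account_key_json: str) -> str:
    """The address to enter under Share on the sheet: the key file's client_email.
    Project IAM roles (Owner/Editor) do not open a Drive file; sharing does."""
    key = json.loads(service_account_key_json)
    if key.get("type") != "service_account" or "client_email" not in key:
        raise ValueError("not a service-account key file")
    return key["client_email"]


def is_permission_denied(response_body: str) -> bool:
    """Recognise the 403 body from the question so a caller can point at sharing."""
    try:
        err = json.loads(response_body)["error"]
        return err.get("code") == 403 and err.get("status") == "PERMISSION_DENIED"
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


# Constructed stub; a real key file is downloaded from IAM & Admin -> Service Accounts.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "appname-201813",
    "client_email": "sheets-reader@appname-201813.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})

if __name__ == "__main__":
    print("share the sheet with:", share_target(SAMPLE_KEY))
    print(values_get_request("SPREADSHEET_ID", "'Sheet 1'!A1:B5", access_token="ya29.placeholder"))
    print(values_get_request("SPREADSHEET_ID", "A1:B5", api_key="AIza-placeholder"))
```

Obtaining the bearer token itself (the signed JWT exchange with the key file's private key) is what the client libraries do for you; the Java answer further down shows that path.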
Visual Simplification of the Answers:
Option 1 - Make the file public (only if the sheet contains no sensitive data)
Option 2 - Share the file with the Service Account email (IAM & Admin -> Service Accounts -> Details -> Email)
The easiest way to fix it is using the gcloud CLI. More docs here: https://cloud.google.com/pubsub/docs/quickstart-cli#before-you-begin
Install gcloud:
sudo apt-get install google-cloud-sdk
then call
gcloud init
then check your active project and credentials:
gcloud config configurations list
If it is not OK, make sure you are authenticated with the correct account:
gcloud auth list
* account 1
  account 2
Change to the project's account if not:
gcloud config set account ACCOUNT
Depending on the account, the project list will be different:
gcloud projects list
- project 1
- project 2...
Switch to the intended project:
gcloud config set project PROJECT_NAME
Then create Application Default Credentials with gcloud auth application-default login; google-cloud will then detect those credentials automatically.
My 10 cents... A simple example to read the sheet using Java.
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.sheets.v4.Sheets;
import com.google.api.services.sheets.v4.SheetsScopes;
import com.google.api.services.sheets.v4.model.ValueRange;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Collections;

private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();

// <credential json> is the service-account key file's content; load it from a secret store or file, not source.
private Credential getCredentials() throws IOException {
    final InputStream accessKey = new ByteArrayInputStream("<credential json>".getBytes(StandardCharsets.UTF_8));
    final GoogleCredential credential = GoogleCredential.fromStream(accessKey)
            .createScoped(Collections.singleton(SheetsScopes.SPREADSHEETS_READONLY)); // read-only scope: least privilege
    return credential;
}

private HttpTransport httpTransport() {
    try {
        return GoogleNetHttpTransport.newTrustedTransport(); // certificate-validating HTTPS transport
    } catch (GeneralSecurityException | IOException e) {
        throw new SpreadSheetServiceException(e); // application-specific unchecked exception
    }
}

Sheets service = new Sheets.Builder(httpTransport(), JSON_FACTORY, getCredentials())
        .setApplicationName("app-name")
        .build();
// Reads column A; the spreadsheet must be shared with the service account's client_email first.
ValueRange response = service.spreadsheets().values()
        .get("<spread_sheet_id>", "A1:A")
        .execute();
In my case, solving this problem turned out to be trivial. You just have to:
Enter the Google Sheet that you want to edit remotely.
In the upper right corner, set "anyone who has the link can enter".
Most importantly, on the right side you need to set the permission for people who have the link to 'editor'.
If you still do not have permission, it means that you have to go to the website https://console.developers.google.com/iam-admin/iam/, then select your project, then select "Service accounts" and create a new one with the role "owner" or "editor" for the project, for example (or use one that already exists and click "create new key").
The "key" is a JSON file that will be downloaded when you create the account (or use "create new key" there).

IIB SOAP user password Authentication at provider end

I am following the link https://www.ibm.com/developerworks/websphere/library/techarticles/1505_kumar/1505_kumar.html for a SOAP web-service consumer. I am applying the same method for a SOAP web-service provider.
I want to access the username and password in ESQL to authenticate both consumer and provider. Is there any way to access the user name and password of the provider from the SecurityProfiles configurable service in ESQL so it can be validated against the consumer's credentials?
The user name and password are plain text.
I have done the following things:
1. Created a policy
2. Created bindings
3. Created a user ID & security profile:
mqsisetdbparms SBBROK -n SecurityID -u sbuser -p sb.123456
mqsicreateconfigurableservice SBBROK -c SecurityProfiles -o WSSecurityProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,SecurityID"
Configured the BAR file and set the policy, binding & security profile on the SOAPInput node.
Deployed my flow.
After that, I assumed that with these provider policies, binding and profile, the provider can authenticate the consumer's user name and password.
I am using IIB version 10.0.0.15.
I'm not sure I fully understood the question.
All I can tell you is the following: the credentials provided by the one calling your service will be stored at this location, Properties/IdentitySourcePassword and Properties/IdentitySourceToken, right after your input node.
If not set to static, the SOAP request you are making will use the credentials at this location as well. Otherwise, it will use the user/password defined in the mqsisetdbparms command.
So you can access the input credentials in your ESQL code like this:
DECLARE callerUser CHARACTER InputRoot.Properties.IdentitySourceToken;
DECLARE callerPassword CHARACTER InputRoot.Properties.IdentitySourcePassword;
For the credentials stored via mqsisetdbparms, I don't know any way to access them and, to be honest, I don't see the point.
A solution, if you really need this, is to change your static user/password to a dynamic one, and set it directly in your ESQL at these locations with something like this:
-- expected credentials (hard-coded here only for illustration)
DECLARE myUser CHARACTER 'Username';
DECLARE myPassword CHARACTER 'Password123';
-- what the caller sent (populated by the security profile on the SOAPInput node)
DECLARE callerUser CHARACTER InputRoot.Properties.IdentitySourceToken;
DECLARE callerPassword CHARACTER InputRoot.Properties.IdentitySourcePassword;
-- The comparison you want to do here
-- copy the incoming message before touching OutputRoot.Properties, otherwise the body is lost
SET OutputRoot = InputRoot;
SET OutputRoot.Properties.IdentitySourcePassword = myPassword;
SET OutputRoot.Properties.IdentitySourceToken = myUser;
Of course, hard-coding the user/password is not the right solution; it is just an example, but you can easily store it in a database and retrieve it from the ESQL.

support the secondary domain with Classic authentication for SharePoint people picker

We migrated a few SharePoint 2010 site collections to SharePoint 2013 but had to use classic authentication to preserve the users that were already in groups.
We have 2 AD domains with a one-way trust.
The problem now is that the people picker in these site collections only shows existing users from the trusted domain, and for new users only {trusted domain}\{user id} is possible for adding a new user from the trusted domain.
So I performed:
STSADM.exe -o setapppassword -password <>
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Main.local, main\me,myPassword; domain:second.local, main\me,myPassword" -url https://sites.contoso.com/
Now I could not even add users using {trusted domain}\{user id}. There is no way to add any users from the trusted domain.
I checked the properties peoplepicker-peopleeditoronlyresolvewithinsitecollection and peoplepicker-onlysearchwithinsitecollection; they are either 'No' or do not exist.
What else can I do to support the secondary domain?
A couple of pointers:
1. For the first domain there is no need to specify the password; the application pool service account should be part of Domain Users and able to query its own domain.
2. As you have a one-way trust, you cannot use an account from your main forest to authenticate against the one-way trusted domain.
So your command should look like:
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Main.local; domain:second.local, second.local\me,myPassword" -url https://sites.contoso.com/
There is one more thing that may happen, and that is a lack of permission on registry keys. Fire up Process Monitor from Sysinternals (on all front ends) and filter by "Access Denied".
You might see access denied against
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
Add WSS_WPG with read permission to that key.

WSO IS How to add a group to members of a group by SCIM API

We are working with WSO2 IS 5.1 with LDAP (embedded, at this time) as the user store.
We would like to represent our organizational structure by group objects in LDAP (member attributes).
In the SCIM API I add a user to group members properly, but when I try to add a group object to the members of another group, IS interprets the group id as a user id and, of course, answers that there isn't any user with such an id.
How could I add a group to the members of another group by the SCIM API? Is it possible?
To create a group with users, you need to have that user already existing in the user store and provide its unique id. For example, to create a new group named 'engineer' with user 'adam' as a member, you can invoke the following request:
curl -v -k --user admin:admin --data '{"displayName": "engineer","members": [{"value":"6b14c23d-4811-4bbd-b653-04fcda2df266","display": "adam"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups

Create/Edit users with group or role in WSO2 IS

Are there any SCIM endpoints to add users with groups? I have already gone through the article, but I was not able to add a user with a group. I also need to edit that user and update the group. Are there any SCIM endpoints for these two tasks?
I tried the following cURL command:
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","password":"hasinitg","groups":[{"value":"a0612e1e-d8c7-47dd-b9ee-4218291945c8","display":"groupname"}]}' --header "Content-Type:application/json" https://example.com:9443/wso2/scim/Users
In the current implementation it is not supported to add a user to an existing group this way; this requirement is captured for the Identity Server road map.
Currently you can update the group with the newly added user, but the operation is a PUT operation. Therefore it will replace the existing group with the new data, so you need to provide all the users in each PUT request along with the new user.
A PATCH operation is suitable for your requirement, since there you don't need to send the entire user list in order to assign a single user to a group. PATCH will be supported in upcoming WSO2 IS releases very soon, so keep in touch.
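The PUT pitfall the answer describes, worked through. This is an added example, not code from this thread or from WSO2: the group document and user IDs are constructed in the shape WSO2 returns from GET /Groups/{id}. It builds the naive body (new member only, which silently empties the group), the full-replacement body that carries every current member, a pre-flight check that reports which members a PUT would drop, and, for comparison, the SCIM 2.0 PatchOp form (RFC 7644 section 3.5.2) that the /scim2 endpoint in later WSO2 IS releases accepts; the SCIM 1.1 /wso2/scim endpoint in the question predates that format, which is the gap the answer refers to.

```python
"""Adding a user to an existing WSO2 IS group over SCIM without losing members.

Added example for this thread, not WSO2 code. EXISTING_GROUP and NEW_USER are
constructed in the shape WSO2 returns; IDs are placeholders.
"""
import copy
from typing import Dict, List

# Constructed: what GET /Groups/{id} returns for the 'engineer' group today.
EXISTING_GROUP = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "d7f0e4e2-0000-4000-8000-000000000010",
    "displayName": "engineer",
    "members": [
        {"value": "6b14c23d-4811-4bbd-b653-04fcda2df266", "display": "adam"},
        {"value": "0a2c9e11-0000-4000-8000-000000000011", "display": "beth"},
    ],
}
NEW_USER = {"value": "a0612e1e-d8c7-47dd-b9ee-4218291945c8", "display": "hasinitg"}


def naive_put_body(display_name: str, new_member: Dict) -> Dict:
    """Only the new member is sent: a PUT with this body replaces the whole
    member list, so everyone already in the group is dropped."""
    return {"displayName": display_name, "members": [dict(new_member)]}


def put_body_with_member(existing: Dict, new_member: Dict) -> Dict:
    """Full-replacement PUT body: copy every current member, add the new one once.
    The server-assigned 'id' is not resent; it is addressed in the URL."""
    body = {k: copy.deepcopy(existing[k]) for k in ("schemas", "displayName") if k in existing}
    body["members"] = copy.deepcopy(existing.get("members", []))
    if not any(m["value"] == new_member["value"] for m in body["members"]):
        body["members"].append(dict(new_member))
    return body


def patch_add_member_body(new_member: Dict) -> Dict:
    """SCIM 2.0 PatchOp that adds one member; nothing else in the group is touched."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "add", "path": "members", "value": [dict(new_member)]}],
    }


def members_lost(server_copy: Dict, put_body: Dict) -> List[str]:
    """Pre-flight check before a PUT: member IDs the server has that the body omits."""
    kept = {m["value"] for m in put_body.get("members", [])}
    return [m["value"] for m in server_copy.get("members", []) if m["value"] not in kept]


if __name__ == "__main__":
    print("naive PUT drops:", members_lost(EXISTING_GROUP, naive_put_body("engineer", NEW_USER)))
    safe = put_body_with_member(EXISTING_GROUP, NEW_USER)
    print("merged PUT drops:", members_lost(EXISTING_GROUP, safe), "members:", len(safe["members"]))
    print("PATCH body:", patch_add_member_body(NEW_USER))
```

Run the GET, build the body with put_body_with_member, and refuse to send if members_lost is non-empty; a fetch-then-PUT still races with concurrent edits, which is the other reason the PATCH form is preferable once the server supports it.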