I have 3 applications (Spring microservices) configured as service providers. I set up OAuth2 authentication and it works perfectly.
Now I want to have SSO between these 3 applications/service providers. How can I configure it? (I want to log in to one application/service provider and re-use the authentication with the other applications/service providers.)
Thanks!
There is nothing special you need to configure to have SSO between those 3 applications. As all 3 of them are registered as service providers in WSO2 Identity Server, they will automatically SSO between them whenever you use the same browser session. When a user logs in to one of these applications through Identity Server, a session is created for that user inside the Identity Server, and the same session is used whenever the same user (same browser session) tries to log in to any other registered application.
Related
SSO is established between WSO2 Identity Server and WSO2 API Manager. Added API_Publisher and API_Store as service providers in Identity Server.
Created 2 tenants in Identity Server, citizen.in and business.in, and created users under those tenants. When I try to log in to the API-M Publisher with API-URL/Publisher, the page redirects to Identity Server for authentication but the authentication fails:
"Login failed! Please recheck the username and password and try again."
Also checked that the users in the tenants are showing in OpenLDAP.
Looks like you have not enabled the SaaS Application option in the service providers you created.
Ref: https://docs.wso2.com/display/AM260/Configuring+Identity+Server+as+IDP+for+SSO
We are trying to use WSO2 IS 5.3 as IdP to perform SAML2 Web SSO for a multitenant SaaS app.
We'd like to host a single instance of the app, register the app as a service provider in WSO2 IS, create/manage tenants in WSO2 IS and configure different authentication means for each tenant.
In the POC we can successfully register our app as a SaaS service provider, and users from different tenants can log in to the app as soon as the users are listed in the tenant's primary or secondary user stores.
However, we cannot find info on how to configure ADFS-based authentication on a per-tenant basis (i.e. each tenant has its own IdP configured with an ADFS-based federated authenticator. When a user logs in to the app, WSO2 IS, based on the customer's domain name, would use the IdP from the corresponding tenant).
We followed this link and can set up ADFS-based authentication for the superuser tenant and it works fine (i.e. ADFS is configured as IdP for the superuser tenant and we use federated authentication in the service provider associated with our app).
The question is: how can we achieve the same but enable/configure ADFS-based authentication on a per-tenant basis?
Thank you in advance for comments/ideas!
Update:
We were able to configure ADFS on a per-customer basis (following the steps from the blog https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/ ) and used the tenantDomain parameter to differentiate between tenants during authentication.
In the final solution we made the web app available to different tenants under different URLs. The app, based on the URL used to access it, would reconstruct and include the tenantDomain parameter (as specified in the WSO2 IS documentation) in the SAML request, and that effectively instructs WSO2 IS to use the IdPs/authentication means configured for that specific tenant for authentication.
I am using WSO2 Identity Server (wso2is-5.3.0) as an IdP in order to authenticate my app (test app).
Now when we log in to our app, the login page on the Identity Server is shown to enter the credentials.
What we are looking for is whether there is any way to list all authenticated users in our test app and try to manage them.
You can leverage the analytics capabilities of the Identity Server to monitor sessions, set alerts, terminate sessions, etc. For more information, refer to the analytics documentation for IS 5.3.0.
I am new to WSO2 API Manager. I have installed it to proxy my REST endpoints and to do access management via OAuth2.
Great! I managed to get access to my backend REST implementation through the OAuth2 process of API Manager (via the API console). Now I want to set up the complete roundtrip starting from a user authentication process where the identity is verified with corresponding roles. So...
Next I want to create a single-page app and bring in an authentication step by either redirecting the user to a login page (authentication service) or letting the user interact with the single-page app directly and having the single-page app do the login to some authentication service.
Question:
Can I use the Key Manager component of the API Manager to handle user authentication (OAuth2-based) or do I need to install the WSO2 Identity Server to handle the authentication?
I see that WSO2 API Manager can host users and roles, a user store and an endpoint to handle (authz) token requests, but can it also handle a login (authentication) request from my single-page app?
You can use APIM with the OAuth2 Authorization Code grant type. See this sample in the Identity Server docs, but use the APIM endpoints below instead of the IS endpoints.
https://localhost:8243/authorize
https://localhost:8243/token
Environment:
WSO2 API-M + WSO2 Identity Server (Key Manager), sharing the same user store.
2 service providers (Publisher and Store) and 2 identity providers (Google and Facebook) in the carbon.super tenant.
APIM SSO service is enabled and issuer IDs follow the above.
OAuth2.0 users (Google and Facebook) are enabled to log in.
3 tenants (carbon.super, TA and TB) in the environment.
Publisher SP and Store SP are both in SaaS mode.
Question:
How can a user get his access token via the API with his account and password?
I tried to refer to the document: https://docs.wso2.com/display/AM1100/Token+API
but it seems to need a consumer key and secret. Is there another way to get a user access token without a consumer key pair?
Thanks
Tom
Yes, you need to have a consumer key/secret pair to get an access token. For user authentication you can use different grant flows (SAML2, Authorization Code, etc.), but to verify the client OAuth application you must pass the application details (because you can have multiple applications in the system and the OAuth server needs to know which application you are referring to).
Thanks
sanjeewa.
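The two answers above (the Authorization Code grant against the APIM `/authorize` and `/token` endpoints, and the point that every grant, including the password grant, must identify the OAuth application with its consumer key and secret) can be seen together in one added example. This is illustration code, not WSO2's or either poster's; the consumer key, secret and callback URL are constructed placeholders. It builds the authorize redirect with a per-login `state`, refuses a callback whose `state` does not match (the check that stops a code planted by a third party from being exchanged in the victim's session), and assembles the token request with HTTP Basic client authentication for both grant types, so the password grant visibly still carries the key/secret pair the second answer says is required.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# APIM endpoints named in the Authorization Code answer above.
AUTHORIZE_URL = "https://localhost:8243/authorize"
TOKEN_URL = "https://localhost:8243/token"

# Constructed placeholders for an OAuth application registered in the APIM Store.
CONSUMER_KEY = "CONSUMER_KEY_PLACEHOLDER"
CONSUMER_SECRET = "CONSUMER_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://spa.example/callback"  # assumed callback URL of the single-page app


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "openid") -> str:
    """Step 1 of the Authorization Code grant: where the browser is sent to log in."""
    return AUTHORIZE_URL + "?" + urlencode(
        {
            "response_type": "code",
            "client_id": CONSUMER_KEY,
            "redirect_uri": REDIRECT_URI,
            "scope": scope,
            "state": state,
        }
    )


def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back from APIM and return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def _client_auth_header() -> str:
    """HTTP Basic authentication with consumer key and secret; every grant type needs it."""
    raw = f"{CONSUMER_KEY}:{CONSUMER_SECRET}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(grant_type: str, **params: str) -> dict:
    """Step 3: the token call, for authorization_code or password grants.

    Returns method/url/headers/body so it can be inspected offline or handed to any HTTP client.
    """
    if grant_type == "authorization_code":
        required = {"code", "redirect_uri"}
    elif grant_type == "password":
        required = {"username", "password"}
    else:
        raise ValueError(f"unsupported grant type {grant_type!r}")
    missing = required - params.keys()
    if missing:
        raise ValueError(f"{grant_type} grant needs {sorted(missing)}")
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": _client_auth_header(),  # identifies the application, not the user
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": grant_type, **params}),
    }


def parse_token_response(text: str) -> dict:
    """Accept only a well-formed bearer token response."""
    tok = json.loads(text)
    if "access_token" not in tok or str(tok.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token response")
    return tok


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    code = extract_code(f"{REDIRECT_URI}?code=CODE_FROM_APIM&state={state}", state)
    print(build_token_request("authorization_code", code=code, redirect_uri=REDIRECT_URI))
    print(build_token_request("password", username="tom", password="secret")["body"])
```

The single-page app in the question should not hold the consumer secret itself; the token exchange belongs in a backend that keeps the secret server-side, which is also where the `state` value is stored and checked.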