I am new to WSO2. I want to use wso2is to authentication using OIDC and SAML process. And how to access and display user-profile information in web page.
To try out OpenID connect you could follow the steps mentioned in [1] and to try out a sample you could refer[2]. To get user-profile information you should send a request to user info endpoint or else you could get the user-profile information using the id token. You could refer the doc [2] point 6 for more information.
To use SAML you could refer [3], to get user-profile information you need to enable "Enable Attribute Profile" in your service provider configuration. Please refer doc [3] point 9 " Click here for more information on each attribute" section.
[1] https://docs.wso2.com/display/IS570/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
[2] https://docs.wso2.com/display/IS570/Basic+Client+Profile+with+Playground
[3] https://docs.wso2.com/display/IS560/Configuring+Single+Sign-On
Related
I'm trying to customize the login pages for the dev portal and publisher and I'm referring to the below documentation.
https://apim.docs.wso2.com/en/latest/reference/customize-product/customizations/customizing-login-pages-for-dev-portal-and-publisher/
The 1st step tells to download the Identity Server and in the 2nd step, it says to start up the server using api-manager.sh which could be a mistake.
However, I have the following questions related to the scenario.
In order to customize the login pages in APIM, should I start up the IS as a key manager as well?
Can't we customize the login pages just by using the JSP files readily available in the authentication endpoint in APIM?
I guess the documentation should be updated. You can use the existing jsp files in the authentication endpoint if you use OAuth2/OpenID. If you are using SAML, then you have to use WSO2 IS as the IDP with WSO2 API Manager.
Some samples can be found in [1].
By default API Manager uses OAuth2/OpenID. You can do the service provider configurations in API Manager. OAuth2/OpenID and SAML use the jsp files used in the authentication endpoint.
[1] - https://github.com/wso2/samples-is/tree/master/re-branding-the-default-login-page
I need this feature in WSO2 Publisher or Devportal:
I have one api that need dynamic access token and Also I have another api with static Basic Authentication to provide that dynamic Access Token. Unfortunately I could not solve this with mediation. The policy is simple But I don't know whether WSO2 has this simple feature or not?
process: token api with basic Auth ==> provide dynamic access token ==> use access token in main api body and send.
Main API is our Endpoint in WSO2 API.
I could not solve this with Endpoint Security(Oauth2) and mediation(XML).
Version of WSO2-AM is 4.1.0 and this version is latest now.
Have you thought about using a vault, such as Hashicorp Vault, to fetch the the basic auth credentials.
From there use a custom sequence [2] that gets the token (step 1 in your diagram) and then get the token check results you need (step 2).
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/mi-setup/security/using-hashicorp-secrets/
[2] https://apim.docs.wso2.com/en/latest/reference/mediators/sequence-mediator/
I am fairly new to wso2is.
I added an SP with oauth/oidc and got the client credentials.
But when I call the token endpoint to generate an access token (client_credentials flow), I get a guid/reference token. How do I get a self-contained JWT?
Also, the discovery endpoint and introspection not available in 5.2.0?
TIA.
As of now there are is no out of the box solution to get self-contained JWT as an access token from WSO2 Identity Server. However, we have an extension point[1] to write one to suit your requirements.
If I give you the steps in short,
Write an accessToken issuer class implementing this interface. Instead of the GUID, you return the signed JWT.
Create jar and add it to IS_HOME/repository/components/dropins
Add the fully qualified classname to IS_HOME/repository/conf/identity/identity.xml by adding a <IdentityOAuthTokenGenerator> tag under <OAuth> section.
Check out the default accessTokenIssuer code to get an idea[2]. Discovery endpoint and Introspection endpoint have been added in IS 5.3.0. Try out the alpha version from [3]
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuer.java#L25-L25
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuerImpl.java
[3] https://github.com/wso2/product-is/releases/download/v5.3.0-alpha/wso2is-5.3.0-alpha.zip
Update
Follow this blog post https://medium.com/#hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6#.s0q3xt6od to get your use case done :)
How to integrate WSO2 am 1.10.0 with PingFederate SAML 2.0? Any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the mojority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even if I have logged into applications and subscriptions and can create applications from /store UI.
I can confirm that this can be done without adding a separate wso2 IS server into the picture. I fixed several issues (Cannot generate keys, cannot publish APIs, etc..) by: What I did to fix the issue was to 1) add admin user inside ApiKeyValidaor in api-manager.xml also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
Reason is my server certificate only recorded the domain name, not ip address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer [2] for configuring SAML SSO Federated authenticator in general
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO
Could you please explain why the WSO2 Travelocity test application requests a "Domain Name" input field in the sign-in screen, when the WSO2 is configured to use, beside basic auth, also a federated authentication mode (WS Release 5.1 - Advanced Configuration). What is the reason to request the domain name part, as for external authentication, for example by use of SAML protocol, I expect to see a redirect onto the external IdP login screen. Apparently the Login redirect is rejected due to this missing input field at the Domain Name. Is there a sample configuration and use case available for setup of outgoing IdP federation?
Further Details from Testings
I've updated the IdP configuration following the WSo2 setting which describes the federation effort with help of Shibboleth products (see below). After this change now I see a login screen from the external IdP ("zee") as well as an interchange of messages between the browser and the external IdP. I also see a SAML POST message in the SSO protocol tracer plugin of the Browser, displaying a long list of claim assertion data, which signals that Login was successfully processed, returning the profile data of my account.
At the Travelocity service provider (SP), now I see the following error message at the screen:
"The entity name must immediately follow the '&' in the entity reference."
I've validated the SAML feedback data and its XML format consistency using an online XML validator, which passed successfully for SAML response XSD format. Such type of XML parser errors are often caused by use of special characters, but its not the case at the current assertions and tests.
The issue happens inside the Travelocity which has difficulties to read the SAML assertion data.
Suggestions from the community how to parse the SAML feedback data using the Travelocity tool, are welcome.
Refer https://docs.wso2.com/display/IS510/Configuring+Single+Sign-On for configuring Basic scenario with travelocity app
To configure federated authenticators:
https://docs.wso2.com/display/IS510/Federated+Authentication
For Advanced Configuration with Multiple Authenticators
https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
Refer https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider as an example use case.
It seems that you have custom authentication since you have domain name filed at the login prompt.