We have a multi-tenant application, and some tenants need data preprocessing to modify incoming data from third-party modules.
Therefore we use tenant-specific BPMs, like in the image below (image: tenant-specific BPMN).
There we need a callActivity to call an internal dataPreProcess which has no tenant defined.
The problem is, how can I set the tenant id to 'no tenant' so that the multi-tenant specific workflow is called?
Information:
We don't have a chance to deploy the internal data preprocess as a tenant-specific BPM, because the tenants are dynamic.
After I posted the question it was so easy....
In the Groovy script 'LF011', set a variable like
execution.setVariable('tenant', null)
So in the callActivity you can use '${tenant}' as the Tenant id, that's it....
In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke /scim2/Users service to create new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could be causing the custom attributes not to be updated via the scim2/Users endpoint.
1. Once you add a new local claim, if you want to access or modify its value using the SCIM endpoint, it should be mapped to the SCIM claim dialect. Follow the steps in the extending SCIM user claims doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
2. If the above step is correctly configured, check whether the attribute is correctly defined in the request payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
When you update the value by logging in to the management console and viewing the user profile there, the SCIM APIs are not involved. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
I have my web application. Now I want to integrate Salesforce into my web app so that I can push data from my app to any Salesforce org after the authentication (OAuth).
I found 2 ways:
1. Connected Apps
2. Via a generated WSDL file
I created a connected app from my developer account and I authenticated using the consumer key and consumer secret key (from my connected app) and the username and secret token of the user account.
I tried with another free trial account. It's validating and fetching the details, and posting data is also working.
My question is, must I deploy my connected app into AppExchange before I can use the REST APIs?
Is generating a WSDL and coding around it a better option than the above?
Is there an option where a one-time authentication is enough for any number of sessions when using the REST APIs?
Please suggest the best way to proceed.
You're mixing up a couple of independent issues here.
If you're going to authenticate via OAuth, you must have a Connected App.
A SOAP API login() call requires you to store a username and password, which is undesirable.
There is no way to "permanently" authenticate, i.e., to get a session id that never expires. Your app must always be ready to get a new access token via the OAuth refresh token it obtains and stores (via, for example, the Web Server OAuth flow), or to reauthenticate via JWT flow.
Connected Apps are global metadata in most cases. You don't need to deploy a Connected App into a target org in order to authenticate using its Client Id and Secret into that org. The only exception I'm aware of is if you want to use the JWT flow with a certificate and preauthorized Profiles and Permission Sets.
Based on what you've shared, I don't see any reason for the AppExchange to be involved.
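The renew-and-retry behaviour the answer above describes, as an added example that is not part of the original answer: a session wrapper that exchanges a stored refresh token for a new access token whenever the REST API answers 401. The class and function names, the one-call token lifetime of the fake org, and the sample credentials and instance URL are constructed for illustration; only the token endpoint and the `refresh_token` grant parameters are Salesforce's.

```python
import json
from urllib.parse import urlencode, parse_qs
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

class SalesforceSession:
    """Keeps a REST session usable by renewing the access token on demand."""
    def __init__(self, client_id, client_secret, refresh_token, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token   # long-lived: store encrypted, never log
        self.transport = transport           # callable(method, url, headers, body) -> (status, bytes)
        self.access_token = self.instance_url = None

    def refresh(self):
        form = urlencode({"grant_type": "refresh_token", "client_id": self.client_id,
                          "client_secret": self.client_secret,
                          "refresh_token": self.refresh_token}).encode()
        status, body = self.transport("POST", TOKEN_URL,
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:  # refresh token revoked or expired
            raise PermissionError("refresh rejected; the user must authorize again")
        data = json.loads(body)
        self.access_token, self.instance_url = data["access_token"], data["instance_url"]

    def request(self, method, path, body=b""):
        if self.access_token is None:
            self.refresh()
        for attempt in range(2):
            status, resp = self.transport(method, self.instance_url + path,
                                          {"Authorization": "Bearer " + self.access_token}, body)
            if status != 401 or attempt == 1:
                return status, resp
            self.refresh()   # 401 means the session expired: renew once, then retry

def make_fake_org():
    """Constructed stand-in for an org; every issued access token works for one call."""
    state = {"issued": 0, "valid": None}
    def transport(method, url, headers, body):
        if url == TOKEN_URL:
            if parse_qs(body.decode()).get("refresh_token") != ["constructed-refresh-token"]:
                return 400, b'{"error":"invalid_grant"}'
            state["issued"] += 1
            state["valid"] = "token-%d" % state["issued"]
            return 200, json.dumps({"access_token": state["valid"],
                                    "instance_url": "https://example.my.salesforce.com"}).encode()
        if state["valid"] is None or headers.get("Authorization") != "Bearer " + state["valid"]:
            return 401, b'[{"errorCode":"INVALID_SESSION_ID"}]'
        state["valid"] = None   # simulate session expiry after one use
        return 200, b'{"ok":true}'
    return transport, state
```

In production the `transport` argument would wrap an HTTPS client; the refresh token and client secret are the values to protect, since anyone holding them can mint access tokens until the refresh token is revoked.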
Using scope functionality in WSO2 API Manager, I am able to limit access to my back-end APIs like http://mydomain/context/students (GET - list of all students), http://mydomain/context/student/S101 (GET - details of student S101) or http://mydomain/context/student/create (POST) only to users who are assigned specific roles. That much fine-grained control, I am able to implement.
But I want to implement more detailed filtering: User U101 is allowed to view details of students S101 to S110 only. So http://mydomain/context/student/S111 should be blocked for him and http://mydomain/context/students should only return details of S101 to S110. Can I implement this filtering in WSO2 API manager?
(I have an RDBMS table (part of back-end, not in WSO2) with the mapping of users to the list of students, whose details the user is allowed to access.)
In API Manager, any modification to the response content is done via mediation scripts. In your scenario, the role - content mapping should be stored in API Manager in order to filter the content. For this you can use a class mediator to filter the response content.
In the mediator you have to get the role - content mapping. You can either define it in the class itself or retrieve it from your database.
Please follow documentation [1] and [2] for how to write a class mediator and how to use it.
[1] https://docs.wso2.com/display/EI600/Class+Mediator
[2] https://docs.wso2.com/display/AM210/Adding+Mediation+Extensions
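The filtering decision such a mediator has to make, as an added example that is not part of the original answer and is not WSO2 mediator code: it shows the per-user check for the two endpoints in the question, written in Python for brevity. The table name `user_student`, the record shape `{"id": ...}` and the function names are assumptions; the user id is assumed to come from the validated access token, never from a request parameter.

```python
import json
import re
import sqlite3

def open_mapping_db():
    """Constructed stand-in for the back-end user-to-student mapping table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_student (user_id TEXT, student_id TEXT)")
    db.executemany("INSERT INTO user_student VALUES (?, ?)",
                   [("U101", "S%d" % n) for n in range(101, 111)])
    return db

def allowed_students(db, user_id):
    """Student ids mapped to this user; parameterized to keep the id out of the SQL text."""
    rows = db.execute("SELECT student_id FROM user_student WHERE user_id = ?", (user_id,))
    return {row[0] for row in rows}

def mediate_response(db, user_id, path, backend_body):
    """Return (status, body) after applying the mapping; anything unmatched is denied."""
    allowed = allowed_students(db, user_id)
    single = re.fullmatch(r"/context/student/(S\d+)", path)
    if single:
        # Single record: pass it through only if the requested id is mapped to the caller.
        if single.group(1) in allowed:
            return 200, backend_body
        return 403, json.dumps({"error": "forbidden"})
    if path == "/context/students":
        # Collection: drop every record that is not mapped to the caller.
        visible = [s for s in json.loads(backend_body) if s.get("id") in allowed]
        return 200, json.dumps(visible)
    return 403, json.dumps({"error": "forbidden"})
```

A user with no rows in the mapping table gets an empty list from the collection endpoint and 403 from every single-record request, so a missing mapping fails closed.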
I would like to share a web service which is deployed in the super tenant with other tenants. As far as I know everyone can access the super admin services if they are using the http://localhost:8280/services/echo?wsdl URL. But I do not want just to access the super tenant application, I would also like to see the request count on the correct tenant. Do I have to deploy the same application to every tenant and call the service with the proper URL (http://localhost.com:8280/services/t/tenantname/echo?wsdl) to collect the request counts?
Is there any other way to do this? For example, maybe I could put a header variable in my request which shows which tenant is calling the application, etc., and with this kind of approach, I do not have to deploy my service to other tenants.
You can use code something like,
int tenantId = MultitenantUtils.getTenantId(this.getConfigContext());
to get the tenant ID of the current tenant and send it either in the message itself or in the header. Then you can record the tenants accessed in the server side, by counting the tenant IDs.
This will help you to get the tenant ID.
One possibility is to deploy the application at each tenant. Then you get a separate URL for each.
Or else you can make your service multi-tenant aware. For this you need to make the service secured. When logging into the service, we can determine the tenant using the user name. For example, the foo user should be a super tenant user while foo#bar.com should belong to the bar.com tenant. In this case the Carbon framework does this authentication and sets the tenant details in the Carbon context. You can access that at the service level, e.g. CarbonContext.getCurrentContext().getTenantID() or with the method Maninda has mentioned.
The org.wso2.carbon.tomcat.ext.internal.Utils class has a function named getTenantDomain.
I have changed this method to find the tenant domain from headers, so it is working like a charm :)
I think WSO2 also thinks to customize this method.
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs: since they do not have a related API key, everyone can access them.
For that reason I have tried to add an access token from the ESB, but that will not authenticate the API Manager's users (like Apisubscriber), only the users inside the ESB (even if I have configured an external JDBC db for both API Manager and ESB in user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or how do I control the access to the published WSDLs in the API Store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same MySQL db for the user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under a different "tenant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. Thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in the API Store. Currently there's no way of creating an API key for WSDLs as well from the API Manager. That control has to be done through your back-end service. However, when creating an API from WSO2 API Manager, giving the WSDL URL as an input is not a required field, but an optional field.
Apart from that I'm not clear about your following phrase: "For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB". Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji