Implementing GeoXACML using WSO2 Identity Server - wso2

I want to create a simple GeoXACML policy which would grant access to files only when the user is present inside a polygon (coordinates) using WSO2 Identity Server. But I cannot find the location-based access control option on the panel. How can I implement that?
Thanks in advance.

GeoXACML is an optional profile of the XACML standard. I'm not sure WSO2 implements it. Have a look at the GeoXACML Implementation website to figure out where you can get your hands on it.


Is XACML the unique alternative for access granularity

I currently use WSO2is 5.9, but I want to be more thorough, when creating rules of access to resources of my web application, limit the action to a certain button within my application for example.
I have read the documentation of WSO2is and other resources, everything guides me that I must use XACML to apply such restrictions within my application.
Is there another alternative to XACML? I see a very high complexity in using this proposal.
For now in OIDC claims I get the role, but I don't see how to limit functionality.
You can also use adaptive authentication scripts for having some access control at the service provider level instead of using XACML. Please refer to this documentation on Adaptive Authentication scripts: https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication/
For example, if you want to have some role-based access control, you can use the adaptive script by referring here: https://is.docs.wso2.com/en/5.9.0/learn/configuring-role-based-adaptive-authentication/.
There are some predefined scenarios, and you can refer to them as well: https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication-scenarios/
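To make the role-based option in this answer concrete, here is an added example (not code from the original post or from the WSO2 documentation) of an adaptive-authentication script that lets only users holding one of a set of application roles through, and denies everyone else at the service-provider level. The engine functions it calls (`executeStep`, `hasRole`, `fail`, `context.currentKnownSubject`) are the names used in the WSO2 IS 5.9 adaptive-authentication docs and are assumed here; the small harness under the script is a constructed stand-in for the engine so the decision logic can be exercised offline, and it models nothing of WSO2 beyond those four names. The role names are invented for the example.

```javascript
// Roles allowed to reach this service provider (constructed example values).
var ALLOWED_ROLES = ['portal-admin', 'portal-editor'];

// ---- Adaptive-authentication script as it would be pasted into the SP ----
// Written in ES5 style because the WSO2 script engine (Nashorn) expects it.
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.currentKnownSubject;   // subject of the step that just passed
            var permitted = false;
            for (var i = 0; i < ALLOWED_ROLES.length; i++) {
                if (hasRole(user, ALLOWED_ROLES[i])) {
                    permitted = true;
                    break;
                }
            }
            if (!permitted) {
                // The credentials were valid, but the user is not authorized for
                // this application: terminate the flow instead of issuing a token.
                fail({
                    errorCode: 'access_denied',
                    errorMessage: 'User does not hold a role permitted for this application'
                });
            }
        }
    });
};

// ---- Constructed harness standing in for the WSO2 engine (not WSO2 code) ----
var harnessRoles = [];     // roles of the simulated user for the current run
var harnessOutcome = null; // last decision recorded by executeStep/fail

// Step 1 is modelled as a basic-auth step that always succeeds, handing the
// script a subject whose roles are whatever the test configured.
function executeStep(stepId, options) {
    harnessOutcome = { status: 'SUCCESS', step: stepId };
    if (options && typeof options.onSuccess === 'function') {
        options.onSuccess({
            currentKnownSubject: { username: 'alice', roles: harnessRoles.slice() }
        });
    }
}

// The engine's hasRole consults the user store; the stand-in just checks the list.
function hasRole(user, role) {
    return user.roles.indexOf(role) !== -1;
}

// The engine's fail() aborts the flow and shows an error page; record it here.
function fail(details) {
    harnessOutcome = { status: 'FAIL', error: details || {} };
}

// Run the script for a user with the given roles and return 'SUCCESS' or 'FAIL'.
function decide(roles) {
    harnessRoles = roles;
    harnessOutcome = null;
    onLoginRequest({});
    return harnessOutcome.status;
}

// Stand-alone run: an editor is allowed, a plain guest is denied.
console.log('editor ->', decide(['portal-editor']));
console.log('guest  ->', decide(['guest']));
```

The script denies by default: anything not in `ALLOWED_ROLES` ends in `fail()`, so a user with no roles at all is also rejected, which is the behaviour you want from an SP-level gate that is meant to be a substitute for a XACML policy.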

WSO2 Identity server - multiple tenants on service provider side

The application I inherited uses WSO2 Identity Server, which I haven't used before. I might need to support multiple tenants in this application and I need to research whether WSO2 IS will support this. The documentation is not helping me, unfortunately. I want all tenants to have the same, shared roles. Adding a new tenant should mean adding its users and assigning them already existing roles.
So in my head the solution should be rather simple. Just add a new field to the user profile, tenantId, and then return it as a claim in the token. When I have it in the token, it's up to the code to use it. First of all, is this possible at all? If it is, is it a good idea?
There are two other possible solutions I was considering.
Service Provider has a SaaS checkbox, but I don't understand yet how it works.
You can add tenants to WSO2 IS itself. But to me it looks like it is multitenancy on WSO2 IS side (to share WSO2 IS) and it's not a feature to support multitenancy in my application. I was told that in this case each tenant would have to have roles defined again and that even those roles would have to be named differently.
WSO2 Identity Server does have IDP-level tenant separation, but it does not have an OOB SP-level tenant separation mechanism. However, your proposed solution can be done. It is a simple configuration to add an extra claim to the user [1] (assuming that the underlying user store supports it).
Answers to your other questions:
It is for IDP level tenant separation and if you need to share SP between those tenants, you can use this check box.
Correct.
This will do a clear separation in the IS side so data will be contained to each tenant. However, you can share user stores between each tenant.
[1] https://docs.wso2.com/display/IS580/Adding+Claim+Mapping

WSO2 EI (ESB) communicate with WSO2 IS

I am new to this software. From what I know, the WSO2 Enterprise Integrator comes with an Enterprise Service Bus inside it. But the Identity Server (IS) is not bundled with the EI.
For my current and new project, we are going to use both of them inside the architecture. Please see the diagram below for more information.
Part of my project architecture
Based on the diagram, when the user uses the portal to log in, the EI serves as the middleware between the portal and the IS to connect to the LDAP.
Looking at the documentation, there is a way to connect from the IS to the other product, but not vice versa.
My question right here is how to allow the ESB to communicate to the IS and return back the message/request to the Portal.
Thank you.
You did not describe your use case (what you want to achieve), so I will assume you want to authenticate the portal user or manage users.
WSO2 IS (and effectively any WSO2 product) exposes admin services; some are common, some are specific to the product. The services require basic authentication.
Please see https://medium.com/#maheeka/wso2-admin-services-c61b7d856272
Another service to authenticate a user is the token service with the password grant (that may be more appropriate to authenticate users and authorize requested scopes).
Just a note:
If you want to use the whole setup only to authenticate users, then IMHO you may rather use OAuth or SAML with the IS, not passing passwords through the ESB.

WSO2 SCIM Schema UI

So, reading up on the docs about the SCIM API, I see that it shows some UI that I can't seem to be able to access from anywhere.
How do I access this UI, or how do I enable it if I have to?
This is not something that resides in WSO2 IS. It's just some JSON editor demonstrating the SCIM user object representation.

wso2 identity server - Custom UserStoreManager calling a webservice

I am actually trying to develop a SAML SSO + WSO2 Identity Server authentication implementation. Everything was fine until I realized that there are only specific UserStoreManagers like LDAP/JDBC. I have a requirement to use an external web service as a user store and perform the authentication based on the web service.
I actually realized that I need to create a new UserStoreManager implementation. Can you please suggest any references you have?
Thanks,
Anil Talla
You can refer to the already implemented user store managers and write your own custom user store manager. Look at the AbstractUserStoreManager class, which is extended by both the JDBC and LDAP based user store managers. Extend this class and override the methods as needed.
The following blog might be of help to you [1].
Since you are trying to consume an external web service as a user store, it will be helpful to have a look at the remote user store manager as well, which is shipped with the product and shown in the user store management menu of the management console of IS.
[1] - http://pushpalankajaya.blogspot.com/2013/09/how-to-write-custom-user-store-manager.html