I have WSO2 API Manager federated setup with Azure AD. I can use the implicit and code grant type to generate the access tokens.
Now I want to use the WSO2 API Manager scope functionality to limit access to certain API resources. I have created the role in API Manager and added the scope in the API Publisher for the API resource. But when I generate the access token using the scope value, it doesn't return the token with the correct scope. But if I assign a local user to that role and generate the access token, it works fine.
I wonder if WSO2 API Manager supports scope management for federated users.
Any help would be appreciated.
By default, roles are checked against the user store managers; therefore, if federated users cannot be found in a local user store manager, it is difficult to assign roles to them.
You have several options:
1. If you are using SAML, you can specify -DcheckRolesFromSamlAssertion=true (it was quite tricky to find this one).
2. Create a secondary local (e.g. JDBC) user store and set up outbound provisioning for federated users. This way all federated users and their roles will be mirrored in a local user store, and their roles will be findable by the scope provider.
I have read about AWS Cognito and I understand that User Pools is an identity provider that is used to authenticate users to your mobile app or website and to manage users. Then there are Identity Pools that are used to authorize users to give them access to your AWS resources such as IAM, S3, etc.
So my question is: Are identity pools used for the app management like by devs, dev-ops or anyone who needs to manage/update the apps? Is that the work of identity pools?
Identity pools are not (necessarily) used for app management. I can tell you about how my team used them at my last job. (There are probably other use cases, but I suspect ours was a fairly common one.)
We were building an app where users needed to upload and download files that we would store in S3. For various reasons, we wanted the client to interact directly with S3 for file transfer (as opposed to pushing files through an API layer that we would have to maintain). Identity Pools were made for exactly this sort of scenario. Basically they allow a client to exchange an identity token for a set of temporary IAM credentials (access_key_id + secret_access_key + session_token). The temporary IAM credentials are what the client needs to interact with an AWS SDK or create a signed HTTP request for one of AWS's native services.
The identity token that gets exchanged for credentials could be provided by Cognito User Pools, but it could also come from a different identity provider. We used Auth0 as an identity provider, for example. But we still wanted our client to interact directly with S3 and for that we needed Cognito Identity Pools.
One really cool feature of Identity Pools that we took advantage of was what Cognito calls Principal Tag Mapping, which is the ability to map claims (attributes) in the Auth0-provided identity token to session tags, which are kind of like environment variables that are attached to the temporary credentials' session. You can then write IAM policies that incorporate session tags to do attribute-based access control. We wrote S3 bucket policies that provided fine-grained access control where each user was only allowed to read and write to a prefix that contained their own user id.
I have to say that the distinction between User Pools and Identity Pools in Cognito confuses everyone and AWS's documentation isn't always as helpful as it could be on this point.
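The per-user prefix isolation described in the answer above, as an added example that is not part of the answer or of AWS's own material. It assumes (none of this is on the original page) that the Identity Pool's authenticated role maps the identity token's "sub" claim to a session tag named user_id via Principal Tag Mapping, that the bucket is called example-uploads, and that both policies below are attached to that role; the evaluator is a deliberately simplified model of IAM policy evaluation (explicit deny wins, then allow, default deny; only the StringLike condition operator), written here to show why the policy isolates each user's prefix, and is not AWS's engine.

```python
"""Added example: session-tag based ABAC for Cognito Identity Pool sessions (simplified model)."""
import re
from fnmatch import fnmatchcase

# Trust policy of the identity pool's authenticated role. sts:TagSession must be
# allowed alongside AssumeRoleWithWebIdentity or the principal tags are not attached.
# <IDENTITY_POOL_ID> is a placeholder, not a value from the page.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "<IDENTITY_POOL_ID>"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}

# Permission policy on the same role. ${aws:PrincipalTag/user_id} is expanded per
# session, so a caller can only ever match resource ARNs under their own id.
ROLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOwnPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-uploads",
            "Condition": {"StringLike": {"s3:prefix": "${aws:PrincipalTag/user_id}/*"}},
        },
        {
            "Sid": "ReadWriteOwnPrefix",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-uploads/${aws:PrincipalTag/user_id}/*",
        },
    ],
}

_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def expand_tags(value, tags):
    """Substitute ${aws:PrincipalTag/name}. Returns None if a referenced tag is absent:
    a statement with an unresolved variable never matches, so a session that arrives
    without the tag (e.g. a broken claim mapping) gets nothing rather than everything."""
    missing = False

    def repl(m):
        nonlocal missing
        tag = tags.get(m.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    expanded = _TAG_VAR.sub(repl, value)
    return None if missing else expanded


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches_any(value, patterns, tags):
    # IAM-style wildcard match ('*' also spans '/') after variable expansion.
    for pattern in _as_list(patterns):
        expanded = expand_tags(pattern, tags)
        if expanded is not None and fnmatchcase(value, expanded):
            return True
    return False


def _condition_holds(condition, tags, context):
    for operator, pairs in condition.items():
        if operator != "StringLike":  # the only operator this model needs
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None or not _matches_any(actual, patterns, tags):
                return False
    return True


def is_allowed(policy, tags, action, resource, context=None):
    """Simplified IAM decision for one request made with the given session tags."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt["Action"], tags):
            continue
        if not _matches_any(resource, stmt["Resource"], tags):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], tags, context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    alice = {"user_id": "alice"}
    own, other = "arn:aws:s3:::example-uploads/alice/a.pdf", "arn:aws:s3:::example-uploads/bob/b.pdf"
    print("alice -> own object:  ", is_allowed(ROLE_PERMISSION_POLICY, alice, "s3:GetObject", own))
    print("alice -> bob's object:", is_allowed(ROLE_PERMISSION_POLICY, alice, "s3:GetObject", other))
    print("no tag -> own object: ", is_allowed(ROLE_PERMISSION_POLICY, {}, "s3:GetObject", own))
```

The point the model makes explicit is the failure mode worth checking in a real deployment: if the claim-to-tag mapping is missing or misnamed, the variable never resolves and the session gets no access at all, which is the safe direction; the thing to test against the real account is that a session tagged with one id cannot list or read another id's prefix.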
I have a use case where I have 2 apps:
React SPA frontend, running on web.myportal.example
Node Express backend, exposing a REST api on api.myportal.example
Both apps are deployed into GCP Compute Engine and are accessible from the Internet. I was able to configure IAP to prevent unauthorized access. I can specify a list of email accounts that are allowed to use the UI and API.
What I need is authorization capability from GCP IAP. Does it have one?
Simple example: some of the API endpoints should only be accessible to folks with a specific group/role membership. How can I extract that from IAP? The only thing IAP leaves me is a GCP_IAAP_AUTH_TOKEN cookie, which I can't even use due to its definition.
You may try to put an LB in front of each service (one for the API, another for the app) and configure IAP to use them and grant access accordingly.
When an application or resource is protected by IAP, it can only be accessed through the proxy by members, also known as users, who have the correct Identity and Access Management (IAM) role. When you grant a user access to an application or resource by IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks.
But it's not possible to configure IAP to grant different access levels to API methods based on who logged in. It doesn't look like it allows such fine-grained authorisation management; you either get access or you don't.
After authentication, IAP applies the relevant IAM policy to check if the user is authorized to access the requested resource. If the user has the IAP-secured Web App User role on the Cloud Console project where the resource exists, they're authorized to access the application.
I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using it with Microsoft Exchange hosted email.
If your existing identity provider supports SAML 2.0 federation, you can set it up to log in to the AWS Management Console.
For more details, refer to Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Otherwise, you can implement a custom federation broker that returns a URL to the user after they authenticate with their corporate credentials.
For more details, refer to Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
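The URL-building part of the custom federation broker that the answer above points to, as an added example; it is not code from the answer, from Amazon's federation proxy sample, or from the AWS documentation, although it follows the three steps that documentation describes (assume a role, exchange the temporary credentials for a sign-in token at the federation endpoint, build the console login URL). It assumes the broker has already authenticated the user against the corporate directory and holds the ARN of an IAM role (<BROKER_ROLE_ARN>, a placeholder) carrying the read-only permissions the question wants new users to start with; the issuer URL and credential values are constructed.

```python
"""Added example: custom federation broker URL construction for the AWS Management Console."""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def getsignintoken_url(access_key_id, secret_access_key, session_token, session_duration=None):
    """Step 2: the request that exchanges temporary STS credentials for a sign-in token."""
    session = {"sessionId": access_key_id, "sessionKey": secret_access_key, "sessionToken": session_token}
    params = {"Action": "getSigninToken", "Session": json.dumps(session)}
    if session_duration is not None:  # honoured for AssumeRole credentials only, 900..43200 seconds
        params["SessionDuration"] = str(int(session_duration))
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def console_login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """Step 3: the one-time URL the broker redirects the user's browser to."""
    params = {"Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def parse_federation_url(url):
    """Inverse of the two builders (for logging and tests); decodes Session back into a dict."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "Session" in params:
        params["Session"] = json.loads(params["Session"])
    return params.get("Action"), params


def broker_login_url(role_arn, user_name, issuer, destination="https://console.aws.amazon.com/"):
    """Steps 1 to 3 end to end. Needs network access and the broker's own AWS credentials."""
    import boto3  # imported lazily so the URL builders above remain usable offline

    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn,              # e.g. <BROKER_ROLE_ARN>, a role granting only read access
        RoleSessionName=user_name,     # recorded in CloudTrail, so pass the corporate identity
        DurationSeconds=3600,
    )["Credentials"]
    token_request = getsignintoken_url(creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    with urllib.request.urlopen(token_request) as resp:
        signin_token = json.load(resp)["SigninToken"]
    return console_login_url(signin_token, issuer, destination)


if __name__ == "__main__":
    # Offline demonstration with constructed credential values (not real keys).
    url = getsignintoken_url("ASIAEXAMPLE", "secretEXAMPLE", "tokenEXAMPLE", 3600)
    print(url)
    print(parse_federation_url(url))
```

Two operational points follow from the shape of these URLs: the getSigninToken request carries the temporary secret key and session token as a query string, so it must go over TLS from the broker (never from the browser), and the final login URL is single-use and short-lived, which is what makes handing it to the user acceptable.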
We are trying to add a structure for SSO using WSO2. In WSO2 we need to create general roles and connect these roles with the service provider (please note the service provider doesn't have custom roles, so the connection will be at the service provider level with the WSO2 general roles). In WSO2 we found a way to map SP roles to WSO2 roles, but that doesn't help us. The structure is in the image below:
I believe you are saying that your SP application does not persist or maintain the roles; rather, you want the WSO2 server to do so.
And you want to control authorization based on the availability of these roles for a user.
In that case, the WSO2 server has no need to know about the permissions you've assigned to these roles. You just define all the roles you want in the WSO2 server. Then (given that you use OAuth), by using scopes (mapped against one or multiple roles) to define access levels, you can issue access tokens to the users with the relevant scopes (which define the access levels) after checking the roles assigned to them.
The resource server can then validate the scopes of the provided access token against the Identity Server and grant or deny access to the resource.
Cheers
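A model of the role-to-scope binding this answer describes, and of the symptom in the first thread on this page (a federated user who is not visible to a local user store holds no roles, so the restricted scope is dropped from the token). This is an added example, not code or configuration from WSO2 or from either thread; the binding table, users and scope names are constructed, and the rule it applies (a scope is issued only if the user holds at least one role bound to it, an unbound scope is issued to anyone, an unknown scope is dropped) is stated as the model's own rule rather than as WSO2's exact behaviour.

```python
"""Added example: role-bound scope issuance and the matching resource-server check (constructed model)."""

# Which roles entitle a user to each scope. Constructed for the illustration.
SCOPE_ROLE_BINDINGS = {
    "orders:read": {"Internal/customer", "Internal/ops"},
    "orders:write": {"Internal/ops"},
    "openid": set(),  # no binding: not restricted by role
}

# Users as the scope provider sees them. A federated user who was never mirrored
# into a local user store shows up with no roles at all (the first thread's case).
USERS = {
    "alice": {"Internal/customer"},
    "ops-bob": {"Internal/ops"},
    "federated-carol": set(),
}


def grant_scopes(requested, user_roles, bindings=SCOPE_ROLE_BINDINGS):
    """Return the subset of requested scopes the user is entitled to, in request order."""
    granted = []
    for scope in requested:
        required = bindings.get(scope)
        if required is None:
            continue  # unknown scope: dropped, never issued
        if not required or required & user_roles:
            granted.append(scope)
    return granted


def issue_token(user, requested):
    """Model of the token endpoint: the token carries the filtered scopes, not the requested ones."""
    return {"sub": user, "scope": " ".join(grant_scopes(requested, USERS[user]))}


def check_access(token, needed_scope):
    """Resource-server side: allow only if the token carries the scope this endpoint needs.

    Returns (allowed, www_authenticate). The header follows RFC 6750 so a client can
    tell which scope was missing instead of getting an unexplained 403."""
    if needed_scope in token["scope"].split():
        return True, None
    return False, 'Bearer error="insufficient_scope", scope="%s"' % needed_scope


if __name__ == "__main__":
    for user in USERS:
        tok = issue_token(user, ["openid", "orders:read", "orders:write"])
        print(user, "->", repr(tok["scope"]), check_access(tok, "orders:write"))
```

Reading the output for federated-carol is the quickest way to see why the first thread's token "works for a local user but not a federated one": the scope filter never sees the federated roles, so it is the role lookup that has to be fixed (SAML assertion roles or provisioning into a local store), not the scope definition.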
Is it possible to turn off authentication so that users don't need to provide a username/password when retrieving XML schemas using the schema URL of WSO2 GREG? Configuring the role "everyone" to be able to list schemas doesn't help.
I want to do this until I have configured LDAP integration. Right now I have to create a temporary user which I distribute.
You can use the "wso2.anonymous.role" role. Add that role to the schema resource in the resource browser.
"The "wso2.anonymous.role" is a special role that represents a user that has not logged into the WSO2 Governance Registry Management Console. Granting "Read" access to resources for this role would mean that you do not require authentication to access resources using the respective Permalinks. The "everyone" role is a special role that represents a user that has logged into the WSO2 Governance Registry Management Console."
Refer http://docs.wso2.org/wiki/display/Governance460/Managing+Role+Permissions