Using groups or roles in WSO2 IS AWS SAML - amazon-web-services

Does anybody know how I can use WSO2 IS roles or AD groups (through WSO2 IS) to map AWS ARNs?
https://medium.com/#gayanmadusanka_80721/login-to-aws-console-from-wso2-identity-server-cb05d4d12ff5
I would like to use Active Directory groups or WSO2 IS roles instead of mapping claims individually on each user.

Related

Unable to get roles under a secondary user store via the WSO2 IS SCIM 2.0 API

I have a secondary user store (JDBC) created in WSO2 IS 5.11.0.
Two roles are added under the user store.
I am using the below SCIM 2.0 API to get the roles:
https://{IS_IP}:{PORT}/t/carbon.super/scim2/Roles, but only the roles created under the primary user store are listed in the response.
Under the claims list -> http://wso2.org/claims -> Role -> Mapped attributes, I have added the secondary user store to the list. Still not getting the response.
Is there any other configuration to be done to get it via the SCIM API?
Since WSO2 IS 5.11.0, groups and roles are considered separately. Refer to [1].
The https://{IS_HOST}:{PORT}/scim2/Groups endpoint lists the user store groups (from both primary and secondary user stores).
The https://{IS_HOST}:{PORT}/scim2/Roles endpoint lists the roles (roles are basically Internal and Application roles; you won't see any prefix for Internal roles in the list).
In your case, since you have added a user store group, it needs to be managed via https://{IS_HOST}:{PORT}/scim2/Groups.

How to map a SAML Attribute from your IdP to an AWS Elastic Search Role?

The recently added SAML support for AWS Elastic Search solution:
https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-elasticsearch-service-adds-native-saml-authentication-kibana/
lists in its documentation that backend roles are supported:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
In Okta, for example, you might have a user, jdoe, who belongs to the group admins. If you add jdoe to the SAML master username field, only that user receives full permissions. If you add admins to the SAML master backend role field, any user who belongs to the admins group receives full permissions.
If you want to use backend roles (recommended), specify an attribute from the assertion in the Role key field, such as role or group. This is another situation in which tools like SAML-tracer can help.
But some users have problems finalizing the configuration once they are done with the AWS Console.
The answer lies beyond the AWS Console and must be completed within the Elastic Search cluster with the Master User that you created either within the cluster as an Internal User, via an IAM role or by using the Master User field in the SAML configuration section of the Modify Authentication Wizard in the AWS console for Elastic Search.
You must:
Create a Backend role that matches your SAML attribute value
Create a Mapping between the new backend role and an actual Elastic Search Role
After you're done configuring your IdP by creating a custom attribute/claim like roles or groups, and after you've configured the SAML authentication integration in the Elasticsearch cluster:
1. Log into Kibana using your master user.
2. Go to OpenDistro -> Security -> Roles -> the role you want to grant access to, e.g. readall.
3. Go to the Mapped Users tab under the role screen.
4. In the Backend Roles field, type the VALUE of the Azure claim you created by following these steps: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management
For reference, the claim value is: user.assignedroles.
The claim key is whatever you configure in your Azure Enterprise application.
You'll have a key/value pair of "Your chosen Claim Name": user.assignedroles
5. Save the mapping in Kibana.
Using the Azure IdP, log into Kibana with users that have different Azure claims assigned to them. The Open Distro Security plugin will parse the SAML token attribute, find the field for user.assignedroles and map that as a Kibana backend role to the actual Elasticsearch roles.
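As an added illustration of the last step (example code, not part of the original answer or of the Open Distro plugin): the assertion below is constructed, the attribute name "roles" stands in for "Your chosen Claim Name", and the backend-role values and mapping table are assumed. It shows how the role-key attribute is pulled out of the assertion and resolved against the saved mappings, including the case where the configured role key does not match the attribute the IdP actually sends (no roles are granted).

```python
# Added example: resolve backend roles from a SAML assertion to Elasticsearch roles.
# All data here is constructed; the attribute name and mapping table are assumptions.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: the IdP emits one attribute named "roles" that
# carries the app-role values assigned to the user (the Azure user.assignedroles claim).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>es-readall</saml:AttributeValue>
      <saml:AttributeValue>es-kibana</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed equivalent of the "Mapped users -> Backend roles" entries saved in Kibana:
# Elasticsearch role -> backend-role values that grant it.
ROLE_MAPPINGS = {
    "readall": {"backend_roles": ["es-readall"]},
    "kibana_user": {"backend_roles": ["es-kibana"]},
    "all_access": {"backend_roles": ["es-admin"]},
}


def backend_roles_from_assertion(assertion_xml, role_key):
    """Return the values of the attribute whose Name equals role_key (the 'Role key' setting)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == role_key:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return values


def resolve_es_roles(backend_roles, mappings):
    """Grant every Elasticsearch role whose mapping lists at least one of the user's backend roles."""
    wanted = set(backend_roles)
    return sorted(role for role, m in mappings.items() if wanted & set(m["backend_roles"]))


if __name__ == "__main__":
    roles = backend_roles_from_assertion(SAMPLE_ASSERTION, "roles")
    print("backend roles:", roles)                          # ['es-readall', 'es-kibana']
    print("ES roles:", resolve_es_roles(roles, ROLE_MAPPINGS))  # ['kibana_user', 'readall']
    print("wrong role key:", backend_roles_from_assertion(SAMPLE_ASSERTION, "groups"))  # []
```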

How to manage users roles in WSO2 MI (EI-7)?

In former versions of WSO2 Enterprise Integrator we could manage the lists of roles per user via the management web console.
With WSO2 EI-7 Micro Integrator and wso2mi-dashboard I find no means to manage any roles. All we can do is manage users; not a word about roles. So what?
Thanks,
Bernard

WSO2 IS SSO structure

We are trying to add a structure for SSO using WSO2. In WSO2 we need to create general roles and connect these roles with the service provider (please note the service provider doesn't have custom roles, so the connection will be at the service provider level with the WSO2 general roles). In WSO2 we found a way to map SP roles to WSO2 roles, but that does not help us. The structure is in the image below:
I believe you are saying that your SP application does not persist or maintain the roles; rather you want the WSO2 server to do so.
And you want to control authorization based on the availability of these roles for a user.
In that case, the WSO2 server has no value in, nor need to know of, the permissions you've assigned to these roles. You just define all the roles you want in the WSO2 server. Then (given that you use OAuth), by using scopes (mapped against one or multiple roles) to define access levels, you can issue access tokens to the users with the relevant scopes (which define access levels) after checking the roles assigned to them.
On the resource server, it can validate the scopes of the provided access token against the Identity Server and grant or deny resource availability.
Cheers
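The role -> scope -> token flow the answer above sketches, as an added offline model (example code, not part of the answer and not WSO2 Identity Server's own scope validator). The role names, the scope-to-role bindings and the resource server's required scopes are all constructed; the point it shows is that roles only gate which scopes get into the token, and the resource server decides purely on scopes without ever seeing roles.

```python
# Added example: roles bound to scopes on the authorization server, scope checks on the
# resource server. Roles, scopes and bindings below are constructed assumptions.
from dataclasses import dataclass, field

# Scopes defined on the authorization server, each bound to the roles allowed to obtain it.
SCOPE_BINDINGS = {
    "orders:read": {"Internal/sales", "Internal/finance"},
    "orders:write": {"Internal/sales"},
    "reports:read": {"Internal/finance"},
}


@dataclass(frozen=True)
class AccessToken:
    subject: str
    scopes: frozenset = field(default_factory=frozenset)


def issue_token(subject, user_roles, requested_scopes, bindings=SCOPE_BINDINGS):
    """Grant a requested scope only if the user holds one of the roles bound to it.
    Scopes that are not defined on the server are dropped, never granted."""
    roles = set(user_roles)
    granted = {s for s in requested_scopes if s in bindings and roles & bindings[s]}
    return AccessToken(subject, frozenset(granted))


def authorize(token, required_scopes):
    """Resource server check: every scope the endpoint requires must be present in the token.
    No role information is consulted here; the token's scopes are the whole access level."""
    return set(required_scopes) <= token.scopes


if __name__ == "__main__":
    tok = issue_token("alice", ["Internal/sales"], ["orders:read", "orders:write", "reports:read"])
    print(sorted(tok.scopes))                 # ['orders:read', 'orders:write']
    print(authorize(tok, ["orders:write"]))   # True
    print(authorize(tok, ["reports:read"]))   # False
```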

How do I turn off authentication for retrieving XML schemas from the WSO2 GREG?

Is it possible to turn off authentication so that users don't need to provide a username/password when retrieving XML schemas using the schema URL of the WSO2 GREG? Configuring the role "everyone" to be able to list schemas doesn't help.
I want to do this until I have configured LDAP integration. Right now I have to create a temporary user which I distribute.
You can use "wso2.anonymous.role". Add that role to the schema resource in the resource browser.
"The "wso2.anonymous.role" is a special role that represents a user that has not logged into the WSO2 Governance Registry Management Console. Granting "Read" access to resources for this role would mean that you do not require authentication to access resources using the respective Permalinks. The "everyone" role is a special role that represents a user that has logged into the WSO2 Governance Registry Management Console."
Refer http://docs.wso2.org/wiki/display/Governance460/Managing+Role+Permissions