WSO2 IS SSO structure - wso2

We are trying to add a structure for SSO using WSO2. In WSO2 we need to create general roles and connect these roles with a service provider (please note the service provider doesn't have custom roles, so the connection will be at the service provider level with the WSO2 general roles). In WSO2 we found a way to map SP roles to WSO2 roles, but that doesn't help us. The structure is in the image below:

I believe you are saying that your SP application does not persist or maintain the roles; rather, you want the WSO2 server to do so.
And you want to control authorization based on the availability of these roles for a user.
In that case, the WSO2 server has no value in, nor need to know of, the permissions you've assigned to these roles. You just define all the roles you want in the WSO2 server. Then (given that you use OAuth), by using scopes (mapped against each role or multiple roles) to define access levels, you can issue access tokens to the users with the relevant scopes (which define access levels) after checking the roles assigned to them.
On the resource server, it can validate the scopes of the provided access token against the Identity Server and grant or deny resource availability.
Cheers
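The role-to-scope design from the answer above, worked through as an added example (not code from the answer or from WSO2): the issuance side narrows the requested scopes to what the user's WSO2 roles permit, and the resource server decides from a token introspection response. The role names, scope names, resource table and the introspection response are all constructed assumptions; the response follows the RFC 7662 shape (`active`, `scope`, `exp`) rather than any field set the page specifies.

```python
import time

# Roles defined in the WSO2 server, mapped to the OAuth scopes they may obtain.
# Assumed names: the page defines no concrete role or scope names.
ROLE_SCOPES = {
    "billing_admin": {"invoices:read", "invoices:write"},
    "billing_viewer": {"invoices:read"},
    "support": {"tickets:read", "tickets:write"},
}

# Scopes each API resource on the resource server requires (assumed).
RESOURCE_SCOPES = {
    ("GET", "/invoices"): {"invoices:read"},
    ("POST", "/invoices"): {"invoices:write"},
    ("POST", "/tickets"): {"tickets:write"},
}


def grant_scopes(user_roles, requested_scopes):
    """Issuance side: keep only the requested scopes the user's roles permit."""
    permitted = set().union(*(ROLE_SCOPES.get(r, set()) for r in user_roles))
    return sorted(set(requested_scopes) & permitted)


def authorize(introspection, method, path, now=None):
    """Resource-server side: decide from an introspection response whether to serve."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive or revoked"
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return False, "unknown resource"  # default deny for unlisted resources
    token_scopes = set(introspection.get("scope", "").split())  # space-separated per RFC 7662
    missing = required - token_scopes
    if missing:
        return False, "missing scope(s): " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed sample introspection response for a user who only holds billing_viewer.
SAMPLE_INTROSPECTION = {
    "active": True,
    "scope": "invoices:read",
    "username": "alice",
    "exp": 2_000_000_000,
}
```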

Related

How to get user groups or roles from Identity Aware Proxy in a MERN stack app

I have a use case where I have 2 apps:
React SPA frontend, running on web.myportal.example
Node Express backend, exposing a REST API on api.myportal.example
Both apps are deployed into GCP Compute Engine and are accessible from the Internet. I was able to configure IAP to prevent unauthorized access. I can specify a list of email accounts that are allowed to use the UI and API.
What I need is authorization capability from GCP IAP. Does it have one?
Simple example: some of the API endpoints should only be accessible to folks with a specific group/role membership. How can I extract that from IAP? The only thing IAP leaves me is a GCP_IAAP_AUTH_TOKEN cookie, which I can't even use due to its definition.
You may try to put an LB in front of each service (one for the API, another for the app), configure IAP to use them, and grant access accordingly.
When an application or resource is protected by IAP, it can only be
accessed through the proxy by members, also known as users, who have
the correct Identity and Access Management (IAM) role. When you grant
a user access to an application or resource by IAP, they're subject to
the fine-grained access controls implemented by the product in use
without requiring a VPN. When a user tries to access an IAP-secured
resource, IAP performs authentication and authorization checks.
But it's not possible to configure IAP to grant a different access level to API methods based on who logged in. It doesn't look like it allows such fine-grained authorisation management; you either get access or not.
After authentication, IAP applies the relevant IAM policy to check if
the user is authorized to access the requested resource. If the user
has the IAP-secured Web App User role on the Cloud Console project
where the resource exists, they're authorized to access the
application.

WSO2 API Manager Scopes for Federated Users

I have WSO2 API Manager federated setup with Azure AD. I can use the implicit and code grant type to generate the access tokens.
Now I want to use the WSO2 API Manager scope functionality to limit the access on certain API resources. I have created the role in API manager and added the scope on API publisher for the API resource. But when I generate the access token using scope value, it doesn't return the token with correct scope. But if I assign the local user to that role and generate the access token it works fine.
I wonder if WSO2 API Manager supports scope management for federated users.
Any help would be appreciated.
By default, roles are checked against the user store managers; therefore, if federated users are not findable in a local user store manager, it is difficult to assign roles to them.
You have several options:
If you are using SAML, you can specify -DcheckRolesFromSamlAssertion=true (it was quite tricky to find this one).
Create a secondary local (e.g. JDBC) user store and set up outbound provisioning for federated users. This way all federated users and their roles will be mirrored in a local user store, and their roles will be findable by the scope provider.

Using groups or roles in WSO2 IS AWS SAML

Does anybody know how I can use WSO2 IS roles or AD groups (through WSO2 IS) to map AWS ARNs?
https://medium.com/#gayanmadusanka_80721/login-to-aws-console-from-wso2-identity-server-cb05d4d12ff5
I would like to use Active Directory groups or WSO2 IS roles instead of mapping claims individually on each user.

WSO2 IS 5.4: Add a custom ROLE to Service Provider level

WSO2 IS 5.4: In order to have a custom role at the service provider level, like ROLE_NAME=AUTH_VALUE and ROLE_VALUES=[SERVICE_1;SERVICE_2], I understand that the mechanism could be implemented using Configuring Roles and Permissions for a Service Provider (see here) via the Add Role Mapping button.
Could someone help/explain if that is right and, if yes, which values must be entered into the fields "Local Role" and "Service Provider Role"?
Any help/ideas are much appreciated, as I'm quite stumped with this.
The document that you have linked explains how you can map internal Identity Server roles (or roles that Identity Server can access through user stores) to a custom role that is on the service provider side. For example, let's say you have a role named "admin" on the Identity Server side, but when you send it to the service provider side, you want it to be "owner". So you can do the mapping in this section for "admin" -> "owner", and Identity Server will do the relevant conversion before the claims are sent to the service provider (depending on the protocol used to communicate with the service provider).
Local role means the role that is on the Identity Server side, according to the above example "admin". Service provider role is the role that will be used when communicating with the service provider, "owner" according to the above example.

How do I turn off authentication for retrieving XML schemas from the WSO2 GREG?

Is it possible to turn off authentication so that users don't need to provide a username/password when retrieving XML schemas using the schema URL of the WSO2 GREG? It doesn't help to configure the role "everyone" to be able to list schemas.
I want to do this until I have configured LDAP integration. Now I have to create a temporary user which I distribute.
You can use "wso2.anonymous.role". Add that role to the schema resource in the resource browser.
"The "wso2.anonymous.role" is a special role that represents a user that has not logged into the WSO2 Governance Registry Management Console. Granting "Read" access to resources for this role would mean that you do not require authentication to access resources using the respective Permalinks. The "everyone" role is a special role that represents a user that has logged into the WSO2 Governance Registry Management Console."
Refer http://docs.wso2.org/wiki/display/Governance460/Managing+Role+Permissions