WSO2 IS Secondary userstore from ldap explorer - wso2-identity-server

I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores when I connect an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?

Please follow this documentation [1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes, you can add multiple user stores to Identity Server and let the applications from outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores

May I use some specific configuration to connect to the LDAP so I can see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory, your application could use the WSO2 IS API to access user information (with the realm prefix, so that the user identity is userstore_realm\username).
But as already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, secondary user store, ...), the user could be provisioned (imported) into the primary user store.
Though it is possible, I wouldn't recommend this approach as you will have duplicates out of control (e.g. when resetting the password).

Related

How to use WSO2 identity server without a tenant?

I just really want to understand the configuration of the identity server without a tenant and how it handles the users and their login. Please help.
Multi tenancy is introduced to logically separate data (which belong to different organizations), despite being stored with the same Identity Server and in the same database.
Say that you are handling Identities for a group of companies where the existence of Company A shouldn't be known to Company B. In this case you can consider A and B as two different tenants.
Regarding the users and login:
In WSO2 the default tenant is carbon.super and you can define your own tenants as well (i.e. abc.com, xyz.com). In the IS (Identity Server), we are storing users in the user stores (LDAP, AD, JDBC). There's a Primary user store (defined in the user-mgt.xml file) and you can define your own secondary user stores.
When you create a secondary user store (business_users) in tenant abc.com (in any tenant) and add user John there, that user John is only available within that tenant. Also, that secondary user store business_users is not visible from any other tenant beside the one in which it has been configured.
But this PRIMARY user store (the one that is defined in the user-mgt.xml file) is visible to all the tenants. But not all the users there are shared with all the tenants. This means that from the xyz.com tenant you can add user John to the PRIMARY user store. You can again add user John from tenant abc.com as well. These users will be treated as two different users throughout the server. One's existence is independent of, and unknown to, the other. The fully qualified user names of these users inside the WSO2 IS server would be John#xyz.com and John#abc.com.
Therefore, if you are performing a login to a service provider created in the xyz.com tenant, you can only log in with the users who are visible to (or defined within) that tenant itself.
P.S. You can define a shared Service Provider (SaaS app) if you want users from all the tenants to be able to login to your application.

Multi-tenant Centralized Authentication Server

I am trying to create a centralized authentication server for multiple Django apps (APIs). I've seen posts/recommendations but none fit exactly what I am looking for.
Overview:
Users can be associated to one or multiple projects
Users have same credentials to all projects they are associated to
Use JSON Web Tokens - use payload to add user data, sub-domain (project) to route to, role, etc
Sub-domain will not be used for login. All users will login to same site and will be routed to project they are associated to (or given list if there are multiple). SSO is optional.
Questions/uncertainties:
Q: Should the authentication tokens be created on the authentication server or on each project? i.e. each user having one auth token for all projects, or one auth token for each project?
Q: Roles will be stored in each app. I would like to send the roles along with the authentication token in the JWT. Should this data be redundantly stored on the authentication server? Another way would be for the authentication server to access the project databases. What is the best way to handle this? Users will have different roles for each project.
Q: The auth server will have basic user information (email/username, password, first/last name, etc). Since foreign keys can't be used between databases, I can use a user proxy based on usernames to create the user on each project. Do the app servers need to have access to which authentication tokens are valid?
Taking advantage of pre-existing software:
Another approach I had in mind was to use django-tenant-schemas which takes advantage of Postgres schemas where each one of my projects would be a schema (currently using MYSQL databases). Does it make sense to take advantage of this?
Can I take advantage of an IdP service to offload some of the authentication? Does this easily tie into the Django auth layer?
Your question seems to be multiple so I would split the answer too:
ABOUT THE USERS
Since your users are not part of your "multitenancy model" you have two options here:
Replicate your user data among the different tenant databases (via triggers and what not).
Write your own authentication middleware that verifies users in the right database (let's call it the root database from now on). You can use user ids from the root database and verify manually that they match, which is a bad idea.
That means your database schema will be something like this:
root database (all common data here)
project 1 database (with its own user data or referencing root)
project 2 database (with its own user data or referencing root)
Now for authentication tokens
You have the same options as above:
Keep them in the root database and write your own middleware.
Replicate them.
How to implement the whole thing
Since your use case is pretty particular, you may encounter some resistance from existing software. But creating your own multitenant solution is not that hard.
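An added example (not from this thread or any of its answers) of the "one token per project" option discussed above: the auth server mints an HS256 JWT whose aud claim names a single project and carries that project's role, and each project app verifies it with its own key in its middleware, so a token issued for project 1 is rejected by project 2. Assumptions: a constructed per-project secret table standing in for the root database, stdlib only, no PyJWT.

```python
from typing import Optional
import base64, hashlib, hmac, json

# Constructed per-project signing secrets; in the design above these would live
# in the root database and be handed to each project app out of band.
PROJECT_SECRETS = {"project1": b"constructed-secret-1", "project2": b"constructed-secret-2"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username: str, project: str, role: str, now: int, ttl: int = 900) -> str:
    """Auth server side: mint an HS256 JWT scoped to exactly one project via 'aud'.
    The role is looked up for that project at issue time, so it need not be replicated."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "auth-server", "sub": username, "aud": project,
               "role": role, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(PROJECT_SECRETS[project], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_project: str, now: int) -> Optional[dict]:
    """Project side (middleware): returns the claims, or None to reject.
    Checks structure, pinned alg, HMAC with this project's key, audience and expiry,
    without ever calling back to the auth server."""
    key = PROJECT_SECRETS.get(expected_project)
    if key is None:
        return None
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if payload.get("aud") != expected_project:  # minted for another project
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload
```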

WSO2IS multiple users store

Is it possible to set a Service Provider to use a specific user store?
Ex.: I have a secondary user store, foo.com, that uses JDBC, and another secondary user store, foo.net, that uses LDAP.
I have two service providers; I want the first SP, called mobile, to use the foo.com user store only to authenticate via OAuth2, and the other SP, foo.net, to use the foo.net user store.
Is that possible?
Thank you.
This is really what I want to know. Multi-tenancy is a solution: make these two service providers belong to different tenants. Then the service providers can use different user stores.
However, I think there should be other solutions.
For authentication functionality you don't have to bind a Service Provider to a specific user store. In the mobile application scenario it will recursively go through all user stores and the user will be authenticated against the foo.com user store. In order to provide a comprehensive answer, can you please provide the protocols you are using in both service providers, e.g. OAuth and SAML in the first SP and SAML and SCIM in the second SP.

Importing users into a WSO2 IS User Database

We would like to move the users from one identity system to WSO2 IS. Both user stores reside on a SQL DB. We would use SELECT INTO (INSERT INTO SELECT) at the database level to move the users from the old identity store to WSO2 IS. Will this cause any issues with the data integrity? Or should we just use the WSO2 IS APIs instead?
You have your users in a separate user DB (say the foo user store) and you need to move all users into the WSO2IS user store schema? It mostly depends on how the user's password has been stored in the foo user store.
If the password is stored as plain text (or encrypted such that it can be decrypted), you can use the WSO2IS APIs to add users, which is mostly the best option. You can write some tool to read from the foo DB and call the API of WSO2IS. The User Mgt API can be used for it. More details from here
If the password is stored as a hash, then we cannot use the APIs and we need to use some database level migration. You can move the username and the user's password into the UM_USER table and the user's attributes into the UM_ATTRIBUTE tables.
But please note, if your foo DB has used some different password hashing scheme which is not supported by WSO2IS, the above migration also would not succeed out of the box. By default WSO2IS supports only the SHA-1 and SHA-2 hashing methods. If it is not one of those, you may need to do some customization.
However, why are you trying to migrate it to the WSO2IS schema? Can't you write a custom user store manager implementation for your foo DB and connect WSO2IS to your existing user store? I guess it is more convenient than migrating.

Use WSO2 Identity Server as an aggregate for one or more LDAP servers

Can you use WSO2 Identity Server as an LDAP aggregate (also known as an LDAP proxy)?
For example, I have 2 Active Directory servers and I want to search for a user who could be on either server. Usually I would need to execute separate LDAP searches on each Active Directory.
To save us executing a search on each AD, could we configure IS to use both ADs as external LDAP user stores? Then if we did an LDAP search against IS it would search both ADs and return the results from both servers.
Due to the first answer, I need to add that I can connect the Active Directory servers as user stores. But what I can't get working is using an LDAP search against IS to find a user in these user stores. I get back a list of LDAP objects but none of the users are listed.
David/
You can configure multiple user stores with WSO2 IS:
https://docs.wso2.com/display/IS500/Working+with+User+Stores
https://docs.wso2.com/display/IS450/Configuring+Secondary+User+Stores
Hope this helps.