we are running WSO2 IS 5.3.0 with multiple tenants. The question is can we specify a different email smtp configuration per tenant such as the 'mail.smtp.from'?
It appears like there is only one file in the IS server for configuring email 'from' address in:
<IS_HOME>/repository/conf/output-event-adapters.xml
and the 'mail.smtp.from' from there gets applied to all outbound emails sent from IS, no ability to change this per tenant?
Yes, above requirement is not supported at the moment by WSO2 IS 5.3.0. Sender email configuration is common for all the emails. We don't have such a configuration to set sender email configuration for each tenant. We have to do some code level customization to achieve your requirement.
Related
We use GCP Identity Platform to manage multi-tenant authentication with email and password provider.
Google provides a way to configure email templates that are sent when user requests a password reset (in our case, this flow is triggered on the fronted by calling https://firebase.google.com/docs/reference/js/v8/firebase.auth.Auth#sendpasswordresetemail).
This will trigger a email send to the user for which identity this method was called.
This email, however, is problematic for us: it is sent from the *.firebaseapp.com domain (we want to use our own domain) and since it's been setup initially, it is now not possible to amend body of the email sent or change the "from" email used to send it.
This is how the configuration looks like in GCP console:
Identity console
Anyone experienced the same issues or know what is the proper procedure to update email templates?
Answering my own question.
After some research, I started to believe GCP Console doesn't offer a way to make email templates configured at parent/top level project and inherit these settings by tenant providers. It is possible, however, with direct API calls:
Using patch https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects.tenants/patch
one needs to update Tenant entity with Inheritance object (setting emailSendingConfig flag) :
{
"name": "projects/<project-id>/tenants/<tenant-id>",
"displayName": "<your tenant>",
"allowPasswordSignup": true,
"inheritance": {
"emailSendingConfig": true
}
}
In WSO2IS 5.7.0 I created a user with two profiles: Profile_A and Profile_B. Then I created two different Service Providers: App_A and App_B.
Now I would like that during the authentication phase the claims of the Profilo_A are sent to the App_A and the claims of the profilo B are sent to the App_B.
Is it possible ? Which configuration should be applied?
Thanks in advance.
Even though this feature is not directly supported in WSO2 Identity Server, you have couple of options to get this done.
[a] If your intention is to send different set of claims to based on service provider, you can configure them under service provider claim configuration.
[b] If you intention is to send completely different user profile to different service providers, you can create multiple users for multiple profiles and associate them together by using the feature associate local profiles [1].
[1] https://docs.wso2.com/display/IS570/Associating+User+Accounts
IMO option [a] is good.
We recently migrated (registry and user store) from WSO2 IS 5.0 to WSO2 IS 5.1 as per instructions at WSO2 migration guide. After migrating and successfully bringing up the WSO2 IS server, when we are trying to authenticate existing user with /oauth2/token endpoint the authentication is failing. We can see user along with user attributes in user store.
On WSO2 server we are seeing error -
{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : <username>#carbon.superScope : openid, Authentication State : false
This is migrated user so we can not change the user name. I tried googling to disable the multi tenancy with 5.1 as we do not use that feature, but no luck.
This is blocking us from moving to newer version of WSO2.
Has Any one fixed this?
Modified the SP to disable domain name as per instructions from Gusto2 -
enter image description here
But still same results.
on the duo identity provider configuration page, under federated authenticators, put "true" in the "disable tenant domain" box
This solution may help. You can go to your identity server and navigate to the service. Now click on edit button of your target service and go to Local & Outbound Authentication Configuration section and uncheck following options-
Use tenant domain in local subject identifier
Use user store domain in local subject identifier
I am showing in the image. Follow the red mark box -
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass valid access token to the OAuth2TokenValidationService I am able to fill in with data OAuth2TokenValidationResponseDTO object by using the Validate method of the OAuth2TokenValidationService. As result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to the getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior and is introduced because of the change in the API in IS 5.2.0? If so is there another way to be able to get the user profile using the "username"+"tenant-domain"(that is retrieved by the OAuth2TokenValidationService as authorized user when passing valid access token).
Is it possible that this is caused because of misconfiguration? If so which is the file that needs to updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by authenticated user and it should not pass with username.
username should be tenant free username.
So, you can remove carbon.super portion from the username and then it will work.
In tenant setup, you need to authenticate with a tenant user (Ex admin#admin.com#test.net) in order to access these API. So, like in the super tenant, you can use tenant free username and then it will work.
For example, if you want to get user profile of user : testuser#admin.com in tenant domain test.net, your request should be like bellow image.
Thanks
Isura.
I have a situation where I need to setup a standalone version of wso2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either
get a "Authorization Failure"
or cannot login.
First Question
1) I have the same user created in both Identity Server (that is not admin). Why would I get the "Authorization Failure" ?
Second Question
2) Why is it I can not even get to the "Authorization Failure" problem if I have a user created with username in format of user#domain.com ?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format of name#domain.com. But I am still unable to use that username to login, the error log says that the account has not been activated.
I also created two instances of wso2 identity server and configured them in such a way to test being able to use one to login to the other. I was able to do this by making sure that the same username and password was in both servers list of users. This way I do not get the "Authorization Failure"
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have format name#domain.com unless I have Multi-tenancy configured. Otherwise wso2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the wso2 stratos IS 1.5.2 package. I installed it. Configured with same configuration I was using before. Now I can login without problems across domains.