We want to use WSO2 as IAM framwork for our Internal and external applications.
We have below 3 main requirements.
WSO2 should be able to Authenticate user using LDAP (Active
Directory for Internal Employees ) or other data source for external
users.
We want to configure API access level in WSO2 example : ROLE based Authorization (or Policy based ) where we can configure who can access which
web API with Http verb.
We should be able dynamically add/update/delete users , update Authorization policies/ roles through WSO2 API.
Please let me know if this is out of box supported in community edition or we have to buy any licenses for the same.
Note: I have installed the server and playing around as well.
Yes these requirements are possible with WSO2 IS (Product stack)
You can easily plug an existing LDAP user store to WSO2 IS. (https://docs.wso2.com/display/IS530/Configuring+a+Read-write+LDAP+User+Store)
I am not 100% clear about what you are asking here. But if you are talking about IS APIs (Which specified in point number 3) you can do them solely with IS by little customization or else you can use WSO2 ESB with entitlement mediator to add XACML policies.
There are SOAP admin services(Non standard but able to update authorization polices etc) and REST services. (Standard SCIM 2.0 for user operations)
https://docs.wso2.com/display/IS530/Calling+Admin+Services
https://docs.wso2.com/display/IS530/SCIM+1.1+APIs
Related
We have a requirement in one of our projects where our client wants 3 factor authentication for a web application.
We are already using WSO2 IS for user authentication and authorization.
We would like to know if WSO2 IS supports 3 factor authentication of web application users.
Following is the requirement of 3 factor authentication
Factor #1- Username and password
Factor #2 – Individual/Personal digital certificate
Factor #3 – Biometric of the user
Can WSO2 team let us know if this 3 factor authentication is possible using WSO2 IS so that we can approach them for more details.
It would be great if we get any reference link to some doc so that we can share it with our management for further decision.
WSO2 Identity Server supports multi-factor authentication with any number of steps. Refer this documentation for more information.
In your authentication flow, you need 3 specific authenticators. WSO2 Identity Server supports basic authentication. But other 2 authenticators are not supported out of the box. But you can download the relevant authenticators from the connector store and deploy.
For certificate based authentication, you can find the connector from here and documentation from here.
For bio-metric authentication we do have one connector. You can find the connector from here and documentation from here. If you need any other bio-metric authenticator, please refer this documentation to write your own authenticator.
I have a web app where front end layer has a angular based UI.It has both public pages and other private pages which are accessible to logged in users and it depends on roles of the logged in users as well
My server based application is a java based rest service api .
How can i use wso2 for handle user authenticaiton and role based authorsation.i would like to have an additional layer of api security depending on the role of the user as well.
can someone explain the best architecture for this in wso2?
if i use wso2 api manager , how can i handle login's of the user and how to relate api access with role of the logged in user?
thanks in advance
you can use wso2 appmanager to control the access of any web apps[1]. App manager supports role based access control as well as xacml policy based access control . In order to provide api level role based security you can use scopes[2] in wso2 api manager
[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.
Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only endpoint URLs are different in APIM like this.
Token: https://localhost:8243/token
Revoke: https://localhost:8243/revoke
Authorize: https://localhost:8243/authorize
There, when a user login, you get an ID_token which contains user claims. You can allow/deny page views depending on those data.
In above step, you create an SP and generate a client key-secret pair. You can set the same keys in APIM's application. Read this.
Then, as I mentioned here, you can use scopes to secure your APIs by roles.
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji
I am going to have a web portal from which I will be calling services with "UsernameToken" security.
For authentication purposes I would like to create a system user in the wso2 Identity Server, so that I can use it to call the services from the ESB. So basically, I want to request a token for the system user from the WSO2 Identity Server and use it to authenticate infront WSO2 ESB so I can call the services.
I plan to use the AuthenticationAdmin and UserAdmin services for the authentication.
Is this scenario possible? If not what would be a good way to achieve similar scenario?
If I understood your requirement properly, I assume, you're trying to call a set of backend services via WSO2 ESB having "UsernameToken" as the authentication pattern. If that's so, then I don't see any requirement for you to use WSO2 IS for user creation, unless you're planning to do much deeper Identity Management.(You can still use it but I consider it as sort of an overhead given the fact that you just want to create the users there in WSO2 IS). For this, you can use the user management capabilities embedded in the WSO2 ESB (or in any other WSO2 product). What you would simply have to do is, create a user at the ESB level and use those credentials to call the backend services via the ESB.
Hope this helps.
Regards,
Prabath
We've Installed Pre-Packaged Identity Server 5.1.0 with API Manager 1.10.0 and use sqlserver as a data store.
We use OAUTH2 to authorize our API's and we want to map our local claims to a service provider (an application?). Behind the API we have a .Net Wcf Service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The Claims which are returned are:
{"iss":"wso2.org/products/am"
"exp":1462357259751
"wso2url/claims/subscriber":"Sjaak"
"wso2url/claims/applicationid":"1003"
"wso2url/claims/applicationname":"DefaultApplication"
"wso2url/claims/applicationtier":"Medium"
"wso2url/claims/apicontext":"/Test/v1.0"
"wso2url/claims/version":"v1.0"
"wso2url/claims/tier":"Silver"
"wso2url/claims/keytype":"PRODUCTION"
"wso2url/claims/usertype":"APPLICATION"
"wso2url/claims/enduser":"Sjaak#carbon.super"
"wso2url/claims/enduserTenantId":"-1234"
"wso2url/claims/emailaddress":"sjakie#chocola.nl"
"wso2url/claims/givenname":"Sjakie"
"wso2url/claims/lastname":"van de Chocoladefabriek"
"wso2url/claims/role":"Internal/subscriber
Internal/everyone
Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but only we want to use our own uri, so not wso2.org, but myorg.com. And we want to add other claims, with for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th may]
Maybe this can point us in the right direction?
When we add a subscription to an application and we generate a new key than there is no new Service provider in the list:
The list of service provider without a new one for user Sjaak, so there is missing: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin the claims are not coming through. We have the following claim configuration and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com uri:
Service Provider(SP) - It provides services to some end users and relies on a trusted Identity provider(IDP) to handle authentication and authorization for them. SP may use multiple protocols(Oauth2, SAML2, etc.) to communicate with IDP.
Claims are defined for SP, since same claims can be send over different protocols. In the default case, Identity server uses wso2 claim dialect(start with wos2.com) for claims. If you want a different claim dialect than this, use "Define Custom Claim Dialect" option in the service provider configuration. In there you can map wso2 claims(Local Claim) to your own claims(Service Provider Claim).