Can anyone assist me here? I am trying to use WSO2 to authenticate a user from Active Directory and return an OIDC/OAuth JWT token.
Please provide more details on where you are stuck and which version of the component you are trying to configure.
There are three steps to get this done:
0 - Set the email field as login: https://docs.wso2.com/display/IS530/Using+Email+Address+as+the+Username
1 - Configure AD as the primary store in WSO2 IS: https://docs.wso2.com/display/IS530/Configuring+a+Read-Write+Active+Directory+User+Store
2 - Set up an OIDC client in WSO2 IS: https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
3 - Configure your client to use WSO2 IS as the OIDC token provider
Jeff
We are running WSO2 IS version 5.10 and want to use an external IdP (SafeNet) as step 2 authentication for a Service Provider. I configured the Service Provider to use an advanced configuration for the login process. I configured 2 steps, where the first step is basic auth and the second step is a federated IdP, SafeNet (SAML2 SSO).
Everything works fine except one thing: when I try to log on to my application, WSO2 shows me the login interface, I put in my credentials (username and password), after that I am redirected to the SafeNet login interface and I should put in my username again on the SafeNet login page. So the username, how to say it correctly, is not transferred to step 2 (sorry for my English). I inspected the SAML request which is generated by WSO2 and could not find NAMEID. Can anyone help with this?
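When debugging the step-2 handoff described above, the first thing to check is whether the AuthnRequest WSO2 IS sends to the federated IdP carries a Subject/NameID at all. The following is an added example (not code from the asker, WSO2, or SafeNet) that decodes a SAMLRequest parameter from either the HTTP-Redirect binding (raw DEFLATE + base64 + URL-encoding) or the HTTP-POST binding (base64 only) and reports the NameID, if present. The issuer, destination and request ID values are constructed sample values, and the minimal AuthnRequest builder is only there to produce test input; it is not the XML WSO2 IS emits.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(issuer, destination, request_id, name_id=None):
    """Construct a minimal SAML 2.0 AuthnRequest for testing (constructed sample,
    not the exact document WSO2 IS produces). A Subject/NameID is added only when
    name_id is given, which mirrors the two cases a practitioner wants to tell apart."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2019-01-01T00:00:00Z",   # constructed timestamp
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if name_id is not None:
        subject = ET.SubElement(req, f"{{{SAML}}}Subject")
        nid = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED})
        nid.text = name_id
    return ET.tostring(req, encoding="unicode")


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate stream
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_binding(saml_request_param):
    """Reverse of encode_redirect_binding: URL-decode, base64-decode, inflate."""
    raw = base64.b64decode(unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def decode_post_binding(saml_request_field):
    """HTTP-POST binding carries the XML base64-encoded without compression."""
    return base64.b64decode(saml_request_field).decode("utf-8")


def extract_name_id(xml_text):
    """Return (NameID value, Format) from an AuthnRequest's Subject, or None when the
    request carries no Subject/NameID, which is the symptom in the question above."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is None or not nid.text:
        return None
    return nid.text, nid.get("Format", NAMEID_UNSPECIFIED)


def inspect_saml_request(param, binding="redirect"):
    """Decode a captured SAMLRequest value and report whether a NameID is present."""
    xml_text = decode_redirect_binding(param) if binding == "redirect" else decode_post_binding(param)
    return extract_name_id(xml_text)


if __name__ == "__main__":
    # Constructed sample: a request with and one without a Subject/NameID.
    with_nameid = build_authn_request("https://is.example/samlsso", "https://idp.example/sso",
                                      "_req1", name_id="alice")
    without_nameid = build_authn_request("https://is.example/samlsso", "https://idp.example/sso",
                                         "_req2")
    print(inspect_saml_request(encode_redirect_binding(with_nameid)))      # ('alice', ...unspecified)
    print(inspect_saml_request(encode_redirect_binding(without_nameid)))   # None
```

To use it on real traffic, copy the SAMLRequest query parameter (redirect binding) or form field (POST binding) from the browser's network tab and pass it to inspect_saml_request; a None result confirms that the step-1 username is not being forwarded in the request to the federated IdP.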
How do I customize the default authentication method (username/password) in WSO2 Identity Server 5.7.0? I.e. use a password plus any of mobile/email/username to authenticate an end user and provide the user a JWT token as the response.
Please refer to the following [1][2]; as per your requirement you can use basic (username/password) as authentication step 1 and SMS OTP or email OTP as step 2. The following examples are based on SAML, but as you need to get a JWT token as the response you need to register an OIDC application as a service provider [3][4].
[1] https://docs.wso2.com/display/IS570/Configuring+Email+OTP#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider
[2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+Multi-factor+Authentication+using+SMSOTP
[3] https://docs.wso2.com/display/IS570/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
[4] https://docs.wso2.com/display/IS570/Try+Authorization+Code+Grant
I have an API Manager 2.6.0 deployment across 3 nodes, i.e. 3 VMs. Abbreviations:
GW - Gateway
AIO - Traffic Manager, Key Manager, Dev portal, Publisher
Analytics - API-M Analytics 2.6.0
DB - PostgreSQL.
I had everything working between the components until I changed the default admin password (the username stayed the same).
As per the manual I did:
- Changed the admin password from the UI, since I had already done tests with the default credentials
- Changed the password in api-manager.xml on AIO and GW
- Changed the password in user-mgt.xml on AIO and GW
- Changed the password in jndi.properties on AIO and GW
The above 4 points are as noted in the manual: https://docs.wso2.com/display/AM260/Maintaining+Logins+and+Passwords
This manual does not tell how to make a distributed Analytics node accept that password.
The Analytics install manual told me to install WSO2 API-M Analytics and WSO2 API-M (which, as I understand it, is meant for when both are on the same machine). Again, this manual does not say much about configuring the user on the Analytics server.
I tried to look in the DAS and SP manuals, but Analytics does not have auth.configs: in the YAML files, and adding them manually from the SP source code does not help either.
Error returned on GW and AIO:
2019-02-21 15:13:52,090 [-] [DataBridge-ConnectionService-tcp://192.168.102.39:7612-pool-11-thread-1] ERROR DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://192.168.102.39:7712.
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://192.168.102.39:7712.
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to the data receiver.
Caused by: ThriftAuthenticationException(message:wrong userName or password)
On Analytics obvious:
[2019-02-21 15:16:49,016] ERROR {org.wso2.carbon.databridge.core.internal.authentication.CarbonAuthenticationHandler} - Authentication failed for username 'admin'. Error : 'Invalid_Credentials'. Error Description : 'The login credential used for login are invalid, username : 'admin'.'
[2019-02-21 15:16:49,016] ERROR {org.wso2.carbon.databridge.core.internal.authentication.Authenticator} - wrong userName or password
The question is, how do I make the WSO2 APIM Analytics (2.6.0) node, which is separate from API Manager, accept the changed credentials?
Last thought: do I need to connect Analytics to the Carbon DB?
You have to add the auth.configs element to the conf/worker/deployment.yaml file (please note the password has to be Base64 (UTF-8) encrypted):
auth.configs:
  type: 'local'
  userManager:
    adminRole: admin
    userStore:
      users:
        -
          user:
            username: admin
            password: YWRtaW4=
            roles: 1
      roles:
        -
          role:
            id: 1
            displayName: admin
We recently migrated (registry and user store) from WSO2 IS 5.0 to WSO2 IS 5.1 as per the instructions in the WSO2 migration guide. After migrating and successfully bringing up the WSO2 IS server, when we try to authenticate an existing user with the /oauth2/token endpoint the authentication fails. We can see the user along with the user attributes in the user store.
On the WSO2 server we are seeing this error:
{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : <username>#carbon.superScope : openid, Authentication State : false
This is a migrated user so we cannot change the username. I tried googling how to disable multi-tenancy in 5.1, as we do not use that feature, but no luck.
This is blocking us from moving to the newer version of WSO2.
Has anyone fixed this?
Modified the SP to disable the domain name as per the instructions from Gusto2:
But still the same results.
On the Duo identity provider configuration page, under federated authenticators, put "true" in the "disable tenant domain" box.
This solution may help. Go to your Identity Server and navigate to the service. Now click on the edit button of your target service, go to the Local & Outbound Authentication Configuration section and uncheck the following options:
- Use tenant domain in local subject identifier
- Use user store domain in local subject identifier
I am showing it in the image. Follow the red-marked box.
I'm trying to achieve SSO among different applications. The applications are:
- API Manager 1.7.0 Store
- API Manager 1.7.0 Publisher
- Liferay 6.2
I managed to configure Liferay to log in through Identity Server OpenID, and to configure API Manager to log in through an Identity Server generated SAML token as detailed in the API Manager documentation.
SSO is working well between the API Store and API Publisher.
The problem is that I can't achieve SSO between Liferay and API Manager. If I log in to Liferay with OpenID and I open the Store or Publisher URL, the user is asked for username and password again.
How can I configure the IS to implement the desired scenario?
Thanks, Paolo
Are you using IS 5.0.0? Normally it would create the same session for all logins in IS 5.0.0. That means it does not matter whether you log in with OpenID, SAML2 or OAuth2: IS creates a common session for the given user. Normally it should not ask for the password again. If it does, it can be a bug. Can you check whether there is a cookie called commonauthid in the browser? If you are using an older version of IS, you can enable this property <AcceptOpenIDLogin>false</AcceptOpenIDLogin> in the identity.xml file.