We are trying to use WSO2 IS 5.3 as IdP to perform SAML2 Web SSO for a multitenant SaaS app.
We'd like to host a single instance of the app, register the app as a service provider in WSO2 IS, create/manage tenants in WSO2 IS and configure different authentication means for each tenant.
In the POC we can successfully register our app as a SaaS service provider, and users from different tenants can log in to the app as soon as the users are listed in the tenant's primary or secondary user stores.
However, we cannot find info on how to configure ADFS-based authentication on a per-tenant basis (i.e. each tenant has its own IdP configured with an ADFS-based federated authenticator. When a user logs into the app, WSO2 IS, based on the customer's domain name, would use the IdP from the corresponding tenant).
We followed this link and can set ADFS-based authentication for the super tenant and it works fine (i.e. ADFS is configured as IdP for the super tenant and we use federated authentication in the service provider associated with our app).
The question is how we can achieve the same but enable/configure ADFS-based authentication on a per-tenant basis?
Thank you in advance for comments/ideas!
Update:
We were able to configure ADFS on a per-customer basis (following the steps from the blog https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/ ) and used the tenantDomain parameter to differentiate between tenants during authentication.
In the final solution we made the web app available to different tenants under different URLs. The app, based on the URL used to access it, would reconstruct and include the tenantDomain parameter (as specified in the WSO2 IS documentation) in the SAML request, and that would effectively instruct WSO2 to use the IdPs/auth means configured for that specific tenant for authentication.
I am using WSO2 API Manager 4.1.0 and I am trying to configure it with a custom OAuth2 authenticator to provide different users to different tenants.
By following this guide, meant for Okta, I was able to make logging in and token claim-to-role mapping work, with some adjustments to the configuration to adapt to the custom IdP. Users can successfully login with the custom IdP, are assigned roles correctly, and can act accordingly in the publisher and developer portals.
However, I cannot figure out if there is any way to assign users to any tenant other than carbon.super.
The custom IdP I am working with uses e-mail addresses as usernames and, when enable_email_domain=true in the configuration file deployment.toml, users are created in APIM with said e-mail as their names, but if that setting is false (or commented out), only the part before # is used. I thought this could be used to assign them to other tenants, but even if the e-mail domain is an existing tenant, the user is created in carbon.super.
I've noticed, when logging into Carbon as admin, in the Service Providers section, under Local & Outbound Authentication Configuration for apim_devportal and apim_publisher, the "Use tenant domain in local subject identifier" setting. I am unsure what exactly this option entails, but checking it does not seem to change anything.
This article in the documentation talks about tenants, but does not cover this scenario.
Does anyone know how (if it's even possible) to assign a user to a specific API Manager tenant, instead of carbon.super, upon logging in via custom IdP (not Okta or Identity Server)?
Same question here: I use Keycloak as IdP and have not found a solution yet for a multitenancy schema implementation.
How to achieve the scenario below:
I have multiple IdPs such as APM, Predix, etc. Every IdP has its own user management, such as creating users, groups, etc.
tenant 1 - APM
tenant 2 - Predix
Is there any tenant-dependent configuration in WSO2 so that when the request says Tenant 1, WSO2 automatically connects to APM and gives the endpoint information?
Doc [1] guides the steps to configure a federated identity provider in WSO2 IS. You can create different service providers and select the required IdP for each service provider. Steps to configure a federated IdP for a service provider can be found in [2], under the section "Click here for details on how to configure local and outbound authentication".
Edit: An Identity Provider can be created in WSO2 IS to represent the external IdP. We can create service providers (based on the requirement, they could be created in the relevant tenants), select federated authentication as "Authentication Type" and select the relevant IdP from the drop-down menu. Refer to the image below:
[1] https://docs.wso2.com/display/IS570/Configuring+Federated+Authentication
[2] https://docs.wso2.com/display/IS570/Adding+and+Configuring+a+Service+Provider
I have 3 applications (Spring microservices) configured as service providers. I set up OAuth2 auth and it works perfectly.
Now I want to have SSO between these 3 applications/service providers. How can I configure it? (I want to log in to one application/service provider and re-use the auth with the other applications/service providers.)
Thanks!
There is nothing special you need to configure to have SSO between those 3 applications. As all 3 of them are registered as service providers in WSO2 Identity Server, they will automatically SSO between them whenever you use the same browser session. When a user logs in to one of these applications through Identity Server, a session is created for that user inside the Identity Server, and the same session will be used whenever the same user (same browser session) tries to log in to any other registered application.
I have created 2 tenants in WSO2 identity server.
We need to deploy a sample application to which users belonging to both tenants should have access using SAML 2.0.
Please suggest how the sample application can be configured as a service provider in WSO2 Identity Server to achieve this requirement.
Assuming that the above is done, we would also like to know how the application can identify which user belongs to which tenant once the login is successful. Is this some information that would be passed in the SAML response?
You can create the service provider in SaaS mode. With this configuration, the service provider will be visible to all the tenants in the Identity Server. You can find how to configure a SaaS application in the documentation at [1].
If you want to return the tenant domain with the subject identifier in the SAML response, you can enable 'Use tenant domain in local subject identifier' in 'Local & Outbound Authentication Configuration' of the service provider. More information is available in [2].
[1] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider#ConfiguringaServiceProvider-Addingaserviceprovider
[2] https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
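Added example (mine, not from the answer above or from WSO2) of the application-side half of the question: pulling the subject out of a SAML Response and splitting it into user and tenant domain. It assumes that with 'Use tenant domain in local subject identifier' enabled the subject arrives as `<username>@<tenantDomain>`, that a subject without a provisioned tenant suffix belongs to carbon.super, and that the response's signature has already been verified by the SAML library; the response and tenant list are constructed.

```python
"""Identify the tenant of an authenticated user from a SAML Response subject."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUPER_TENANT = "carbon.super"

# Constructed, heavily trimmed SAML Response: only the Subject survives. A real
# response must be signature-checked BEFORE anything in it is trusted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.org@acme.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def split_subject(subject, known_tenants):
    """Split '<user>@<tenantDomain>' at the LAST '@' (assumption: the tenant suffix is
    appended after the username, so e-mail style usernames keep their own '@').
    The suffix is only accepted as a tenant if it is in the provisioned tenant list;
    anything else is treated as a carbon.super username (assumption). This is what
    disambiguates 'bob@acme.com' (tenant acme.com) from 'carol@example.org' (no tenant)."""
    user, sep, suffix = subject.rpartition("@")
    if sep and suffix.lower() in known_tenants:
        return user, suffix.lower()
    return subject, SUPER_TENANT


def tenant_from_response(xml_text, known_tenants):
    """Return (username, tenantDomain) for the NameID carried in a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAML Response carries no NameID")
    return split_subject(name_id.text.strip(), known_tenants)
```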
It is also needed to put the query param in the URL to select the right tenant. I modified the URLs in the metadata.xml generated from the WSO2 IS from something like this:
https://your-domain:9443/samlsso
to
https://your-domain:9443/samlsso?tenantDomain=tenant-name
And use this metadata.xml in the SP.
Otherwise, when the SP sends the SAML message, the IS will generate the log "Service Provider with the issuer 'xxx' is not registered." if your SP is not registered in the super tenant.
WSO2 IS 5.10
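Added example (mine, not from the posts above or from WSO2) that codes the two pieces this page settles on: `rewrite_metadata` puts `tenantDomain` on every SSO/SLO endpoint of the IdP metadata as the post above does by hand, and `sso_url_for_host` derives the tenant from the hostname the app is served under, the approach in the first question's update. The hostnames, tenant domains and the trimmed metadata are constructed, and the tenant-domain pattern is a sanity check of my own, not WSO2's rule.

```python
"""Put tenantDomain on the WSO2 IS samlsso endpoints an SP will talk to."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
IDP_SSO_URL = "https://your-domain:9443/samlsso"      # endpoint quoted in the post above
TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")       # sanity check only, not WSO2's rule
# Constructed allow-list: hostname the app is served under -> WSO2 tenant domain.
HOST_TO_TENANT = {"acme.saas.example": "acme.com", "globex.saas.example": "globex.org"}
# Constructed, trimmed copy of the IdP metadata WSO2 IS generates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="localhost">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-domain:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-domain:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-domain:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def with_tenant(url, tenant):
    """Return url with tenantDomain=<tenant>, replacing any tenantDomain already present."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"refusing tenant domain {tenant!r}")
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "tenantDomain"]
    query.append(("tenantDomain", tenant))
    return urlunsplit(parts._replace(query=urlencode(query)))


def rewrite_metadata(xml_text, tenant):
    """Rewrite every SSO and SLO endpoint Location in IdP metadata to carry the tenant."""
    root = ET.fromstring(xml_text)
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for endpoint in root.iter(f"{{{MD_NS}}}{tag}"):
            endpoint.set("Location", with_tenant(endpoint.get("Location"), tenant))
    return ET.tostring(root, encoding="unicode")


def sso_url_for_host(host):
    """Pick the tenant from the Host the app was reached under, via the allow-list.
    Using an explicit table rather than a client-supplied value keeps a request from
    steering authentication to a tenant that hostname was never mapped to."""
    tenant = HOST_TO_TENANT.get(host.split(":", 1)[0].lower())
    if tenant is None:
        raise LookupError(f"no tenant mapped for host {host!r}")
    return with_tenant(IDP_SSO_URL, tenant)
```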
We are using the WSO2 Identity Server SOAP API to add users. Is there a way to add a user without specifying a password in the SOAP envelope?
Users can log in to the WSO2 Carbon management console by providing a username/password. Also, external systems can access the admin services of the Carbon server by providing a username/password.
Is there any way to extend the default authentication mechanism?
Yes. The WSO2 Carbon product provides an authentication framework that can be used to extend the different authentication mechanisms. By default, the WSO2 Carbon product is shipped with several authenticators. Some authenticators are only used for accessing the admin service APIs, some only for management console login. You can find more details about the WSO2 authentication framework from here.
The following authenticators are currently available:
IWA Authenticator: Once the user has logged in to the Windows server machine using Windows authentication, the user can seamlessly log in to the WSO2 Carbon management console. The WSO2 Carbon product must be configured with AD.
SAML2 SSO Authenticator: Once the user tries to access the WSO2 Carbon management console, the user is redirected to the configured IdP. The user only provides credentials to the IdP and is then able to log in to the Carbon management console seamlessly. But here, the IdP and the WSO2 Carbon product must have the same user for authorization purposes. Therefore, the same user store is sometimes shared between the IdP and the Carbon products.
WebSeal Authenticator: The user has already logged in to the WebSeal server when they try to log in to the Carbon management console, so the user can log in seamlessly. But here, the IdP and the WSO2 Carbon product must have the same user for authorization purposes.
Mutual SSL: This is not used to log in to the management console. Instead, it is used to access the admin service APIs of the Carbon server.
For more details, check here.