I need to expose an api via WSO2 Api-Manager and I want protect my api not with oAuth2 but via SAML autentication, actually I need to use the APi-Manager as SAML SP.
Therefore I need protect the may api and if a user isn't authenticated on SAML IDP presents the SAML IDP login page.
Is it possible do that with WSO2 Api-Manger or the SAML OSS is releated only for Web SSO for /carbon, /pubblish and /store web app?
thank you for the help!
OAuth2 is for authorization. You can use SAML for authentication and use APIM's SAML grant type to get an OAuth2 token using the SAML assertion.
https://docs.wso2.com/display/AM210/SAML+Extension+Grant
Related
I have created and published API with WSO2 API Manager. API client get access through OAuth2 and client credentials grant, sending consumer key and consumer secret to request access token. But now I need to implement authorization by means of authorization code grant. I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.
Can anybody tell if it is possible and how it can be implemented???
Documentation of WSO2 does not describe this flow and all examples I have found describe authorization process (OAuth2, authorization_code) only for user of WSO2 APIM.
now I need to implement authorization by means of authorization code grant.
I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.
If you want to use your own (application) authentication form, the simplest option is to leverage the password grant type where your application sends the token request along application and user credentials through a backend service
Using a code grant you suppose to use an authorization endpoint https://gateway:8243/authorize with parameters described in the documentation and indeed the default login form is used when the user is not yet authenticated
(I still have an urge to downvote the question for not searching the documentation)
If you still want to use the code grant type with your own authentication form, you may either customize the default logon form of the wso2 api gateway or customize an authenticator to use form of your application (this is quite advanced topic requiring configuring your own implementation and out of scope of the question/answer)
You have 2 options here without any customizations.
1) If your backend has a userstore, it can be configured as a secondary userstore for APIM. Then you can use any user in that userstore for authentication.
See https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores
2) If above option is not possible, and if your backend IDP supports any federation SSO protocols such as SAML2 or OIDC, you can configure federation using WSO2 IS.
See https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation
I am trying to call the WSO2 IS web service (i.e: getUserProfile) from service provider when we are using SAML2 SSO authentication ,but i am getting un authorized access.
Do we get any token that can be used to call the web service after the initial authentication,without passing the credential or cookies ??
This might be a permission problem. Make sure you have enable login permission for particular user.
Admin services are secured using common types of security protocols such as HTTP basic authentication, WS-Security username token, and session based authentication.
You can use SAML2SSOAuthenticationService.
Please refer the sample How to get a session cookie from a webapp which uses SAML SSO
i am newbie to the WSO2 identity server 5.0 service pack one.
I've been so confused lately that, what is different between identity provider and an outbound authentication?
How can i usage each of them ?
if i define a custom user store authentication, when must be used a custom authentication in Authentication endpoint? what is difference and usage each of them?
Identity providers are providing identity for users to interact with a system. As an example here in wso2 identity server we can configure Facebook as an Identity Provider(IDP). By doing this we can allow users to be logged into Service Providers using facebook credentials. you can follow the blog in [1] to test Wso2 IS with facebook IDP. Otherthan facebook we can use google, Live, Yahoo, etc. as IDP with IS.
[1] http://prasadtissera.blogspot.com/2014/04/login-with-facebook-for-wso2-identity.html
Thanks
I am very new to wso2 API manager. Sometimes an application might need to call a service in another application on behalf of a user. How can we make this in wso2 API manager by configuring Signed JWT Authenticator as like Google OAuth 2.0 Authorization Server?
If user is authenticated by saml2 in the application, then application can get the oauth token using saml token and invoke the apis on behalf of user.
check following links for more detail
1.http://shafreenanfar.blogspot.in/2014/02/exchanging-sml2-token-to-oauth2-token.html
2.http://pushpalankajaya.blogspot.in/2014/01/invoking-apis-using-web-app-with-oauth2.html
Earlier I was in assumption that, WSS4J is not compatible with SAML, but as I see this http://jaminhitchcock.blogspot.in/2014/05/creating-and-validating-saml-assertions.html , I hope to give a try. But I want to use a Identity Provider(WSO2) to generate SAML token. So I should be able to configure WSS4J with a SecurityPolicy.xml file which verifies the token from Identity Provider. Please let me know where can I start looking for it?
Thanks
There are two ways that you can generates SAML tokens with Identity Server.
Use Identity Server as SAML2 SSO IDP that implements SAML2 SSO web browser based profile.
Use Identity Server as STS (Security Token Server) with WS-Trust specification.
I think, It is more likely that you are hoping to use Identity Server as STS. With STS, Identity Serve provides a web service to retrieve SAML tokens. This STS web service can be secured with WS-Security mechanism by default. As an example, you can secure STS service with user name token. Then client needs to send the RST request with user name token. Once user it authenticated, client would be received a SAML token. I think, you can find some information about STS service from here