I see that WSO2 IS is capable of having multiple user stores and it has an embedded LDAP server. My question is whether it is possible to set up a secondary user store using JDBC, for example, and then make it browseable via the WSO2 IS LDAP server on its default port (10389)?
Thanks
How can I use WSO2 IS (5.11) to generate a JWT with information stored on a server that is not WSO2 and that is used for authentication? My use case is to log in the user via WSO2 IS, but the actual authentication will happen on a different server, not WSO2. In turn this server, upon authenticating the user, will call WSO2 to generate a JWT with custom data that it sends. If I understand this post correctly, I need to create a local authenticator. Is this the approach I should take in my use case?
Moreover, if this approach is possible, will I be able to use WSO2 SSO to allow the user to access applications on the remote server, or is WSO2 SSO strictly for applications running on the WSO2 server itself?
Since you need to connect to some external store using a REST API, you can write a custom local authenticator and deploy it into the Identity Server. You can implement the custom local authenticator to call your store using some REST API and authenticate the user.
[1]https://is.docs.wso2.com/en/5.9.0/develop/writing-a-custom-local-authenticator/
[2]https://github.com/vihanga-liyanage/samples-is-1/tree/master/custom-local-authenticator
[3]https://everything1know.wordpress.com/2019/09/17/wso2-is-custom-local-authenticator/
I have installed WSO2 Identity Server 5.3.0 in our system and tried to establish an external LDAP connection using the steps provided in LABKIT.pdf.
I have successfully configured Apache Directory Studio on my Windows Server 2008 R2 Standard to communicate with or authenticate to Active Directory using the Bind DN and password:
Bind DN : CN=Administrator,CN=Users,DC=orap,DC=co,DC=in
Bind Password : Psas#2017!!
After configuring the necessary settings in the file "user-mgt.xml" for external LDAP, restarting the service with "./wso2server.sh" shows the embedded LDAP settings disabled and the external LDAP connection successful, but the WSO2 login page is unable to log in using either
the default admin login or
an LDAP username and password.
How do I solve this issue so that our own LDAP server can communicate with WSO2 IS?
From your question it seems you haven't added the admin user or pointed to an existing admin user for the Identity Server. You can do this via <AddAdmin>true</AddAdmin> and adding a new admin user with a new password in user-mgt.xml. Otherwise you can point to an existing user in your LDAP server as the admin user in the <AdminUser> section of user-mgt.xml.
You need to set up your external LDAP connection as a secondary store. What you define in 'user-mgt.xml' becomes your primary store. Your primary store should be a JDBC store in this instance, since you're disabling embedded LDAP. If you do it this way, you'll be able to log in with your default admin login. Don't forget to disable the admin settings at the top of user-mgt.xml once you have started your WSO2 IS for the first time.
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (AWS EC2 machines). I am also using the so-called WSO2 IS Admin Services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example, I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as a result I receive the following message:
UserNotFound: User admin#admin.com#carbon.super does not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case where I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this the desired behavior, introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using "username"+"tenant-domain" (which is what the OAuth2TokenValidationService returns as the authorized user when a valid access token is passed)?
Is it possible that this is caused by a misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information can be found on the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified from the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use a tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should look like the image below.
Thanks
Isura.
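The rule in the answer above (the tenant domain comes from the authenticated session, the username passed to getUserProfile is the tenant-free part, and the last separator is the one that matters because the usernames are email addresses) as a small helper. This is an added example, not code from the thread or from WSO2; WSO2 separates the tenant domain with "@" (the thread renders it as "#"), so the separator is a parameter, and `plan_profile_lookup` and its keys are this example's own names.

```python
from __future__ import annotations

SUPER_TENANT = "carbon.super"  # WSO2's default (super) tenant domain


def split_tenant_username(qualified: str, sep: str = "@",
                          email_usernames: bool = True) -> tuple[str, str]:
    """Return (tenant_free_username, tenant_domain) for a WSO2 username.

    The LAST separator marks the tenant domain, because with email usernames
    the local part already contains one:
        admin@admin.com@test.net      -> ("admin@admin.com", "test.net")
        admin@admin.com@carbon.super  -> ("admin@admin.com", "carbon.super")
    With email_usernames=True a value holding a single separator is treated
    as a bare email address in the super tenant (the form that worked in the
    thread); with email_usernames=False it is user@tenant in the usual
    Carbon sense. A value with no separator always belongs to the super tenant.
    """
    parts = qualified.split(sep)
    if len(parts) == 1:
        return qualified, SUPER_TENANT
    if len(parts) == 2 and email_usernames:
        return qualified, SUPER_TENANT
    return sep.join(parts[:-1]), parts[-1]


def plan_profile_lookup(authorized_user: str, profile_name: str = "default",
                        sep: str = "@") -> dict[str, str]:
    """Turn the authorizedUser returned by OAuth2TokenValidationService into
    the arguments for UserProfileMgtService.getUserProfile, plus the tenant
    whose (admin) session the call has to be made under. Hypothetical helper
    name and keys; only the splitting rule comes from the answer."""
    username, tenant = split_tenant_username(authorized_user, sep)
    return {"authenticate_in_tenant": tenant,
            "username": username,
            "profileName": profile_name}


if __name__ == "__main__":
    # Constructed inputs mirroring the thread (with '@' in place of '#').
    for user in ("admin@admin.com@carbon.super", "admin@admin.com@test.net",
                 "admin@admin.com@test2.net"):
        print(user, "->", plan_profile_lookup(user))
```

The `authenticate_in_tenant` value is the part the answer stresses: for `test.net` users the SOAP session must belong to a `test.net` user, and only the tenant-free `username` goes into the request body.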
I'm trying to create a self-signup client application which is using WSO2 API Manager and Identity Server.
When I tried to call a web service provided by Identity Server, I observed that some of the Java classes try to get a tenant admin credential from a registry file called self-signup.xml.
Because of this I am forced to change the tenant's admin credential manually in self-signup.xml whenever I change the admin's credential through the Carbon UI.
My questions are:
Is there any specific reason that WSO2 Identity Server gets the tenant admin credential from that registry file rather than retrieving it from a database?
Is there any way to automatically update the tenant admin's credential written in that registry file when the credential is updated in the database (e.g. changed through the Carbon UI)?
Thanks in advance.
What is the web service you are using for self sign-up here?
If you are using UserRegistrationAdminService you should not need any admin credential for self sign-up.
You should not need to read admin credentials from a file in your client. Usually, if you want to call a web service which requires authentication from your client, you need a user logged in to your client and you need to use the cookie retrieved for that user.
We have an issue with WSO2 Identity Server version 4.5.0 where we have swapped out the default embedded Apache DS and replaced it with OID (Oracle Internet Directory).
We have updated user-mgt.xml and the other configuration files the way we think they should be.
However, we cannot write users/roles back to LDAP from WSO2.
We can create users/roles directly in LDAP when logged in through Directory Studio.
We can view users/roles in WSO2.
We can also delete a user in WSO2.
We have gone through the user docs on configuring the user store: https://docs.wso2.org/display/IS450/Configuring+Primary+User+Stores#ConfiguringPrimaryUserStores(Carbon4.2.0v2)-ConfiguringanexternalLDAPorActiveDirectoryuserstore
It is only writing to LDAP through WSO2 that is not working, so it must be a WSO2 configuration issue. I have the UserStoreManager configured as ReadWriteLDAPUserStoreManager.
Again, reading and deleting work fine through WSO2.
Does anyone have any ideas/suggestions on where to look to solve this problem?
We discovered the problem. We switched out the default LDAP for an external LDAP, but the schema definitions were a bit off and we had SCIM enabled in user-mgt.xml.
There's a good explanation here:
http://sureshatt.blogspot.com/2013/06/scim-user-provisioning-with-wso2.html
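Two of the answers on this page come down to a few lines in user-mgt.xml: the AddAdmin/AdminUser settings that decide whether the admin account exists once the primary store is an external LDAP (and that should be switched back off after the first start), and SCIMEnabled on an LDAP store whose schema was never extended for SCIM, which is what broke user/role writes in the last question. The script below audits a `<Realm>` section for exactly those points. It is an added example, not code from the thread or from WSO2: the two XML documents are constructed to resemble the IS 5.x layout, and the finding codes are this script's own.

```python
"""Audit the <Realm> section of a WSO2 IS user-mgt.xml for the pitfalls raised
in this thread: an admin user that cannot log in after the primary store was
switched to an external LDAP, AddAdmin left on after the first start, and
SCIM enabled on an LDAP store whose schema was not extended for it."""
import xml.etree.ElementTree as ET

# Carbon user store manager classes that back onto a directory server.
LDAP_MANAGERS = ("ReadWriteLDAPUserStoreManager",
                 "ReadOnlyLDAPUserStoreManager",
                 "ActiveDirectoryUserStoreManager")

# Constructed sample: primary store switched to an external LDAP, admin user
# never provisioned there, SCIM left on (the combination seen in the thread).
BEFORE = """<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>false</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>REPLACE_ME</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
      <Property name="ConnectionName">CN=Administrator,CN=Users,DC=example,DC=test</Property>
      <Property name="SCIMEnabled">true</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

# Constructed sample following the second answer above: JDBC primary store,
# admin settings switched back off after the first start. The external LDAP
# becomes a secondary store, which IS 5.x defines outside this file.
AFTER = """<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>false</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>REPLACE_ME</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="SCIMEnabled">true</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""


def _prop(elem, name):
    """Value of a <Property name="..."> child of elem, or None if absent."""
    for p in elem.findall("Property"):
        if p.get("name") == name:
            return (p.text or "").strip()
    return None


def parse_realm(xml_text):
    """Extract the fields the audit needs. The first <UserStoreManager>
    under <Realm> is the PRIMARY store."""
    root = ET.fromstring(xml_text)
    conf = root.find("./Realm/Configuration")
    usm = root.find("./Realm/UserStoreManager")
    if conf is None or usm is None:
        raise ValueError("no <Realm>/<Configuration> or <UserStoreManager> found")
    return {
        "primary_class": usm.get("class", ""),
        "add_admin": (conf.findtext("AddAdmin") or "").strip().lower() == "true",
        "admin_user": (conf.findtext("AdminUser/UserName") or "").strip(),
        "scim_enabled": (_prop(usm, "SCIMEnabled") or "false").lower() == "true",
    }


def audit(cfg):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    ldap_primary = cfg["primary_class"].endswith(LDAP_MANAGERS)
    short = cfg["primary_class"].rsplit(".", 1)[-1]
    if ldap_primary and not cfg["add_admin"]:
        findings.append(("ADMIN_NOT_PROVISIONED",
                         f"primary store is {short} and AddAdmin is false: AdminUser "
                         f"'{cfg['admin_user']}' must already exist in the directory, "
                         "or set AddAdmin to true for the first start"))
    if cfg["add_admin"]:
        findings.append(("ADD_ADMIN_LEFT_ON",
                         "AddAdmin is true: set it back to false after the first start"))
    if ldap_primary and cfg["scim_enabled"]:
        findings.append(("SCIM_ON_EXTERNAL_LDAP",
                         f"SCIMEnabled is true on {short}: the directory schema must "
                         "carry the SCIM attributes or writes from WSO2 will fail"))
    return findings


def audit_xml(xml_text):
    return audit(parse_realm(xml_text))


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_xml(doc) or "clean")
```

Run it against a real user-mgt.xml by reading the file into `audit_xml`; the checks only look at the first `<UserStoreManager>`, because in IS 5.x that is the only store this file defines.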