I want to upgrade my WSO2 Identity Server from 5.0 to 5.3, but I don't know how to add custom authentication in the local and outbound authentication configuration of a service provider. For example, I need to add a level of assurance (LoA) for my Mobile Connect project.
Your requirement has two aspects:
1. Add custom authentication.
2. LoA
1. Custom Authentication
For custom authentication, you can create your own local or federated authenticators. The documentation is available at [1] and [2].
2. LoA
This will be available in one of the post-IS 5.4.0 releases. It will be handled with ACR ("Authentication Context Class Reference").
[1] https://docs.wso2.com/display/IS530/Writing+a+Custom+Local+Authenticator
[2] http://wso2.com/library/articles/2017/04/writing-a-custom-inbound-authenticator-for-wso2-identity-server/
Further discussion on dynamic authentication flow changes can be found in the WSO2 architecture thread:
Conditional Authentication Support on WSO2 Identity Server
Related
I'm trying to customize the login pages for the dev portal and publisher and I'm referring to the below documentation.
https://apim.docs.wso2.com/en/latest/reference/customize-product/customizations/customizing-login-pages-for-dev-portal-and-publisher/
The 1st step tells you to download the Identity Server, and in the 2nd step it says to start up the server using api-manager.sh, which could be a mistake.
However, I have the following questions related to the scenario.
In order to customize the login pages in APIM, should I start up the IS as a key manager as well?
Can't we customize the login pages just by using the JSP files readily available in the authentication endpoint in APIM?
I guess the documentation should be updated. You can use the existing JSP files in the authentication endpoint if you use OAuth2/OpenID. If you are using SAML, then you have to use WSO2 IS as the IdP with WSO2 API Manager.
Some samples can be found in [1].
By default, API Manager uses OAuth2/OpenID. You can do the service provider configuration in API Manager. Both OAuth2/OpenID and SAML use the JSP files in the authentication endpoint.
[1] - https://github.com/wso2/samples-is/tree/master/re-branding-the-default-login-page
We have a requirement in one of our projects where our client wants 3 factor authentication for a web application.
We are already using WSO2 IS for user authentication and authorization.
We would like to know if WSO2 IS supports 3 factor authentication of web application users.
Following is the requirement for 3-factor authentication:
Factor #1 – Username and password
Factor #2 – Individual/Personal digital certificate
Factor #3 – Biometric of the user
Can the WSO2 team let us know if this 3-factor authentication is possible using WSO2 IS, so that we can approach them for more details?
It would be great if we get any reference link to some doc so that we can share it with our management for further decision.
WSO2 Identity Server supports multi-factor authentication with any number of steps. Refer to this documentation for more information.
In your authentication flow, you need 3 specific authenticators. WSO2 Identity Server supports basic authentication out of the box, but the other 2 authenticators are not supported out of the box. However, you can download the relevant authenticators from the connector store and deploy them.
For certificate based authentication, you can find the connector from here and documentation from here.
For biometric authentication we do have one connector. You can find the connector from here and documentation from here. If you need any other biometric authenticator, please refer to this documentation to write your own authenticator.
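The first answer on this page (create your own local or federated authenticator, [1]) and the answer just above (write your own authenticator when no connector fits) both point at the same extension point. The following is an added example, not code from WSO2 or from the linked documentation: a minimal custom local authenticator for Identity Server 5.x that prompts for a second factor, verifies it, and sets the authenticated subject. The package name, the class name, the `PinVerifier` interface, the `pin.jsp` page and the constructor injection are assumptions for illustration; the OSGi bundle activator that registers the authenticator as a service (described in [1]) is not shown. The framework classes and method signatures are the ones the IS 5.x authentication framework exposes.

```java
// Added example: a minimal custom local authenticator for WSO2 Identity Server 5.x.
// Package, class name, PinVerifier and the JSP page name are assumptions, not WSO2 code.
package com.example.is.authenticator;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;

public class PinLocalAuthenticator extends AbstractApplicationAuthenticator
        implements LocalApplicationAuthenticator {

    private static final long serialVersionUID = 1L;
    private static final String NAME = "PinLocalAuthenticator";      // name referenced in the SP step config
    private static final String FRIENDLY_NAME = "PIN (example)";
    private static final String USERNAME_PARAM = "username";
    private static final String PIN_PARAM = "pin";
    private static final String SESSION_KEY_PARAM = "sessionDataKey";
    private static final String PIN_PAGE = "/authenticationendpoint/pin.jsp"; // hypothetical custom page

    /** Hypothetical PIN check; a real deployment would back this with the user store or an HSM. */
    public interface PinVerifier {
        boolean verify(String username, String pin);
    }

    private final PinVerifier verifier;

    public PinLocalAuthenticator(PinVerifier verifier) {
        this.verifier = verifier;
    }

    /** The framework asks every authenticator in the step whether the incoming request is its own. */
    @Override
    public boolean canHandle(HttpServletRequest request) {
        return request.getParameter(PIN_PARAM) != null && request.getParameter(USERNAME_PARAM) != null;
    }

    /** First pass: no PIN in the request yet, so redirect to the PIN page carrying the context id. */
    @Override
    protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        try {
            response.sendRedirect(PIN_PAGE + "?" + SESSION_KEY_PARAM + "=" + context.getContextIdentifier());
        } catch (IOException e) {
            throw new AuthenticationFailedException("Redirect to PIN page failed", e);
        }
    }

    /** Second pass: the PIN page posted back; verify it and set the subject for this step. */
    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        String username = request.getParameter(USERNAME_PARAM);
        String pin = request.getParameter(PIN_PARAM);
        if (!verifier.verify(username, pin)) {
            // Throwing fails the step; the message must never echo the submitted PIN.
            throw new AuthenticationFailedException("PIN verification failed for user " + username);
        }
        context.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(username));
    }

    /** Let the framework send the user back to the PIN page after a failed attempt. */
    @Override
    protected boolean retryAuthenticationEnabled() {
        return true;
    }

    /** Ties the posted-back request to the AuthenticationContext created on the first pass. */
    @Override
    public String getContextIdentifier(HttpServletRequest request) {
        return request.getParameter(SESSION_KEY_PARAM);
    }

    @Override
    public String getName() {
        return NAME;
    }

    @Override
    public String getFriendlyName() {
        return FRIENDLY_NAME;
    }

    /** Constant-time comparison so response timing does not reveal how many leading characters matched. */
    public static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** Sample verifier over a constructed in-memory table; for local testing of the flow only. */
    public static PinVerifier inMemoryVerifier(Map<String, String> pinsByUser) {
        return (user, pin) -> {
            String expected = pinsByUser.get(user);
            return expected != null && pin != null && constantTimeEquals(expected, pin);
        };
    }
}
```

Once the bundle is deployed, the authenticator appears under the service provider's Local & Outbound Authentication Configuration by its `getName()` value and can be placed as step 2 after the basic authenticator, which is how the multi-step flows discussed in this thread are assembled. The `PinVerifier` is deliberately separate from the authenticator so the framework lifecycle (canHandle, initiate, process, retry) can be exercised without a user store; swapping in a real verifier does not change the class.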
How do I integrate WSO2 AM 1.10.0 with PingFederate SAML 2.0? Are there any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just substituting PingIdentity for WSO2 IS. For the majority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even though I have logged into Applications and Subscriptions and can create applications from the /store UI.
I can confirm that this can be done without adding a separate WSO2 IS server into the picture. I fixed several issues (cannot generate keys, cannot publish APIs, etc.) as follows: 1) I added the admin user configured inside APIKeyValidator in api-manager.xml as an admin user via the management console and in user-mgt.xml; 2) inside api-manager.xml I changed the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer to [2] for configuring the SAML SSO federated authenticator in general.
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO
When walking through the code of WSO2 Identity Server 5.x, I can find a samlsso authenticator in application-authenticator and another one in carbon-authenticator. The same is true for IWA.
What is the difference between these? Which one is used when? Or is one of them obsolete?
Application Authenticators are used to authenticate users to the external apps (service providers) using WSO2 products.
Carbon authenticators are used to authenticate users to the admin console of that particular server.
I'm interested in using only the Publisher and the Store. We have already many API gateways in place and also a dedicated OAuth Authorization Server.
The Publisher and the Store should be used basically as an API Portal where APIs are published and potential new consumers can self-register...
I understand that all necessary information is distributed within the WSO2 API Manager ecosystem out of the box. But could this behaviour be adjusted in the following way?
When publishing an API, it must be created on an external, third-party API gateway. This gateway has its own management API, which must be triggered by the Publisher.
When a new consumer registers for an API, the external, third-party OAuth authorization server must be called in order to create the necessary OAuth information there, so that the new consumer is known to the authorization server. Again, the authorization server has its own management API, which must be triggered by the Store.
Is it possible to add custom fields in the Store which allow a consumer to enter additional information?
Any feedback is highly appreciated!
To answer your question on third-party gateways, WSO2 API Manager does not support this at the moment.
But we do support incorporating a third-party Key Manager. You can plug in a third-party OAuth provider to manage OAuth clients and access tokens. This is supported from API Manager 1.9.0 onwards.
You may need to implement a Key Manager extension to incorporate your OAuth authorization server. WSO2 API Manager includes a Key Manager extension for 'Surf OAuth Authorization Server' by default.
You can find more details on configuring a third-party Key Manager at [1] and [2].
To answer your question on adding custom fields: yes, you can include custom fields by customizing the Store with a sub theme [3] [4].
[1] https://docs.wso2.com/display/AM1100/Configuring+a+Third-Party+Key+Manager
[2] https://docs.wso2.com/display/AM1100/Extending+Key+Validation
[3] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme
[4] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme#AddinganewAPIStoreTheme-Writingasubthemeofthemaintheme