I'm looking for help on how to call WS-Trust secured SOAP service from WSO2 ESB.
The idea is to create a non-secure proxy-service which would call WS-Trust secured back-end service, so our SOAP clients wouldn't have to worry about authentication.
I've been going though the documentation and have found nothing of much value. The documentation mentions that WSO2 ESB uses Apache Rampart and more specifically Rahas module to engage WS-Trust secured services, yet there are no examples on how to configure, for example - security token service address.
So far i've found this blog post http://xacmlinfo.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
It runs a similar scenario but without WS-Trust. It uses Rampart configuration inside WS-Policy files, but Rampart configuration doesn't support any WS-Trust attributes.
I've also found this: http://ask.programmershare.com/279_17604398/
Which is more in line with what i'm looking for, but this example is doing the STS calls programmatically and even then unsuccesfully.
Is anyone aware of any examples of a succesfull configuration to call security token service -> service call itself using WSO2 ESB?
Related
I am new to this wso2 evaluating wso2,
I am using Identity Server I have web application , want to apply web SSO feature using WSo2, I had check there are soap web service present in wso2 for UserAdmin,
https://server-info:9443/services/UserAdmin.UserAdminHttpsSoap12Endpoint/ using soap client for test , for dev have to write java client for request
but did not find any web services related WEB SSO for example I require authentication web service which will accept Username/password return some token information and using that token I can store in session for single sign out
Is there any web service/ API in wso2 provide authentication? or what is best approach for implement SSO using wso2 for web applications.
Thanks
If you are looking for SSO with WSO2IS, WSO2IS supports several standard ways to achieve it. They are,
SAML2 SSO
OpenId Connect
OpenId
Passive STS (for windows based applications)
From above, most popular way is to use SAML2 SSO or Openid connect. Your web application also must support to talk with WSO2IS using above standards. Say, if you need to achieve SSO using SAML2 SSO. You application needs to send the SAML2 Request and process the SAML2 Response in standard way as mentioned in SAML2 SSO spec. You can find a sample web application that has been implemented to work with WSO2IS from here. This blog contains all configuration details that you need to do in WSO2IS side as well. You can even use the sample web application with other SAML2 IDP as sample web application is talking in standard way. Also. if you are looking for Openid connect, you can find another sample web application from here with config details. I hope this would be a good starting points for you.
I'm working on a master's degree project which the main goal is wso2 study.
Through wso2 I need to be able to:
Do protocol Bridging (eg: rest to soap);
Apply data transformation (apply xslt on xml);
Content based routing;
Load balancing;
Create authentication and authorization layer to legacy services (authentication via oauth 1.0a);
Exception shielding;
Service monitoring;
Services lifecycle control;
So, my question is: do I need any other wso2 product, or ESB is just fine? For example to implement the security layer and all the load balance stuff do I need to add wso2 identity server and wso2 elastic load balancer?
Or even more: do I need to extend the esb by writing custom code to solve any of this issues? In which cases extend the esb is the only way to go?
I hope to do not be naive trying to solve all this complicated issues, but I'm kinda lost on this big swiss knife that wso2 is.
Thanks
Please find my answer..
Do protocol Bridging (eg: rest to soap ---> ESB
Apply data transformation (apply xslt on xml) ----> ESB
Content based routing ----> ESB
Load balancing ---> ESB can be used. But i prefer Apache HTTP and Nginx. They are more intended for that purpose
Create authentication and authorization layer to legacy services (authentication via oauth 1.0a) --> ESB can be used. But you need an OAuth2 Authorization server for token validation. Also, XACML PDP for policy validation. Both are available with Identity Server. According to the Carbon, you can install those features with ESB as well. But it is not recommended much. Please see more details from here
Exception shielding ---> ESB
Service monitoring ----> ESB can be used. But if more, you can use BAM
Services lifecycle control ---> ESB can be used. If needed more, you can install G-reg features
I think. It is only enough to use WSO2 ESB and WSO2 IS for this purpose. Sometime you may need to write some code. But it is easy as there are lot of samples are available freely.
Does anyone know if the WSO2 Identity Server exposes a web service endpoint/URI to which I can send XACML requests via HTTP(S)? I am aware that they provide an API for doing this, but I have a situation where I can't use that, but I can do HTTP requests.
Thanks,
Jim
P.S. For the record, I think I've found my answer, mostly deduced from this page:
http://wso2.com/library/articles/2013/11/fine-grained-xacml-authoriation-with-pip-points/
That page tells how to enable WSO2 to unhide the WSDL for the EntitlementService web service.
Yes, you can enable the entitlement service wsdl and call it from external systems according to your requirement to send requests. By default this admin service is disabled. You can read more about it at PDP PEP Communication – how WSO2 Identity Server defines
A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backed service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The Content is been encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point to debug.
I am going to have a web portal from which I will be calling services with "UsernameToken" security.
For authentication purposes I would like to create a system user in the wso2 Identity Server, so that I can use it to call the services from the ESB. So basically, I want to request a token for the system user from the WSO2 Identity Server and use it to authenticate infront WSO2 ESB so I can call the services.
I plan to use the AuthenticationAdmin and UserAdmin services for the authentication.
Is this scenario possible? If not what would be a good way to achieve similar scenario?
If I understood your requirement properly, I assume, you're trying to call a set of backend services via WSO2 ESB having "UsernameToken" as the authentication pattern. If that's so, then I don't see any requirement for you to use WSO2 IS for user creation, unless you're planning to do much deeper Identity Management.(You can still use it but I consider it as sort of an overhead given the fact that you just want to create the users there in WSO2 IS). For this, you can use the user management capabilities embedded in the WSO2 ESB (or in any other WSO2 product). What you would simply have to do is, create a user at the ESB level and use those credentials to call the backend services via the ESB.
Hope this helps.
Regards,
Prabath