Does WSO2 Identity Server have an API for session management?
I have an app with SAML SSO.
What I would like to achieve is to check whether, for a given SAML token, there is an active session.
Validity of the SAML token has nothing to do with validity of the user session.
In theory - when the user does "logout", the identity server should execute SLO (single logout); however, based on our experience with WSO2IS 5.0.0 it works only for a limited number of options.
Since version 5.2.0 there's OpenID Connect Session Management implemented using iframes, see http://malithiedirisinghe.blogspot.be/2016/03/openid-connect-session-management.html
But generally - you will have a hard time synchronizing sessions between multiple service providers and WSO2 IS. With claim-based authentication (SAML, OAuth 2.0) the sessions between the IdP and SP are independent. (The only option I've seen is when the IdP works as a pass-through proxy for the backend SP, but that's not what WSO2IS is intended for.)
In version WSO2IS 5.3.0 there should be "user session management" implemented, but I haven't worked with that yet (managing sessions for WSO2IS, not external SPs).
Seems like it does; you should investigate the documentation here and here (those links were provided to me by a WSO2 team member), or ask your local WSO2 office directly.
I have used WSO2 App Manager to publish my web applications with Identity Server 5.3.0 as the Identity Provider. I have configured SSO and SLO using three service providers. I'm using simpleSAMLphp with my web apps. SSO works fine in my system, but single logout is not working properly. I have configured this using the following document:
https://docs.wso2.com/display/IS500/SAML2+IdP+with+SimpleSAMLphp+Service+Provider
Can someone advise me regarding this issue?
Please see WSO2 IS Single Logout partially working
Indeed, WSO2 IS uses the "backend channel" for SLO requests when logging out from multiple service providers (at least it was that way up to version 5.2.0); I don't believe it was changed/fixed in 5.3.0.
We are using WSO2 Identity Server as an IdP. We have registered our application www.abcdefg.com as a Service Provider. Now when we access www.abcdefg.com in any browser, the IdP gives us the page to enter the credentials to authenticate into www.abcdefg.com.
Now what we are looking for is: do we have any WSO2 product where we can see how many users were authenticated into www.abcdefg.com? Or can we achieve this in the WSO2 Identity Server product?
This is a feature planned for an upcoming Identity Server release and is currently under development. See the mail "[Architecture] Security Analytics" at architecture#wso2.org mailing list for more details if you are interested :)
A few days ago, I started to work with WSO2 Identity Server in my project as the authorization server in my architecture. I found that it can be interfaced with an external data source like LDAP, so I can use the enterprise LDAP instead of re-creating all users and roles in WSO2 IS.
My question is about authentication on WSO2 IS: when the user authenticates on WSO2 IS and approves access, normally this is done over the HTTPS protocol.
I don't know if it's possible to use another authentication protocol like Kerberos or RADIUS to connect to WSO2 IS?
By default WSO2 IS on the frontend supports OAuth 2.0, SAML 2.0, OpenID and the WS-Trust STS protocol. They are indeed all based on HTTPS. Next to that you may use a Kerberos KDC.
For Kerberos configuration you may check this article: http://wso2.com/library/articles/2012/07/kerberos-authentication-using-wso2-products/
WSO2IS has Kerberos support [1]. But it doesn't support RADIUS yet.
[1] https://docs.wso2.com/display/IS500/Kerberos+Security
I am new to WSO2 and am evaluating it.
I am using Identity Server. I have a web application and want to apply the web SSO feature using WSO2. I checked and there are SOAP web services present in WSO2 for UserAdmin,
https://server-info:9443/services/UserAdmin.UserAdminHttpsSoap12Endpoint/ using a SOAP client for testing; for dev I have to write a Java client for the request,
but I did not find any web services related to web SSO. For example, I require an authentication web service which will accept username/password and return some token information, and I can store that token in the session for single sign-out.
Is there any web service/API in WSO2 that provides authentication? Or what is the best approach to implement SSO using WSO2 for web applications?
Thanks
If you are looking for SSO with WSO2IS, WSO2IS supports several standard ways to achieve it. They are:
SAML2 SSO
OpenID Connect
OpenID
Passive STS (for Windows-based applications)
From the above, the most popular way is to use SAML2 SSO or OpenID Connect. Your web application must also support talking with WSO2IS using the above standards. Say you need to achieve SSO using SAML2 SSO: your application needs to send the SAML2 Request and process the SAML2 Response in the standard way, as described in the SAML2 SSO spec. You can find a sample web application that has been implemented to work with WSO2IS from here. This blog contains all the configuration details that you need to do on the WSO2IS side as well. You can even use the sample web application with other SAML2 IdPs, as the sample web application talks in the standard way. Also, if you are looking for OpenID Connect, you can find another sample web application from here with config details. I hope this would be a good starting point for you.
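Added here to illustrate the SP-side half of what this answer describes (building the SAML2 AuthnRequest and checking the SAML2 Response before trusting it); this is not code from the answer or from WSO2, and the entity IDs, URLs and the sample Response are constructed. It assumes the Assertion's XML signature has already been verified by a proper SAML library before these checks run.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC xs:dateTime values

def parse_ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)

def build_authn_request(sp_entity_id, idp_sso_url, acs_url):
    """Return (request_id, SAMLRequest query value) for the HTTP-Redirect binding."""
    req_id = "_" + uuid.uuid4().hex  # the SP must store this to check InResponseTo later
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}"'
           f' Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}"'
           f' Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, as the Redirect binding requires
    return req_id, base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def validate_response(b64_response, expected_request_id, sp_entity_id, now=None):
    """SP-side checks on a SAML Response; returns (name_id or None, list of problems).
    Assumes the Assertion's XML signature was already verified with a real SAML library."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we stored")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["Response carries no Assertion"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    if sp_entity_id not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not name this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (name_id if not problems else None), problems

# Constructed sample Response for the self-check; not real WSO2 IS output.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="_r1" Version="2.0" InResponseTo="_req1" IssueInstant="2016-03-01T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-03-01T10:00:00Z"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2016-03-01T09:59:00Z" NotOnOrAfter="2016-03-01T10:05:00Z"><saml:AudienceRestriction>
  <saml:Audience>https://sp.example/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>""".encode()).decode()
```

The same checks apply whichever IdP issued the Response, which is why the sample SP in the answer works against other SAML2 IdPs too.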
I'm trying to achieve SSO among different applications. The applications are:
API Manager 1.7.0 Store
API Manager 1.7.0 Publisher
Liferay 6.2
I managed to configure Liferay to log in through Identity Server OpenID and to configure API Manager to log in through an Identity Server generated SAML token, as detailed in the API Manager documentation.
The SSO is working well between API Store and API Publisher.
The problem is that I can't achieve SSO between Liferay and API Manager. If I log in to Liferay with OpenID and open the Store or Publisher URL, the user is asked for username and password again.
How can I configure the IS to implement the desired scenario?
Thanks, Paolo
Are you using the IS 5.0.0 version? Normally it would create the same session for all logins in IS 5.0.0. It means: if you log in with OpenID, SAML2 or OAuth2, it does not matter, IS creates a common session for the given user. Normally it should not ask for the password again. If it is asked, it can be a bug. Can you just check whether there is a cookie called commonauthid in the browser? If you are using some older version of IS, you can enable this property <AcceptOpenIDLogin>false</AcceptOpenIDLogin> in the identity.xml file.