I created and published an API in wso2.1 as admin, created roles and rules in Identity Server as admin, generated a token for a user created under admin and tried accessing the API; it works fine.
When I create the API under admin and subscribe to it as a tenant, create roles and rules in Identity Server logged in as the tenant, create a user under the tenant and then try accessing the API with that user's generated token, it does not work; I get "User is not authorized to perform the action".
Please help.
After completing the OAuth/OpenID authentication I want to list the roles (or groups) the user is part of. I tried the Admin SDK API but that is only for the account admin (this is what I understood).
I want to list the user's roles once authenticated and I have the access_token.
I tried the Admin SDK but that was only for the account admin or GCP admin, from what I understood.
Good evening experts,
I am trying to apply authorization with Azure AD roles in my Django web app.
What I have so far:
I created a user in Azure AD (which works with SAML in my Django web app, so the authentication works fine) and I assigned a role to it.
I have a Django web app which uses djangosaml2 to perform SSO.
I added the following attribute mapping:
'http://schemas.microsoft.com/ws/2008/06/identity/claims/role': ('user_permissions',),  # the value must be a tuple, hence the trailing comma
I cannot see the assigned role in the SAML response. I added the attribute mapping above to the djangosaml2 config, so I thought I could instruct Azure AD to add the roles to the SAML response, but obviously it doesn't work.
How can I make Azure AD work with Django (or any other web app framework) to perform the authorization? What I mean is that I'd like to see the assigned roles in the SAML response so that the Django user gets this role as a permission.
I'd appreciate any help please!
Thanks!
You must create an App registration and/or give those permissions to your App Registration.
Follow this documentation: https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
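Once the app role does show up in the assertion (the answer above points at the app-roles setup), turning it into Django permissions is still application-side work. The following is an added example, not code from the question, the answer or djangosaml2: it pulls the values of the Azure AD role claim out of a constructed SAML assertion with the standard library and maps them to permission codenames. The ROLE_TO_PERMISSIONS table and the codenames in it are assumptions for illustration. The assertion must already have been signature- and audience-validated (pysaml2 does this inside djangosaml2 before attribute mapping runs); this code trusts its input and does no validation of its own.

```python
import xml.etree.ElementTree as ET

# Attribute name Azure AD uses for app roles in a SAML assertion (from the post).
AZURE_ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed role -> Django permission codenames; adjust to your own app's models.
ROLE_TO_PERMISSIONS = {
    "Writer": {"docs.add_document", "docs.change_document"},
    "Supervisor": {"docs.view_document"},
}

# Constructed sample assertion (NOT a real Azure AD response). Signature,
# Subject and Conditions are omitted because this example only covers the
# attribute step; a real response wraps the Assertion in a Response element,
# which the ".//" searches below also handle.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Writer</saml:AttributeValue>
      <saml:AttributeValue>Supervisor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_roles(assertion_xml):
    """Return the role attribute values from an already-validated assertion.

    Only the Attribute whose Name is the Azure AD role claim is considered;
    blank values are skipped so an empty AttributeValue does not become a role.
    """
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != AZURE_ROLE_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                roles.append(value.text.strip())
    return roles


def permissions_for_roles(roles):
    """Map app roles to permission codenames; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_TO_PERMISSIONS.get(role, set())
    return perms


if __name__ == "__main__":
    found = extract_roles(SAMPLE_ASSERTION)
    print(found, sorted(permissions_for_roles(found)))
```

Django does not allow direct assignment to user_permissions (it is a many-to-many field), so the flat attribute mapping in the question cannot populate it; apply the computed set from your own login handling, for example a subclass of djangosaml2's Saml2Backend, with user.user_permissions.set(...). Treat an empty role list as no access rather than falling back to a default role.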
I use WSO2 Identity Server and I can't understand from the documentation how roles work for my application (service provider). I understand that roles are used to make changes in the WSO2 platform, but I don't know how this helps me get roles and permissions for my app.
For example, I need to create a role named writer and another role named supervisor; the writer role can edit and create new docs, but supervisor can only read docs and mark them for editing by editors.
When I create this role in WSO2 and have to assign permissions, I can only see permissions for WSO2 management.
The permissions that you can see in the WSO2 management console only set the permission levels for WSO2 Identity Server functionality.
If you need to implement permission levels based on user roles on your application side, you need to handle that yourself.
You can retrieve the roles of the authenticated user from WSO2 Identity Server via a SAML response, an ID token, etc., depending on the authentication protocol you use.
After that, you will have to implement the permission levels on your application side based on your requirements.
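To make "handle it on the application side" concrete, here is an added example that is not code from the question, the answer or WSO2: it verifies a constructed ID token and then answers the writer/supervisor question from the post with a role-to-permission table. Assumptions: the roles arrive in a claim named groups (WSO2 IS maps its local role claim there by default, but the name depends on your claim configuration), the issuer and audience values are placeholders, and HS256 with a shared demo secret stands in for the RS256 signature a real Identity Server produces. In production, verify against the server's JWKS with a JWT library and keep the same algorithm, signature, issuer, audience and expiry checks.

```python
import base64
import hashlib
import hmac
import json
import time

# Role -> allowed document actions, from the writer/supervisor example in the post.
ROLE_PERMISSIONS = {
    "writer": {"doc:create", "doc:edit"},
    "supervisor": {"doc:read", "doc:mark_for_edit"},
}

# Assumption: roles are delivered in the "groups" claim of the ID token.
ROLE_CLAIM = "groups"

# Constructed values for the demo only. A real WSO2 IS deployment signs with
# RS256 and publishes its keys at /oauth2/jwks; use those instead of a secret.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://localhost:9443/oauth2/token"   # placeholder
EXPECTED_AUDIENCE = "docs-app-client-id"                  # placeholder client id


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_id_token(claims, secret=DEMO_SECRET, alg="HS256"):
    """Build a demo token so the example runs offline; your IdP issues real ones."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token, secret=DEMO_SECRET, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose (rejects alg=none and swaps).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def claims_or_none(token, secret=DEMO_SECRET, now=None):
    """Convenience wrapper: None for any rejected token."""
    try:
        return verify_id_token(token, secret=secret, now=now)
    except ValueError:
        return None


def is_authorized(claims, action):
    """Application-side check: any of the user's roles may grant the action."""
    roles = claims.get(ROLE_CLAIM, [])
    if isinstance(roles, str):
        roles = [roles]
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)


if __name__ == "__main__":
    token = make_demo_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                "sub": "alice", "exp": int(time.time()) + 300,
                                ROLE_CLAIM: ["writer"]})
    c = verify_id_token(token)
    print(c["sub"], "may create:", is_authorized(c, "doc:create"),
          "may mark:", is_authorized(c, "doc:mark_for_edit"))
```

The permission table lives in the application, which is exactly the division of labour the answer describes: Identity Server only asserts which roles the user holds. Keep the role names in the table identical to the role names configured in WSO2 (they are compared as plain strings here), and note that a missing or unexpected roles claim yields no permissions rather than a default.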
I'm using Cognito with a user pool to provide authentication for my Ionic application. The application uses AWS Amplify to perform the sign-up and sign-in operations.
Now I need to add Facebook authentication, so I added an external federated identity and also mapped the Facebook attributes to the corresponding Cognito user pool attributes.
On the application side I use the Facebook SDK to log in with Facebook, receive Facebook's JWT token and call Amplify's federatedSignIn() to authenticate. The authentication works, but no user is created inside the Cognito user pool (according to the official documentation, "Whether your users sign in directly or through a third party, all users have a profile in the user pool").
Since the user is not created I cannot call the Amplify method currentSession() to get the token (to be used for Lambda authentication), because there is no user.
Am I missing something?
This is the expected behaviour when using federated identities. In order to use social logins through a Cognito user pool it is necessary to use Cognito's built-in hosted UI, which is not supported by Ionic at the moment.
The Problem
Right now, when a user tries to log in to the default WSO2 API Store/Publisher, it won't authorize the user: in the Store it logs in and then logs out right away, and in the Publisher it throws a 401 Unauthorized error. I found a quick fix: in Carbon I added the user to the roles application/API Store and application/API Publisher, and now that user can log in. I'm guessing either the SP or the IdP isn't getting the roles right on the user.
There are no errors to find, but logging in causes the API Manager logs to say this:
INFO {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject} - invalidate: Session already invalidated {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject}
Environment
Our environment is a clustered environment with Identity Server 5.2 as the key manager. We also have API Manager 2.0 and some gateway workers. We use federated SAML2 authentication over to Shibboleth; all of that seems to be working fine.
Any ideas on how to troubleshoot this problem, or help understanding user roles and permissions within WSO2 better, would be a big help.
I got login to work by adding the login and API (subscribe, create, publish) permissions to the internal/everyone role.