It is possible to approve the openid certification for wso2 is? - wso2

The certification openid is this http://openid.net/certification/ and i don't know if it is posible pass with wso2 is.
In the next link talk about wso2 is but does not specify specify it is approvove
http://openid.net/developers/uncertified/

From IS 5.2.0, it is compliance with OIDC basic and implicit profiles but not hybrid, config and dynamic profiles. In our road maps we have tracked the requirement to compliance the other pofiles as well. In future releases this will be added.

Related

SSO Implementation ColdFusion

This is a very basic question. I want to do an SSO integration using ColdFusion but do not know where to start. I found the website ssoeasy.com through a google search, but am very confused about how to use it and where to find documentation.
I think it has something related with cfldap or cfhttp but not sure what and where:
<cfhttp method="get" url="http://testsso.com/login.cfm">
</cfhttp>
It really depends on what role you want to play in an SSO ecosystem. Are you an app in a larger federation (Service Provider), or are you trying to implement an SSO style login across multiple applications that you control, or are you looking to setup so that your users can log in with Google or Facebook or such other identity registers?
A few years back we did an implementation with Shibboleth (https://shibboleth.net/) and CF where our intended place in the system would be that of a Service Provider to other companies Identity Providers. It works pretty straight forward as we let Shibboleth handle all the SAML federation grunt work and then when it's completed we get an e-mail address (the unique identifier we decided on) back from Shibboleth saying that the user has been authenticated via the Identity Provider.
Other 'SSO' implementations are around for other types of integrations.
From CFCs to handle OAuth -- https://github.com/coldfumonkeh/oauth2
To integrated oauth support if you're running a new enough version of ColdFusion https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-m-o/cfoauth.html
Hope this is of assistance to you.
If I understand your SSO use case, the application will be a cloud service provider (SP). There are three things you need to determine to help in the selection of the appropriate technology, mainly (1) SSO protocol to integrate, mainly SAML, OAuth, OpenID Connect (OIDC), etc. (2) Hosting, mainly Cloud, On-Prem, or hybrid, and (3) whether or not IdP discovery is needed for your business partners.
Being ColdFusion based as well as working to be a cloud SP web application, my experience is that the application is to be hosted by your organization, such that an on premise SSO capability is desired, as well as IdP Discovery will be needed for your partners.
As noted in your question there are some options for integration. I have found the most popular approach to being a SP website is to utilize a vendor product that handles the SSO protocol (e.g. SAML, OIDC) where the integration with your ColdFusion application is based upon a simple REST API integration. With this design pattern, the vendor product manages all the security of the SSO protocol and then simplifies integration to your application as a secure REST API exchange of identity information. This will minimize the impact to your application and also give the most support for modern identity. One product that offers this capability is PingFederate via the Agentless integration (also referred to as Reference ID integration). I have had much success integrating ColdFusion applications following this type of approach.
SAML seemed to be the easiest to implement for our team. Phil Duba's 2013 Beyond Encrypt() presentation is a good starting place. His website is down right now, but I'm sure you can find the downloadable file somewhere. Learning about SAML in general would be a good idea. Also, you can use Java, so maybe look at SAML/OAUTH Java examples and try doing that for Coldfusion since it is based on Java.

How to ptotect non-browser based webservice with saml

I want to protect non-browser based web service with saml using wso2is. please provide me some links or tutorial to do this. So far I google about this but I didn't get idea how to do this. please help. thnx
To protect non-Browser based web services with SAML we need the ECP Profiles. But in the current implementation of the WSO2 Identity server, it doesn't support ECP profiles. It will be implemented in future releases.

WSO2 Identity Server setting a user to "inactive"

Is there a way to inactivate a user in WSO2 identity server 5.0.0?
Inactivating should mean that the user cannot login to other applications which are SSO integrated into the IS.
Removing roles/permissions seems not to do the trick.
WSO2 IS supports account lock feature to cater your requirement from IS 4.5.0 onwards. Please follow this document.
Account disable functionality is not yet implemented and we have already reported a jira to track it in future releases.

Recommendation for integrating WSO2 API Manager, Identity Server and Shibboleth

What is the current, recommended way to setup a WSO2 API manager to use SSO against a Shibboleth IDP?
Our organization has an existing SSO infrastructure built around Shibboleth’s IDP which we would like to integrate into our API Manager installation. Ideal Use Case:
User navigates to API Manager Store.
User is redirected to Shibboleth IDP Login page.
If one doesn’t exist, an API Manager Account is created and assigned the Subscriber role.
User is returned to API Manager and logged in. “Signed-in-as:” renders a reasonable user name (i.e. not a GUID).
I’m aware that there is an included SAML2 authenticator component to the API Manager but it is limited in features, specifically it does not handle Encrypted Assertions, Using specific attributes for username/display name and automatic user creation.
I understand that we could write a custom authenticator, however we would rather avoid creating another code base that needs to be maintained and doesn’t have community support. If a simpler solution cannot be determined then this will likely be what we do.
What I am currently investigating is delegating all user management for the API Manager to a WSO2 Identity Server. It IS would delegate authentication to Shibboleth and auto provision users before returning to the AM. The IS seems like it could address all of the issues mentioned above.
Firstly, is this an appropriate strategy? If so, how is it recommended that the AM and IS be configured?
Should the IS and AM both point to the same JDBC Database or should the AM point to the IS’s LDAP server?
Regarding the AM authenticator which is pointed to the IS, should I use SAML or OAuth, or is there a better/simpler one?
Shibboleth IDP v2.4 – SAML2 with Attribute Push preferred.
WSO2 API Manager v1.6.0
WSO2 Identity Server v5.0.0
Here's the results of my research, for anyone interested:
1) This is an appropriate strategy. The new features in the 5.0 release of Identity Server are mainly centered around this scenario. And the 1.7 release of AM also includes features to facility this setup. Finally I've heard from the developers that they intend to push this integration even further in the next few releases.
2) As of AM 1.6 there was a bug which made it almost required to share the same Primary JDBC user store. As of 1.7 it should be more open.
There does not seem to be a preference from the people at WSO2 between LDAP and JDBC (except that the default H2 DB is not designed for production environments), however if you are choosing between installing a DB or Open LDAP for this, a LDAP server seems more suited to the choice.
3) It's best to use SAML for communicating between the two when the goal is to present the user with a UN/PW screen. When the goal is to login with pre-issued tokens then OAuth. The API Manager and IS use both protocols behind the scenes, but the answer to this particular question seems to be SAML.
In the future WSO2 plans to expand the "Trusted IDP" feature of their products, which will streamline this process (and use SAML behind the scenes).

SAML with Django authentication

I'm using Django and nginx hosted on AWS. I'm trying to integrate with a university for SAML authentication, using their idp. There are plenty of outdated answers on SO, but is there anything more relevant with current standards?
Many of the apps i've seen are for django 1.2 and lower. Specifically i'm looking for resources that would allow me to more easily manage the SAML authentication through some middleware or anything else.
Some of the things I have seen are:
https://github.com/unomena/django-saml2-idp
https://github.com/WiserTogether/django-saml2-sp
The project I found is below:
https://bitbucket.org/lgs/djangosaml2/overview
The project uses psaml2 for SAML support. Pysaml2 can be found here:
https://github.com/rohe/pysaml2
Bear in mind that djangosaml2 may not use the latest version of pysaml2. I tested it and its working fine.
UPDATE
djangosaml2 works with latest version of pysaml2, but make sure to add this line to make it work:
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
This should be in your settings.py.
SAML is two sides:
IDP -> Identity Provider side -> i.e. the university
SP -> Service Provider -> i.e. your application
Sounds like this one is what you want: https://github.com/WiserTogether/django-saml2-sp.
You have to take into account that SAML as a standard is complex, so you might find issues getting the library talk to the SAML implementation in the university. You will also have to get from them the identity provider cert public key and ask them to add your application on their side with a specific entity id. And when you start managing a couple of them it gets complex.
You might also want to check out something like Auth0 to handle all those SAML connections. There is a very simple python sample https://gist.github.com/woloski/8149412
Hi I just created a django saml2 authentication plugin.
https://github.com/fangli/django-saml2-auth
It's quite easy to integrate with your SAML2 provider, hope you enjoy.
This library is actively maintained: https://github.com/onelogin/python3-saml/tree/master/demo-django