Single sign on wso2 - wso2

I use single sign-on with Shibboleth and Identity Server. I always seem to run into authorization issues when logging in. When I add login permissions to the internal/everyone role, users can log in, but I don't want all users to log in. So I have a secondary user store added and only want specific roles to be allowed to log in. No matter what permissions I add to the roles, it doesn't do anything for single sign-on. Do I have to add role mapping to the service providers or the identity provider? I tried many things, and it's always a problem I run into.

Under user-mgt.xml I changed this tag to true:
<Property name="GetAllRolesOfUserEnabled">true</Property>
I changed this tag in the APIM and gateways where I have my secondary user store connected. If your APIM is checking permissions remotely, you can change the tag in the Identity Server.

Authenticate AWS Opensearch dashboard using LDAP via keycloak

Requirement
I am working on a client project where we need to set up our AWS managed OpenSearch dashboard (Kibana). As per the requirement, we should use Keycloak for the SAML configuration. We also need to use LDAP as user federation.
Current Setup
AWS OpenSearch setup is completed and I am able to log in with the master user credentials.
Integration of Keycloak with the OpenSearch dashboard is done. I am able to log in to the OpenSearch dashboard using a Keycloak local user by adding it to the all_access group in Dashboard (Kibana).
LDAP integration with Keycloak is also completed. I can sync all LDAP users within Keycloak and am able to log in with individual LDAP users when adding them to the all_access group in Dashboard (Kibana).
Issue/Open tasks
How can I add an entire Keycloak group to the OpenSearch Dashboard so I do not have to add individual users? I tried adding the group name in the dashboard under the backend role section but it does not work. I also tried a few mappings (not sure if they were correct) but had no luck. Every time it gives "missing role-contact your administrator".
Same issue with LDAP groups as well: I can sync all LDAP groups within my Keycloak but am not sure how to map them to the OpenSearch Dashboard for login.
Ultimate Goal
Create two groups, one as admin and the other as limitedaccess, so that users who are part of the admin group can log in with the assigned permissions and users in the limitedaccess group can log in with their permissions.
I do not want to add individual users in the Dashboard; rather, they should be able to log in directly based on role/group mapping.
The issue is resolved.
Following are the things I did, which may be useful for others looking for similar setup.
Created two groups in my Keycloak: "admin" and "limited".
Created two roles: "admin_role" and "limited_role".
Made the limited group the default group and limited_role the default role, so new users directly get the limited permissions.
Next, which I was missing all the time (and thanks to other Stack Overflow answers), was to enable the single role mapping. For this, go to Client scope role_list --> mappers --> role list --> enable "Single Role attribute".
Added the "Role" keyword in OpenSearch in the role key section (under additional settings in AWS OpenSearch SAML configs). Also specified a generic user in the SAML master user section (a generic user which I created in Keycloak) so that I can gain admin privileges to add backend roles in the OpenSearch Dashboard.
Finally, logged in to my OpenSearch with this generic user. Go to Security --> Roles --> Manage mapping --> backend roles --> added my admin_role to all_access and limited_role to the read roles.
Now I am able to log in with all the users who are part of the respective groups in Keycloak.
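The two settings that made the answer above work are the "Single Role attribute" mapper option on the Keycloak side and the matching role key ("Role") on the OpenSearch side. The following is an added example, not code from the post or from Keycloak or OpenSearch: it parses two constructed SAML AttributeStatements (one in the single-attribute shape, one with a separate Attribute per role), reads the role values under a configurable roles key, and maps them onto the backend-role mapping the answer describes. The "first attribute only" reader is an assumption used to model a consumer that drops roles when the single-attribute option is off; the role and mapping names are taken from the post.

```python
"""Added example (not from the original post): parse the SAML AttributeStatement
that Keycloak sends and map the role values onto OpenSearch backend roles.
Role names (admin_role, limited_role, all_access, read) follow the post; the two
assertions below are constructed, not captured from a real IdP."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the shape produced with "Single Role attribute" enabled, one
# Attribute named Role carrying several AttributeValue children.
SINGLE_ATTRIBUTE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>admin_role</saml:AttributeValue>
      <saml:AttributeValue>limited_role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: the same roles with the option disabled, one Attribute per role.
MULTI_ATTRIBUTE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>admin_role</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>limited_role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mirrors the post's Manage mapping step: OpenSearch role -> backend roles.
BACKEND_ROLE_MAPPING = {
    "all_access": {"admin_role"},
    "read": {"limited_role"},
}


def role_attributes(assertion_xml, roles_key="Role"):
    """Return every Attribute element whose Name equals the configured roles key."""
    root = ET.fromstring(assertion_xml)
    return [
        attr
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == roles_key
    ]


def values_of(attribute):
    """Text of each AttributeValue child, skipping empty ones."""
    return [v.text.strip() for v in attribute.iterfind("saml:AttributeValue", SAML_NS) if v.text]


def roles_all_attributes(assertion_xml, roles_key="Role"):
    """Lenient reader: collect values from every Attribute with the roles key."""
    roles = []
    for attr in role_attributes(assertion_xml, roles_key):
        roles.extend(values_of(attr))
    return roles


def roles_first_attribute(assertion_xml, roles_key="Role"):
    """Strict reader that honours only the first matching Attribute. Assumption:
    this models a consumer for which the one-attribute-per-role form loses roles,
    which is why the single-attribute option matters."""
    attrs = role_attributes(assertion_xml, roles_key)
    return values_of(attrs[0]) if attrs else []


def resolve_opensearch_roles(backend_roles, mapping=BACKEND_ROLE_MAPPING):
    """Map backend roles to OpenSearch roles; no match means no access."""
    granted = sorted(name for name, backends in mapping.items() if backends & set(backend_roles))
    if not granted:
        raise PermissionError("missing role - contact your administrator")
    return granted


if __name__ == "__main__":
    for label, xml_text in (("single", SINGLE_ATTRIBUTE_ASSERTION), ("multi", MULTI_ATTRIBUTE_ASSERTION)):
        roles = roles_first_attribute(xml_text)
        print(label, roles, resolve_opensearch_roles(roles))
```

Running it shows that the strict reader sees both roles in the single-attribute form but only admin_role in the multi-attribute form, and that a user with no matching backend role is rejected rather than silently granted a default.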

configure list users for service provider WSO2 API Manager

I have installed WSO2 API Manager and am trying to set up authentication and authorization via API Manager. I can't figure out how to configure which users will be able to log in through the app. Currently, all users who are in the user store are allowed to log in. I need to restrict the ability to log in to the app to a certain range of users. How can this be done?
You can achieve this by adding roles to the particular users. Refer to this doc: https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#managing-user-roles
You need to configure the roles and permissions according to your use case:
Create a role (e.g. testRole) and assign the required permissions, except for the login permission (Admin Permissions > Login), to that role [1].
Create a new user (e.g. testUser) and assign testRole to that user [2].
Now the testUser that you have created has no login permission to the app.
[1] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#create-user-roles
[2] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-users/#adding-a-new-user

WSO2 Identity Server not able to see SAML SSO option under Manage

I installed WSO2 Identity Server and logged in using admin/admin, but under the home pane I am not able to see the SAML SSO and OAuth entries under the Manage category. Any help will be appreciated. Thanks.
Did you try to log in as "admin", create a new role and validate the list of permission settings visible under this role (see the permissions icon)? A tree with checkboxes should be visible defining the permission level for each role, thereby defining the permissions inherited by the account. Once the role is defined, create and add a user account to this role. Log out and log in with the new administrator user ID and hopefully you will see all options on the menu.

How to reset roles in WSO2 Identity Server?

I have a primary LDAP user store pointing to Active Directory in user-mgt.xml. When I initially set it up I set the <AdminRole> setting to "everyone" as I was testing the configuration. Later, I switched this to a new AD group/role. I then went in and was reviewing the role permissions. The new role had all permissions, but the "internal/everyone" role still had full admin permissions as well. I removed the permissions from internal/everyone and now I cannot sign in to the Identity Server web interface with any account. How do I reset the roles so I can sign in and only my AdminRole group has full admin access?
The problem was due to two missing properties in the default read-only LDAP sample in user-mgt.xml when using Active Directory. Adding these two lines and restarting the server resolved the issue:
<Property name="BackLinksEnabled">true</Property>
<Property name="MemberOfAttribute">memberOf</Property>
This was mentioned in the post: WSO2 -> Active Directory -> user - role mapping

How often is an LDAP user store refreshed in WSO2 Identity Server?

I am using WSO2 Identity Server 5.0.0. I have set up a primary read-only LDAP connection in user-mgt.xml. I created a new group on the LDAP server to assign permissions in the Roles section. The new group is not listed. How long does it take to refresh the LDAP groups, and is there a way to force a refresh?
Normally LDAP groups are read on demand when they are listed in the UI. If you have more than 1000 groups in LDAP, then not all the groups will be listed in the UI.
If you are asking about the roles under users, i.e. the assigned roles for the users: yes, there is a cache in WSO2 IS called userRoleCache which caches the roles for a given user. This cache is refreshed after 15 min. Currently you cannot configure this timeout value. If you want, you can completely disable the cache using the following user store manager property (in the user-mgt.xml file), set to false:
<Property name="UserRolesCacheEnabled">false</Property>
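The three WSO2 answers on this page (the GetAllRolesOfUserEnabled tag, the two Active Directory properties BackLinksEnabled and MemberOfAttribute, and the UserRolesCacheEnabled toggle) all come down to the contents of the UserStoreManager block in user-mgt.xml, and the "AdminRole set to everyone" situation in the reset-roles question is a Configuration setting in the same file. The following is an added example, not code from the posts or from WSO2: it parses a constructed user-mgt.xml, reports whether AdminRole is the everyone role, lists which of the Active Directory group properties are missing, tells whether the role cache is on, and can write the fixes back. The property names are the real user-mgt.xml ones; the sample document, its placeholder connection URL, the check logic and the assumed cache default are this example's own.

```python
"""Added example (not from the original posts): read the UserStoreManager block
of a WSO2 user-mgt.xml and report the settings discussed in the answers above.
The sample document is constructed; its connection URL is a placeholder."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the read-only LDAP user store block, in the
# state the reset-roles question describes: AdminRole still set to everyone
# and the two Active Directory properties from the answer not yet added.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>everyone</AdminRole>
      <AdminUser><UserName>admin</UserName></AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://ad.example.invalid:389</Property>
      <Property name="ReadGroups">true</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

# The two lines the reset-roles answer adds for Active Directory.
AD_PROPERTIES_FROM_ANSWER = {"BackLinksEnabled": "true", "MemberOfAttribute": "memberOf"}


def parse_user_mgt(xml_text):
    """Return (AdminRole, EveryOneRoleName, user store class, {property: value})."""
    root = ET.fromstring(xml_text)
    conf = root.find("./Realm/Configuration")
    usm = root.find("./Realm/UserStoreManager")
    props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
    return conf.findtext("AdminRole"), conf.findtext("EveryOneRoleName"), usm.get("class"), props


def admin_role_is_everyone(xml_text):
    """True when AdminRole names the everyone role, i.e. every user is an admin."""
    admin_role, everyone, _, _ = parse_user_mgt(xml_text)
    return admin_role == everyone


def ad_group_problems(props):
    """Settings that would stop AD group membership from resolving to roles."""
    problems = []
    if props.get("ReadGroups", "").lower() != "true":
        problems.append("ReadGroups must be true for LDAP groups to be read as roles")
    for name, expected in AD_PROPERTIES_FROM_ANSWER.items():
        if props.get(name) != expected:
            problems.append(f"{name} should be {expected} for Active Directory group lookups")
    return problems


def role_cache_enabled(props):
    """userRoleCache is on unless UserRolesCacheEnabled is explicitly false.
    Assumption: a missing property means the cache keeps its enabled default."""
    return props.get("UserRolesCacheEnabled", "true").lower() != "false"


def with_properties(xml_text, extra):
    """Return a copy of the document with the given properties added or updated."""
    root = ET.fromstring(xml_text)
    usm = root.find("./Realm/UserStoreManager")
    existing = {p.get("name"): p for p in usm.findall("Property")}
    for name, value in extra.items():
        elem = existing.get(name)
        if elem is None:
            elem = ET.SubElement(usm, "Property", name=name)
        elem.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    _, _, cls, props = parse_user_mgt(SAMPLE_USER_MGT)
    print("store:", cls)
    print("AdminRole is everyone:", admin_role_is_everyone(SAMPLE_USER_MGT))
    print("AD group problems:", ad_group_problems(props))
    print("role cache enabled:", role_cache_enabled(props))
    fixed = with_properties(SAMPLE_USER_MGT, dict(AD_PROPERTIES_FROM_ANSWER, UserRolesCacheEnabled="false"))
    print("after fix:", ad_group_problems(parse_user_mgt(fixed)[3]))
```

Run against a real user-mgt.xml, the same functions flag an AdminRole that still equals EveryOneRoleName (the state that left internal/everyone with full admin rights in the question above) and an Active Directory store missing the memberOf back-link properties, before any role permissions are edited.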