I'm working with Identity Server 5.1, my customer requiere support multiple languages, so the login authorization page and the recovery password function on the identity server are in english by default Is there a way to manage multiple languages?
For example I want to send the recovery password email, I know the email template is in this file email-admin-config.xml and it's ok if you only support one language but in my case I need support more languages is there a way or a solution to this?
This is one of the features in the upcoming release of Identity Server (5.3.0). According to the JIRA it is available from milestone 1 release of 5.3.0. You can download the milestone releases from here.
Related
I am trying to utilise multitenancy feature in WSO2 by using github releases(https://github.com/wso2/product-is/releases/tag/v5.11.0). I just wanted to understand if there are any limitations for the same between enterprise version downloaded from wso2 site and github releases.
Thanks
WSO2 doesn't have an Enterprise Version of the product. Everybody uses the same base release and if you have a subscription you will be receiving product updates for bug fixes, improvements, security issues etc. Other than that there are no hidden features or limitations in the Opensource version.(Rarely some features are introduced as updates, in these cases you may not receive them) The subscription is for getting updates and getting support from WSO2.
You can read more about WSO2 subscription from here.
Adding to #YCR answer, yes, multi tenancy is supported in IS 5.11.0 and IS 6.0.0 and it was supported throughout IS 5.x series. Please see Tenant Management on WSO2 documentation.
According to https://docs.aws.amazon.com/cognito/latest/developerguide/apple.html:
If you use Sign in with Apple with native iOS applications, enter the
BundleID [...] Or if you use Sign in with Apple with web or other
applications, enter the service ID".
However, we are integrating the Identity Pool with both, App & Web. So, if we add the bundle Id as the 'Apple Service ID', it works only for App, but if we put the Service ID instead, it only works for Web. There doesn't seem to be a way to add more than one Service ID.
How can we integrate with both, an iOS App and Web?
If anyone still is looking, one solution is to create SIWA as an OpenID Connect Provider depending on what you need.
Amazon does recommend this for Google on multiple platforms and there is this documentation which shows you how to do it for "accounts.google.com" but it actually works if you set up the provider as "appleid.apple.com" and add both the Bundle ID and the Service ID as an audience for the brand new identity provider.
After raising this with AWS, they notified me that they only support one Apple provider per identity pool at this time.
They then asked if we could use multiple identity pools for integrating both app, and web. For that I'll need to see wider implications to our application.
I am new to this software. From what I know, the WSO2 Enterprise Integrator is come with Enterprise Service Bus inside it. But the Identity Server (IS) is not bundled with the EI.
For my current and new project, we going to be used both of it inside the architecture. Please see below diagram for more information.
Part of my project architecture
Based on the diagram, when the user is using the portal to login. The EI is serve as the middle-ware between the portal and the IS to connect to the LDAP.
Looking at the documentation, there is way to connect from IS to the other product but not vice-versa.
My question right here is how to allow the ESB to communicate to the IS and return back the message/request to the Portal.
Thank you.
Yoy did not describe your use case what do you want to achieve so I will assume you want to authenticate the portal user or manage users.
WSO2IS (and effectively any wso2 product) exposes admin services, some are common, some specific to the product. The services require basic authentication.
please see https://medium.com/#maheeka/wso2-admin-services-c61b7d856272
Another service to authenticate a user is a token service with password grant (that may be more appropriate to authenticate users and authorize requested scopes)
Just a note:
If you want to use the whole setup only only to authenticate users, then IMHO you rather may use OAuth or SAML with the IS, not passing passwords in ESB
Is there a way to inactivate a user in WSO2 identity server 5.0.0?
Inactivating should mean that the user cannot login to other applications which are SSO integrated into the IS.
Removing roles/permissions seems not to do the trick.
WSO2 IS supports account lock feature to cater your requirement from IS 4.5.0 onwards. Please follow this document.
Account disable functionality is not yet implemented and we have already reported a jira to track it in future releases.
What is the current, recommended way to setup a WSO2 API manager to use SSO against a Shibboleth IDP?
Our organization has an existing SSO infrastructure built around Shibboleth’s IDP which we would like to integrate into our API Manager installation. Ideal Use Case:
User navigates to API Manager Store.
User is redirected to Shibboleth IDP Login page.
If one doesn’t exist, an API Manager Account is created and assigned the Subscriber role.
User is returned to API Manager and logged in. “Signed-in-as:” renders a reasonable user name (i.e. not a GUID).
I’m aware that there is an included SAML2 authenticator component to the API Manager but it is limited in features, specifically it does not handle Encrypted Assertions, Using specific attributes for username/display name and automatic user creation.
I understand that we could write a custom authenticator, however we would rather avoid creating another code base that needs to be maintained and doesn’t have community support. If a simpler solution cannot be determined then this will likely be what we do.
What I am currently investigating is delegating all user management for the API Manager to a WSO2 Identity Server. It IS would delegate authentication to Shibboleth and auto provision users before returning to the AM. The IS seems like it could address all of the issues mentioned above.
Firstly, is this an appropriate strategy? If so, how is it recommended that the AM and IS be configured?
Should the IS and AM both point to the same JDBC Database or should the AM point to the IS’s LDAP server?
Regarding the AM authenticator which is pointed to the IS, should I use SAML or OAuth, or is there a better/simpler one?
Shibboleth IDP v2.4 – SAML2 with Attribute Push preferred.
WSO2 API Manager v1.6.0
WSO2 Identity Server v5.0.0
Here's the results of my research, for anyone interested:
1) This is an appropriate strategy. The new features in the 5.0 release of Identity Server are mainly centered around this scenario. And the 1.7 release of AM also includes features to facility this setup. Finally I've heard from the developers that they intend to push this integration even further in the next few releases.
2) As of AM 1.6 there was a bug which made it almost required to share the same Primary JDBC user store. As of 1.7 it should be more open.
There does not seem to be a preference from the people at WSO2 between LDAP and JDBC (except that the default H2 DB is not designed for production environments), however if you are choosing between installing a DB or Open LDAP for this, a LDAP server seems more suited to the choice.
3) It's best to use SAML for communicating between the two when the goal is to present the user with a UN/PW screen. When the goal is to login with pre-issued tokens then OAuth. The API Manager and IS use both protocols behind the scenes, but the answer to this particular question seems to be SAML.
In the future WSO2 plans to expand the "Trusted IDP" feature of their products, which will streamline this process (and use SAML behind the scenes).