I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a Load Balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (AWS EC2 machines).
I noticed that if I want to return a particular set of claims I must:
- Update the Claim Configuration of the particular Service Provider
- Make sure /_system/config/oidc has the necessary claims stored in the "openid" property
- Make sure the claims stated in the Claim Configuration of the Service Provider are populated in the identity profile
Is there a way to centralize the claim mappings and not have to configure the claims for each Service Provider?
I noticed that I could update the SP_CLAIM_MAPPING table in the database directly, but is there another way to achieve this result?
Thanks in advance.
Currently, there is no way to centralize claim mappings in Identity Server. You have to specify claim mappings in each SP separately.
It will be supported in a future release. You can find some discussions here.
Thanks
Isura
I have multiple WSO2 IS servers set up as my dev, staging and prod environments.
I would want to have functionality wherein I can export all the configuration from one server (say dev) to another server (say staging) to make both servers identical, i.e. both servers would have the same database configurations, same tenants, same service providers, same identity providers and so on.
From the documentation here, I know that I can create service providers and identity providers using XML files, so in turn, I can share the XML files to sync SPs and IdPs between servers.
But is there a standard way to achieve that? Like, from the management console or so?
It even seems possible that syncing the [IS-HOME]/repository directory between servers would ensure that they are identical, but are there any caveats to this approach?
There is no standard way to sync the service provider configurations among different environments as of now. This issue is reported to track the feature requirement; it's a work in progress at the moment and you can expect it in a future release.
One possible solution you can use to achieve your target is retrieving the service provider from the Admin service and creating the same service provider in the other environment.
You can use the file-based service provider configurations to achieve this target. But with that approach, you will not be able to see the service providers added from the configuration files in the management console. The next limitation you will face is that you can add SAML-based inbound authentication configurations only through the config files (such as OAuth 2.0 / OIDC inbound authentication configurations).
To answer your last question, you can't sync the [IS-HOME]/repository folder to achieve this. The reason you were able to observe this behavior seems to be that you are using the inbuilt H2 database, and it's in the [IS-HOME]/repository/database folder. With your file sync, you have actually synced the databases.
I'm using WSO2 API Manager v2.2.0 for the API gateway, and I have a problem backing up users and roles. At the moment I'm using api-import-export-2.1.0, but it only backs up APIs. Any advice for my problem?
Users and roles are in the user database, therefore you need to backup your user database (or any other userstore you use).
By default WSO2AM comes with H2 embedded database which is not really recommended (or suited) for production deployment and you should setup your own databases on any supported DB system.
If you still use the embedded H2 database, by default the user database file is located at repository/database/WSO2CARBON_DB.h2.db; however, I don't recommend backing up/copying the file while it is open (while wso2am is running).
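The caveat in the answer above (never copy the H2 file while the server has it open) can be enforced in a small backup script. The following is an added example, not from the thread or from WSO2: it refuses to copy the database while H2's lock file is present and records a checksum of the copy. It assumes H2's default file-lock mode, in which an open database keeps a `<name>.lock.db` file next to `<name>.h2.db`; the `WSO2CARBON_DB.h2.db` path comes from the answer, while `CARBON_HOME` is a placeholder for the real install directory.

```shell
#!/bin/sh
# Added example (not part of the original thread): copy the embedded H2
# database only when it is not open. Assumption: H2 runs in its default
# file-lock mode, so an open database has a "<name>.lock.db" file beside it.

backup_h2_db() {
    db_file="$1"        # e.g. "$CARBON_HOME/repository/database/WSO2CARBON_DB.h2.db"
    backup_dir="$2"     # directory that receives the timestamped copy
    lock_file="${db_file%.h2.db}.lock.db"

    if [ ! -f "$db_file" ]; then
        echo "database file not found: $db_file" >&2
        return 2
    fi
    # The lock file means the server still has the database open; a copy
    # taken now may be inconsistent, so stop the server first.
    if [ -e "$lock_file" ]; then
        echo "refusing to copy: $lock_file exists, database is open" >&2
        return 1
    fi

    mkdir -p "$backup_dir" || return 3
    stamp=$(date +%Y%m%d%H%M%S)
    target="$backup_dir/$(basename "$db_file").$stamp"
    cp "$db_file" "$target" || return 3
    # Store a checksum so the copy can be verified before a restore.
    cksum "$target" > "$target.cksum"
    echo "$target"
    return 0
}

# Usage (with the server stopped):
#   CARBON_HOME=/path/to/wso2am   # placeholder, set to the real install
#   backup_h2_db "$CARBON_HOME/repository/database/WSO2CARBON_DB.h2.db" /var/backups/wso2am
```

The function exits non-zero when the lock file is present, so a cron job built on it fails loudly instead of silently producing a possibly corrupt copy. If you have already moved the user store to an external database such as MySQL, use that database's own dump tooling instead of copying files.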
In the multi-tenanted environment (create and work with tenants), Registry Database is required to share the information in this database between the Gateway and Key Manager components.
So in the above line, which information needs to be shared, and where does it need to be shared?
There are no special DB configurations for multi-tenancy; tenant-related information will be stored in the same DBs. And when you are clustering APIM you need to share databases among the nodes irrespective of tenant usage. You can refer to this guide for clustering.
What it basically says is that you need to do steps 8.c and 11 in the "Installing and configuring the databases" section of the API Manager clustering guide for the gateway and key manager nodes as well.
I have clustered WSO2 ESBs (4.9) with deployment synchronization enabled, and I have enabled secure vault. Now all the deployments have been synced to all worker nodes, but how can I sync my secure vault credentials with the worker nodes?
I tried copying the "wso2carbon.jks" file, I tried copying the "cipher-text.properties" file, it didn't work.
So how can I sync my secure vault with the other worker nodes?
Yes. If you have clustered the environment correctly it should automatically get synchronized. Steps to follow,
Add a secure vault entry to ESB manager node.
Check the secure vaults in the ESB worker node (if not running in -Dworker mode).
If the workers are running on -Dworker mode, you can also check the wso2carbon.log for the logs right after adding the entries to secure vault.
When you are deploying an ESB cluster, you can use Puppet and Hiera to make the configuration changes. WSO2 already provides Puppet modules to deploy WSO2 product clusters. You can use the existing WSO2 ESB Puppet module to achieve your requirement. Refer to the "Running WSO2 Enterprise Service Bus with Secure Vault" section of the README of the WSO2 Enterprise Service Bus Puppet Module to configure Secure Vault related configurations across the cluster.
I have two instances of WSO2 API Manager running on two different servers. Both of them refer to the same UM_DB. I created a role by logging in with admin credentials on one server. After that I checked for the role on the other server by logging in with admin credentials again. I found that the role existed on the other server, but the permissions that I provided for that role did not exist on the other server. Is that a bug with WSO2 API Manager, or did I miss something in the configuration?
You want to deploy two APIM instances in a cluster. It is better to refer to the APIM clustering guide to set it up properly. There are two things you need to understand when you are deploying APIM in a cluster:
You must point both instances to the same database. There can be three logical databases, i.e. UM, Registry and AM databases. These three can be one physical DB. However, both instances must point to the same ones.
You must configure Hazelcast-based clustering using the axis2.xml file. This is required because APIM uses a Hazelcast-based implementation to distribute the data in the caches. In your scenario, I guess you have not configured this. Therefore the permission tree has not been distributed between the two nodes, and a lot of data that is stored in the caches for high performance is not shared either. So please make sure to configure this properly.
I guess this would help you.