I have created a secondary user store with a Postgres database and imported the tables by running the script PRODUCT_HOME/dbscripts/postgresql.sql.
In the Advanced settings for the newly created user store I have checked Enable SCIM.
The user store is working fine, but when I try to fetch users with:
curl -k --user admin:adminPass https://server.com:9443/wso2/scim/Users
I receive only the users that are in the PRIMARY store. How can I also receive the users from the secondary store, or only the users from the secondary store?
EDIT: It seems that any newly created user from the secondary store can be fetched and it works; only old users that were created before I checked Enable SCIM are not fetched.
For a user/group to be retrieved from the SCIM APIs, they should have the SCIM-specific claims below.
urn:scim:schemas:core:1.0:userName
urn:scim:schemas:core:1.0:meta.location
urn:scim:schemas:core:1.0:meta.created
urn:scim:schemas:core:1.0:meta.lastModified
urn:scim:schemas:core:1.0:id
When you create a user/group after enabling SCIM in the user store, these claims are automatically created. But since your existing users/groups don't have these claims, the SCIM APIs can't retrieve them.
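A small audit script, added here as an example and not part of the question or answer above: it fetches a page from the same SCIM 1.1 Users endpoint as the curl command, groups the returned users by user store domain (WSO2 prefixes secondary-store users as DOMAIN/username), and flags records that lack any of the five attributes the answer lists. The server URL, credentials and the sample response are constructed assumptions.

```python
import base64
import json
import ssl
import urllib.request
from collections import defaultdict

# The SCIM 1.1 attributes corresponding to the claims named in the answer above.
REQUIRED_ATTRS = ("id", "userName", "meta.created", "meta.lastModified", "meta.location")


def _get_path(resource, dotted):
    # Resolve a 'meta.created'-style path inside a SCIM resource dict.
    node = resource
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_users(list_response):
    # Group users by user store domain; names without a prefix belong to PRIMARY.
    # Also report records missing any required attribute (incomplete SCIM claims).
    by_domain = defaultdict(list)
    incomplete = []
    for res in list_response.get("Resources", []):
        name = res.get("userName", "")
        domain = name.split("/", 1)[0].upper() if "/" in name else "PRIMARY"
        by_domain[domain].append(name)
        missing = [a for a in REQUIRED_ATTRS if _get_path(res, a) is None]
        if missing:
            incomplete.append((name, missing))
    return dict(by_domain), incomplete


def fetch_users(base_url, user, password, start_index=1, count=100, cafile=None):
    # One page of /wso2/scim/Users with basic auth, like the curl command above.
    # Pass cafile= for a self-signed server certificate instead of disabling checks.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/wso2/scim/Users?startIndex={start_index}&count={count}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample ListResponse (not captured from a real server).
SAMPLE = {"totalResults": 3, "Resources": [
    {"id": "1", "userName": "admin", "meta": {"created": "2020-01-01T00:00:00Z",
     "lastModified": "2020-01-01T00:00:00Z", "location": "https://server.com:9443/wso2/scim/Users/1"}},
    {"id": "2", "userName": "SECONDARY/alice", "meta": {"created": "2020-01-02T00:00:00Z",
     "lastModified": "2020-01-02T00:00:00Z", "location": "https://server.com:9443/wso2/scim/Users/2"}},
    {"id": "3", "userName": "SECONDARY/bob", "meta": {"created": "2020-01-03T00:00:00Z"}}]}
```

Run `audit_users(fetch_users("https://server.com:9443", "admin", "adminPass"))` against a live server; if the SECONDARY key is absent from the first result, the secondary-store users are not being returned at all.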
Related
I have a secondary user store (JDBC) created in WSO2 IS 5.11.0.
Two roles are added under the user store.
I am using the SCIM 2.0 API below to get the roles:
https://{IS_IP}:{PORT}/t/carbon.super/scim2/Roles, but only the roles created under the primary user store are listed in the response.
Under the claims list -> http://wso2.org/claims -> Role -> Mapped attributes, I have added the secondary user store to the list. Still not getting the response.
Is there any other configuration to be done to get it via the SCIM API?
Since WSO2 IS 5.11.0, Groups and Roles are considered separately. Refer to [1].
The https://{IS_HOST}:{PORT}/scim2/Groups endpoint lists the user store groups (both primary and secondary user stores' groups).
The https://{IS_HOST}:{PORT}/scim2/Roles endpoint lists the Roles (Roles are basically Internal and Application roles. You won't see any prefix for Internal roles in the list).
In your case, since you have added a user store group, it needs to be managed via https://{IS_HOST}:{PORT}/scim2/Groups.
I have installed WSO2 API Manager and am trying to set up authentication and authorization via API Manager. I can't figure out how to configure which users will be able to log in through the app. Currently, all users who are in the user store are allowed to log in. I need to restrict the ability to log in to the app to a certain range of users. How can this be done?
You can achieve this by adding roles to the particular users. Refer to this doc: https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#managing-user-roles
You need to configure the roles and permissions according to your use case:
Create a role (e.g. testRole) and assign the required permissions, except for the login permission (Admin Permissions > Login), to that role [1].
Create a new user (e.g. testUser) and assign testRole to that user [2].
Now the testUser that you have created has no login permission to the app.
[1] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#create-user-roles
[2] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-users/#adding-a-new-user
If the usernames across the primary and secondary user stores are globally unique, is it possible to configure WSO2 (API Manager) to accept usernames from the secondary store without requiring the user store domain prefix, e.g. userstore/username?
You do not need to provide the user store when logging in to the Store, Publisher and Admin.
I am using WSO2 Identity Server 5.0.0. I have set up a primary read-only LDAP connection in user-mgt.xml. I created a new group on the LDAP server to assign permissions in the Roles section. The new group is not listed. How long does it take to refresh the LDAP groups, and is there a way to force a refresh?
Normally LDAP groups are read on demand when they are listed in the UI. If you have more than 1000 groups in the LDAP, then not all the groups would be listed in the UI.
If you are asking about the roles under users, i.e. the assigned roles for the users: yes, there is a cache in WSO2 IS called userRoleCache which caches the roles for a given user. This cache is refreshed after 15 min. Currently you cannot configure this timeout value. If you want, you can completely disable the cache using the following user store manager property (in the user-mgt.xml file):
<Property name="UserRolesCacheEnabled">false</Property>
I'm working on upgrading from WSO2 Identity Server 4.1.0 to 4.5.0 and I've found that new users are now added to an Internal/identity group instead of the LDAP identity group that they were being added to formerly.
In particular I would like to add new users to the LDAP group (I've got a lot of things that expect and need accounts to be in that group). But it brings up another question: is there any way to define groups/roles that a new user automatically gets added to during sign-up?
Users who sign up are added to an Internal/identity role by default in 4.5.0. This internal role is created in the internal database, basically the user management database which has been defined in the user-mgt.xml file (UM_HYBRID_ROLE table). This is because this role is created programmatically, and therefore it is not good to create it in the actual user store. I guess WSO2 Identity Server has no way to configure this role name or where it must be retrieved from. I see this as a limitation.