OpenAM provides a "Java EE Policy Agent", which is a PEP implementation (a Servlet Filter) to intercept requests and protect an application on the same container. The nice thing is:
admin can control the agent from the central Identity Provider. For example, admin can tell the agent to map SAML assertions to a HTTP header/cookie/HTTP request params before passing the request to the application.
admin can choose if the agent allows request according to the decision in PDP, or authorization should be enforced through the container's Java EE security policies (which may be configured declaratively in the XML deployment descriptor of the protected application).
Do WSO2 Identity Provider have similar PEP agent implementation with the 2 features above?
Many thanks
We have entitlement filter[1] and entitlement proxy[2] as extensions that can address entitlement requirements for applications and Java EE container authorization scenarios.
[1] https://github.com/wso2-extensions/identity-agent-entitlement-filter
[2] https://github.com/wso2-extensions/identity-agent-entitlement-proxy
Related
I want to create a user in Wso2 (version 5.8) Identity Server and then populate it into my Service Providers automatically.
At this moment, after user registration in my Wso2, then I need to register the same user manually in each Service Providers (in my case, a SP is M-Files tool which provides a way to create user described here)
I am not sure if wso2 offers an automatic way to do this. I read the following documentation
Inbound provisioning: This approach is used for the opposite goal. Create a user in a Service Provider and with SCIM API I can create it into my wso2.
Outbound provisioning: This approach is very close that I want to but require relating the Service Provider with an Identity Provider (which must implement SCIM) and I dont want to use my Service Provider as an Identity Provider.
User store: I think it is not what I looking for. I think wso2 queries the external user store searching if the user which attempt to login is valid or not. I dont want my Service Provider act like a Identity Provider
Thanks
Outbound provisioning: This approach is very close that I want to but require relating the Service Provider with an Identity Provider (which must implement SCIM) and I dont want to use my Service Provider as an Identity Provider.
This is the approach you should be using. You don't have to use it as an Identity Provider. Just register it as an Identity Provider so that WSO2 can provision users to M-Files.
Regarding provisioning to M-Files, WSO2 support standard user management SCIM2 rest APIs. But if (I couldn't find any reference) M-files doesn't support such, you might have to find the API format that M-files support and then you can write a simple Java extension (Custom outbound provisioning Connector) to WSO2 Identity Server, so that it can provision users to M-files in a way that it prefers.
Documentation for customization
Can someone please clarify when to use API Manager and when to use Identity Server. I see that API Manager comes with Key Manager. Isn't that sufficient. I am really confused. Any help would be helpful.
Many thanks....
I hope this explaination will help you out,
WSO2 Identity Server
WSO2 Identity Server is a fully fledged Identity Management Solution which supports Authentication, Authorization, Single Sign-On and Identity Federation to name a few capabilities. WSO2 Identity Server supports almost all major identity protocols such as SAML, OAuth2, OpenID Connect etc.Take a look at this page to get an idea about the capabilities of WSO2 Identity Server.
WSO2 API Manager
WSO2 API Manager, on the other hand, focuses on managing your APIs. Managing life cycle of your APIs, Authorization, Throttling, applying policies on API consumers are some of the functionalities handled by API manager. API manager has several components such as publisher, store, gateway, key manager, traffic manager that clearly separates different aspects of API Management.
So the Key manager component is responsible for managing OAuth applications, generate, validate and revoke OAuth2 Tokens. API has an inbuilt key manager component to handle these functionalities.
API Manager also offers the flexibility to use an external key manager instead of its inbuilt one should you require to do so. This external key manager needs to confirm to an interface specified by API manager. By default, API has an implementation of this interface that allows WSO2 Identity Server to used an external key manager.
So whether or not you want to use Identity Server or any other external key manager is totally dependent on your use case and the API traffic.
You can use WSO2 Identity Server for all the authentication/authorization stuff:
XACML Architecture solution.
SSO with anothers webapps or WSO2 tools.
Implement a Oauth2 autorization mechanish
Federate authentication
etc....
You can uso WSO2 API Manager for expose unsecure resultful apis or webservices as secure apis using Oauth with monitoring and billings functionallities
The key manager functionallity properly decouples the operations for creating OAuth applications and validating access tokens so that you can even plug in a third party-authorization server for key validations.
In a DEV enviroment you can work with WSO2 API Manager without the WSO2 Identity Server at all.
In a production enviroment it's recommended to use a separate WSO2 API Manager as a Key Manager or use the WSO2 Identity Server as the Key Manager
I am new in security. I have downloaded wso2 sso sample and executed it. Now I want to configure xacml into this project.
My requirement is when user logged in with sso I want to restrict them to access some particular jsp pages. Please give me some suggestion how to implement it and how I can send xacml request.
thank you
[1] is a comprehensive blog written by Asela Pathberiya on XACML and how you can leverage XACML on the wso2 identity server. Please read the blog to clarify different use cases you might have and how you can achieve them using wso2 identity server.
Basically, WSO2 uses Balana - XACML implementation on top of Sun XACML which supports XACML 3.0 specification.
You can use WSO2 Identity Server as a XACML policy decision point (PDP) quite easily. You can leverage the SOAP client or the thrift client to send XACML request to WSO2 Identity Server Entitlement Service and receive the decisions. There are samples that suit you exact use case at [2]
So basically you can do the following to achieve what you want to do,
Configure XACML policies in WSO2 Identity Service using policy editor
Call the Entitlement Service via SOAP or thrift from you app to get the entitlement decisions [3].
[1] http://xacmlinfo.org/category/xacml/
[2] https://github.com/wso2/balana/tree/master/modules/balana-samples
[3] https://github.com/wso2/carbon-identity-framework/tree/master/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement
I need to secure a SOAP web service (based on Axis2) with this configuration:
Client tries to consume the service
Client is redirected to an authentication server for authentication
If the client authenticates properly, the Authentication Server gives client a SAML token with his attributes (basically a role)
There is a XACML policy (client can use an operation provided by the web service only if has a proper role) which is evaluated based on the role included in the SAML token.
So I have thought about using WSO2 Identity Server coupled with rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest me how?
You can either go with WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depends on the nature of your application (Web browser based or not), you can pick any one of the above methods. You can get user roles from the SAML Response.
However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username and read user roles from LDAP/userstore and do the validation.
I am trying to use wso2 identification server as authorization center:
there are several system, they share same user information
I want them to utilize identification server to perform authentication and authorization
In current research, I have found the API which I can use to perform authentication, and also soap api to perform user/group/permission management soap api
But I could not find the api which I can use to perform authorization request? So far those code are written in AuthrozationMgrJDBCImpl, there is no soap API expose those API.
Is there anybody know such API?
Yes.. WSO2 Identity Server can be used as centralized authorization management. There are two approaches
Use XACML capabilities of the WSO2IS. This is the standard way. WSO2IS can act as XACML PDP. You can create policies for different appolications. PDP is exposed as web service API, Application can call this web service API to receive authorization decision based on the policies. You can see the WSDL by pointing to https://localhost:9443/services/EntitlementService?wsdl. You can find more details on XACML and WSO2IS from here.
Use "AuthorizationAdminService" services. This is a custom way that you have referred. WSO2IS stores permission data in its own database and manage it through JDBCAuthorizationManager. However it only supports for RBAC. (in XACML you can use ABAC). you can see the WSDL by pointing to https://localhost:9443/services/AuthorizationAdminService?wsdl.
Note : You can see the WSDL of this service. But it is not exposed by default. Please go through this OS question. Also "AuthorizationAdminService" service available only after WSO2IS 450 version.