Environment:
WSO2 API-M + WSO2 Identity Server (Key Manager), sharing the
same user store.
2 service providers (Publisher and Store) and 2 identity
providers (Google and Facebook) in the carbon.super tenant.
APIM SSO service is enabled and issuer IDs follow the above.
OAuth 2.0 users (Google and Facebook) are enabled to log in.
3 tenants (carbon.super, TA and TB) in the environment.
Publisher SP and Store SP are both in SaaS mode.
Steps:
1. Super admin logs in to the Carbon UI.
2. Edit the role "everyone" and set the creator, subscriber and publisher permissions.
3. Social account login to Publisher fails (401 error).
4. After 1~8 hours, the social account logs in again and it works.
5. Super admin logs in to the Carbon UI and removes all permissions from the role "everyone"; this takes effect immediately (the social account can't log in).
6. Repeat steps 1 and 2.
7. Same as step 3.
8. Same as step 4.
I'm not sure whether I have to configure any system setting so that the permission change takes effect immediately.
How to achieve the scenario below:
I have multiple IdPs such as APM, Predix, etc. Every IdP has its own user management (creating users, groups, etc.).
tenant 1 - APM
tenant 2 - Predix
Is there any tenant-dependent configuration in WSO2 so that when a request comes in for Tenant 1, WSO2 automatically connects to APM and returns the endpoint information?
[1] guides the steps to configure a federated identity provider in WSO2 IS. You can create different service providers and select the required IdP for each service provider. Steps to configure a federated IdP for a service provider can be found in [2], under the section "Click here for details on how to configure local and outbound authentication".
Edit: An Identity Provider can be created in WSO2 IS to represent the external IdP. We can create service providers (based on the requirement, they could be created in the relevant tenants), select federated authentication as the "Authentication Type" and select the relevant IdP from the drop-down menu. Refer to the image below:
[1] https://docs.wso2.com/display/IS570/Configuring+Federated+Authentication
[2] https://docs.wso2.com/display/IS570/Adding+and+Configuring+a+Service+Provider
SSO is established between WSO2 Identity Server and WSO2 API Manager. Added API_Publisher and API_Store as service providers in Identity Server.
Created 2 tenants in Identity Server, citizen.in and business.in, and created users under those tenants. When I try to log in to the API-M Publisher with API-URL/publisher, the page redirects to Identity Server for authentication but the authentication fails:
"Login failed! Please recheck the username and password and try again."
Also checked that the users in the tenants are showing in OpenLDAP.
It looks like you have not enabled the SaaS Application option in the service providers you created.
Ref: https://docs.wso2.com/display/AM260/Configuring+Identity+Server+as+IDP+for+SSO
I'm using the Google Federated Authenticator as IdP and I have a problem with JIT provisioning.
After a successful login the account is created in the user store which I chose, but the created user doesn't have the role that I set in the claim configuration.
Logs from Identity Server:
http://pastebin.com/7Rd7mrV2
How do I configure the IdP to set a role on accounts created with JIT?
Environment:
WSO2 API-M + WSO2 Identity Server (Key Manager), sharing the
same user store.
2 service providers (Publisher and Store) and 2 identity
providers (Google and Facebook) in the carbon.super tenant.
APIM SSO service is enabled and issuer IDs follow the above.
OAuth 2.0 users (Google and Facebook) are enabled to log in.
3 tenants (carbon.super, TA and TB) in the environment.
Publisher SP and Store SP are both in SaaS mode.
Question:
How can a user get his access token via the API with his account and password?
I tried referring to the document: https://docs.wso2.com/display/AM1100/Token+API
but it seems to need a consumer key and secret. Is there another way to get a user access token without the consumer key pair?
Thanks
Tom
Yes, you need to have a consumer key/secret pair to get an access token. For user authentication you can use different grant flows (SAML2, authorization code, etc.), but to verify the client OAuth application you must pass the application details (because you can have multiple applications in the system and the OAuth server needs to know which application you are referring to).
Thanks
sanjeewa.
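As an added illustration of the answer above (this is example code, not from the original thread or from WSO2), the following shell helpers build the password-grant token request that the Token API expects: the consumer key and secret identify the OAuth application through HTTP Basic authentication, while the user's own username and password go in the grant parameters. The token endpoint URL, the consumer key `abc`, the secret `xyz`, the user `tom`, the password and the tenant domain `ta.com` are constructed placeholders. The `token_request` function prints the `curl` invocation instead of sending it, so the request shape can be inspected offline; remove the `printf` wrapper to actually call the gateway.

```shell
#!/bin/sh
# Added example: requesting a user access token from WSO2 API-M with the
# OAuth 2.0 password grant. Not from the original post; all values are
# constructed placeholders.

# HTTP Basic credential for the token endpoint: base64("consumerKey:consumerSecret").
# This is what proves which OAuth application is asking, which is why the
# consumer key/secret cannot be left out.
basic_auth_header() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Username as the Key Manager expects it: a plain username for carbon.super,
# user@tenantdomain for any other tenant (tenant domain is a constructed value).
tenant_user() {
  if [ "$2" = "carbon.super" ]; then
    printf '%s' "$1"
  else
    printf '%s@%s' "$1" "$2"
  fi
}

# Dry run: print the curl command for a password-grant token request.
# $1 token endpoint, $2 consumer key, $3 consumer secret, $4 username, $5 password
token_request() {
  endpoint=$1; key=$2; secret=$3; user=$4; pass=$5
  printf 'curl -k -X POST %s -H "Authorization: Basic %s" -d "grant_type=password" --data-urlencode "username=%s" --data-urlencode "password=%s"\n' \
    "$endpoint" "$(basic_auth_header "$key" "$secret")" "$user" "$pass"
}

# Demo with constructed values: a user in tenant ta.com asking the gateway
# token endpoint (default port 8243) for a token on behalf of application abc.
token_request "https://localhost:8243/token" abc xyz "$(tenant_user tom ta.com)" 's3cret'
```

The user's password never reaches the application in a way the application can reuse elsewhere only if the application is trusted; for the social-login users in this thread (Google, Facebook), the password grant does not apply at all, and the SAML2 bearer or authorization-code grants the answer mentions are the ones to use, still with the same Basic header carrying the consumer key and secret.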
My environment is WSO2 API-M + WSO2 IdP + WSO2 DAS. I set up SSO with those components and Facebook and Google users can log in to my environment.
My question is:
If I create 2 tenants in API-M, how should I assign Facebook or Google users to a specific tenant I created when they log in to API-M (without automatic user provisioning)?
From the service provider configuration --> Local & Outbound Authentication Configuration,
check "Use tenant domain in local subject identifier".