How do I add security to my WSO2 ESB? - wso2

Such as two factor authentication, 3rd party OAuth, Connecting to LDAP.
I have added the above security to Wso2 Identity Server. But please help me achieve the same with Wso2 ESB.
Thanks

Where you want to add the security? What you want to secure?
I see two parts where the user security may play role in ESB:
For the carbon (management) console, I may disappoint you, that may not be so simple. See the Custom carbon authentication . It seems you need to enable other authenticators or add your own (see the file authenticators.xml, they are disabled by default) and "patch" the carbon to use it. However - for our best practices the management console (and the management services) should be not accessible from untrusted network .
If you're talking about securing the web services, this is not something an end user (person) is accessing. Ok - excluding the REST services. There are multiple options available to secure web services. From basic authentication (and username token), to STS (security token service), signing and encrypting the payload. See Securing web services, however here we assume some knowledge about the service security.

Related

Is there any OpenID Connect Identity Provider that can delegate autentication to other OpenID Connect IdPs?

I'm facing the following scenario:
There are several companies each one with its own OpenID Connect Identity Provider (IdP) which federates users from their respetive LDAP servers. These providers are used to perform SSO in the context of each company.
There's a requirement to create an application that offers a common login for all the users of those companies.
The idea is to provision or use an existing cloud solution (AWS Cognito, Google Cloud Identity, etc., ...) that offers a shared login screen but delegates/federates the actual login to each of the company IdPs.
Are there any solutions that allows this?
Could you point at any documentation/guide to implement it?
This is just standard OAuth and OpenID Connect behaviour, with these 3 roles:
Application, uses OIDC to redirect to ...
An Authorization Server, which you own, and which redirects to ...
An Identity Provider
So you need a standards based authorization server and to configure your app as an OAuth Client. Then include the openid scope so that OpenID Connect is used. SAML based identity providers can also be supported in this flow, even though your app only uses OIDC.
The way to manage this with best usability, is for the authorization server to present a usernane authenticator, which captures a user identifier first, such as an email. It then runs some custom logic, such as a user lookup, to determine which IDP to route the user to. The user then authenticates at the IDP.
After authentication, the IDP issues tokens to the authorization server, which validates them, then issues its own tokens to the application. In particular the app gets an access token whose scopes and claims you can control. Your app can then send these to your APIs, which can authorize access to business data correctly.
Aim for behaviour similar to that above, or adjust it based on your preferences. Then trial it, eg with a cloud or Docker based authorization server, and ensure that you select one with sufficient extensibility to meet your requirements.
Note also that Stack Overflow answers should not recommend particular vendors, so I have not done so.
There is a solution called cloudpods using which you can manage both on-prem and public cloud resources. Cloudpods supports integration with multiple cloud providers like aws, GCP, azure, alibaba and etc.,
Is there any OpenID Connect Identity Provider that can delegate autentication to other OpenID Connect IdPs?
Yes. https://github.com/apereo/cas is one. You can set it up as an OIDC identity provider and have it then delegate to as many OIDC Identity providers as you want.

WSO2 Configuration (IS Application securing APIM endpoint)

We're attempting to configure a relatively complicated WSO2 setup in which Identity Server (5.7.0 with KM) authenticates through an OAuth Service Provider, uses the token to secure API Manager (2.6.0) Endpoints, which then cycles through the Enterprise Integrator (6.5.0).
I've followed the steps to configure IS as the Key Manager (https://docs.wso2.com/display/AM260/Configuring+WSO2+Identity+Server+as+a+Key+Manager). This appears to be working, as I can see users in APIM that were configured in IS.
The problem is in the application. In IS I've created an OAuth POC that federates to another authentication provider. I want APIM to understand that application, and be able to use it to subscribe to APIs through the store for users that IS has given roles to. The application doesn't appear in APIM's applications, and I can't figure out how to link the two. I'd like for APIM to understand the token, figure out that it's for the OAuth POC in IS, and then if the user has that role, let them in, else return a 401 or something equivalent. Haven't been able to find someone else with a tutorial or guidance on this setup specifically.
Linking an Oauth2 provider from IS to an APIM application is called by WSO2 as "Out-of-Band provisioning". This guide may bring you a step further in your POC: https://docs.wso2.com/display/AM260/Provisioning+Out-of-Band+OAuth+Clients

How to authenication and Authorize End application users in wso2 api manager?

I wanted to do some POC for wso2 API manager where API Manager will expose login and registration url which will be called by UI layer but wanted to handle end user authorization and authentication
in API manager layer and don't want to handle this in database how can I do this i don't to use Identity server also.
I have gone through password grant_type tutorial and we can use this but how the authorization is going to performed?
Do we need to maintain user details in separate database or in identity server? if yes how this is going to happen.
I have gone through below questions but didn't get exact solution, please help me on this.
authorize user in wso2 api manager
wso2 api manager end-user
Thanks
how can I do this i don't to use Identity server also
By default you should be using the provided OAuth2 endpoints to authorize the users. However - the API Manager itselfs doesn't support self-registration and account verification.
I'd suggest to configure a WSO2 Identity Server as an APIM Key manager.
The WSO2IS has capability for self-registration and account verification.
The application or users will authenticate against the WSO2IS and the returned token will be valid for APIM (as the KeyManager shares the database with tokens).

How to test WSO2 Identity Server federated Authentication

I’ve made a new Identity Provider and setup it’s SAML2 authentication to our Shibboleth IDP. How do I “login” using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications. Your applications can be connected with Identity Server as service providers. Then you can defined your external IDPs a trusted IDP. Each service provider, you can select multiple IDPs as out-bound authenticators. There is some blog about that uses saleforce as trusted IDP, you can go through it as well
If what you want is to login to IS using Shibboleth as IDP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's not facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I setup API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.

Options for securing REST based service for iOS/Android app

I am working on a web application implementing online shopping functionality. I am using Struts2 + Spring + Hibernate. I am using Spring security to implement authorization and authentication.
Now my client wants to develop an iOS/Android App for the same where users of my web application can login and use some of the functionality using the app.
Mobile App will access the REST based web services on JSON which will be implemented using Jersey. Here are my questions:
Users are going to have a role from three of the roles. Depending on the role they should be able to access the specific resources. I am thinking about using Spring Security 2.0 with Jersey and authenticate the users using OAuth 2.0. Is OAuth 2.0 right applicable choice?
Also, Jersey doesn't support oAuth 2.0 on server side. Still I guess I should be able to use any other OAuth provider to secure Jersey services right?
If oAuth is not the right choice then what I can use to provide role based authentication and authorization for Mobile App users to my REST web services.
Don't forget you can use simple HTTP BASIC auth (with SSL, of course).
For comparsions of OAuth versions, see this.
After having to deal with the same problem I did some research and currently I can see 3 solutions.
Pivotal actually have a piece of software which they use for their cloudfoundry services, called UAA (User Account and Authentication) Server. You can deploy this to your own server, and it's role is basically to provide OAuth2 access tokens. You will need to create your own Resource Server which will serve different resources if the correct OAuth token is provided in the request. (they have a couple of sample apps in the UAA repo which you can use) https://github.com/cloudfoundry/uaa
Google actually provide services like that. If you host your backend on appengine you can use cloud endpoints to expose your API and they take care of Authentication and Authorization.
https://cloud.google.com/appengine/docs/java/endpoints/
You can create your own architecture. Basic approach would be to have an Authorization server (to generate tokens), an Resource Server (to serve your API) and some sort of storage for users and tokens.
Hope that helps a bit, I'm personally going to go with the UAA to try it out.