WSO2 Tenant specific Passive STS does not send claims - wso2

I have a WSO2 5.1 identity server that is configured as a multi tenant host. I have a tenant configured with a Passive STS. The response documents from that Passive STS do not include any of the claims defined in the Claim Configuration for the Passive STS in the tenant. I only get the subject assertion. If I configure the same Passive STS on the global tenant, or on a server that is not multi tenant, I get the expected response document with the subject assertion and all the mapped claims. Interestingly, the tenant document is also signed with the global certificate and not the tenant specific certificate.

I guess that you need to update the passive STS URL from the client/web app.
Suppose you have a tenant called 'foo.com'. Then set the Identity Server's passive STS URL as
https://localhost:9443/passivests?tenantDomain=foo.com
The above will point to the 'foo.com' tenant's passive STS endpoint, while the following URL points to the super tenant/global tenant's passive STS endpoint.
https://localhost:9443/passivests
HTH,
DarRay
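As an added example (not code from this thread or from WSO2), here is how a relying party can build the WS-Federation passive sign-in request against the tenant endpoint in the answer above without losing the tenantDomain parameter. The host, realm and reply URLs are placeholders; the point is that the tenant endpoint already carries a query string, so the wa/wtrealm/wreply/wctx parameters have to be merged into it rather than appended with a second '?'.

```python
"""Tenant-aware WS-Federation passive sign-in URL for a WSO2 IS Passive STS.

Added example, not code from the original thread or from WSO2. IS_BASE, the
realm and the reply URL are placeholders.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

IS_BASE = "https://localhost:9443"  # assumed Identity Server host


def passive_sts_endpoint(base: str = IS_BASE, tenant_domain: Optional[str] = None) -> str:
    """Passive STS endpoint for a tenant, or the super-tenant endpoint when
    tenant_domain is None (the distinction made in the answer above)."""
    url = f"{base}/passivests"
    if tenant_domain:
        url += "?" + urlencode({"tenantDomain": tenant_domain})
    return url


def wsignin_url(endpoint: str, realm: str, reply: str, ctx: Optional[str] = None) -> str:
    """Append the WS-Federation passive sign-in parameters (wa, wtrealm, wreply,
    wctx) to an endpoint that may already carry a query string.

    A naive endpoint + "?wa=..." would yield two '?' and silently drop
    tenantDomain, so the request would land on the super tenant's STS."""
    parts = urlsplit(endpoint)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update({"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply})
    if ctx is not None:
        query["wctx"] = ctx
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def tenant_of(url: str) -> Optional[str]:
    """Which tenant a URL targets; None means the super tenant."""
    return dict(parse_qsl(urlsplit(url).query)).get("tenantDomain")


if __name__ == "__main__":
    ep = passive_sts_endpoint(tenant_domain="foo.com")
    print(wsignin_url(ep, realm="https://app.example.com/",
                      reply="https://app.example.com/wsfed", ctx="state1"))
```

A quick sanity check after wiring this into a relying party: if the returned RSTR is still signed with the global certificate, the request reached /passivests without tenantDomain, which is exactly what tenant_of() on the final URL will tell you.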

Related

WSO2: How to get a user access token by API in an SSO setting environment with API-M and Identity Server?

Environment:
wso2 API-M + wso2 Identity Server (Key Manager), and they share the same user store.
2 service providers (publisher and store) and 2 identity providers (Google and Facebook) in the carbon.super tenant.
APIM SSO service is enabled and issuer IDs follow the above.
OAuth2.0 users (Google and Facebook) are enabled to log in.
3 tenants (carbon.super, TA and TB) in the environment.
Publisher SP and Store SP are both in SaaS mode.
Question:
How can a user get his access token by API with his account and password?
I tried to refer to the document: https://docs.wso2.com/display/AM1100/Token+API
but it seems to need a consumer key and secret. Is there another way to get a user access token without a consumer key pair?
Thanks
Tom
Yes, you need to have a consumer key/secret pair to get an access token. For user authentication you can use different grant flows (SAML2, authorization code, etc.), but to verify the client OAuth application you must pass the application details (because you can have multiple applications in the system and the OAuth server needs to know which application you are referring to).
Thanks
sanjeewa.
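To make the answer concrete, here is an added example (not code from the thread or from WSO2) of a password-grant call to the Token API: the consumer key/secret identify the OAuth application in the HTTP Basic header, and the user's own credentials go in the form body. The token endpoint, key, secret and the sample response are placeholders constructed for illustration.

```python
"""Password-grant token request against the WSO2 API-M Token API.

Added example, not code from the thread or from WSO2. TOKEN_ENDPOINT, the
key/secret and SAMPLE_RESPONSE are placeholders.
"""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_ENDPOINT = "https://localhost:8243/token"  # assumed API-M gateway token endpoint


def build_token_request(consumer_key, consumer_secret, username, password, scope="default"):
    """Client identity goes in the Basic header, the user's credentials in the body.
    Returns (headers, body) so the request can be inspected before it is sent."""
    creds = f"{consumer_key}:{consumer_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,  # for a tenant user this is assumed to be user@tenantdomain
        "password": password,
        "scope": scope,
    }).encode()
    return headers, body


def parse_token_response(raw: bytes) -> dict:
    """Keep only the fields a client needs and reject anything that is not a
    bearer token (an error body looks like {"error": "..."})."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"token request failed: {data.get('error', 'no access_token')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return {k: data[k] for k in ("access_token", "expires_in", "refresh_token", "scope") if k in data}


def request_token(consumer_key, consumer_secret, username, password, endpoint=TOKEN_ENDPOINT):
    headers, body = build_token_request(consumer_key, consumer_secret, username, password)
    with urlopen(Request(endpoint, data=body, headers=headers, method="POST")) as resp:
        return parse_token_response(resp.read())


# Constructed sample in the shape the Token API returns; not a real token.
SAMPLE_RESPONSE = (b'{"scope":"default","token_type":"Bearer","expires_in":3600,'
                   b'"refresh_token":"r1","access_token":"a1"}')

if __name__ == "__main__":
    h, b = build_token_request("KEY", "SECRET", "tom", "tom-pass")
    print(h["Authorization"], b.decode())
    print(parse_token_response(SAMPLE_RESPONSE))
```

Note that the password grant hands the user's password to the client application; the other grants the answer mentions (authorization code, SAML2 bearer) avoid that, and the consumer key/secret are needed with all of them.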

How to provide access to the same service provider for different tenants' users in WSO2 IS?

I have created 2 tenants in WSO2 identity server.
We need to deploy a sample application to which users belonging to both tenants should have access using SAML 2.0.
Please suggest how the sample application can be configured as a service provider in WSO2 Identity Server to achieve this requirement.
Assuming that the above is done, we would also like to know how the application can identify which user belongs to which tenant once the login is successful. Is this some information that would be passed in the SAML response?
You can create the service provider in SaaS mode. With this configuration, the service provider will be visible to all the tenants in the Identity Server. You can find how to configure a SaaS application in the documentation at [1].
If you want to return the tenant domain with the subject identifier in the SAML response, you can enable 'Use tenant domain in local subject identifier' in 'Local & Outbound Authentication Configuration' of the service provider. More information is available in [2].
[1] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider#ConfiguringaServiceProvider-Addingaserviceprovider
[2] https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
It is also needed to put the query param in the URL to select the right tenant. I modified the URLs in the metadata.xml generated from the WSO2 IS from something like this:
https://your-domain:9443/samlsso
to
https://your-domain:9443/samlsso?tenantDomain=tenant-name
and used this metadata.xml in the SP.
Otherwise, when the SP sends the SAML message, the IS will generate the log "Service Provider with the issuer 'xxx' is not registered." if your SP is not registered in the super tenant.
WSO2 IS 5.10
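Two SP-side helpers, added here as an example (not code from the thread or from WSO2), for the points made in this question: the metadata rewrite the last comment does by hand, and splitting the subject identifier once 'Use tenant domain in local subject identifier' is enabled. The metadata fragment is constructed and trimmed, the tenant name is a placeholder, and the DOMAIN/user@tenant subject layout is assumed from WSO2's usual convention.

```python
"""Multi-tenant SP helpers: rewrite IdP metadata endpoints with ?tenantDomain=...,
and split the tenant-qualified subject identifier.

Added example, not code from the thread or from WSO2. SAMPLE_METADATA is a
constructed fragment; the DOMAIN/user@tenant layout is an assumption.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed IdP metadata fragment shaped like an IS export (not a real export).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="localhost">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-domain:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-domain:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-domain:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def with_tenant(url: str, tenant: str) -> str:
    """Add (or overwrite) tenantDomain without clobbering other query parameters."""
    p = urlsplit(url)
    q = dict(parse_qsl(p.query, keep_blank_values=True))
    q["tenantDomain"] = tenant
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), p.fragment))


def rewrite_metadata(metadata_xml: str, tenant: str) -> str:
    """Point every SSO and SLO endpoint in the IdP metadata at the tenant endpoint,
    so the SP's SAML library sends AuthnRequests where the tenant SP is registered."""
    root = ET.fromstring(metadata_xml)
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for svc in root.iter(f"{{{MD_NS}}}{tag}"):
            svc.set("Location", with_tenant(svc.get("Location"), tenant))
    return ET.tostring(root, encoding="unicode")


def endpoint_locations(metadata_xml: str) -> list:
    """All *Service Location attributes, for checking the rewrite."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter() if e.tag.endswith("Service")]


def split_subject(subject: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split 'DOMAIN/user@tenant' into (user_store_domain, username, tenant_domain).

    Uses rpartition on '@' so a username that is itself an e-mail address keeps
    its own '@'. Only meaningful when the SP option to append the tenant domain
    is enabled; otherwise 'falb@red.com' would be misread as tenant 'red.com'."""
    store = None
    if "/" in subject:
        store, subject = subject.split("/", 1)
    user, sep, tenant = subject.rpartition("@")
    if not sep:  # no tenant suffix present
        return store, subject, None
    return store, user, tenant


if __name__ == "__main__":
    print(endpoint_locations(rewrite_metadata(SAMPLE_METADATA, "tenant-name")))
    print(split_subject("PRIMARY/falb@red.com"))
```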

WSO2 Identity Server supports service provider initiated SSO in SAML?

I found docs about IdP-initiated SSO in WSO2 IS, but haven't found anything about service provider initiated SSO.
Consider the scenario in which a local IS is used as a service provider which is connected to several externally hosted SAML IdPs for outbound authentication.
Am I able to trigger an SP-initiated login to one specific external IdP with a static link? Ideally with a RelayState attribute which is evaluated after a successful SAML sign-on process.
I am using WSO2 IS 5.0.0, but hints for 5.1.0 would also be appreciated.
IdP-initiated login:
https://localhost:9443/samlsso?spEntityID=(Your SP Issuer ID)&fidp=(Your Home Realm Identifier if you have multiple IdPs)
https://localhost:9443/samlsso?spEntityID=myspissueid&fidp=myidp
OR
If you only have one IdP or don't need to skip the selection page:
https://localhost:9443/samlsso?spEntityID=myspissueid
I believe if you get the fidp parameter in the SAML AuthnRequest then that will do the trick for the SP-initiated one.
Considering the IdP is running over localhost:
IdP-init SSO: https://localhost:9443/samlsso?spEntityID=yourSPEntityName
SP-init SSO: https://localhost:9443/samlsso
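The SP-initiated half of the answers above, as an added example (not code from the thread or from WSO2): build an AuthnRequest, encode it for the HTTP-Redirect binding (DEFLATE, base64, URL-encode) and send it to /samlsso with a RelayState and the fidp home-realm hint. The issuer, ACS URL and home-realm identifier are placeholders, and carrying fidp as a query parameter next to the encoded request is the answerer's suggestion, taken here as an assumption rather than a documented guarantee.

```python
"""SP-initiated SAML 2.0 login to WSO2 IS over the HTTP-Redirect binding.

Added example, not code from the thread or from WSO2. SSO_ENDPOINT, the issuer,
ACS URL and fidp value are placeholders; the fidp query parameter is assumed.
"""
import base64
import datetime
import secrets
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SSO_ENDPOINT = "https://localhost:9443/samlsso"  # assumed IS host
MAX_RELAY_STATE = 80  # SAML 2.0 Bindings: RelayState must not exceed 80 bytes


def build_authn_request(issuer: str, acs_url: str, request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Minimal AuthnRequest. The ID is what the SP later matches against
    InResponseTo in the Response, so it must be unpredictable and remembered."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<samlp:NameIDPolicy AllowCreate="true"/>'
        f'</samlp:AuthnRequest>'
    )


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, per the Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_login_url(authn_request_xml: str, relay_state: str,
                       fidp: Optional[str] = None, endpoint: str = SSO_ENDPOINT) -> str:
    """The static link the question asks for: one URL that starts SP-initiated
    login at a chosen home realm and carries RelayState back to the SP."""
    if len(relay_state.encode()) > MAX_RELAY_STATE:
        raise ValueError("RelayState longer than 80 bytes; store state server-side and pass a key")
    params = {"SAMLRequest": deflate_b64(authn_request_xml), "RelayState": relay_state}
    if fidp:
        params["fidp"] = fidp  # home-realm hint, assumed to be honoured as a query parameter
    return endpoint + "?" + urlencode(params)


def decode_login_url(url: str) -> dict:
    """Inverse of redirect_login_url, to check what the IdP will actually receive."""
    q = parse_qs(urlsplit(url).query)
    out = {k: v[0] for k, v in q.items()}
    out["SAMLRequest"] = inflate_b64(out["SAMLRequest"])
    return out


if __name__ == "__main__":
    req = build_authn_request("myspissueid", "https://sp.example.com/acs")
    print(redirect_login_url(req, "return-to-dashboard", fidp="myidp"))
```

The request above is unsigned; if the service provider entry on the IS has request signature validation enabled, add the SigAlg and Signature parameters over SAMLRequest, RelayState and SigAlg as the Redirect binding defines. Treat RelayState as an opaque key into server-side state, not as a redirect target, or it becomes an open-redirect vector on the ACS.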

WSO2 Identity / Setup of Federated Authentication using SAML

The basic topology is like this:
WSO2 IS as my service provider, which takes care of authorization via XACML; our existing internal IdP takes care of corporate authentication (SAML, OAuth2).
I'd like to receive guidance about best practice for configuring an outbound federation using the WSO2 IS as a proxy for the SAML protocol. Is it correct to separate the user ID domain by creating a so-called "tenant" in order to route the SAML requests through an outgoing STS connection to an external primary IdP? Is this configured under Identity Provider - Add Identity Provider - Federated Authenticators - WS-Federation Passive Configuration?
Domains and Tenants?
As an example, I would like to configure an account like this: ID = falb#red.com, where the federated lookup will forward my request to the IdP responsible for the domain "#red.com". Is there any discovery or smart routing mechanism available that is able to identify the "red.com" domain, without the need of creating a tenant?
XACML Access?
In a more advanced scenario, once we have a federation between the WSO2 server and an external IdP, is a service provider (a web application server) able to dispatch a PEP request by attaching a SAML token, without the use of preceding entitlement routines like passing a login and password? Is there an entitlement routine in place that accepts SAML tokens at the PDP side and validates them through the SSO federation mechanism?
Thanks in advance for your guidance.
Regards
Claude

WSO2 Identity server - Restricting access to SSO service

My understanding of SAML and WSO2 is very basic, so sorry in advance. I'm wondering if access to an SSO service can be restricted to a subset of users?
Yes, you can restrict access to a SAML SSO service provider to a subset of users. This is an authorization requirement indeed. When the service provider redirects the user to the Identity Provider (in this case to the WSO2 Identity Server), the service provider can request claims about the user from the Identity Server (claims such as Role, Email, Age, Country, etc.). Then, after successful authentication of the user at the Identity Provider, the Identity Provider will send those claim values to the SSO service provider along with the SAML Response message. The SSO service provider can read these claims and decide whether it should let the user access the service or not. (For example, by looking at the Role claim: if the user has a particular role then the SSO service provider allows the user; if not, it refuses.)
I think that according to the SAML specification, the Identity Provider can return an error state. It has an element in the SAMLResponse dedicated to this: Status. But WSO2 Identity Server (up to 5.0.0), as far as I know, doesn't automatically support this behavior. One would have to change the WSO2 authorization code to achieve it...
Source:
SAML 2.0 Overview - line 1131, chapter 3.2.2.2, Element <Status>
<samlp:Response
...<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ...
Instead of Success the IdP can return:
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
or similar... see:
SAML2.0 handling SSO error
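Both answers above land on the service provider: the first says the SP should decide from the claims, the second says the IdP could signal refusal through Status. An added example (not code from the thread or from WSO2) of an SP doing both, in that order: refuse any Response whose top-level StatusCode is not Success and report the nested, more specific code (AuthnFailed here), and only on Success read the role claim and apply the allow-list. The two Responses are constructed, unsigned fragments; the role claim URI and the comma separator for multi-valued claims follow WSO2's defaults as an assumption, and a real SP verifies the XML signature, audience and validity window before trusting any of it.

```python
"""SP-side SAML Response handling: Status check, then role-based authorization.

Added example, not code from the thread or from WSO2. The two Response
documents are constructed; ROLE_CLAIM and the ',' separator are assumed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ROLE_CLAIM = "http://wso2.org/claims/role"  # assumed default WSO2 role claim URI

# Constructed: a successful Response carrying a multi-valued role claim.
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>falb@foo.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_CLAIM}">
        <saml:AttributeValue>Internal/everyone,sso-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: a refusal. The top-level code must be Responder/Requester;
# the specific reason (AuthnFailed) sits in the nested StatusCode.
FAILED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_r2" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def status_codes(response_xml: str) -> list:
    """Top-level StatusCode first, then any nested, more specific codes."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        raise ValueError("Response has no Status/StatusCode")
    codes = []
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find(f"{{{SAMLP}}}StatusCode")
    return codes


def attributes(response_xml: str) -> dict:
    """AttributeStatement contents as {claim_uri: [values]}."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        out.setdefault(attr.get("Name"), []).extend(
            v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue"))
    return out


def authorize(response_xml: str, allowed_roles) -> tuple:
    """(allowed, reason). Non-Success is rejected before any claim is read."""
    codes = status_codes(response_xml)
    if codes[0] != STATUS_SUCCESS:
        return False, "IdP returned " + codes[-1].rsplit(":", 1)[-1]
    roles = set()
    for value in attributes(response_xml).get(ROLE_CLAIM, []):
        roles.update(r.strip() for r in value.split(","))  # assumed ',' multi-value separator
    matched = roles & set(allowed_roles)
    if matched:
        return True, f"role match: {sorted(matched)}"
    return False, f"no permitted role among {sorted(roles) or 'none'}"


if __name__ == "__main__":
    print(authorize(SUCCESS_RESPONSE, ["sso-users"]))
    print(authorize(FAILED_RESPONSE, ["sso-users"]))
```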