Currently our apps integrate (as service providers) with WSO2 IS v5.1.0 with multitenancy. We are using SAML2 Web SSO Authentication. There is a requirement to do profile update, change password, and manage users from the service provider.
I found a sample app that uses a SAML2 token for authentication:
https://github.com/firzhan/saml2.sso.demo
The problem is:
I need to specify ServiceProviderID in authenticators.xml (step no 3 on the link above).
Is there any way to disable this checking?
I have 3 applications (Spring microservices) configured as service providers. I set up OAuth2 auth, and it works perfectly.
Now I want to have SSO between these 3 applications/service providers. How can I configure it? (I want to log in to one application/service provider and re-use the auth with the other applications/service providers.)
Thanks!
There is nothing special you need to configure to have SSO between those 3 applications. As all 3 of them are registered as service providers in WSO2 Identity Server, they will automatically SSO between them whenever you use the same browser session. When a user logs in to one of these applications through Identity Server, a session is created for that user inside the Identity Server, and the same session is used whenever the same user (same browser session) tries to log in to any other registered application.
I'm trying to set up what I'll call a SAML2 IdP-initiated chain on wso2is (5.1.0). Diagram below:
website.com (sp) <--saml2 idp init-- (idp) wso2is (sp) <--POST saml2 idp init-- (idp) 3rdPartyIDP
The idea being that a 3rd party wants to do an IdP-initiated POST SAML2 call to authenticate against our internal website, but any time the SAML2 call is made wso2 just shows the login page (on wso2is) for the website.com SP. I currently have advanced authentication set up with the 3rdParty SAML IdP and other IdPs that allow SP-initiated SAML, and they work as expected.
IdP-initiated SAML2 works fine from wso2is if I use the link: https://wso2is/samlsso?spEntityID=website.com so I thought I would be able to use this as the SAML consumer location for the 3rdParty site; however, as stated, it ends up on the wso2is login page for the website SP with a SAMLResponse as a query parameter instead of performing a second IdP-initiated call down to the website SP as I'd expect.
Does my consumer URL that I'm providing to the 3rdParty IDP seem correct? Is this flow even possible with wso2is?
https://wso2is/samlsso?spEntityID=website.com is the correct consumer URL to point to in this scenario. You need to do the following as well.
Configure an Identity Provider in WSO2 IS, adding the 3rd party SAML2 IdP as a Federated authenticator. Refer to this URL for more details: https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider
Go to the Service Provider configuration added for website.com in IS and expand Local & Outbound Authentication Configuration. Select Federated Authentication and pick the Identity Provider you configured from the drop-down. Update the Service Provider configuration.
I am trying to call the WSO2 IS web service (i.e. getUserProfile) from the service provider when we are using SAML2 SSO authentication, but I am getting unauthorized access.
Do we get any token that can be used to call the web service after the initial authentication, without passing the credentials or cookies?
This might be a permission problem. Make sure you have enabled the login permission for the particular user.
Admin services are secured using common types of security protocols such as HTTP basic authentication, WS-Security username token, and session based authentication.
You can use SAML2SSOAuthenticationService.
Please refer to the sample: How to get a session cookie from a webapp which uses SAML SSO
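The two answers above describe the same mechanism from two sides: an admin service such as getUserProfile rejects a call that carries no credential, and the fix is to authenticate once (with a password, or with the SAML2 response via SAML2SSOAuthenticationService) and reuse the returned session cookie. The following is an added example, not code from the thread or from WSO2, showing the session-cookie flow against Carbon admin services. The service paths (/services/AuthenticationAdmin, /services/UserProfileMgtService), operation names and XML namespaces are assumptions based on the usual Carbon admin service layout; confirm them against https://<host>:9443/services/<Service>?wsdl on your own server. Swapping `login_session` for the SAML2SSOAuthenticationService login is the SAML variant the answer points to; the cookie handling afterwards is the same.

```python
"""Calling WSO2 Carbon admin services with session-based or HTTP Basic auth.

Added example (not from the thread). Service paths, operation names and
namespaces below are ASSUMPTIONS; check them against the server's WSDL.
"""
import base64
import re
import urllib.request
from typing import Optional, Tuple
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_ADMIN_NS = "http://authentication.services.core.carbon.wso2.org"  # assumed
PROFILE_NS = "http://mgt.profile.user.carbon.wso2.org"                  # assumed


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for HTTP Basic auth (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def soap_envelope(namespace: str, operation: str, params: dict) -> str:
    """Build a SOAP 1.1 envelope for <operation> with one child element per param.
    Values are XML-escaped so caller-supplied input cannot inject markup."""
    body = "".join(f"<ns:{k}>{escape(str(v))}</ns:{k}>" for k, v in params.items())
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ns="{namespace}">'
        f"<soapenv:Header/><soapenv:Body><ns:{operation}>{body}</ns:{operation}>"
        f"</soapenv:Body></soapenv:Envelope>"
    )


def session_cookie_from_set_cookie(set_cookie: Optional[str]) -> Optional[str]:
    """Extract 'JSESSIONID=<value>' from a Set-Cookie header, dropping attributes."""
    m = re.match(r"\s*(JSESSIONID=[^;]+)", set_cookie or "")
    return m.group(1) if m else None


def login_succeeded(response_body: str) -> bool:
    """AuthenticationAdmin.login answers <return>true</return> on success
    (the namespace prefix on the response element varies, so it is ignored)."""
    return re.search(r"<(?:\w+:)?return>\s*true\s*</", response_body) is not None


def post_soap(url: str, operation: str, envelope: str,
              auth_header: Optional[str] = None,
              cookie: Optional[str] = None) -> Tuple[int, str, Optional[str]]:
    """POST a SOAP envelope; returns (status, body, Set-Cookie). Network call,
    not exercised offline. TLS verification stays on: the session cookie is a
    bearer credential and must not travel over an unverified connection."""
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f"urn:{operation}"}
    if auth_header:
        headers["Authorization"] = auth_header
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, data=envelope.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8"), resp.headers.get("Set-Cookie")


def login_session(base_url: str, username: str, password: str,
                  remote_address: str = "127.0.0.1") -> Optional[str]:
    """Session-based auth: log in once, keep the JSESSIONID for later calls.
    The user needs the login permission, otherwise this comes back false."""
    env = soap_envelope(AUTH_ADMIN_NS, "login",
                        {"username": username, "password": password,
                         "remoteAddress": remote_address})
    status, body, set_cookie = post_soap(f"{base_url}/services/AuthenticationAdmin", "login", env)
    if status != 200 or not login_succeeded(body):
        return None
    return session_cookie_from_set_cookie(set_cookie)


def get_user_profile(base_url: str, cookie: str, username: str,
                     profile_name: str = "default") -> Tuple[int, str]:
    """Call UserProfileMgtService.getUserProfile with the session cookie only."""
    env = soap_envelope(PROFILE_NS, "getUserProfile",
                        {"username": username, "profileName": profile_name})
    status, body, _ = post_soap(f"{base_url}/services/UserProfileMgtService",
                                "getUserProfile", env, cookie=cookie)
    return status, body


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own deployment.
    BASE = "https://wso2is.example.com:9443"
    sid = login_session(BASE, "admin", "admin")
    if sid is None:
        raise SystemExit("login failed: check credentials and the login permission")
    print(get_user_profile(BASE, sid, "alice"))
```

The unauthorized error in the question is what `login_session` returning `None` looks like from the client side; the admin service answers with a SOAP fault rather than an HTML login page, so check the fault string before assuming a network problem.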
We are using the WSO2 Identity Server SOAP API to add users. Is there a way to add a user without specifying a password in the SOAP Envelope?
Users can log in to the WSO2 Carbon management console by providing a username/password. Also, external systems can access the admin services of a Carbon server by providing a username/password.
Is there any way to extend the default authentication mechanism?
Yes. WSO2 Carbon products provide an authentication framework that can be used to extend the authentication mechanism. By default, WSO2 Carbon products ship with several authenticators. Some authenticators are only used for accessing the admin service APIs; some are only for management console login. You can find more details about the WSO2 authentication framework from here.
Following are currently available authenticators
IWA Authenticator: Once a user is logged in to the Windows server machine using Windows authentication, the user can seamlessly log in to the WSO2 Carbon management console. The WSO2 Carbon product must be configured with AD.
SAML2 SSO Authenticator: Once a user tries to access the WSO2 Carbon management console, the user is redirected to the configured IdP. The user only provides credentials to the IdP and is then able to log in to the Carbon management console seamlessly. But here, the IdP and the WSO2 Carbon product must have the same user for authorization purposes. Therefore the same user store is sometimes shared between the IdP and the Carbon products.
WebSeal Authenticator: If the user has already logged in to the WebSeal server when they try to log in to the Carbon management console, the user can log in seamlessly. But here, the IdP and the WSO2 Carbon product must have the same user for authorization purposes.
Mutual SSL : This is not used to login to management console. But this is used to access Admin service APIs of Carbon server.
For more details, check here
I am very new to WSO2 API Manager. Sometimes an application might need to call a service in another application on behalf of a user. How can we do this in WSO2 API Manager by configuring the Signed JWT Authenticator, like the Google OAuth 2.0 Authorization Server?
If the user is authenticated by SAML2 in the application, then the application can get an OAuth token using the SAML token and invoke the APIs on behalf of the user.
Check the following links for more detail:
1. http://shafreenanfar.blogspot.in/2014/02/exchanging-sml2-token-to-oauth2-token.html
2. http://pushpalankajaya.blogspot.in/2014/01/invoking-apis-using-web-app-with-oauth2.html
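The exchange the answer describes is the SAML 2.0 bearer assertion grant (RFC 7522): the application posts the assertion it received at SSO time to the OAuth2 token endpoint, authenticating itself as an OAuth client, and gets back an access token bound to that user. The following is an added example, not code from the thread or from the linked blog posts. It assumes a WSO2 IS token endpoint of the form https://<host>:9443/oauth2/token and an OAuth client (client_id/client_secret) registered for the service provider; the sample assertion is constructed for illustration and is unsigned, whereas a real one must be signed by the IdP and the IdP must be registered in WSO2 IS so the token endpoint can verify it.

```python
"""SAML2 bearer grant (RFC 7522): trade a SAML2 assertion for an OAuth2 token.

Added example (not from the thread). Endpoint layout and client registration
are ASSUMPTIONS; the sample assertion below is constructed and unsigned.
"""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://wso2is.example.com:9443/oauth2/token"  # placeholder host

# Constructed sample assertion; a real one carries the IdP's XML signature.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2016-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2016-01-01T10:05:00Z"
          Recipient="https://wso2is.example.com:9443/oauth2/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-01-01T09:59:00Z" NotOnOrAfter="2016-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wso2is.example.com:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form 2016-01-01T10:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def encode_assertion(assertion_xml: bytes) -> str:
    """base64url-encode the assertion, as RFC 7522 section 2.1 requires."""
    return base64.urlsafe_b64encode(assertion_xml).decode("ascii")


def decode_assertion_param(form_body: str) -> bytes:
    """Inverse of the encoding step, used to check what the server will receive."""
    params = dict(urllib.parse.parse_qsl(form_body))
    return base64.urlsafe_b64decode(params["assertion"])


def assertion_precheck(assertion_xml: bytes, expected_audience: str, now: datetime) -> List[str]:
    """Client-side sanity checks mirroring what the token endpoint verifies:
    bearer confirmation, audience = token endpoint, not expired. Signature
    verification is the server's job and is deliberately not attempted here."""
    root = ET.fromstring(assertion_xml)
    problems = []
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER_METHOD:
        problems.append("subject confirmation method is not bearer")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience does not include the token endpoint")
    cond = root.find("saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after is None or now >= parse_saml_time(not_after):
        problems.append("assertion has expired or has no NotOnOrAfter")
    return problems


def build_token_request(assertion_xml: bytes, client_id: str, client_secret: str,
                        scope: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Return (headers, form body) for the token endpoint POST. The client
    authenticates with HTTP Basic; the end user is carried by the assertion."""
    form = {"grant_type": SAML2_BEARER, "assertion": encode_assertion(assertion_xml)}
    if scope:
        form["scope"] = scope
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urllib.parse.urlencode(form)


def parse_token_response(body: str) -> dict:
    """Accept only a bearer access token; anything else is an error to surface."""
    data = json.loads(body)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token response: {data}")
    return data


def exchange_assertion(token_endpoint: str, assertion_xml: bytes, client_id: str,
                       client_secret: str, scope: Optional[str] = None) -> dict:
    """Perform the exchange over the network (not exercised offline)."""
    headers, body = build_token_request(assertion_xml, client_id, client_secret, scope)
    req = urllib.request.Request(token_endpoint, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode("utf-8"))
```

The precheck reproduces the three conditions that most often make the token endpoint reject an otherwise valid assertion (non-bearer confirmation, an Audience that is the SP rather than the token endpoint, and a short NotOnOrAfter that has lapsed by the time the app replays the assertion); running it locally first gives a clearer error than the generic invalid_grant the server returns.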