Using the multi-tenancy model of WSO2 Identity Server, I found out that there is a limit of 100 users per tenant (as the 101st failed to be created). Where is this limitation defined?
FYI, for convenience I'm using the "Demo" plan, as I am not required to hold multiple tenant models.
I am using the camunda spring-boot-starter and running the embedded camunda engine.
For authentication, we are using a JWT token and the user information exists in an outside database. From the Camunda docs, what I understood is that Camunda authorization, like assigning a User Task to a user, will totally depend on the Camunda database.
How should I use an outside user authenticated with an external system, for the Authorization purpose in the Camunda? Should I create a copy of the authenticated user in the Camunda Database?
As part of the authentication you can also tell Camunda which groups/roles the user belongs to. For instance as shown in this generic simple Spring Security example: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso
specifically: https://github.com/camunda-consulting/code/blob/4a609b375c6564838e85a1bde7d70e5a9951ab64/snippets/springboot-security-sso/src/main/java/com/camunda/demo/filter/webapp/SpringSecurityAuthenticationProvider.java#L35
Another mechanism uses a custom identity provider (read-only or writable) as explained here: https://docs.camunda.org/manual/latest/user-guide/process-engine/identity-service/#custom-whitelist-for-user-group-and-tenant-ids
It is correct that the default implementation is the database identity service, which uses the engine database for managing users and groups.
However, this is only the case if no alternative identity service implementation is provided. Camunda also provides an LDAP identity service for an LDAP-based user/group repository and you can of course implement your own.
Once you have an authenticated user and user group information for the user, the detailed functional permissions are linked to these groups as shown here: https://docs.camunda.org/manual/latest/webapps/admin/authorization-management/
You don't have to manage users in Camunda and/or sync them with another system. If the user's authorizations (groups, roles) should be fetched from another system, then use the SPI mentioned above. Either way you don't need to create the users in the Camunda DB. When a request comes in you may set the user and its roles on the IdentityService. In your subsequent API usage the user id and the authorization will be considered (if auth is enabled). If authorizations are disabled, then you only need the user id, not the groups/roles. If you want to provide neither and handle everything in your custom code, then you can just complete the task without the user's id (but you won't have the user info in the audit information).
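As an added example (not code from the answer or the linked repository), a servlet filter for the spring-boot-starter setup that does what the answer describes: it places the externally authenticated user id and groups on the IdentityService for the duration of one request and clears them afterwards. It assumes the JWT has already been validated upstream and that the user id and roles are exposed as request attributes named jwt.userId and jwt.roles (hypothetical names).

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.camunda.bpm.engine.IdentityService;
import org.springframework.stereotype.Component;

// Hypothetical filter: propagates an already-verified external identity into the engine
// for one request. No user or group rows are created in the Camunda database.
@Component
public class CamundaAuthenticationFilter implements Filter {

    private final IdentityService identityService;

    public CamundaAuthenticationFilter(IdentityService identityService) {
        this.identityService = identityService;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String userId = (String) request.getAttribute("jwt.userId");   // set by the JWT check (assumed)
        @SuppressWarnings("unchecked")
        List<String> groups = (List<String>) request.getAttribute("jwt.roles"); // same source (assumed)
        if (userId == null) {
            // No verified identity: leave the engine unauthenticated rather than guessing a
            // user id, so engine-side authorization (if enabled) treats the call as anonymous.
            chain.doFilter(request, response);
            return;
        }
        try {
            // The engine's authorization checks use exactly these ids; groups may be null
            // when only the user id is needed (authorizations disabled).
            identityService.setAuthentication(userId, groups);
            chain.doFilter(request, response);
        } finally {
            // The authentication is thread-local: always clear it, or a pooled thread could
            // carry this identity into the next request it serves.
            identityService.clearAuthentication();
        }
    }
}
```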
I'm using WSO2 Identity Server 5.10.0 configured to use Active Directory as the user store.
I don't have the opportunity to add custom properties to the Active Directory, so I'm facing several issues in claims configuration.
To solve the issue I was thinking of using Active Directory as the primary user store and configuring WSO2 claims to be stored in and retrieved from a secondary user store (a JDBC user store).
I configured everything I needed but I can't make it work. When I start WSO2 IS it complains because it can't find mapped claims.
More exactly I have:
system error while authenticating/authorizing user : cannot find suitable mapped attribute for local claim http://wso2.org/claims/userid
Once I solve userid it gives me other claims, until I return them all to the primary user store.
I'm wondering if my idea is feasible. If I can select where to take claims from, why do I get this kind of error?
Actually, configuring the Active Directory as the primary user store will not make any difference when it comes to attribute mappings, because all the user stores in the system should have correct mapped attributes for this meta claim set and the other claims which are marked as "Supported by Default".
The solution would be updating the mapped attributes for local claims with the correct existing attributes from your Active Directory. If you have multiple user stores, you can have different mapped attributes for each user store domain. Refer to this document for more info.
You may find a list of mandatory meta claims, for which we must have correct mappings to create users, in this document.
I just really want to understand the configuration of the identity server without a tenant and how it handles the users and their login. Please help.
Multi tenancy is introduced to logically separate data (which belong to different organizations), despite being stored with the same Identity Server and in the same database.
Say that you are handling Identities for a group of companies where the existence of Company A shouldn't be known to Company B. In this case you can consider A and B as two different tenants.
Regarding the users and login:
In WSO2 the default tenant is carbon.super and you can define your own tenants as well (i.e. abc.com, xyz.com). In the IS(Identity Server), we are storing users in the user stores (LDAP, AD, JDBC). There's a Primary user store (Defined in the user-mgt.xml file) and you can define your own secondary user stores.
When you create a secondary user store (business_users) in tenant abc.com (in any tenant) and add user John there, that user John is only available within that tenant. Also, that secondary user store business_users is not visible from any other tenant besides the one in which it has been configured.
But this PRIMARY user store (the one that is defined in the user-mgt.xml file) is visible to all the tenants. But not all the users there are shared with all the tenants. Meaning, from the xyz.com tenant, you can add user John to the PRIMARY user store. You can again add user John from tenant abc.com as well. These users will be treated as two different users throughout the server. One's existence is independent of, and unknown to, the other. The fully qualified user names of these users inside the WSO2 IS server would be John#xyz.com and John#abc.com.
Therefore, if you are performing a login to a service provider created in the xyz.com tenant, you can only log in with the users who are visible (or defined within) that tenant itself.
P.S. You can define a shared Service Provider (SaaS app) if you want users from all the tenants to be able to login to your application.
I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores and connect an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation[1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes you can add multiple user stores to Identity Server and let the applications from outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
May I use some specific configuration to connect to the LDAP so I can see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory your application could use the WSO2 IS API to access user information (with the realm prefix, such as the user identity being userstore_realm\username).
But as already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, secondary user store, ...), the user could be provisioned (imported) to the primary user store.
Though it is possible, I won't recommend this approach, as you will have duplicates out of control (e.g. when resetting the password).
I'm using WSO2 Identity Server 5.3.0 and several LDAP user stores.
I need to integrate AWS as a service provider and WSO2 IS as identity provider.
The situation is: I have lots of users stored in the user stores and some of them have specific roles that should be allowed to login to AWS service. So far I don't have the possibility to alter / update the current user stores.
That's why I'm trying to figure out a way to populate / generate / translate / calculate the value of a claim based on an already stored attribute in the user store.
I have a sort of table with the groups coming from LDAP's memberOf attribute a user could belong to and their equivalences to AWS attributes that should be stored in specific claims in order for AWS to allow that user to enter certain services.
The end user is willing to solve this situation within the WSO2 IS component without altering the stores content.
I'm wondering if the only way to do this is writing a custom User Store Manager or a custom Claim Handler [1] to deal with this particular situation, or whether there is a more standard way to accomplish this.
I will appreciate any input, thanks in advance.
[1] http://pushpalankajaya.blogspot.ca/2014/07/adding-custom-claims-to-saml-response.html
I think a Claim Handler is the right place to implement your logic. You can find a sample in https://github.com/mefarazath/CustomClaimHandler
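As an added example (not the sample linked in the answer, nor WSO2's own code), a claim handler of the kind the answer recommends, for the memberOf-to-AWS case in the question: it extends the framework's DefaultClaimHandler, looks up the user's LDAP group names in a mapping table and adds the AWS SAML Role and RoleSessionName attributes without writing anything back to the store. The group claim URI, the account id, the SAML provider name and the group-to-role table are assumed placeholders; the class and method signature are those of the IS 5.3.0 authentication framework.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;

// Hypothetical handler: derives the AWS role claim from groups the user store already returns.
public class AwsRoleClaimHandler extends DefaultClaimHandler {
    // Local claim carrying the user's LDAP group names after default mapping (assumed URI).
    private static final String GROUP_CLAIM = "http://wso2.org/claims/role";
    // Attribute names AWS expects in the SAML assertion.
    private static final String AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role";
    private static final String AWS_SESSION = "https://aws.amazon.com/SAML/Attributes/RoleSessionName";
    // Placeholders: your AWS account id and the IAM SAML provider created for WSO2 IS.
    private static final String ACCOUNT = "123456789012";
    private static final String PROVIDER = "arn:aws:iam::" + ACCOUNT + ":saml-provider/WSO2IS";
    // Constructed allow-list from LDAP group name to IAM role. Insertion order is the
    // precedence when a user is in several mapped groups: the first match wins.
    private static final Map<String, String> GROUP_TO_ROLE = new LinkedHashMap<>();
    static {
        GROUP_TO_ROLE.put("aws-readonly", "arn:aws:iam::" + ACCOUNT + ":role/ReadOnly");
        GROUP_TO_ROLE.put("aws-admins", "arn:aws:iam::" + ACCOUNT + ":role/Admin");
    }

    @Override
    public Map<String, String> handleClaimMappings(StepConfig stepConfig, AuthenticationContext context,
            Map<String, String> remoteClaims, boolean isFederatedClaims) throws FrameworkException {
        Map<String, String> claims = super.handleClaimMappings(stepConfig, context, remoteClaims, isFederatedClaims);
        String groups = claims.get(GROUP_CLAIM);
        AuthenticatedUser user = context.getSequenceConfig().getAuthenticatedUser();
        if (groups == null || user == null) {
            return claims; // no group or subject data: emit no AWS role, so AWS refuses the login
        }
        // Multi-valued claims arrive joined by the user store's MultiAttributeSeparator (',' by default).
        for (String mapped : GROUP_TO_ROLE.keySet()) {
            for (String group : groups.split(",")) {
                if (mapped.equals(group.trim())) {
                    // AWS expects "roleArn,providerArn"; the value itself contains a comma, so
                    // emitting several roles would need a separator other than ',' on the store.
                    claims.put(AWS_ROLE, GROUP_TO_ROLE.get(mapped) + "," + PROVIDER);
                    claims.put(AWS_SESSION, user.getUserName());
                    return claims;
                }
            }
        }
        return claims; // user is in no mapped group: unchanged claims, no AWS access
    }
}
```

Register the class as the ClaimHandler in application-authentication.xml, as the article linked in the question describes, and keep the mapping table as the single place where group-to-role decisions are reviewed.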