Does anyone know what the maximum tenant is supported in WSO2 Identity Server?
Thanks
Ideally there is no maximum limit. Tenant Id is stored as a int value. Therefore in theory you should be able to create upto Integer.MAX_VALUE.
I did some load test for tenant creation with WSO2 IS and was able to create about 20000 tenants without any issue.
Related
I am setting up a WSO2 Identity Server at the moment . The first step was to use the resident identity provider in super tenant and setting up service providers as SaaS applications. This worked pretty nice so far.
The bad thing about it is that (1) users need to login by identfying themselves using the username#tenantdomain schema. The next bad thing about it is, (2) that we can not configure login policies or account management policies per tenant. We only can handle it globally.
For testing reasons we modified the authenticationendpoint application to inject the tenant domain on the fly while logging in (by analyzing relyingParty parameter). This worked so far, but point (2) still remains.
Next step was to configure an IdP and SPs per tenant. For my understanding that is the way to get rid of points (1) and (2).
That is where I am completely stuck. The carbon log only mentions that we need to register the SPs in advance. I am reading various posts, jiras issues and blog entries for the last week but I still do not have a working solution. Seems to me that even though I configured the tenants resident IdP and exchanged metadata accordingly the IS still thinks we are trying to communicate with the super tenants resident IdP.
The SPs we are using are created using SimpleSAMLphp.
Maybe I missunderstood the principles of setting up IdP/SPs per tenant in WSO2 IS? Maybe I am handling the resident IdPs the wrong way?
Any help/advice is welcome.
Even though this question is old, below part from the documentation will help whoever searching for an answer.
From WSO2 Identity Server 5.0.0 onwards, there are different SAML
endpoints for each tenant. If the service provider calls the identity
provider's SAML endpoint URL as
https://is.com:9443/samlsso?tenantDomain=foo.com or the issuer name is
appended with #<TenantDomain> like travelocity.com#foo.com, the SAML
requests are directed to the foo.com tenant.
Additionally, note that when using SAML SSO with a tenant (using either of the above methods), the SAML response is signed with the private key of the particular tenant.
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass valid access token to the OAuth2TokenValidationService I am able to fill in with data OAuth2TokenValidationResponseDTO object by using the Validate method of the OAuth2TokenValidationService. As result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to the getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior and is introduced because of the change in the API in IS 5.2.0? If so is there another way to be able to get the user profile using the "username"+"tenant-domain"(that is retrieved by the OAuth2TokenValidationService as authorized user when passing valid access token).
Is it possible that this is caused because of misconfiguration? If so which is the file that needs to updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by authenticated user and it should not pass with username.
username should be tenant free username.
So, you can remove carbon.super portion from the username and then it will work.
In tenant setup, you need to authenticate with a tenant user (Ex admin#admin.com#test.net) in order to access these API. So, like in the super tenant, you can use tenant free username and then it will work.
For example, if you want to get user profile of user : testuser#admin.com in tenant domain test.net, your request should be like bellow image.
Thanks
Isura.
I would like to know whether WSO2 Identity Server supports session concurrency management? So i want configure the pre-defined maximum number of open concurrent session for each service provider. When this number was exceeded then either oldest of former session logout or no any login session has been setup.
Exist any possible ways or ideas for session authentication strategy that manage session concurrency in WSO2 Identity Server?
Cab be solved this problem with enabling authentication session persistence?
appreciate for your cooperation
There is No specific way we can track the session to support concurrent session management in such way.
AFAIK in session persistence it only persists some session but no information related to its service provider , therefore we can not limit number of concurrent sessions to be handle by a specific service provider.
To you can get some idea on this by following this guide [1]
[1] https://docs.wso2.com/display/IS510/Enabling+Authentication+Session+Persistence
I want to know if it possible to map attibutes between salesforce and wso2.
I can create my custom attributes on salesforce, but i want to map attirbutes with my WSO2 IDP configuration i.e salesforce configured as IDP within WSO2.
For eg:
If i choose to login with my salesforce account to my web app with my user of salesforce say abc#salesforce.com login must be successful only if same user exists in WSO2 IDP. Though the credentials for abc#salesforce.com user are correct w.r.t to salesforce account ,user must login only if same username exists in wso2 idp.
I tried with claim mapping but no luck.
Please suggest.
I believe the claim mapping is the correct way.
You need to define whole data path
SP claim->IdP dialect claim->user attribute->local dialect claim->SP claim
If you use a federation IdP (SF), you may want to set 'provisioning' of the user, storing their identity and attributes localy (so you can see what attributes are passed and recognized.
Have fun
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji