i am newbie to the WSO2 identity server 5.0 service pack one.
I've been so confused lately that, what is different between identity provider and an outbound authentication?
How can i usage each of them ?
if i define a custom user store authentication, when must be used a custom authentication in Authentication endpoint? what is difference and usage each of them?
Identity providers are providing identity for users to interact with a system. As an example here in wso2 identity server we can configure Facebook as an Identity Provider(IDP). By doing this we can allow users to be logged into Service Providers using facebook credentials. you can follow the blog in [1] to test Wso2 IS with facebook IDP. Otherthan facebook we can use google, Live, Yahoo, etc. as IDP with IS.
[1] http://prasadtissera.blogspot.com/2014/04/login-with-facebook-for-wso2-identity.html
Thanks
Related
Can WSO2 API Manager be used with a separate Identity Server as IdP, without sharing the database? All documentation and tutorials point to a special version of IS and sharing the database, and I'd like to avoid that.
You can configure WSO2 API Manager with an external IDP without using WSO2 IS. I think this blog will be helpful for you. In this blog, Keycloak has been used as the federated IDP for SSO.
Thanks.
Yes, you can configure IS as federated Identity Provider. This blog has steps to configure WSO2 IS as federated IdP for API Manager.
I wanted to do some POC for wso2 API manager where API Manager will expose login and registration url which will be called by UI layer but wanted to handle end user authorization and authentication
in API manager layer and don't want to handle this in database how can I do this i don't to use Identity server also.
I have gone through password grant_type tutorial and we can use this but how the authorization is going to performed?
Do we need to maintain user details in separate database or in identity server? if yes how this is going to happen.
I have gone through below questions but didn't get exact solution, please help me on this.
authorize user in wso2 api manager
wso2 api manager end-user
Thanks
how can I do this i don't to use Identity server also
By default you should be using the provided OAuth2 endpoints to authorize the users. However - the API Manager itselfs doesn't support self-registration and account verification.
I'd suggest to configure a WSO2 Identity Server as an APIM Key manager.
The WSO2IS has capability for self-registration and account verification.
The application or users will authenticate against the WSO2IS and the returned token will be valid for APIM (as the KeyManager shares the database with tokens).
The basic topology is like this:
WSO2 IS as my service provider and takes care of authorization via XACML, our existing internal IdP takes care of corporate authentication (SAML, Oauth2).
I'd like to receive a guidance about best practice how to configure an outbound Federation using the WSO2 IS as a proxy for SAML protocol. Is it correct to separate the user ID domain, by creating so a called "tenant" in order to route the SAML requests though an outgoing STS connection to an external primary IdP? Is this configured under Identity Provider - add Identity Provider - Federated Authenticators - WS Federation Passive Configuration?
Domains and Tenants?
As an example, I would like to configure an account like this. ID = falb#red.com, where the federated lookup will forward my request to the IdP responsible for the domain "#red.com". Is there any discovery, or smart routing mechanism available that is able to identify the "red.com" domain, without need of creating a tenant?
XACML Access?
In a more advanced scenario, once we have a federation between the WSO2 server and and external IDP, is a service provider, a web application server, able to dispatch a PEP request by attaching a SAML token, without use of preceding entitlement routines, like passage of login and password. Is there an entitlement routine in place that accepts SAML tokens at the PDP side and validates it though the SSO federation mechanism?
Thanks in advance for your guidance.
Regards
Claude
I’ve made a new Identity Provider and setup it’s SAML2 authentication to our Shibboleth IDP. How do I “login” using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications. Your applications can be connected with Identity Server as service providers. Then you can defined your external IDPs a trusted IDP. Each service provider, you can select multiple IDPs as out-bound authenticators. There is some blog about that uses saleforce as trusted IDP, you can go through it as well
If what you want is to login to IS using Shibboleth as IDP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's not facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I setup API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.
It is possible to authenticate users with Facebook account, google account, twitter etc... through Oauth? (In the case of a web application try to access to a protected ressource)
I understood that WSO2 Identity Server can act as an authorization server and provides its own access token but it is possible to authenticate user if facebook or google provide access token after user authorize retrieving its info?
Oauth is supported in identity server, but I doubt if it is necessary to have two of this authentication server together :) ?