I deployed WSO2 Identity Server 5.0.0 and configured it with an external LDAP. But now I need to change the domain from @carbon.super.
Ex:
carbon.super is the super tenant's domain name. You can't change that. But you can create your own tenant and give it your domain name, like api.com or similar.
All WSO2 products support multitenancy; you can create new tenants and manage tenants through the super tenant. Please have a look here.
I am using WSO2 API Manager 4.1.0 and I am trying to configure it with a custom OAuth2 authenticator to provide different users to different tenants.
By following this guide, meant for Okta, I was able to make logging in and token claim-to-role mapping work, with some adjustments to the configuration to adapt to the custom IdP. Users can successfully login with the custom IdP, are assigned roles correctly, and can act accordingly in the publisher and developer portals.
However, I cannot figure out if there is any way to assign users to any tenant other than carbon.super.
The custom IdP I am working with uses e-mail addresses as usernames and, when enable_email_domain=true in the configuration file deployment.toml, users are created in APIM with said e-mail as their names, but if that setting is false (or commented), only the part before @ is used. I thought this could be used to assign them to other tenants, but even if the e-mail domain is an existing tenant, the user is created in carbon.super.
I've noticed, when logging into carbon as admin, in the Service Providers section, under Local & Outbound Authentication Configuration for apim_devportal and apim_publisher, the Use tenant domain in local subject identifier setting. I am unsure what exactly this option entails, but checking it does not seem to change anything.
This article in the documentation talks about tenants, but does not cover this scenario.
Does anyone know how (if it's even possible) to assign a user to a specific API Manager tenant, instead of carbon.super, upon logging in via custom IdP (not Okta or Identity Server)?
Same question here. I use Keycloak as IdP and have not found a solution yet for a multitenancy schema implementation.
We are trying to use WSO2 IS 5.3 as IdP to perform SAML2 Web SSO for a multitenant SaaS app.
We’d like to host a single instance of the app, register the app as a service provider in WSO2 IS, create/manage tenants in WSO2 IS and configure different authentication means for each tenant.
In the POC we can successfully register our app as SaaS service provider and users from different tenants can login into App as soon as users are listed in the tenant’s primary or secondary user stores.
However, we cannot find info on how to configure ADFS-based authentication on a per-tenant basis (i.e. each tenant has its own IdP configured with an ADFS-based federated authenticator. When a user logs into the app, WSO2 IS, based on the customer’s domain name, would use the IdP from the corresponding tenant).
We followed this link and can set ADFS based authentication for superuser tenant and it works fine. (i.e. ADFS is configured as IdP for superuser tenant and we use Federated authentication in service provider associated with our app) ….
Question is how can we achieve the same but enable/configure ADFS based authentication on per-tenant basis?
Thank you in advance for comments/ideas !
Update:
We were able to configure ADFS on a per-customer basis (following the steps from the blog https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/ ) and used the tenantDomain parameter to differentiate between tenants during authentication.
In the final solution we made web app available to different tenants under different URLs . The app, based on the URL used to access it , would reconstruct and include tenantDomain parameter (as specified in WSO2 IS documentation ) into SAML request and that would effectively instruct WSO2 to use IdPs/auth means configured for that specific tenant for authentication
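The request side of the approach described in the update above, as an added example that is not the poster's code: the app resolves the tenant from the host it was reached on and builds the SAML2 HTTP-Redirect URL to WSO2 IS with a tenantDomain query parameter next to SAMLRequest. The host-to-tenant table, the IS endpoint, the SP entity ID and the ACS URL are hypothetical; the AuthnRequest is unsigned, and request signing would be added where your SP configuration requires it.

```python
# Added example (not from the original post): derive the WSO2 IS tenant from
# the host name the SaaS app was reached on and build the SAML2 HTTP-Redirect
# URL that carries tenantDomain alongside SAMLRequest.
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from xml.sax.saxutils import quoteattr

# Hypothetical deployment values: one host per customer, one shared IS endpoint.
HOST_TO_TENANT = {
    "abc.saas.example": "abc.com",
    "xyz.saas.example": "xyz.com",
}
IS_SSO_URL = "https://is.example:9443/samlsso"
SP_ENTITY_ID = "saas-app"
ACS_URL = "https://saas.example/saml/acs"


def tenant_for_host(host):
    """Map the request Host header to a tenant domain. Unknown hosts are
    rejected so a crafted Host header cannot steer login to an arbitrary tenant."""
    host = host.split(":", 1)[0].lower()
    if host not in HOST_TO_TENANT:
        raise ValueError("unknown host: %s" % host)
    return HOST_TO_TENANT[host]


def build_authn_request(request_id, issue_instant):
    """Minimal unsigned AuthnRequest; attribute values are XML-escaped."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID=%s Version="2.0" IssueInstant=%s '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL=%s>'
        '<saml:Issuer>%s</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ) % (quoteattr(request_id), quoteattr(issue_instant), quoteattr(ACS_URL), SP_ENTITY_ID)


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(encoded):
    """Inverse of deflate_b64, handy for inspecting what was sent."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def redirect_url_for(host, request_id=None, issue_instant=None):
    """Build the IS redirect URL for a login that arrived on `host`."""
    tenant = tenant_for_host(host)
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, issue_instant)
    parts = urlsplit(IS_SSO_URL)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("SAMLRequest", deflate_b64(xml)))
    query.append(("tenantDomain", tenant))  # what IS uses to pick the tenant's IdP config
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def query_params(url):
    """Return the query string of `url` as a dict (for inspection)."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    print(redirect_url_for("abc.saas.example"))
```

The tenant is taken from a fixed table rather than parsed out of the Host header directly, so a request carrying an unexpected Host value fails closed instead of being routed to a tenant of the attacker's choosing.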
Can anyone help me out with a guideline to configure a specific Service Provider to a specific Tenant only, i.e. exclude all tenants from accessing the specific Service Provider.
I tried creating Service Provider using the guidelines from:
https://docs.wso2.com/display/IS530/Configuring+a+Service+Provider
by the way I used oauth2 with Implicit flow.
Then I created multiple tenant domains like:
abc.com
xyz.com
I created rob under abc.com tenant and sam under xyz.com.
When I use the URL (https://localhost:9443/oauth2/authorize?response_type=token&client_id=my_client_id_was_here&redirect_uri=my_redirect_uri_was_here) to login, the login page showed up but I was ABLE to login using both rob's and sam's credentials.
What I want to do is restrict access to my service provider to users of only one specific domain/tenant.
Thanks in advance
To restrict a service provider to a specific tenant, you have to create that service provider inside that tenant. So to create an SP inside "abc.com", log into that tenant using a tenant user (rob@abc.com) and create the service provider inside it.
I have created 2 tenants in WSO2 identity server.
We need to deploy a sample application to which users belonging to both the tenants should have access to using SAML 2.0.
Please suggest how the sample application can be configured as service provider in WSO2 Identity Server to achieve this requirement.
Assuming that the above is done, we would also like to know how the application can identify which user belongs to which tenant once the login is successful. Is this some information that would be passed in the SAML response?
You can create the service provider in SaaS mode. With this configuration, service provider will be visible to all the tenants in the Identity Server. You can find how to configure a SaaS application from the documentation at [1]
If you want to return the tenant domain with the subject identifier in the saml response, you can enable 'Use tenant domain in local subject identifier' in 'Local & Outbound Authentication Configuration' of the service provider. More information is available in [2].
[1] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider#ConfiguringaServiceProvider-Addingaserviceprovider
[2] https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
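How the application can read the tenant back out of the SAML response once 'Use tenant domain in local subject identifier' is enabled, as an added example that is not the answerer's code. It assumes the subject then arrives as `username@tenantDomain` (optionally prefixed with a user store domain, `STORE/username@tenantDomain`), takes the tenant from the last `@` so e-mail style usernames still resolve, and checks the result against an allowlist of tenants the app knows. The sample response is constructed and unsigned; signature verification is assumed to have been done by your SAML library before anything here is trusted.

```python
# Added example (not from the original answer): extract the subject NameID from a
# WSO2 IS SAML Response and resolve the user's tenant. Assumes the SP has
# 'Use tenant domain in local subject identifier' enabled.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical allowlist of tenants the app has provisioned.
KNOWN_TENANTS = {"carbon.super", "abc.com", "xyz.com"}


def split_subject(subject, known_tenants=KNOWN_TENANTS):
    """Split 'rob@abc.com' or 'PRIMARY/rob@abc.com' into (username, tenant).

    The tenant is everything after the LAST '@', so an e-mail style username
    such as 'rob@mail.example@abc.com' still resolves to tenant 'abc.com'.
    A leading 'STORE/' (user store domain) is dropped."""
    if "/" in subject:
        subject = subject.split("/", 1)[1]
    if "@" not in subject:
        raise ValueError("subject carries no tenant domain: %r" % subject)
    user, tenant = subject.rsplit("@", 1)
    tenant = tenant.lower()
    if tenant not in known_tenants:
        # Also catches the case where the option is off and the username is an
        # e-mail: 'rob@mail.example' would otherwise look like tenant 'mail.example'.
        raise ValueError("unknown tenant domain %r in subject %r" % (tenant, subject))
    return user, tenant


def subject_from_response(response_xml):
    """Return the NameID text of the (single) assertion in the response."""
    root = ET.fromstring(response_xml)
    nameid = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("no NameID in response")
    return nameid.text.strip()


def tenant_of_user(response_xml):
    """(username, tenant) for the user the response is about."""
    return split_subject(subject_from_response(response_xml))


# Constructed, unsigned sample response; real ones must be signature-checked first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">rob@abc.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(tenant_of_user(SAMPLE_RESPONSE))  # ('rob', 'abc.com')
```

The allowlist is what makes the split safe: with the option disabled, a plain e-mail username would be misread as carrying a tenant, and the unknown domain then fails the lookup instead of being treated as a tenant.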
It is also necessary to put the query param for selecting the right tenant in the URL. I modified the URLs in the metadata.xml generated by WSO2 IS from something like this:
https://your-domain:9443/samlsso
to
https://your-domain:9443/samlsso?tenantDomain=tenant-name
And use this metadata.xml in the SP
Otherwise, when the SP sends the SAML message, IS will generate the log "Service Provider with the issuer 'xxx' is not registered." if your SP is not registered in the super tenant.
WSO2 IS 5.10
Can anyone give me a sample program or any blog to add, update and delete users/roles on external user store in wso2 Identity Server. I configured external ldap as apacheDS in wso2 Identity Server successfully and authenticate users also. But my problem is I am unable to add, update, and delete users/roles in external ldap using wso2 Identity Server.
I am using latest wso2 Identity Server.
Use SCIM endpoints to manage users and roles. Please go through the following article.
http://docs.wso2.org/display/IS410/WSO2+Identity+Server+as+a+SCIM+Service+Provider
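What using the SCIM endpoints for user and role management looks like from a client, as an added example that is not the answerer's code: a small client that creates, patches and deletes users and creates groups (WSO2 IS manages roles as SCIM groups), with the HTTP transport injectable so the request shaping can be exercised offline. It assumes the SCIM2 API that IS 5.x+ exposes under /scim2/ (the linked article covers the older SCIM 1.1 API under /wso2/scim/, which uses different schema URIs); the user store prefix `LDAP/` is how a user is directed into a secondary user store such as your LDAP, and the host, credentials and store name are hypothetical.

```python
# Added example (not from the original answer): minimal SCIM2 client for WSO2 IS
# user/role CRUD. Paths and schema URIs assume the SCIM2 API (/scim2/...) of
# IS 5.x+; SCIM 1.1 on older releases lives under /wso2/scim/ instead.
import base64
import json
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class ScimClient:
    def __init__(self, base_url, username, password, transport=urllib_transport):
        self.base = base_url.rstrip("/") + "/scim2"
        token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "Content-Type": "application/scim+json",
                        "Accept": "application/scim+json"}
        self.transport = transport

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode("utf-8") if payload is not None else None
        status, data = self.transport(method, self.base + path, dict(self.headers), body)
        if status >= 400:
            raise RuntimeError("SCIM %s %s failed: %s %s" % (method, path, status, data))
        return data

    def create_user(self, user_name, password, email, store="PRIMARY"):
        # 'STORE/username' places the user in that user store (e.g. the LDAP one)
        payload = {"schemas": [USER_SCHEMA],
                   "userName": "%s/%s" % (store, user_name),
                   "password": password,
                   "emails": [{"value": email, "primary": True}]}
        return self._call("POST", "/Users", payload)

    def update_user_email(self, user_id, email):
        payload = {"schemas": [PATCH_SCHEMA],
                   "Operations": [{"op": "replace",
                                   "value": {"emails": [{"value": email, "primary": True}]}}]}
        return self._call("PATCH", "/Users/" + user_id, payload)

    def delete_user(self, user_id):
        return self._call("DELETE", "/Users/" + user_id)

    def create_group(self, name, member_ids, store="PRIMARY"):
        # roles in IS are exposed as SCIM groups; same STORE/ prefix convention
        payload = {"schemas": [GROUP_SCHEMA],
                   "displayName": "%s/%s" % (store, name),
                   "members": [{"value": m} for m in member_ids]}
        return self._call("POST", "/Groups", payload)

    def delete_group(self, group_id):
        return self._call("DELETE", "/Groups/" + group_id)


class RecordingTransport:
    """Offline stand-in for urllib_transport: records each request and answers
    with canned responses of the shape IS returns (constructed, not captured)."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, json.loads(body) if body else None))
        if method == "POST":
            return 201, {"id": "1234"}
        if method == "DELETE":
            return 204, None
        return 200, {"id": url.rsplit("/", 1)[1]}


def demo():
    """Run a create / patch / add-to-group / delete sequence against the recorder."""
    t = RecordingTransport()
    c = ScimClient("https://localhost:9443", "admin", "admin", transport=t)
    uid = c.create_user("rob", "Rob!Pass123", "rob@example.com", store="LDAP")["id"]
    c.update_user_email(uid, "rob@abc.com")
    c.create_group("developers", [uid], store="LDAP")
    c.delete_user(uid)
    return t.calls


if __name__ == "__main__":
    for method, url, _, payload in demo():
        print(method, url, payload)
```

Swap `RecordingTransport` for the default `urllib_transport` to talk to a real server; IS ships with a self-signed certificate, so a lab run additionally needs its certificate in the trust store rather than disabling verification.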
You can use SCIM. Check the following blogs; they can help:
pavithramadurangi.blogspot.com
sureshatt.blogspot.com