I recently deployed WSO2 Identity Server 5.0 at our institution. Now we want to add more services, but we want to limit access by user population. Since we already have secondary user stores with these populations (Students and Employees), I was hoping to leverage them for access.
How can I restrict access to service providers based on secondary user store membership?
I have a request from users to be able to connect to my datasets and tables in BigQuery to fetch the data and manipulate it programmatically outside of GCP.
The situation now is that I created a service account with credentials to view data, and I share the JSON key of this service account with users by email.
I want to avoid users using the key inside their code.
What is the best way to secure sharing this key with them?
The best way to share your application outside Google Cloud is through Workload Identity Federation. Although creating public/private key pairs is also a secure way to use and share your user-managed service account, it can still pose a threat and security risk if not correctly managed.
Just run through this documentation and use IAM external identities to impersonate a service account to avoid any security issues with your service account keys, even without maintaining them.
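The answer's point is that a Workload Identity Federation configuration carries no long-lived secret, whereas a downloaded service-account key does. The following is an added example (not from the post above or from Google's libraries) that tells the two credential-file shapes apart before a file is handed out or loaded by a job; both sample documents are constructed and every value in them is a placeholder. It assumes the documented `type` values `service_account` and `external_account`.

```python
"""Classify a Google application-credential JSON file before it is shared
or loaded.

Added example, not from the original post. It assumes the two documented
credential file shapes: "service_account" (a long-lived private key) and
"external_account" (Workload Identity Federation, no private key). The
sample documents below are constructed; every field value is a placeholder.
"""
import json

# Constructed sample: the kind of file the question describes sharing by email.
SERVICE_ACCOUNT_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
})

# Constructed sample: a Workload Identity Federation configuration. It holds
# no secret; the caller exchanges its own external token for a short-lived one
# and then impersonates the service account.
WIF_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PLACEHOLDER/locations/global/"
                "workloadIdentityPools/PLACEHOLDER/providers/PLACEHOLDER",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url":
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "reader@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": "/var/run/secrets/external-token"},
})

# Fields whose presence means the file itself is a long-lived secret.
SECRET_FIELDS = ("private_key", "client_secret", "refresh_token")


def classify_credential(raw: str) -> dict:
    """Report the credential type and whether it embeds long-lived secret material."""
    doc = json.loads(raw)
    embedded = [f for f in SECRET_FIELDS if doc.get(f)]
    return {
        "type": doc.get("type", "unknown"),
        "long_lived_secret": bool(embedded),
        "secret_fields": embedded,
        "impersonates": doc.get("service_account_impersonation_url") is not None,
    }


def is_safe_to_distribute(raw: str) -> bool:
    """Policy: only files that carry no long-lived secret may be shared with users."""
    return not classify_credential(raw)["long_lived_secret"]


if __name__ == "__main__":
    for label, raw in (("service account key", SERVICE_ACCOUNT_KEY), ("WIF config", WIF_CONFIG)):
        print(label, classify_credential(raw), "shareable:", is_safe_to_distribute(raw))
```

Running this against the two samples flags the service-account key (it embeds `private_key`) and passes the federation configuration, which is exactly the difference the answer relies on: what you hand to users is a pointer to an exchange, not a credential.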
We are struggling to connect Azure Data Factory to Amazon Marketplace Web Services.
It seems that we have all the information required; however, we are getting the following error:
Parameter AWSAccessKeyId cannot have multiple values.
All data seems to be correct. However, we think it is strange that an Access Key Id and Secret Access Key are needed to connect to the Marketplace Web Services. Both keys come from the AWS environment, which is currently not connected to anything.
Any help is appreciated.
Kind regards,
Jens
Yes, you need an Access Key ID and Secret Key while creating the Amazon Marketplace Web Service linked service in Azure Data Factory. There should only be one Access Key assigned per user in AWS Marketplace. Apart from this, other properties are also required. Please refer to the image below for the same. Some properties are mandatory and others are not.
To allow people in your company to sign in to the AWS Marketplace Management Portal, create an IAM user for each person who needs access.
To create IAM users
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users and then choose Create New Users.
In the numbered text boxes, enter a name for each user that you want to create.
Clear the Generate an access key for each user check box and then choose Create.
You will now pass this key in the Linked Service in ADF.
Also, for better security, you can save the SecretKey in Azure Key Vault and use an Azure Key Vault Linked Service to access it. Refer to Store credentials in Azure Key Vault.
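To make the last point concrete, here is an added example (not from the answer above and not Microsoft's code) that shows the Amazon MWS linked-service definition with the secret pasted inline beside the form that references Azure Key Vault, plus a small check that reports any secret-bearing property still stored inline. The property names follow the ADF AmazonMWS connector and the AzureKeyVaultSecret reference shape; every value is a placeholder, and `AkvLinkedService` and the `mws-<property>` secret names are assumed.

```python
"""Azure Data Factory linked-service definitions for the Amazon MWS connector:
the weak form with secrets inline, beside the Key Vault-referenced form.

Added example, not from the original answer. Property names follow the ADF
AmazonMWS connector (endpoint, marketplaceID, sellerID, mwsAuthToken,
accessKeyId, secretKey) and the AzureKeyVaultSecret reference shape; all
values are placeholders, and "AkvLinkedService" is an assumed name for the
Key Vault linked service.
"""
import copy

# Properties of this connector that carry secret material.
SECRET_PROPERTIES = ("secretKey", "mwsAuthToken")

# Weak: secret material lives inside the linked-service definition itself.
INLINE_SECRET_DEFINITION = {
    "name": "AmazonMwsLinkedService",
    "properties": {
        "type": "AmazonMWS",
        "typeProperties": {
            "endpoint": "mws.amazonservices.com",
            "marketplaceID": "PLACEHOLDER_MARKETPLACE_ID",
            "sellerID": "PLACEHOLDER_SELLER_ID",
            "mwsAuthToken": {"type": "SecureString", "value": "PLACEHOLDER_AUTH_TOKEN"},
            "accessKeyId": "PLACEHOLDER_ACCESS_KEY_ID",
            "secretKey": {"type": "SecureString", "value": "PLACEHOLDER_SECRET"},
        },
    },
}


def key_vault_reference(store_name: str, secret_name: str) -> dict:
    """Build an ADF AzureKeyVaultSecret reference to a named Key Vault secret."""
    return {
        "type": "AzureKeyVaultSecret",
        "store": {"referenceName": store_name, "type": "LinkedServiceReference"},
        "secretName": secret_name,
    }


def externalize_secrets(definition: dict, store_name: str) -> dict:
    """Return a copy in which every secret-bearing property points at Key Vault.

    Secret names are assumed to follow the pattern "mws-<property>".
    """
    hardened = copy.deepcopy(definition)
    props = hardened["properties"]["typeProperties"]
    for name in SECRET_PROPERTIES:
        if name in props:
            props[name] = key_vault_reference(store_name, f"mws-{name}")
    return hardened


def inline_secrets(definition: dict) -> list:
    """Names of secret-bearing properties whose value is not a Key Vault reference."""
    props = definition["properties"]["typeProperties"]
    found = []
    for name in SECRET_PROPERTIES:
        value = props.get(name)
        if value is None:
            continue
        if not (isinstance(value, dict) and value.get("type") == "AzureKeyVaultSecret"):
            found.append(name)
    return found


if __name__ == "__main__":
    print("inline before:", inline_secrets(INLINE_SECRET_DEFINITION))
    hardened = externalize_secrets(INLINE_SECRET_DEFINITION, "AkvLinkedService")
    print("inline after:", inline_secrets(hardened))
```

The check is the useful part in practice: run it over exported linked-service JSON and anything it returns is a secret that still lives in the factory definition rather than in Key Vault.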
I am considering creating a user pool per tenant based on the recommended multi-tenant architecture (for example: https://aws.amazon.com/quickstart/saas/identity-with-cognito/).
The rest of the resources in the application are going to use pooled resources (for example: API Gateway, DynamoDB tables). I am considering the silo model just for the Cognito/auth part of the application.
Application requirements:
Subdomain per tenant, i.e. tenant1.company.com and tenant2.company.com
A user can belong to multiple tenants (for example: User A can be in tenant1 and tenant2)
Need to be able to list all users for a particular tenant
Data residency restrictions for personally identifiable information
I believe if I were to use the same Cognito user pool for all tenants, I could force users to use a different email for a new tenant, i.e. abc#tenant1.com for Tenant1 and abc+tenant2#tenant2.com for Tenant2.
But to list all users for a particular tenant, I imagine the same user pool for all tenants will not work, as tenant_id will be a custom attribute.
I could also ensure data residency restrictions by creating a user pool per tenant. However, how do I handle regional failover in this case?
Also, is subdomain per tenant supported with this approach?
I hear that a user pool per tenant is a constant pain and should be avoided. What are some of the pain points?
For my use case, does it look like I should opt for an AuthZ provider instead, like Auth0 or Authress?
Our organization has set up WSO2 API Manager 2.1, with a secondary user store binding to our organization's LDAP. We need all users from our organization to have a subscriber role by default.
We would prefer that there be no need for users to use "Self Sign Up"; additionally, "Self Sign Up" appears to create new accounts, whereas all of our accounts are already in the secondary user store.
How can we configure the system to grant the subscriber role by default?
Is there any common LDAP user group for the users? For example, users who need to log in to the store belong to group X. If so, you could assign subscriber-related permissions to that group from API Manager instead of assigning permissions to the 'everyone' role. (If you have configured the group-related LDAP queries correctly, you should be able to view them in the API Manager Carbon console; refer to https://docs.wso2.com/display/IS550/Configuring+a+Read-write+LDAP+User+Store)
We are trying to add a structure for SSO using WSO2. In WSO2 we need to create general roles and connect these roles with the service provider (please note the service provider does not have custom roles, so the connection will be at the service provider level with WSO2 general roles). In WSO2 we found a way to map SP roles to WSO2 roles, but that does not help us. The structure is in the image below:
I believe you are saying that your SP application does not persist or maintain the roles; rather, you want the WSO2 server to do so.
And you want to control authorization based on the availability of these roles for a user.
In that case, the WSO2 server has no value in, nor need to know, the permissions you've assigned to these roles. You just define all the roles you want in the WSO2 server. Then (given that you use OAuth), by using scopes (mapped against one or multiple roles) to define access levels, you can issue access tokens to the users with the relevant scopes (defining access levels) after checking the roles assigned to them.
On the resource server, it can validate the scopes of the provided access token against the Identity Server and grant or deny access to the resource.
Cheers
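The division of labour described in the answer above (roles live only in the identity server, scopes are derived from roles at token issuance, and the resource server decides on scopes alone) is shown end to end in the following added example. It is not WSO2 code: the role names, scope names, endpoint table and the plain-dict token standing in for a validated access token are all constructed for illustration, and a real resource server would take the scope claim from the Identity Server's token validation rather than from a local dict.

```python
"""Role-to-scope mapping on the identity-server side and scope enforcement
on the resource-server side.

Added example, not WSO2 code. Role names, scope names, the endpoint table and
the token format (a dict standing in for an already validated access token)
are constructed for illustration; in a real deployment the resource server
obtains the scope claim from the Identity Server's token validation.
"""

# Identity-server side: roles exist only here. Each scope lists the roles that
# are entitled to it, so one scope may map to several roles.
SCOPE_ROLES = {
    "orders:read": {"sales", "support"},
    "orders:write": {"sales"},
    "reports:read": {"finance", "sales"},
}

# Constructed role assignments; the IdP's user store would hold these.
USER_ROLES = {
    "alice": {"sales"},
    "bob": {"support"},
    "carol": set(),
}


def scopes_for(username: str, requested: set) -> set:
    """Grant only the requested scopes whose entitled roles overlap the user's roles.

    Unknown scopes map to no roles and are therefore never granted.
    """
    roles = USER_ROLES.get(username, set())
    return {s for s in requested if SCOPE_ROLES.get(s, set()) & roles}


def issue_token(username: str, requested: set) -> dict:
    """Token issuance after the role check; the token carries scopes, never roles."""
    return {"sub": username, "scope": " ".join(sorted(scopes_for(username, requested)))}


# Resource-server side: each endpoint declares the single scope it requires.
RESOURCE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("GET", "/reports"): "reports:read",
}


def authorize(token: dict, method: str, path: str) -> bool:
    """Grant or deny purely on the scope claim of the (already validated) token."""
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return False  # unknown resource: deny by default
    granted = set(token.get("scope", "").split())
    return required in granted


if __name__ == "__main__":
    wanted = {"orders:read", "orders:write", "reports:read", "admin"}
    for user in USER_ROLES:
        token = issue_token(user, wanted)
        decisions = {f"{m} {p}": authorize(token, m, p) for (m, p) in RESOURCE_SCOPES}
        print(user, token["scope"] or "(no scopes)", decisions)
```

Note that the resource server has no copy of `SCOPE_ROLES` or `USER_ROLES`: if a role's meaning changes, only the scope mapping in the identity server changes, and the resource server keeps checking the same scope names.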