WSO2IS multiple users store - wso2-identity-server

Is it possible to set a Service Provider to use a specific user store?
E.g.: I have a secondary user store, foo.com, that uses JDBC, and another secondary user store, foo.net, that uses LDAP.
I have two service providers. I want the first SP, called mobile, to use the foo.com user store only to authenticate via OAuth2, and the other SP, foo.net, to use the foo.net user store.
Is that possible?
Thank you.

This is really what I want to know. Multi-tenancy is a solution. Make these two service providers belong to different tenants. Then the service providers can use different user stores.
However, I think there should be other solutions.

For authentication functionality you don't have to bind a Service Provider to a specific user store. In the mobile application scenario it will recursively go through all user stores and the user will be authenticated against the foo.com user store. In order to provide a comprehensive answer, can you please provide the protocols you are using in both service providers, e.g. OAuth and SAML in the first SP and SAML and SCIM in the second SP?

Related

How do I manage google groups and modify user attributes without domain wide delegation?

I want to give GSAs direct access to modify Google users. I can't find current docs on this, so I'm assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin G Suite user
create a GSA with domain-wide auth with these scopes:
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
    # create_directory_service() is my own helper that builds the Admin SDK
    # Directory API client while impersonating the given G Suite user
    service = create_directory_service("G SUITE USER")
    service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain-wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turn on the Admin SDK API (which allows the service account to provision/manage the users), and authorize it.
The Service Account created can then be used to provision/manage the G Suite users; here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes, it is possible to manage users too, by using Service Accounts, not just groups.

How to use WSO2 identity server without a tenant?

I just really want to understand the configuration of the identity server without a tenant and how it handles the users and their login. Please help.
Multi tenancy is introduced to logically separate data (which belong to different organizations), despite being stored with the same Identity Server and in the same database.
Say that you are handling Identities for a group of companies where the existence of Company A shouldn't be known to Company B. In this case you can consider A and B as two different tenants.
Regarding the users and login:
In WSO2 the default tenant is carbon.super and you can define your own tenants as well (e.g. abc.com, xyz.com). In the IS (Identity Server), we store users in the user stores (LDAP, AD, JDBC). There's a PRIMARY user store (defined in the user-mgt.xml file) and you can define your own secondary user stores.
When you create a secondary user store (business_users) in tenant abc.com (in any tenant) and add user John there, that user John is only available within that tenant. Also, that secondary user store business_users is not visible from any other tenant besides the one in which it has been configured.
But this PRIMARY user store (the one defined in the user-mgt.xml file) is visible to all the tenants. However, not all the users there are shared with all the tenants. This means that from the xyz.com tenant you can add user John to the PRIMARY user store, and you can again add user John from tenant abc.com as well. These users will be treated as two different users throughout the server. One's existence is independent of, and unknown to, the other. The fully qualified user names of these users inside the WSO2 IS server would be John#xyz.com and John#abc.com.
Therefore, if you are performing a login to a service provider created in the xyz.com tenant, you can only log in with the users who are visible in (or defined within) that tenant itself.
P.S. You can define a shared Service Provider (SaaS app) if you want users from all the tenants to be able to log in to your application.

How to map one social account to several user account with django-allauth

I need to map one social account (created on a Django server with django-oauth-toolkit) to several different logins in a Django website. I already managed to connect and the server passes all allowed accounts so that the client connects as one of them.
I'd like to add the possibility to prompt for the choice of which of the accounts should be used. I'm currently connecting the user in the pre_social_login method of the account adapter.
The only idea I have is to persist in the session the available accounts and redirect to a page to select the preferred one. I'd like to understand if there's a better way.
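One way to implement the idea in the question (session-persisted candidates plus a redirect to a chooser), as an added example that is not part of the original post. It assumes django-allauth; SESSION_KEY, the "choose-account" URL name and the candidate_users() hook are assumptions, and the security point is that the chooser accepts only an account the server actually offered.

```python
# Added example (not from the question). The pure helpers keep the list of
# allowed local accounts server-side so a tampered form value cannot select an
# account that was never offered; the mixin interrupts allauth's login flow.
SESSION_KEY = "social_login_candidates"  # assumed session key name


def stash_candidates(session, candidate_user_ids):
    """Persist the ids of the local accounts this social identity may use."""
    session[SESSION_KEY] = sorted({int(uid) for uid in candidate_user_ids})


def pick_candidate(session, chosen_id):
    """Return the chosen user id if this session offered it, else None.

    The server-side list is the source of truth: an id that was never offered
    (or a non-numeric value) is rejected, and the list is consumed on success
    so the same choice cannot be replayed later in the session.
    """
    candidates = session.get(SESSION_KEY, [])
    try:
        chosen = int(chosen_id)
    except (TypeError, ValueError):
        return None
    if chosen not in candidates:
        return None
    del session[SESSION_KEY]
    return chosen


class AccountChooserMixin:
    """Mix in before the adapter, e.g.
    class Adapter(AccountChooserMixin, DefaultSocialAccountAdapter): ..."""

    def candidate_users(self, sociallogin):
        """Override with your own lookup of the local users allowed for this
        social account (the question's server already provides that list)."""
        raise NotImplementedError

    def pre_social_login(self, request, sociallogin):
        # Imports stay inside the hook so the helpers above import without a
        # configured Django project.
        from allauth.exceptions import ImmediateHttpResponse
        from django.shortcuts import redirect

        if sociallogin.is_existing:
            return  # already linked to exactly one local user
        users = list(self.candidate_users(sociallogin))
        if len(users) <= 1:
            return  # nothing to choose; allauth's default handling applies
        stash_candidates(request.session, [u.pk for u in users])
        # Keep the pending login so the chooser view can resume it later via
        # SocialLogin.deserialize() followed by sociallogin.connect(request, user).
        request.session["pending_social_login"] = sociallogin.serialize()
        raise ImmediateHttpResponse(redirect("choose-account"))
```

The chooser view reads the submitted id through pick_candidate(); on a non-None result it deserializes the pending login, connects it to that user and completes the login, otherwise it re-renders the chooser.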

WSO2 IS Secondary userstore from ldap explorer

I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores when connecting an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation [1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes, you can add multiple user stores to Identity Server and let the applications outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
May I use some specific configuration to connect to the LDAP so that I can see the whole set of users?
Multiple user stores are completely separate: their own users, realm name, etc. In theory, your application could use the WSO2 IS API to access user information (with the realm prefix, such that the user identity is userstore_realm\username).
But as already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, secondary user store, ...), the user could be provisioned (imported) into the primary user store.
Though it is possible, I wouldn't recommend this approach, as you will have duplicates out of control (e.g. when resetting the password).

Django-Socialauth - How to associate multiple authentication providers to a single user account

Django-Social in its feature list claims that it supports associating multiple authentication providers to a single user account.
I can't seem to figure out how to use that feature.
When I try to login using a new authentication provider it automatically seems to be creating a new account for each provider.
Any ideas?
Sarvi
Take a look at django-social-auth; it's simpler and easier to set up than Django-Socialauth.
Multiple account association is supported but limited to logged-in users, to avoid the decision of which user instance must be removed.
it supports associating multiple authentication providers to a single user account
By looking at the code for models.py here, socialauth has a UserProfile for each provider, associating them with the User object which you use for basic authentication. So indeed, what it claims is true.
It can be done manually through admin once you have logged in with multiple accounts. Then the Socialauth models for the accounts can be adjusted to point at the User they are required to, and multiple accounts can point to the same user.
But I have not had a good enough look to work out how to let users do this automatically for themselves. It does not work out of the box if you sign in to another account while already signed in to an existing account.