Q: How to reset roles in WSO2 Identity Server? - wso2

I have a primary LDAP user store pointing to Active Directory in user-mgt.xml. When I initially set it up I set the <AdminRole> setting to "everyone" as I was testing the configuration. Later, I switched this to a new AD group / role. I then went in and was reviewing the role permissions. The new role had all permissions but the "internal/everyone" role still had full admin permissions as well. I removed the permissions from internal/everyone and now I cannot sign in on the Identity Server web interface with any account. How do I reset the roles so I can sign in and only my AdminRole group has full admin access?

The problem was due to two missing properties from the default read-only LDAP sample in user-mgt.xml when using Active Directory. Adding these two lines and restarting the server resolved the issue:
<Property name="BackLinksEnabled">true</Property>
<Property name="MemberOfAttribute">memberOf</Property>
This was mentioned in the post: WSO2 -> Active Directory -> user - role mapping
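The following is an added example, not code from the WSO2 project or from the original post. It models how a read-only LDAP user store turns Active Directory group membership into roles and permissions, to show why the lockout in the question happens: once internal/everyone loses the login permission, only users whose AD group resolves to the AdminRole can log in, and if group resolution yields nothing (modelled here as back links enabled without the memberOf attribute mapped), nobody can. The directory entries, user and group names, the permission string and the dataclass fields are constructed assumptions; only the property names BackLinksEnabled and MemberOfAttribute come from the answer above.

```python
"""Added example (not WSO2 code): role resolution from AD group membership and
its effect on who can log in. All directory data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory. AD keeps a memberOf back link on each user that
# mirrors the member attribute on the groups the user belongs to.
ALICE_DN = "CN=alice,OU=Users,DC=example,DC=com"
BOB_DN = "CN=bob,OU=Users,DC=example,DC=com"
ADMIN_GROUP_DN = "CN=IS-Admins,OU=Groups,DC=example,DC=com"
STAFF_GROUP_DN = "CN=Staff,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    ALICE_DN: {"objectClass": ["user"], "memberOf": [ADMIN_GROUP_DN, STAFF_GROUP_DN]},
    BOB_DN: {"objectClass": ["user"], "memberOf": [STAFF_GROUP_DN]},
    ADMIN_GROUP_DN: {"objectClass": ["group"], "cn": "IS-Admins", "member": [ALICE_DN]},
    STAFF_GROUP_DN: {"objectClass": ["group"], "cn": "Staff", "member": [ALICE_DN, BOB_DN]},
}

LOGIN_PERMISSION = "/permission/admin/login"  # constructed permission path for the example


@dataclass
class UserStoreConfig:
    """Subset of user-mgt.xml properties that matter for role resolution (assumed names)."""
    back_links_enabled: bool = False           # <Property name="BackLinksEnabled">
    member_of_attribute: Optional[str] = None  # <Property name="MemberOfAttribute">
    membership_attribute: str = "member"       # attribute on the group entry
    group_name_attribute: str = "cn"           # attribute used as the role name


def resolve_roles(user_dn, cfg, directory=DIRECTORY):
    """Return the group names (roles) of user_dn under the given configuration."""
    if cfg.back_links_enabled:
        # Back-link mode reads the user's memberOf attribute. If that attribute
        # name is not configured there is nothing to read, so the user gets no roles.
        if not cfg.member_of_attribute:
            return []
        group_dns = directory.get(user_dn, {}).get(cfg.member_of_attribute, [])
        return sorted(directory[g][cfg.group_name_attribute] for g in group_dns if g in directory)
    # Forward mode: search every group entry for (member=<user DN>).
    return sorted(e[cfg.group_name_attribute] for e in directory.values()
                  if "group" in e["objectClass"] and user_dn in e.get(cfg.membership_attribute, []))


def effective_permissions(user_dn, cfg, role_permissions):
    """Union of internal/everyone's permissions and those of every resolved role."""
    perms = set(role_permissions.get("internal/everyone", ()))
    for role in resolve_roles(user_dn, cfg):
        perms |= set(role_permissions.get(role, ()))
    return perms


def can_log_in(user_dn, cfg, role_permissions):
    return LOGIN_PERMISSION in effective_permissions(user_dn, cfg, role_permissions)


def lockout_scenario():
    """Walk through the states described in the question; returns (alice, bob) login results."""
    admin_role = "IS-Admins"
    before = {"internal/everyone": {LOGIN_PERMISSION}, admin_role: {LOGIN_PERMISSION}}
    after = {admin_role: {LOGIN_PERMISSION}}  # login permission removed from internal/everyone
    broken = UserStoreConfig(back_links_enabled=True)  # MemberOfAttribute not mapped
    fixed = UserStoreConfig(back_links_enabled=True, member_of_attribute="memberOf")
    return {
        "everyone_has_login": (can_log_in(ALICE_DN, broken, before), can_log_in(BOB_DN, broken, before)),
        "after_removal_broken_cfg": (can_log_in(ALICE_DN, broken, after), can_log_in(BOB_DN, broken, after)),
        "after_removal_fixed_cfg": (can_log_in(ALICE_DN, fixed, after), can_log_in(BOB_DN, fixed, after)),
    }


if __name__ == "__main__":
    for state, (alice, bob) in lockout_scenario().items():
        print(f"{state}: alice={alice} bob={bob}")
```

The middle state is the one the question describes: the everyone role no longer grants login, and because no AD group resolves to a role, even the intended administrators are shut out. The practical check before removing permissions from internal/everyone is therefore to confirm that the AdminRole group actually appears in the role list of at least one account.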

Related

Group Based Administrators can't see Service Provider configurations

Our installation of WSO2 Identity Server 5.7.1 has multiple service providers configured. The built-in admin set all of these up. We defined a group in the user-mgt.xml that is in the Primary store that has admins. These admins can sign in as Administrators, but they cannot see the Service Providers configured by the built-in administrator account. How can the other administrators see all the Service Provider configurations?
There is a corresponding role for each SP. The users in that role can view and update the SP. By default, only the owner of the SP is assigned to that role. But you can add others to it so that they also get access to the SP.

Single sign on wso2

I use single sign-on with Shibboleth and Identity Server. I always seem to run into authorization issues when logging in. When I add login permissions to the internal/everyone role, users can log in, but I don't want all users to log in. So I have a secondary user store added and only want specific roles to be allowed to log in. No matter what permissions I add to the roles it doesn't do anything for single sign-on. Do I have to add role mapping to the Service Providers or the Identity Provider? I tried many things, and it's always a problem I run into.
Under user-mgt.xml I changed this tag to true.
<Property name="GetAllRolesOfUserEnabled">true</Property>
Change this tag in the APIM and gateways where I have my secondary user store connected. If your APIM is checking permissions remotely you can change the tag in the Identity Server.

how to customize the privileges to edit entitlement policies based on the role in admin UI?

I wanted to give privileges to a few users to edit a few entitlement policies in WSO2 Identity Server. Is it possible to do?
You can control users' permission to manage entitlement policies, but it cannot be applied per policy in the default WSO2 Identity Server.
In the WSO2 Identity Server management console, you can add a role with appropriate permissions for managing entitlement policies. Click on 'Add' under 'Users and Roles' and select 'Add New Role'. Give a role name and click Next to get the permission tree. You can select the permissions as shown below.

WSO2 Identity Server not able to see SAML SSO option under Manage

I installed WSO2 Identity Server and logged in using admin/admin, but under the home pane, I am not able to see the SAML SSO and OAuth entries under the Manage category. Any help will be appreciated. Thanks
Did you try to log in as "admin", create a new role and check the list of permission settings visible under this role (see the permissions icon)? A tree with checkboxes should be visible defining the permission level for each role, thereby defining the permissions inherited by the account. Once the role is defined, create a user account and add it to this role. Log out and log in with the new administrator user ID and hopefully you will see all options on the menu.

Q: How often is an LDAP user store refreshed in WSO2 Identity Server?

I am using WSO2 Identity Server 5.0.0. I have setup a primary read-only LDAP connection in user-mgt.xml. I created a new group on the LDAP server to assign permissions in the Roles section. The new group is not listed. How long does it take to refresh the LDAP groups and is there a way to force a refresh?
Normally LDAP groups are read on demand when they are listed in the UI. If you have more than 1000 groups in the LDAP, then not all of the groups will be listed in the UI.
If you mean the roles shown under Users, that is, the roles assigned to the users: yes, there is a cache in WSO2 IS called userRoleCache which caches the roles for a given user. This cache is refreshed after 15 min. Currently you cannot configure this timeout value. If you want, you can completely disable the cache using the following user store manager property (in the user-mgt.xml file):
<Property name="UserRolesCacheEnabled">false</Property> <!-- false disables the per-user role cache -->
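As an added example that is not code from WSO2 or from the answer above, the block below models a per-user role cache with a fixed 15-minute TTL, like the userRoleCache just described, to make the security consequence concrete: a role revoked in the directory (an administrator removed from the admin group) keeps being reported by the cache until the entry expires, while a disabled cache sees the change on the next lookup. The class, the injectable clock, the group data and the user names are constructed assumptions; only the 15-minute value and the enable/disable switch come from the answer.

```python
"""Added example (not WSO2 code): a per-user role cache with a 15-minute TTL,
showing the revocation latency it introduces. All data below is constructed."""
import time

USER_ROLES_CACHE_TTL = 15 * 60  # seconds; the answer says this value is not configurable


class UserRoleCache:
    """Caches each user's role list until the TTL elapses; bypassed when disabled."""

    def __init__(self, enabled=True, ttl=USER_ROLES_CACHE_TTL, clock=time.monotonic):
        self.enabled = enabled
        self.ttl = ttl
        self.clock = clock          # injectable so the expiry can be driven in tests
        self._entries = {}          # user -> (stored_at, roles)

    def get_roles(self, user, fetch_from_directory):
        if not self.enabled:
            return fetch_from_directory(user)
        entry = self._entries.get(user)
        now = self.clock()
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]         # still fresh: the directory is not consulted
        roles = fetch_from_directory(user)
        self._entries[user] = (now, roles)
        return roles


class FakeClock:
    """Manual clock so the example can jump to just before and at the TTL boundary."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def fetch_roles(user, groups):
    """Constructed directory lookup: group name -> set of member user names."""
    return sorted(name for name, members in groups.items() if user in members)


def revocation_timeline(cache_enabled=True):
    """Revoke alice's admin group and record when lookups stop reporting it."""
    clock = FakeClock()
    cache = UserRoleCache(enabled=cache_enabled, clock=clock)
    groups = {"IS-Admins": {"alice"}, "Staff": {"alice", "bob"}}  # constructed directory

    def lookup(user):
        return fetch_roles(user, groups)

    seen = {}
    seen["t0_admin"] = "IS-Admins" in cache.get_roles("alice", lookup)
    groups["IS-Admins"].discard("alice")  # admin revoked in the directory at t=0
    seen["after_revoke_admin"] = "IS-Admins" in cache.get_roles("alice", lookup)
    clock.advance(14 * 60 + 59)
    seen["t14m59_admin"] = "IS-Admins" in cache.get_roles("alice", lookup)
    clock.advance(1)                      # reaches the 15-minute TTL
    seen["t15m_admin"] = "IS-Admins" in cache.get_roles("alice", lookup)
    return seen


if __name__ == "__main__":
    print("cache enabled :", revocation_timeline(True))
    print("cache disabled:", revocation_timeline(False))
```

With the cache enabled the revoked administrator is still reported as IS-Admins for the full window and drops out only when the entry expires; with it disabled every lookup goes to the directory and the revocation is visible immediately, at the cost of an LDAP query per role check. That is the trade-off to weigh before leaving UserRolesCacheEnabled at its default.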