A few days ago, I started to work with WSO2 Identity Server in my project as an authorization server in my architecture, I found that it can be interfaced with an external data source like LDAP, then I can use the enterprise LDAP instead re-create all users and roles in WSO2 IS.
My question is about authentication on WSO2 IS, when the user authenticates on WSO2 IS and approves access normally this is done by HTTPS protocol.
I don't know if it's possible to use another authentication protocol like Kerberos or Radius to connect to WSO2 IS?
by default the WSO2 IS on the frontend supports OAuth 2.0, SAML 2.0, OpenID and WS-Trust STS protocol. They are indeed all based on the HTTPS. Next to that you may use Kerberos KDC.
For Kerberos configuration you may check this article. http://wso2.com/library/articles/2012/07/kerberos-authentication-using-wso2-products/
g.
WSO2IS has the kerberos support [1]. But it doesn't support RADIUS yet.
[1] https://docs.wso2.com/display/IS500/Kerberos+Security
Related
Does WSO2 Identity Server has api for session management?
I have an app with SAML SSO.
What I would like to achieve is to check if for given saml token there is an active session.
Validity of the SAML token has nothing to do with validity of the user session.
In theory - when user does "logout", the identity server should execute SLO (single logout), however based on our experience with WSO2IS 5.0.0 it works only for limited number of options.
Since version 5.2.0 there's OpenID Connect Session Management implemented using iframes, see http://malithiedirisinghe.blogspot.be/2016/03/openid-connect-session-management.html
But generally - you will have hard time to synchronize session between multiple service providers and WSO2 IS. With the claim based authentication (SAML, OAuth 2.0) the sessions between the IdP and SP are independent. (the only option I've see when the IdP is working as the pass-through-proxy for backend SP, but that's not what WSO2IS is intended for)
In version WSO2IS 5.3.0 there should be "user session management" implemented, but I haven't worked with that yet (managing session for WSO2IS, not external SPs)
Seems like it does, you should investigate the documentation here and here, those links were provided by a WSO2 team member to me or ask directly to your local WSO2 office.
I am new to this wso2 evaluating wso2,
I am using Identity Server I have web application , want to apply web SSO feature using WSo2, I had check there are soap web service present in wso2 for UserAdmin,
https://server-info:9443/services/UserAdmin.UserAdminHttpsSoap12Endpoint/ using soap client for test , for dev have to write java client for request
but did not find any web services related WEB SSO for example I require authentication web service which will accept Username/password return some token information and using that token I can store in session for single sign out
Is there any web service/ API in wso2 provide authentication? or what is best approach for implement SSO using wso2 for web applications.
Thanks
If you are looking for SSO with WSO2IS, WSO2IS supports several standard ways to achieve it. They are,
SAML2 SSO
OpenId Connect
OpenId
Passive STS (for windows based applications)
From above, most popular way is to use SAML2 SSO or Openid connect. Your web application also must support to talk with WSO2IS using above standards. Say, if you need to achieve SSO using SAML2 SSO. You application needs to send the SAML2 Request and process the SAML2 Response in standard way as mentioned in SAML2 SSO spec. You can find a sample web application that has been implemented to work with WSO2IS from here. This blog contains all configuration details that you need to do in WSO2IS side as well. You can even use the sample web application with other SAML2 IDP as sample web application is talking in standard way. Also. if you are looking for Openid connect, you can find another sample web application from here with config details. I hope this would be a good starting points for you.
I'm trying to achieve SSO among different application. The applications are:
API Manager 1.7.0 Store
API Manager 1.7.0 Publisher
Liferay 6.2
I managed to configure Liferay to login through Identity Server Openid and to configure API Manager to login through Identity Server generated SAML Token as detailed in API Manager documentation.
The SSO is working well between api store and api publisher.
The problem is that I can't achieve SSO between Liferay and API Manager. If I login to liferay with openID and I open the store or publisher URL the user is asked for username and password again.
How can I configure the IS to implement the desired scenario?
Thanks, Paolo
Are you using IS 5.0.0 version? Normally it would create a same session for all the login in IS 5.0.0 version. it means, if you login with OpenID, SAML2 or OAuth2, it does not matter, IS creates a common session for given user. Normally it should not ask the password again. If it is asked, it can be a bug. Can you just check whether there is a cookie called commonauthid in the browser? If you are using some older version of IS, you can enable the this property <AcceptOpenIDLogin>false</AcceptOpenIDLogin> in identity.xml file
Does anyone know if the WSO2 Identity Server exposes a web service endpoint/URI to which I can send XACML requests via HTTP(S)? I am aware that they provide an API for doing this, but I have a situation where I can't use that, but I can do HTTP requests.
Thanks,
Jim
P.S. For the record, I think I've found my answer, mostly deduced from this page:
http://wso2.com/library/articles/2013/11/fine-grained-xacml-authoriation-with-pip-points/
That page tells how to enable WSO2 to unhide the WSDL for the EntitlementService web service.
Yes, you can enable the entitlement service wsdl and call it from external systems according to your requirement to send requests. By default this admin service is disabled. You can read more about it at PDP PEP Communication – how WSO2 Identity Server defines
I am experimenting with WSO2 API Manager and would like to integrate the embedded WSO2 Identity Server with our institutions existing CAS framework. Is it possible to have the WSO2 Identity Server redirect logins to our CAS login page and use the CAS ticket in place of username/password?
This explains how to use WSO2 IS as identity server for WSO2 products such as WSO2 AS, ESB etc.
You can configure your CAS instead of WSO2 IS in the very much similar way.