I am very new to wso2. I try to integrate wso2 identity server 5.0 with an external ldap. I configured it according to this : https://docs.wso2.com/display/IS500/Configuring+a+Read-only+LDAP+User+Store
At the end of the link, it says that try to sign in with admin user but how can I authenticate an another user which is available in LDAP? Is it possible to login to the identity server with another ldap user (other than admin).
Thanks
according the configuration how it is described, a new user 'admin' with 'admin' role is added after startup. I assume you want to log on another user. You should be able to authenticate other users as well for other service providers (applications), but not in the management console. For that the admin role is required.
What you can try is to use the 'dashboard' application ( https://your-is-server-hostname:9443/dashboard/ )
Have fun
g.
Since you are configuring a read-only LDAP as the primary user store,
The user that should have admin permissions is required to be stored in the user store when you start the system for the first time. After that you have to give the login permission for all users in the LDAP user store. Login permission defined under admin permissions, which allows users to login to the management console.
Configure----->Users and Roles----->Roles----->Select "Permissions" of "Internal/everyone" or "Internal/your configured application" that you would like to give the permission.
Select "Login".
Update.
For the more details you can refer [1].
[1] https://docs.wso2.com/display/IS500/Role-based+Permissions
Related
Following the documentation, registered an application with Accounts in any organizational directory. The Tenant where the application resides is in "Default Directory" and has only one user, tiagomartinsperes#gmail.com. Also, the app has user assignment (as pointed out here) set to No
After, created another Tenant (different directory) and invited the external user me#tiagoperes.eu. That's the user I'm getting troubles logging into the previously created app.
Then, enable the OAuth2 support using social_core.backends.azuread.AzureADOAuth2 (from here).
As I try to authenticate now, it works well with tiagomartinsperes#gmail.com but with me#tiagoperes.eu gives the following error
Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'a9a22676-8a1c-4297-95d3-8cd89553220e' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
The problem is the URL the user is redirected to. According to the docs, multi-tenant applications should redirect to https://login.microsoftonline.com/organizations.
As we see in the Python Social Auth AzureADOAuth2 class, the BASE_URL is
BASE_URL = "https://{authority_host}/{tenant_id}"
Since authority_host = "https://login.microsoftonline.com/" and tenant_id="common", we'd get the wrong url.
Changing that and signing in with the same user and now I get a request to add the permissions
Reported that issue here too.
We're integrating our asp.net MVC client with WSO2's Identity Server v5.8.0.
Below are the steps we've followed:
1) Created a Service provider for our MVC application & configured Inbound authentication with OAuth/OpenID configuration, also configured Inbound provisioning with primary user store.
2) In our MVC application, we've set up a WSO2 configuration using OWIN's WSO2 NuGet package with the generated client-id & client-secret from the service provider.
3) We've configured MongoDB as our primary user store.
Now we're trying to add a user using SCIM2 API (https://localhost:9443/scim2/Users). Below is the response we're getting:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Cannot add user through scim to user store . SCIM is not enabled for user store WSO2.COM","status":"500"}
I've even changed below config in user-mgt.xml
<Property name="SCIMEnabled">true</Property>
What else do we need to configure? Is there any other way to add user in WSO2 Identity server apart from using SCIM APIs?
It seems like you are having two user stores the primary user store and a secondary user store named wso2.com. By adding the
<Property name="SCIMEnabled">true</Property>
To the user-mgt.xml you are enabling SCIM2 to the primary user store. Not the secondary user store. But from the API you are adding the user to the secondary user store. Since you havent enabled SCIM in the secondary user store you are getting this error. You have two options.
1) Add the user to PRIMARY user store
By analyzing the error that you are getting the user name of the user that you are trying to add should be some thing like
WSO2.COM/Abhishek
Change this to
Abhishek
2) Enable SCIM2 in the secondary user store
Log in to the management console and click list in User Stores sub menu under identity menu.
The User Store Management page opens. There should be a user store named WSO2.COM
Click on edit. Click on advanced tick the enable scim
Reference: https://docs.wso2.com/display/IS580/Using+the+SCIM+2.0+REST+APIs
I had migrated one user from source wso2 (4.6.0) to target wso2(5.5.0) using insert query in below tables only.
1. UM_USER (The Table contains users username, password etc.)
2. UM_USER_ATRIBUTES (The Table contains user attributes like sn, giveName etc.)
We have using wso2 manage user credential only(user add/delete) that's why we had directly inserted user details
in above tables instead of follows the complete migration step.
we have successfully creating token for migrated user base on password grant_type but unable to login in wso2 admin console using the same credential.
In order to create access tokens, the user doesn't need to have login permission. But in order to log in to management console & dashboard, the particular user should have login permission. Please assign login permission to the user and then login to management console.
We have the WSO2 API Manager deployed and working, although we are unable to figure out an issue about users addition. We want to add the users via the management console (Carbon) and after being added we want the user to receive an email saying that his/her account was successfully created.
Although there is documentation for a workflow extension when the user signs up, we were unable to find any documentation regarding the matter we've pointed out, is this possible to achieve via the API Manager or with some kind workflow extension?
Thanks in advance!
EDIT: We are using WSO2 API Manager 1.10.0.
If your requirement is to create a user through the management console and allow the created user to define a password, you can configure APIM server to support 'Ask password from user' feature. (In this feature, APIM server administration can create a user through the management console and provide the email address of the user, so that user can set the password through the redirection URL provided in the email). To configure 'Ask password from user' feature follow the instructions given in https://docs.wso2.com/display/IS510/Creating+Users+Using+the+Ask+Password+Option.
If you want the APIM server administrator to set the username and password through the APIM management console and only send a notification to the user that his/her account is created successfully, then you have to write a custom component, because this is not supported by default.
I am using Facebook Ad Api to create ads. How ever when i grant a user Administrator Role (1001) with the following api call:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users?role=1001&uid=xxxxx
it successfully creates the user, and when i get all the users using the following request:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users
it successfully returns the array as:
"{"data":[{"name":"firstname lastname","permissions":[1,2,3,4,5,7],"role":1001,"id":"101xxxxxxxxxx352"}}"
but when i try to create an Ad campaign or Adset with the newly added user the following exception is thrown:
[FacebookAds\Http\Exception\AuthorizationException]
(#272) This Ads API call requires the user to be admin of the application. User 16xxxxx351 not admin or developer for application 109xxxxxxxx0403.
And when i go to my app and assign the user with an Administrator or Developer Role, I can make requests successfully.
Why is facebook not allowing a user created with administrator role from the api not make api calls to its Ad Api ? And why does it allow when the user is granted Administrator/Developer role make requests ?
This is because the objects you can promote are not based upon an adaccount but are based upon your user.
You can see the connection objects a user has access to by make the following request:
<API_VERSION>/act_<AD_ACCOUNT_ID>/connectionobjects?access_token=<ACCESS_TOKEN>
The documentation states:
this call returns the IDs of all objects for which the current session
user is an administrator, and the IDs of apps for which the user is
listed as a developer or advertiser.
If you don't want to make additional administrators for your app, you can create system user in Facebook Business Manager, grant him administrator (or even advertiser) rights for Ad Account.
https://developers.facebook.com/docs/marketing-api/business-manager-api
And use his token to manage ads. In my case I used it to retrieve targeting of ads, to find where leads came to lead form from.
https://www.facebook.com/marketingdevelopers/videos/vb.606699326111137/883648801749520/