How to add a tenant remotely in WSO2 Identity Server? - wso2

I am new to WSO2 Identity Server and I'm using the APIs from UserStoreManager. I want to let a super admin be able to add a tenant remotely, but I cannot seem to find an addTenant API. Also, I want to make an admin/user of one tenant be added as an admin/user of another tenant instead of creating a new username every time. I cannot figure out how to do so. What is the correct way to go forward with this? TIA!

For your first requirement you can use the registerTenant method in the TenantMgtService Web Service.
The second requirement is not supported out of the box. It can be achieved by having a flat user structure in the LDAP. The flat user structure will be as follows: all the users of all tenants will be in a single OU called Users. A tenant OU will only have Groups (which are roles in the sense of Carbon Servers).
dc=WSO2,dc=ORG
|--OU=Users
| |--admin
| |--user1
| |--user2
| |...
|--OU=Groups
|--OU=tenantone.org
| |--OU=Groups
| | |...
| ...
|
|
For the above you will have to write your own Tenant Manager, Realm Configuration Builder and User Store Manager.

How do I manage google groups and modify user attributes without domain wide delegation?

I want to give GSAs direct access to modify Google users. I can't find current docs on this, so I'm assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin G Suite user
create a GSA with domain-wide auth with these scopes:
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
service = create_directory_service("G SUITE USER")
service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turn on the Admin SDK API (which allows the service account to provision/manage the users), and authorize it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.

D365FO import AAD users using API

I'm trying to find a way to import Azure AD users to Dynamics 365 Finance & Operations (D365FO).
It is possible to get all system users using this endpoint (like using Postman):
/data/SystemUsers
However, I am not sure how a new user could be imported from Azure AD. If I go to the D365FO UI I can do this using System administration -> Users -> Import users, and there is an option to add users from AAD. Is there a way to do the same using the API? Looking through the web was not very helpful so far.
So here is the answer if someone is looking for the same - it is not possible.
If you work with SystemUsers using API - you can only select D365FO users.
At the same time there is an 'AccountType' attribute which tells D365 F&O what account type it is.
It can be Claims User, Claims Group, AD User or AD Group. Types starting with 'Claims' point to Azure objects, while 'AD' types point to AD.
So when you create a new user and select 'ClaimsUser' as the account type, D365F&O knows that this is an Azure user and does the mapping.
That sounds a bit 'magical', however this is how it works.

Is there a way to get list of Tenant objects on the client side?

I want to extend the user account association in the dashboard Jaggery module of WSO2 Identity Server 5.1 and want to display all tenants in a select combo box when creating a new association by associated user authentication.
I would like to know whether there is any possible solution by which I can extract all tenants into an array of Tenant objects (Tenant[]) by calling web service stub methods from a web client such as a Jaggery file.
I appreciate your cooperation.
You can use retrieveTenants() of TenantMgtAdminService (the WSDL is at https://localhost:9443/services/TenantMgtAdminService?wsdl), which will give an array of TenantInfoBean.
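The retrieveTenants() reply mentioned above, parsed into plain Python dicts so it can feed a tenant select box. This is an added example, not code from the page or from WSO2: the SOAP reply is constructed here, the element names follow TenantInfoBean, and the namespace URIs are assumptions. Admin services require admin credentials, so the call itself belongs in server-side code, never in the browser.

```python
# Added example (not from the page): turn the SOAP reply of
# TenantMgtAdminService.retrieveTenants() into plain dicts. Element names follow
# TenantInfoBean; the namespace URIs and the reply itself are constructed/assumed.
import xml.etree.ElementTree as ET

# Constructed sample reply: one active tenant, one deactivated tenant
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
 <ns:retrieveTenantsResponse xmlns:ns="http://services.mgt.tenant.carbon.wso2.org"
   xmlns:ax="http://beans.common.stratos.carbon.wso2.org/xsd">
  <ns:return><ax:active>true</ax:active><ax:admin>admin</ax:admin>
   <ax:tenantDomain>tenantone.org</ax:tenantDomain><ax:tenantId>1</ax:tenantId></ns:return>
  <ns:return><ax:active>false</ax:active><ax:admin>admin</ax:admin>
   <ax:tenantDomain>tenanttwo.org</ax:tenantDomain><ax:tenantId>2</ax:tenantId></ns:return>
 </ns:retrieveTenantsResponse>
</soapenv:Body>
</soapenv:Envelope>"""


def _local(tag):
    """Strip the namespace so the parser works whatever prefix/URI the server uses."""
    return tag.rsplit("}", 1)[-1]


def parse_tenants(xml_text, active_only=False):
    """Return one dict per TenantInfoBean found in a retrieveTenantsResponse."""
    tenants = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "return":
            continue
        t = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "tenantDomain" not in t:  # xsi:nil <return/> when no tenants exist
            continue
        t["active"] = t.get("active", "false").lower() == "true"
        t["tenantId"] = int(t.get("tenantId", "0"))
        if active_only and not t["active"]:
            continue
        tenants.append(t)
    return tenants


def tenant_domains(xml_text, active_only=True):
    """Values for the association select box; deactivated tenants are hidden by default."""
    return [t["tenantDomain"] for t in parse_tenants(xml_text, active_only)]
```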

WSO2IS multiple user stores

Is it possible to set a Service Provider to use a specific user store?
Ex.: I have a secondary user store, foo.com, that uses JDBC, and another secondary user store, foo.net, that uses LDAP.
I have two service providers. I want the first SP, called mobile, to use the foo.com user store only to authenticate via OAuth2, and the other SP, foo.net, to use the foo.net user store.
Is that possible?
Thank you.
This is really what I want to know. Multiple tenants is a solution. Make these two service providers belong to different tenants. Then the service providers can use different user stores.
However, I think there should be other solutions.
For the authentication functionality you don't have to bind a Service Provider to a specific User Store. In the mobile application scenario it will recursively go through all user stores and the user will be authenticated against the foo.com user store. In order to provide a comprehensive answer, can you please provide the protocols you are using in both service providers, like in the first SP OAuth, SAML and in the second SP SAML, SCIM.

Add new user into Wso2 CEP into H2 database

I need to add a new user in WSO2 CEP (3.1.0) and I know that it is possible by "clicking" through a few steps in the console (example from documentation). I wonder if it is possible to add a new user without logging into the console, but by connecting to the H2 database and inserting the user there?
I know that a new user is saved into the "UM_USER" table.
Maybe someone knows what class writes the user into H2, how the password is encrypted and what "UM_SALT_VALUE" is and why I need it?
If all you want is to manage users programmatically, a better way than trying to modify the H2 DB is to do it through the relevant admin service. This way you don't have to bother about the underlying user store or the salt values used for hashing passwords, etc.
In Carbon-based products, most of the configurations done through the web console can be done programmatically by calling the relevant admin web service, such as user management, adding/managing deployment artifacts etc.
So for your use case, you can use the User Management admin service at:
https://localhost:9443/services/UserAdmin?wsdl
Note that in order to access this WSDL, you should make the admin service WSDLs visible by editing <CEP>/repository/conf/carbon.xml and restarting the server.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
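The admin-service route recommended above, as an added example that is not the page's or WSO2's own code: it builds the SOAP request for the UserAdmin service's addUser operation and posts it with HTTP Basic auth over verified TLS. The operation and parameter names (userName, password, roles, profileName) and the namespace URI are assumptions based on the Axis2 admin-service convention; the endpoint URL is the page's WSDL URL without the ?wsdl suffix.

```python
# Added example (not from the page): create a user through the UserAdmin admin
# service instead of inserting into UM_USER. Operation/parameter names and the
# namespace URI are ASSUMPTIONS (Axis2 admin-service convention), not page facts.
import base64
import ssl
import urllib.request
from xml.sax.saxutils import escape

USER_ADMIN_URL = "https://localhost:9443/services/UserAdmin"  # page WSDL URL minus ?wsdl
NS = "http://org.apache.axis2/xsd"  # assumed operation namespace


def add_user_envelope(user_name, password, roles=(), profile_name="default"):
    """SOAP 1.1 body for UserAdmin.addUser; Axis2 encodes arrays as repeated elements.
    Values are XML-escaped so a password containing <, > or & cannot break the body."""
    roles_xml = "".join(f"<ser:roles>{escape(r)}</ser:roles>" for r in roles)
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:ser="{NS}">'
        "<soapenv:Body><ser:addUser>"
        f"<ser:userName>{escape(user_name)}</ser:userName>"
        f"<ser:password>{escape(password)}</ser:password>"
        f"{roles_xml}"
        f"<ser:profileName>{escape(profile_name)}</ser:profileName>"
        "</ser:addUser></soapenv:Body></soapenv:Envelope>"
    )


def send_admin_request(envelope, admin_user, admin_pass, action="urn:addUser",
                       cafile=None, url=USER_ADMIN_URL):
    """POST the envelope with Basic auth. The server certificate is verified against
    cafile (export the Carbon server cert and pass its path); verification is never
    disabled, because the admin password travels in the Authorization header."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(
        url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": action,
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode("utf-8")
```

HideAdminServiceWSDLs only controls whether the WSDL documents are served; the service endpoint itself answers either way, so the request above works with the WSDL hidden.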