SAML and OpenID SSO with WSO2 Identity server - wso2

I'm trying to achieve SSO among different application. The applications are:
API Manager 1.7.0 Store
API Manager 1.7.0 Publisher
Liferay 6.2
I managed to configure Liferay to login through Identity Server Openid and to configure API Manager to login through Identity Server generated SAML Token as detailed in API Manager documentation.
The SSO is working well between api store and api publisher.
The problem is that I can't achieve SSO between Liferay and API Manager. If I login to liferay with openID and I open the store or publisher URL the user is asked for username and password again.
How can I configure the IS to implement the desired scenario?
Thanks, Paolo

Are you using IS 5.0.0 version? Normally it would create a same session for all the login in IS 5.0.0 version. it means, if you login with OpenID, SAML2 or OAuth2, it does not matter, IS creates a common session for given user. Normally it should not ask the password again. If it is asked, it can be a bug. Can you just check whether there is a cookie called commonauthid in the browser? If you are using some older version of IS, you can enable the this property <AcceptOpenIDLogin>false</AcceptOpenIDLogin> in identity.xml file

Related

WSO2 API Manager(wso2am-4.1.0) - Customize Login Pages for Developer Portal and Publisher

I'm trying to customize the login pages for the dev portal and publisher and I'm referring to the below documentation.
https://apim.docs.wso2.com/en/latest/reference/customize-product/customizations/customizing-login-pages-for-dev-portal-and-publisher/
The 1st step tells to download the Identity Server and in the 2nd step, it says to start up the server using api-manager.sh which could be a mistake.
However, I have the following questions related to the scenario.
In order to customize the login pages in APIM, should I start up the IS as a key manager as well?
Can't we customize the login pages just by using the JSP files readily available in the authentication endpoint in APIM?
I guess the documentation should be updated. You can use the existing jsp files in the authentication endpoint if you use OAuth2/OpenID. If you are using SAML, then you have to use WSO2 IS as the IDP with WSO2 API Manager.
Some samples can be found in [1].
By default API Manager uses OAuth2/OpenID. You can do the service provider configurations in API Manager. OAuth2/OpenID and SAML use the jsp files used in the authentication endpoint.
[1] - https://github.com/wso2/samples-is/tree/master/re-branding-the-default-login-page

WSO2 Identity Server 5.0.0 Api for session management

Does WSO2 Identity Server has api for session management?
I have an app with SAML SSO.
What I would like to achieve is to check if for given saml token there is an active session.
Validity of the SAML token has nothing to do with validity of the user session.
In theory - when user does "logout", the identity server should execute SLO (single logout), however based on our experience with WSO2IS 5.0.0 it works only for limited number of options.
Since version 5.2.0 there's OpenID Connect Session Management implemented using iframes, see http://malithiedirisinghe.blogspot.be/2016/03/openid-connect-session-management.html
But generally - you will have hard time to synchronize session between multiple service providers and WSO2 IS. With the claim based authentication (SAML, OAuth 2.0) the sessions between the IdP and SP are independent. (the only option I've see when the IdP is working as the pass-through-proxy for backend SP, but that's not what WSO2IS is intended for)
In version WSO2IS 5.3.0 there should be "user session management" implemented, but I haven't worked with that yet (managing session for WSO2IS, not external SPs)
Seems like it does, you should investigate the documentation here and here, those links were provided by a WSO2 team member to me or ask directly to your local WSO2 office.

WSO2 API Manager end user registration from Mobile(Android and iOS) Application using google or facebook sign-in

We are using WSO2 API Manager 1.10 and WSO2 Identity server 5.1.0 for managing back end REST APIs which will be consumed by Android and iOS application.For a end user(Mobile App user) to access the APIs exposed,process followed is:-
1.User registers to WSO2 IS server using WSO2 SCIM create user API.
2.User request for access token which will be used for accessing the APIs.
We are planning to add Google and facebook sign in feature in our Mobile app which will help end user avoid user creation in WSO2 IS. Does WSO2 API Manager support this sort of implementation? if so,what are the cofiguration changes we need to do to our current setup?
You can achieve this using identity federation. IS will act as key manager as well as it can federate the authentication to facebook/google.
you can find how facebook can be configured to get access token in this blog[1]. Similarly you can add google for federation[2]
[1] http://nuwanzone.blogspot.com/2015/10/getting-access-tokens-for-wso2-api.html
[2] https://docs.wso2.com/display/IS510/Configuring+Google

How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?

How to integrate WSO2 am 1.10.0 with PingFederate SAML 2.0? Any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the mojority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even if I have logged into applications and subscriptions and can create applications from /store UI.
I can confirm that this can be done without adding a separate wso2 IS server into the picture. I fixed several issues (Cannot generate keys, cannot publish APIs, etc..) by: What I did to fix the issue was to 1) add admin user inside ApiKeyValidaor in api-manager.xml also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
Reason is my server certificate only recorded the domain name, not ip address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer [2] for configuring SAML SSO Federated authenticator in general
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO

is there any web service present for authnetication using wso2

I am new to this wso2 evaluating wso2,
I am using Identity Server I have web application , want to apply web SSO feature using WSo2, I had check there are soap web service present in wso2 for UserAdmin,
https://server-info:9443/services/UserAdmin.UserAdminHttpsSoap12Endpoint/ using soap client for test , for dev have to write java client for request
but did not find any web services related WEB SSO for example I require authentication web service which will accept Username/password return some token information and using that token I can store in session for single sign out
Is there any web service/ API in wso2 provide authentication? or what is best approach for implement SSO using wso2 for web applications.
Thanks
If you are looking for SSO with WSO2IS, WSO2IS supports several standard ways to achieve it. They are,
SAML2 SSO
OpenId Connect
OpenId
Passive STS (for windows based applications)
From above, most popular way is to use SAML2 SSO or Openid connect. Your web application also must support to talk with WSO2IS using above standards. Say, if you need to achieve SSO using SAML2 SSO. You application needs to send the SAML2 Request and process the SAML2 Response in standard way as mentioned in SAML2 SSO spec. You can find a sample web application that has been implemented to work with WSO2IS from here. This blog contains all configuration details that you need to do in WSO2IS side as well. You can even use the sample web application with other SAML2 IDP as sample web application is talking in standard way. Also. if you are looking for Openid connect, you can find another sample web application from here with config details. I hope this would be a good starting points for you.