I am trying to understand how SSO works in WSO2 EMM. I am looking through the directory structure of the source code and found that there are 2 different SSO folders. What are the purposes of each of these 2 folders?
(1) [WSO2EMM HOME]/modules/sso
(2) [WSO2EMM HOME]/repository/deployment/server/jaggeryapps/sso
In (1) I can see the functions to handle SAML requests/response but isn't this handled by the individual jaggeryapps?
If you need to handle the SAML request then you can use [WSO2EMM HOME]/modules/sso.
other folder is used to Login function.
Related
I'm trying to customize the login pages for the dev portal and publisher and I'm referring to the below documentation.
https://apim.docs.wso2.com/en/latest/reference/customize-product/customizations/customizing-login-pages-for-dev-portal-and-publisher/
The 1st step tells to download the Identity Server and in the 2nd step, it says to start up the server using api-manager.sh which could be a mistake.
However, I have the following questions related to the scenario.
In order to customize the login pages in APIM, should I start up the IS as a key manager as well?
Can't we customize the login pages just by using the JSP files readily available in the authentication endpoint in APIM?
I guess the documentation should be updated. You can use the existing jsp files in the authentication endpoint if you use OAuth2/OpenID. If you are using SAML, then you have to use WSO2 IS as the IDP with WSO2 API Manager.
Some samples can be found in [1].
By default API Manager uses OAuth2/OpenID. You can do the service provider configurations in API Manager. OAuth2/OpenID and SAML use the jsp files used in the authentication endpoint.
[1] - https://github.com/wso2/samples-is/tree/master/re-branding-the-default-login-page
I am setting up a WSO2 Identity Server at the moment . The first step was to use the resident identity provider in super tenant and setting up service providers as SaaS applications. This worked pretty nice so far.
The bad thing about it is that (1) users need to login by identfying themselves using the username#tenantdomain schema. The next bad thing about it is, (2) that we can not configure login policies or account management policies per tenant. We only can handle it globally.
For testing reasons we modified the authenticationendpoint application to inject the tenant domain on the fly while logging in (by analyzing relyingParty parameter). This worked so far, but point (2) still remains.
Next step was to configure an IdP and SPs per tenant. For my understanding that is the way to get rid of points (1) and (2).
That is where I am completely stuck. The carbon log only mentions that we need to register the SPs in advance. I am reading various posts, jiras issues and blog entries for the last week but I still do not have a working solution. Seems to me that even though I configured the tenants resident IdP and exchanged metadata accordingly the IS still thinks we are trying to communicate with the super tenants resident IdP.
The SPs we are using are created using SimpleSAMLphp.
Maybe I missunderstood the principles of setting up IdP/SPs per tenant in WSO2 IS? Maybe I am handling the resident IdPs the wrong way?
Any help/advice is welcome.
Even though this question is old, below part from the documentation will help whoever searching for an answer.
From WSO2 Identity Server 5.0.0 onwards, there are different SAML
endpoints for each tenant. If the service provider calls the identity
provider's SAML endpoint URL as
https://is.com:9443/samlsso?tenantDomain=foo.com or the issuer name is
appended with #<TenantDomain> like travelocity.com#foo.com, the SAML
requests are directed to the foo.com tenant.
Additionally, note that when using SAML SSO with a tenant (using either of the above methods), the SAML response is signed with the private key of the particular tenant.
We want to use WSO2 as IAM framwork for our Internal and external applications.
We have below 3 main requirements.
WSO2 should be able to Authenticate user using LDAP (Active
Directory for Internal Employees ) or other data source for external
users.
We want to configure API access level in WSO2 example : ROLE based Authorization (or Policy based ) where we can configure who can access which
web API with Http verb.
We should be able dynamically add/update/delete users , update Authorization policies/ roles through WSO2 API.
Please let me know if this is out of box supported in community edition or we have to buy any licenses for the same.
Note: I have installed the server and playing around as well.
Yes these requirements are possible with WSO2 IS (Product stack)
You can easily plug an existing LDAP user store to WSO2 IS. (https://docs.wso2.com/display/IS530/Configuring+a+Read-write+LDAP+User+Store)
I am not 100% clear about what you are asking here. But if you are talking about IS APIs (Which specified in point number 3) you can do them solely with IS by little customization or else you can use WSO2 ESB with entitlement mediator to add XACML policies.
There are SOAP admin services(Non standard but able to update authorization polices etc) and REST services. (Standard SCIM 2.0 for user operations)
https://docs.wso2.com/display/IS530/Calling+Admin+Services
https://docs.wso2.com/display/IS530/SCIM+1.1+APIs
How to integrate WSO2 am 1.10.0 with PingFederate SAML 2.0? Any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the mojority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even if I have logged into applications and subscriptions and can create applications from /store UI.
I can confirm that this can be done without adding a separate wso2 IS server into the picture. I fixed several issues (Cannot generate keys, cannot publish APIs, etc..) by: What I did to fix the issue was to 1) add admin user inside ApiKeyValidaor in api-manager.xml also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
Reason is my server certificate only recorded the domain name, not ip address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer [2] for configuring SAML SSO Federated authenticator in general
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO
I've created a simple API and I'm trying to publish it using WSO2's API Publisher (aka API Cloud). I've gone through all the steps, but it seems to require an Authorization header to access my endpoint. In older documentation, it says that I can change the "Auth Type" at the resource level.
https://docs.wso2.com/display/AM160/API+Resources
However, this option doesn't seem to be there in the current version. I tried to make it so the Authorization header was not required. Unfortunately, I still get the following error:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900902</ams:code>
<ams:message>Missing Credentials</ams:message>
<ams:description>Required OAuth credentials not provided</ams:description>
</ams:fault>
Is it possible to disable authentication for my API? I don't need it at this point in my project.
The document you have referred is from APIM 1.6. From APIM 1.7, the APIM team changed the API creation process to a 3-step process. It involves API Design, Implement and Manage. I think you have experienced this by now. In the Manage section, at the very bottom, it lists down the available resources of the API, their auth type, allowed tier and the scope allowed.
Default auth type is application & application user. If you click on that, you will get a drop down where you will see "None" as an option. If you set the auth type as none, you will be able to invoke the API without providing the OAuth token.
See the following screenshot where I have selected different Auth types when creating an API.
Open the configuration related to your API in ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and remove the following part.
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>