WSO2 Identity Server Access Control based on SAML/XACML - web-services

I need to secure a SOAP web service (based on Axis2) with this configuration:
Client tries to consume the service
Client is redirected to an authentication server for authentication
If the client authenticates properly, the Authentication Server gives the client a SAML token with its attributes (basically a role)
There is a XACML policy (a client can use an operation provided by the web service only if it has a proper role) which is evaluated based on the role included in the SAML token.
So I have thought about using WSO2 Identity Server coupled with Rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest how?

You can either go with WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depending on the nature of your application (web browser based or not), you can pick either of the above methods. You can get user roles from the SAML Response.
However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username, read the user roles from LDAP/userstore and do the validation.

Related

How to implement OAuth2 authorization with WSO2 API Manager

I have created and published an API with WSO2 API Manager. API clients get access through OAuth2 and the client credentials grant, sending the consumer key and consumer secret to request an access token. But now I need to implement authorization by means of the authorization code grant. I have to use the client_id and client_secret of WSO2 APIM and the user login form of my backend application, not the WSO2 APIM user.
Can anybody tell if it is possible and how it can be implemented?
The documentation of WSO2 does not describe this flow and all the examples I have found describe the authorization process (OAuth2, authorization_code) only for a user of WSO2 APIM.
now I need to implement authorization by means of authorization code grant.
I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.
If you want to use your own (application) authentication form, the simplest option is to leverage the password grant type, where your application sends the token request along with the application and user credentials through a backend service.
Using the code grant you are supposed to use the authorization endpoint https://gateway:8243/authorize with the parameters described in the documentation, and indeed the default login form is used when the user is not yet authenticated.
(I still have an urge to downvote the question for not searching the documentation.)
If you still want to use the code grant type with your own authentication form, you may either customize the default logon form of the WSO2 API gateway or customize an authenticator to use the form of your application (this is a quite advanced topic requiring your own implementation and configuration, and is out of scope of the question/answer).
You have 2 options here without any customizations.
1) If your backend has a userstore, it can be configured as a secondary userstore for APIM. Then you can use any user in that userstore for authentication.
See https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores
2) If the above option is not possible, and if your backend IdP supports any federation SSO protocols such as SAML2 or OIDC, you can configure federation using WSO2 IS.
See https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation

WSO2 API Manager authentication through single page app

I am new to WSO2 API Manager. I have installed it to proxy my REST endpoints and to do access management via OAuth2.
Great! I managed to get access to my backend REST implementation through the OAuth2 process of API Manager (via the API console). Now I want to set up the complete roundtrip, starting from a user authentication process where identity is verified with corresponding roles. So...
Next I want to create a single page app and bring in an authentication step, by either redirecting the user to a login page (authentication service) or letting the user interact with the single page app directly and letting the single page app do the login to some authentication service.
Question:
Can I use the Key Manager component of the API Manager to handle user authentication (oAuth2 based) or do I need to install the WSO2 Identity Server to handle the authentication?
I see that WSO2 API Manager can host Users and Roles, a User Store and an endpoint to handle (authz) token requests, but can it also handle a login (authentication) request from my single app?
You can use APIM with the OAuth2 authorization code grant type. See this sample in the Identity Server docs, but use the APIM endpoints below instead of the IS endpoints.
https://localhost:8243/authorize
https://localhost:8243/token

How to call wso2 IS web service when using SAML2 SSO authentication

I am trying to call the WSO2 IS web service (i.e. getUserProfile) from the service provider when we are using SAML2 SSO authentication, but I am getting unauthorized access.
Do we get any token that can be used to call the web service after the initial authentication, without passing the credentials or cookies?
This might be a permission problem. Make sure you have enabled the login permission for the particular user.
Admin services are secured using common types of security protocols such as HTTP basic authentication, WS-Security username token, and session based authentication.
You can use SAML2SSOAuthenticationService.
Please refer to the sample How to get a session cookie from a webapp which uses SAML SSO

WSO2 Identity / Setup of Federated Authentication using SAML

The basic topology is like this:
WSO2 IS is my service provider and takes care of authorization via XACML; our existing internal IdP takes care of corporate authentication (SAML, OAuth2).
I'd like to receive guidance about the best practice for configuring outbound federation using WSO2 IS as a proxy for the SAML protocol. Is it correct to separate the user ID domain by creating a so-called "tenant" in order to route the SAML requests through an outgoing STS connection to an external primary IdP? Is this configured under Identity Provider - add Identity Provider - Federated Authenticators - WS Federation Passive Configuration?
Domains and Tenants?
As an example, I would like to configure an account like this. ID = falb#red.com, where the federated lookup will forward my request to the IdP responsible for the domain "#red.com". Is there any discovery, or smart routing mechanism available that is able to identify the "red.com" domain, without need of creating a tenant?
XACML Access?
In a more advanced scenario, once we have a federation between the WSO2 server and an external IdP, is a service provider (a web application server) able to dispatch a PEP request by attaching a SAML token, without the use of preceding entitlement routines, like passage of login and password? Is there an entitlement routine in place that accepts SAML tokens at the PDP side and validates them through the SSO federation mechanism?
Thanks in advance for your guidance.
Regards
Claude

Spring WS Security WSS4J with SAML from WSO2

Earlier I was under the assumption that WSS4J is not compatible with SAML, but as I see this http://jaminhitchcock.blogspot.in/2014/05/creating-and-validating-saml-assertions.html , I hope to give it a try. But I want to use an Identity Provider (WSO2) to generate the SAML token. So I should be able to configure WSS4J with a SecurityPolicy.xml file which verifies the token from the Identity Provider. Please let me know where I can start looking for it?
Thanks
There are two ways that you can generate SAML tokens with Identity Server.
Use Identity Server as SAML2 SSO IDP that implements SAML2 SSO web browser based profile.
Use Identity Server as STS (Security Token Server) with WS-Trust specification.
I think it is more likely that you are hoping to use Identity Server as STS. With STS, Identity Server provides a web service to retrieve SAML tokens. This STS web service can be secured with a WS-Security mechanism by default. As an example, you can secure the STS service with a username token. Then the client needs to send the RST request with a username token. Once the user is authenticated, the client will receive a SAML token. I think you can find some information about the STS service here