I may have a stupid question concerning WSO2 and SAML attributes.
I have written a Service Provider which makes it possible to log in via WSO2.
With the login response / authentication response, I get all SAML attributes which are defined in WSO2 as claims (the attributes come from Active Directory).
Once logged in, the SAML attributes of the logged-in user can be retrieved from WSO2 once again with an "org.opensaml.saml2.core.AuthnRequest", for any reason.
This all works fine.
Now, I would need attributes of other persons (not the logged-in one) in the Active Directory.
Therefore my question would be whether it is possible to retrieve attributes of persons other than the logged-in one from Active Directory via WSO2 and SAML, without those other persons logging in?
The reason is that I have different AD groups (each contains different person information) and I want to show the attributes of those persons in my Service Provider.
Thanks a lot for your answers and help.
All the best and thanks.
Yes, you can do that. You can use the SOAP service https://host:port/services/RemoteUserStoreManagerService
HideAdminServiceWSDLs must be set to false - thanks a lot!!
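As an added example (not code from the posts above or from WSO2), here is how a Service Provider can call the RemoteUserStoreManagerService admin service named in the answer to list the members of an AD group (exposed by the user store as a role) and read each member's claims, without those users logging in. The SOAP namespace, the operation names getUserListOfRole and getUserClaimValues, the SOAPAction values and the Axis2 layout of the responses are written from memory of the service's WSDL and must be checked against the WSDL your server publishes once HideAdminServiceWSDLs is false; the endpoint host, service account, truststore file, group name and the three sample responses are constructed for illustration. Two practitioner caveats: HideAdminServiceWSDLs only hides the WSDL documents, the endpoints keep answering, and the same service exposes write operations such as addUser, so the SP should authenticate with a dedicated read-only account rather than admin.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Assumed endpoint (adjust host/port) and the admin service's namespace.
SERVICE_URL = "https://localhost:9443/services/RemoteUserStoreManagerService"
UM_NS = "http://service.ws.um.carbon.wso2.org"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("ser", UM_NS)


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def build_envelope(operation, **params):
    """Wrap one admin-service operation and its parameters (in WSDL order) in a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{UM_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{UM_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def build_get_user_list_of_role(role_name):
    return build_envelope("getUserListOfRole", roleName=role_name)


def build_get_user_claim_values(user_name, profile_name="default"):
    return build_envelope("getUserClaimValues", userName=user_name, profileName=profile_name)


def _raise_on_fault(root):
    """Admin services report errors (e.g. UserNotFound) as SOAP faults, not as empty results."""
    for el in root.iter():
        if _local(el.tag) == "Fault":
            msg = next((c.text for c in el.iter() if _local(c.tag) == "faultstring"), "unknown")
            raise RuntimeError(f"SOAP fault from admin service: {msg}")


def parse_user_list(xml_text):
    """getUserListOfRoleResponse carries one <return> element per user name."""
    root = ET.fromstring(xml_text)
    _raise_on_fault(root)
    return [el.text for el in root.iter() if _local(el.tag) == "return" and el.text]


def parse_claim_values(xml_text):
    """getUserClaimValuesResponse carries one <return> per claim holding <claimUri> and <value>."""
    root = ET.fromstring(xml_text)
    _raise_on_fault(root)
    claims = {}
    for ret in (el for el in root.iter() if _local(el.tag) == "return"):
        fields = {_local(c.tag): c.text for c in ret}
        if fields.get("claimUri"):
            claims[fields["claimUri"]] = fields.get("value")
    return claims


def call_admin_service(envelope, operation, user, password, ctx=None):
    """POST the envelope with HTTP Basic auth. Use a dedicated read-only service account,
    not 'admin': the same endpoint also exposes addUser/deleteUser/updateCredential."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        SERVICE_URL, data=envelope.encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f"urn:{operation}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample responses in the Axis2 layout the parsers expect.
SAMPLE_ROLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><ns:getUserListOfRoleResponse xmlns:ns="http://service.ws.um.carbon.wso2.org">
  <ns:return>alice</ns:return><ns:return>bob</ns:return>
 </ns:getUserListOfRoleResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_CLAIMS_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><ns:getUserClaimValuesResponse xmlns:ns="http://service.ws.um.carbon.wso2.org"
   xmlns:ax="http://common.mgt.user.carbon.wso2.org/xsd">
  <ns:return><ax:claimUri>http://wso2.org/claims/emailaddress</ax:claimUri><ax:value>bob@example.com</ax:value></ns:return>
  <ns:return><ax:claimUri>http://wso2.org/claims/givenname</ax:claimUri><ax:value>Bob</ax:value></ns:return>
 </ns:getUserClaimValuesResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_FAULT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>
  <faultstring>UserNotFound: User carol does not exist in: PRIMARY</faultstring>
 </soapenv:Fault></soapenv:Body></soapenv:Envelope>"""


if __name__ == "__main__":
    # Live use against an IS instance; the truststore PEM and service account are assumed.
    ctx = ssl.create_default_context(cafile="wso2carbon.pem")
    creds = ("sp-directory-reader", "change-me")
    for user in parse_user_list(call_admin_service(
            build_get_user_list_of_role("Sales"), "getUserListOfRole", *creds, ctx)):
        print(user, parse_claim_values(call_admin_service(
            build_get_user_claim_values(user), "getUserClaimValues", *creds, ctx)))
```

The TLS context is built from the server's own certificate exported to a PEM file rather than by disabling verification: the SP is about to send a password to this endpoint, so it must be sure who is on the other end.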
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a Load Balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so-called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService, I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to getUserProfile:
"admin@admin.com@carbon.super" as username
"default" as profileName
And as a result I receive the following message:
UserNotFound: User admin@admin.com@carbon.super does not exist in: PRIMARY
If I remove the "@carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case that I might have the following users:
admin@admin.com@test.net
admin@admin.com@test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this the desired behavior, and was it introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using the "username"+"tenant-domain" (that is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by a misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin@admin.com@test.net) in order to access these APIs. So, like in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of the user testuser@admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.
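The answer's rule, written out as an added example (not code from the question, the answer or WSO2): the authorizedUser string that comes back from token validation is split on its last "@" into the tenant-free username and the tenant domain, and the tenant domain is used only to choose which account the admin-service call authenticates as, never passed inside the username parameter. Because the user part may itself be an e-mail address (admin@admin.com), the same local name can exist in several tenants, which is why the tenant of the Basic-auth principal, not the username, decides which profile comes back. The UserProfileMgtService namespace, the "admin@tenant" naming of tenant admins and the list of known tenants are assumptions for this example.

```python
from xml.sax.saxutils import escape

SUPER_TENANT = "carbon.super"
# Assumed namespace of UserProfileMgtService; check the WSDL on your server.
PROFILE_NS = "http://mgt.profile.user.identity.carbon.wso2.org"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def parse_authorized_user(authorized_user, known_tenants=None):
    """Split the tenant-qualified authorizedUser returned by OAuth2TokenValidationService into
    (user_store_domain, tenant_free_username, tenant_domain).

    Assumes the input always carries the '@tenant' suffix, as the validation response does.
    The user part may itself contain '@' (e-mail as username), so only the LAST '@' separates
    the tenant. Passing the set of tenants you actually host rejects malformed or unexpected
    values before they are mapped to any tenant's credentials."""
    store_domain = None
    rest = authorized_user
    if "/" in rest:                       # secondary user store prefix, e.g. DOMAIN/bob
        store_domain, rest = rest.split("/", 1)
    if "@" not in rest:
        raise ValueError(f"authorizedUser is not tenant-qualified: {authorized_user!r}")
    username, tenant = rest.rsplit("@", 1)
    if not username or not tenant:
        raise ValueError(f"malformed authorizedUser: {authorized_user!r}")
    if known_tenants is not None and tenant not in known_tenants:
        raise ValueError(f"unknown tenant domain {tenant!r} in {authorized_user!r}")
    return store_domain, username, tenant


def admin_principal_for(tenant):
    """Account whose Basic-auth credentials the UserProfileMgtService call must carry: the admin
    service derives the tenant from THIS user, not from the username parameter. The 'admin@tenant'
    convention for tenant admins is an assumption; substitute your own service accounts."""
    return "admin" if tenant == SUPER_TENANT else f"admin@{tenant}"


def build_get_user_profile(authorized_user, known_tenants=None, profile_name="default"):
    """Return (principal to authenticate as, tenant-free username sent, SOAP envelope)."""
    store_domain, username, tenant = parse_authorized_user(authorized_user, known_tenants)
    # Keep the user-store domain prefix; only the tenant suffix is dropped.
    local_name = username if store_domain is None else f"{store_domain}/{username}"
    envelope = (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:mgt="{PROFILE_NS}">'
        "<soapenv:Header/><soapenv:Body><mgt:getUserProfile>"
        f"<mgt:username>{escape(local_name)}</mgt:username>"      # escaped: IdP-supplied text
        f"<mgt:profileName>{escape(profile_name)}</mgt:profileName>"
        "</mgt:getUserProfile></soapenv:Body></soapenv:Envelope>"
    )
    return admin_principal_for(tenant), local_name, envelope


if __name__ == "__main__":
    tenants = {SUPER_TENANT, "test.net", "test2.net"}      # constructed tenant list
    for au in ("admin@admin.com@carbon.super", "admin@admin.com@test.net",
               "admin@admin.com@test2.net", "DOMAIN/bob@test.net"):
        principal, name, _ = build_get_user_profile(au, tenants)
        print(f"{au:32} -> authenticate as {principal:16} and ask for {name}")
```

The two users from the question, admin@admin.com@test.net and admin@admin.com@test2.net, produce the same username parameter but different principals, so the SP must hold (or obtain) credentials per tenant and select them from the token's tenant, not from anything the client sends.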
I have this problem when using SAML SSO authentication. I have successfully set up the WSO2IS 5.0.0 Identity Server, and I also succeeded in setting up (at least I hope so) a secondary user store. I used the JDBCUserStoreManager implementation. I have set this store's domain as DOMAIN. This user store works nicely, at least I think it does, because it is storing user attributes in its tables (USER_ATTRIBUTES) and those attributes are read by the WSO2IS administration ...
https://localhost:9443/carbon/userprofile/edit.jsp?username=DOMAIN/demo_jbu&profile=default&fromUserMgt=true
Users are identified as DOMAIN\username, so when I want to log in a user from this DOMAIN, the request goes to my AUTHENTICATOR implementation so I can manage authentication for users from this domain.
What is strange is that if I use the WSO2IS administration pages, I can set and read users' attributes well. And if I use SAML SSO authentication (I have already set up the service provider & claim mappings) for users from the PRIMARY domain, everything goes fine and the calling SP gets all attributes - mapped in the WSO2IS administration here:
https://localhost:9443/carbon/application/configure-service-provider.jsp
If I use SAML SSO authentication but want to log in a user from my DOMAIN, the SP doesn't get anything.
I can override this behavior in DefaultResponseBuilder; I can put anything I want into the SAMLResponse, but I don't feel this approach is OK. Can anyone tell me where to look for an error? What may be wrong? Where should I start looking for problems? I have already tried to debug it, and it seems it (SAML SSO/AUTHENTICATOR) doesn't find any claims for the DOMAIN user.
Thank you in advance.
Josef
I think this is a bug in Identity Server 5.0.0. When you are using SAML2 SSO, a user can log in to Identity Server both with the username with the domain name and with the username without the domain name. Basically,
bob and foo.com/bob must both work and return the bob user's attributes from the foo.com user store. However, there is an issue with IS 5.0.0: if a secondary user store user logs in without the domain name, Identity Server does not return the user attributes. But please try to log in with foo.com/bob; then it would return the user's attributes.
You can find the public JIRA. It contains the source diff. It must be a simple fix and you can even compile the source and add the fix into the Identity Server.
In some previous WSO2IS versions, there was a default self sign-up feature.
However, I could not find it in the 5.0 version.
Reading the WSO2IS 5.0 documentation, what I have found are 2 APIs used for this feature:
getUserIdentitySupportedClaims() - Set of claims to which the user profile details should be saved in the Identity Server.
registerUser() - This registers a user in the system. You need to pass values like user name, password, claim attributes and values returned from the previous call and the tenant domain. The confirmation code is sent by email to the given email address.
So, is the self sign-up feature hidden somewhere, OR do I need to implement it myself?
And is there any example of using the APIs for this feature?
Thank you.
This is available in the dashboard:
https://<url>:9443/dashboard/
You can use the following service for signing up users:
https://<url>:9443/services/UserInformationRecoveryService?wsdl
Note that in WSO2 products, the admin services' WSDLs are hidden by default. You can expose them by setting the HideAdminServiceWSDLs parameter to 'false' in <IS>/repository/conf/carbon.xml.
I need to add the email address which is stored in LDAP as part of the SAML Response. I read a few articles like http://sureshatt.blogspot.co.uk/2012/11/getting-user-claims-over-saml-sso-token.html
but could not get it working. I am using WSO2 IS version 5.0. Whenever I add the claim in the SP configuration and save it, when I go back to the screen I cannot find the claims that I added earlier. Please help.
Regards
Jay
In IS 5.0.0, the configuration has changed. Therefore you need to do some more things to return the attribute.
First, please go to the user profile of the user and verify whether the LDAP attribute is properly displayed there. Then we can be sure that the claim mappings are fine.
In the SAML2 SSO SP configuration you need to enable the attribute profile. Tick "Enable Attribute Profile". Also make sure to tick "Include Attributes in the Response Always". Then you do not need to send the consumer index in the SAML auth request.
Then please go to the SP configuration page and configure the attributes (claims) that you want to send to the SP.
It would be better if you could go through this blog; it contains all the details of how you can configure it with IS 5.0.0.
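Both this thread and Josef's DOMAIN-user thread above end with the same symptom: the SP receives a SAML Response whose Assertion carries no AttributeStatement, or one without the expected claim. The following is an added example (not code from either thread or from WSO2) of the check an SP should run on the Response after the steps above, so that "attributes missing" is reported as a configuration problem rather than a silent empty profile. It parses a constructed WSO2-style Response, collects every Attribute by its Name (WSO2 uses claim URIs such as http://wso2.org/claims/emailaddress as attribute names), handles multi-valued attributes, and lists which required claims are absent. It deliberately does not verify the XML signature: a real SP (the OpenSAML-based one in the first question, for instance) must validate the signature, Destination and audience before trusting anything this function returns.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
A = "{%s}" % SAML2_ASSERTION   # ElementTree's namespaced-tag prefix for assertion elements
P = "{%s}" % SAML2_PROTOCOL    # and for protocol elements


def saml_attributes(response_xml):
    """Return {attribute Name: [values]} from every AttributeStatement in a SAML 2.0 Response.
    Raises on a non-Success status or on a Response without a plain (unencrypted) Assertion.
    The caller must have verified the signature already; this only reads what was asserted."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{P}Response":
        raise ValueError(f"not a SAML 2.0 Response: {root.tag}")
    code = root.find(f"{P}Status/{P}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("SAML Response status is not Success")
    assertions = root.findall(f"{A}Assertion")
    if not assertions:
        raise ValueError("Response carries no plain Assertion (encrypted or missing)")
    attrs = {}
    for assertion in assertions:
        for attr in assertion.iterfind(f"{A}AttributeStatement/{A}Attribute"):
            values = [v.text or "" for v in attr.findall(f"{A}AttributeValue")]
            attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def has_attribute_statement(response_xml):
    """False is the symptom from both threads: attribute profile off, or no claims for the user."""
    root = ET.fromstring(response_xml)
    return root.find(f"{A}Assertion/{A}AttributeStatement") is not None


def subject_name_id(response_xml):
    """The NameID the IdP used for the subject, e.g. 'DOMAIN/jay' for a secondary user store."""
    el = ET.fromstring(response_xml).find(f"{A}Assertion/{A}Subject/{A}NameID")
    return None if el is None else el.text


def missing_claims(attrs, required):
    """Required claim URIs that are absent or empty in the attribute map."""
    return [c for c in required if not attrs.get(c)]


# Constructed, unsigned sample Responses in the shape WSO2 IS emits (signature omitted).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
         'IssueInstant="2015-01-01T00:00:00Z" Destination="https://sp.example/acs">'
         '<saml:Issuer>localhost</saml:Issuer><samlp:Status><samlp:StatusCode '
         'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
         '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">'
         '<saml:Issuer>localhost</saml:Issuer><saml:Subject><saml:NameID>DOMAIN/jay'
         '</saml:NameID></saml:Subject>')
_TAIL = '</saml:Assertion></samlp:Response>'

SAMPLE_WITH_ATTRS = _HEAD + (
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="http://wso2.org/claims/emailaddress">'
    '<saml:AttributeValue>jay@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="http://wso2.org/claims/role">'
    '<saml:AttributeValue>Internal/everyone</saml:AttributeValue>'
    '<saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>') + _TAIL

SAMPLE_WITHOUT_ATTRS = _HEAD + _TAIL   # what the SP sees when no attributes are included

REQUIRED = ["http://wso2.org/claims/emailaddress"]

if __name__ == "__main__":
    for label, xml in (("with attrs", SAMPLE_WITH_ATTRS), ("without", SAMPLE_WITHOUT_ATTRS)):
        attrs = saml_attributes(xml)
        print(label, subject_name_id(xml), attrs, "missing:", missing_claims(attrs, REQUIRED))
```

When missing_claims is non-empty and has_attribute_statement is false, the fix is on the IdP side (attribute profile, "Include Attributes in the Response Always", or the claim mapping for that user store); when the statement is present but the claim is absent, check the user's profile page first, as the answer suggests.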
I have a situation where I need to set up a standalone version of WSO2 Identity Server and have it act as the SSO provider for all of the products in Stratos.
Currently I have the Stratos Identity Server configured so that I can log in via the standalone Identity Server, using admin.
However, if I use another user I either
get an "Authorization Failure"
or cannot log in.
First Question
1) I have the same user created in both Identity Servers (that is not admin). Why would I get the "Authorization Failure"?
Second Question
2) Why is it that I cannot even get to the "Authorization Failure" problem if I have a user created with a username in the format user@domain.com?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions, I am able to create usernames in the format name@domain.com. But I am still unable to use that username to log in; the error log says that the account has not been activated.
I also created two instances of WSO2 Identity Server and configured them in such a way as to test being able to use one to log in to the other. I was able to do this by making sure that the same username and password were in both servers' lists of users. This way I do not get the "Authorization Failure".
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have the format name@domain.com unless I have multi-tenancy configured. Otherwise WSO2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error:
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the WSO2 Stratos IS 1.5.2 package. I installed it and configured it with the same configuration I was using before. Now I can log in without problems across domains.