WSO2 Identity Server - multiple users under an admin group - wso2

We would like to have a single WSO2 Identity Server (4.5.0) serve many different applications.
However, we cannot give the admin password (listed in user-mgt.xml) to all these dev teams.
But these dev teams will need to write software that will be calling the PDP/PIP WSO2 APIs.
So, we must have separate accounts for each dev team. We want these LDAP accounts in a single 'admin' LDAP group. And we want them to connect and execute these WSO2 APIs with these accounts.
Is that possible? Let me know if that does not make sense.

Yes, this is possible. You can configure different roles with different permission levels and assign each user to one of these roles. The following document will help you.
[1] - http://docs.wso2.com/display/IS450/Configuring+Roles
Thanks,
Pushpalanka

Related

WSO2 IS Create a secondary user store using internal LDAP

I need to organize users in WSO2 IS 5.9 in several user stores (secondaries). Can I do this using the WSO2 IS internal LDAP? I do not have any other external user store (ldap, ad, ...)
About this way to organize users, is there another way to group users in the primary user store, so that I can use a specific user store/group with a defined service provider?
About the first question, the answer is no. The internal embedded LDAP is the primary user store. You cannot use it as a secondary user store. Also, it is not recommended to use the embedded LDAP in production. So it will be good to set up an external LDAP server, connect to it from the Identity Server and make it the user store. [1]
About the second question, my suggestion is that when creating an SP there is a hybrid role that is created automatically for that service provider. You can assign that role to the users that you need to group based on the service provider. [2]
[1] https://is.docs.wso2.com/en/5.9.0/setup/configuring-secondary-user-stores/
[2] https://is.docs.wso2.com/en/5.9.0/learn/configuring-roles-and-permissions-for-a-service-provider/
This is not a straight answer to your question, but I am just mentioning it in case it helps.
You may want to check tenancy in WSO2 IS. It internally uses the same LDAP, but creates isolated OUs for each tenant within the LDAP.

WSO2 Identity server - multiple tenants on service provider side

The application I inherited uses WSO2 Identity Server, which I haven't used before. I might need to support multiple tenants in this application and I need to research whether WSO2 IS will support this. The documentation is not helping me, unfortunately. I want all tenants to have the same, shared roles. Adding a new tenant should mean adding its users and assigning them already existing roles.
So in my head the solution should be rather simple. Just add a new field to the user profile, tenantId, and then return it as a claim in the token. When I have it in the token, it's up to the code to use it. First of all, is this possible at all? If it is, is it a good idea?
There are two other possible solutions I was considering.
Service Provider has a SaaS checkbox but I don't understand yet how it works.
You can add tenants to WSO2 IS itself. But to me it looks like it is multitenancy on WSO2 IS side (to share WSO2 IS) and it's not a feature to support multitenancy in my application. I was told that in this case each tenant would have to have roles defined again and that even those roles would have to be named differently.
WSO2 Identity Server does have IDP level tenant separation but it does not have an OOB SP level tenant separation mechanism. However, your proposed solution can be done. It is a simple configuration to add an extra claim to the user [1] (this assumes that the underlying user store supports it).
Answers to your other questions:
1. It is for IDP level tenant separation, and if you need to share the SP between those tenants, you can use this check box.
2. Correct.
3. This will do a clear separation on the IS side, so data will be contained to each tenant. However, you can share user stores between tenants.
[1] https://docs.wso2.com/display/IS580/Adding+Claim+Mapping

WSO2 EI (ESB) communicate with WSO2 IS

I am new to this software. From what I know, the WSO2 Enterprise Integrator comes with an Enterprise Service Bus inside it. But the Identity Server (IS) is not bundled with the EI.
For my current and new project, we are going to use both of them inside the architecture. Please see the diagram below for more information.
Part of my project architecture
Based on the diagram, when the user is using the portal to log in, the EI serves as the middleware between the portal and the IS to connect to the LDAP.
Looking at the documentation, there is a way to connect from the IS to the other product but not vice versa.
My question right here is how to allow the ESB to communicate with the IS and return the message/request to the Portal.
Thank you.
You did not describe your use case (what you want to achieve), so I will assume you want to authenticate the portal user or manage users.
WSO2 IS (and effectively any WSO2 product) exposes admin services; some are common, some specific to the product. The services require basic authentication.
Please see https://medium.com/#maheeka/wso2-admin-services-c61b7d856272
Another service to authenticate a user is the token service with the password grant (that may be more appropriate to authenticate users and authorize requested scopes).
Just a note:
If you want to use the whole setup only to authenticate users, then IMHO you may rather use OAuth or SAML with the IS, not passing passwords through the ESB.

Automatically add users to API Manager

I am looking for a way to automatically add users to WSO2 API Manager. I have a basic install with the H2 database, but someday I might move to postgres or something like that. What is the best way to add users from say a script?
In Carbon products (APIM, IS), all user store operations can be exposed via web services. An external application can use these web services to add/delete/update/get users and groups in the user store. Please note, H2 is not recommended for production.
- REST web service according to the SCIM provisioning specification.
- SOAP based web service. You can find more detail from here
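As an added example of the SCIM route the answer mentions (this is not code from the answer or from WSO2), the script below prepares and sends a SCIM 2.0 "create User" request. It keeps the request assembly separate from the network call so the exact URL, headers and body can be inspected before anything is sent, reads the provisioning credentials from the environment instead of embedding the admin password in the script, and refuses to send Basic credentials over plain HTTP. The resource path in `SCIM_USERS_PATH` is a placeholder: check which SCIM path and version your product release exposes. The server URL, account name and user attributes in the test are constructed sample values.

```python
"""Provision a user through a SCIM 2.0 REST endpoint with Basic auth.

Added example. The SCIM path below is an assumption/placeholder; consult the
product documentation for the path your release exposes.
"""
import base64
import json
import os
import urllib.request

SCIM_USERS_PATH = "/scim2/Users"  # assumed; replace with your product's path


def build_scim_user(username, given_name, family_name, email, password):
    """Return a SCIM core User resource as described in RFC 7643."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": username,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "password": password,
    }


def basic_auth_header(user, secret):
    """RFC 7617 Basic credential: base64("user:secret")."""
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_create_request(base_url, admin_user, admin_secret, scim_user):
    """Assemble (url, headers, body) without sending, so it can be inspected."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    headers = {
        "Authorization": basic_auth_header(admin_user, admin_secret),
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    body = json.dumps(scim_user).encode("utf-8")
    return base_url.rstrip("/") + SCIM_USERS_PATH, headers, body


def parse_create_response(status, raw):
    """A successful SCIM create answers 201 with the stored resource and its id."""
    if status != 201:
        raise RuntimeError(f"SCIM create failed with HTTP {status}: {raw!r}")
    doc = json.loads(raw)
    if "id" not in doc:
        raise RuntimeError("SCIM response carries no resource id")
    return doc["id"]


def create_user(base_url, admin_user, admin_secret, scim_user, timeout=10):
    """POST the user to the SCIM endpoint and return the new resource id."""
    url, headers, body = build_create_request(base_url, admin_user, admin_secret, scim_user)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_create_response(resp.status, resp.read())


def load_provisioning_credentials():
    """Credentials come from the environment, not from the script or a repo."""
    user = os.environ.get("SCIM_ADMIN_USER")
    secret = os.environ.get("SCIM_ADMIN_SECRET")
    if not user or not secret:
        raise RuntimeError("set SCIM_ADMIN_USER and SCIM_ADMIN_SECRET")
    return user, secret


if __name__ == "__main__":
    admin_user, admin_secret = load_provisioning_credentials()
    # Constructed sample values for the server and the user being provisioned.
    new_user = build_scim_user("alice", "Alice", "Example", "alice@example.test", "S3cret!pw")
    print(create_user("https://is.example.test:9443", admin_user, admin_secret, new_user))
```

Give the account used for `SCIM_ADMIN_USER` a role limited to user-management permissions rather than the full admin account, which is the same separation the first question on this page is asking for.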

WSO2 and LDAP end point service

I'm currently evaluating WSO2 and whether it can fit my project requirements.
I have different mobile applications that will connect to our ESB. All of them will use a different LDAP server to authenticate their users against in order to access the applications. What's the best way to achieve this through WSO2 ESB? I mean configuring multiple LDAP login services as endpoint services.
I have heard the terms "user store" and "Identity Server" and I am not sure about them, but I got the feeling that they are used for internal use of WSO2 (storing users who can access WSO2) and not related to what I need.
You can use WSO2 Identity Server to manage your users. You can use the internal (embedded) user store or an external user store such as Active Directory. If you use the Identity Server you will be able to inherit its features, which you can easily integrate with WSO2 ESB.
These links will be useful for your implementation.
[1] http://wso2.org/project/solutions/identity/3.2.3/docs/user-core/admin_guide.html
[2] http://wso2.org/library/articles/2011/06/securing-web-service-integration