We would like to ship WSO2 IS with our product. Instead of adding service providers manually through the console, we want to pre-configure it with some default identity providers and service providers. I was expecting some XML files by which I can configure these. But it seems there is no such file, and while previous versions of IS had SCIM REST endpoints to add SP configurations, I don't see them with IS 5.0. Any idea on how to go about this?
There is a file in which you can configure the service providers. You can locate the sso-idp-config.xml file in the <IS_HOME>/repository/conf/security directory. You can find a pre-configured service provider inside this file. It is the Identity Server dashboard (you can access it at https://{hostname}:{port}/dashboard/). You can configure multiple service providers using this file. It is important to note that, once you configure using this file, the configured service providers will be available for all the tenants of the Identity Server. Also, you can NOT edit these configured service providers from the UI.
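Because entries in that file apply to every tenant and cannot be corrected from the UI, it is worth checking the file before shipping it. The following lint is an added example, not WSO2 code: it parses a constructed document laid out like the shipped sso-idp-config.xml (SSOIdentityProviderConfig/ServiceProviders/ServiceProvider with Issuer, AssertionConsumerServiceURLs and SignAssertion children, an assumption to be checked against the file in <IS_HOME>/repository/conf/security) and reports duplicate issuers, non-HTTPS assertion consumer URLs and unsigned assertions. A duplicate issuer is the same condition that produces the "duplicate Service Provider" error discussed further down this page when SPs are registered through the console.

```python
"""Lint a WSO2 IS sso-idp-config.xml style file for duplicate issuers and weak SAML settings.

Added example; not WSO2 code. Element names are an assumption based on the layout
of the shipped file; verify them against <IS_HOME>/repository/conf/security.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two SPs share the issuer "travelocity.com", one of them
# uses plain http for its ACS URL and the other does not sign assertions.
SAMPLE_CONFIG = """<SSOIdentityProviderConfig>
  <ServiceProviders>
    <ServiceProvider>
      <Issuer>wso2.my.dashboard</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>https://localhost:9443/dashboard/acs</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <SignAssertion>true</SignAssertion>
    </ServiceProvider>
    <ServiceProvider>
      <Issuer>travelocity.com</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <SignAssertion>true</SignAssertion>
    </ServiceProvider>
    <ServiceProvider>
      <Issuer>travelocity.com</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>https://sp.example.test/acs</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <SignAssertion>false</SignAssertion>
    </ServiceProvider>
  </ServiceProviders>
</SSOIdentityProviderConfig>
"""


def lint_sso_idp_config(xml_text):
    """Return a list of (severity, issuer, message) findings for the given config text."""
    root = ET.fromstring(xml_text)
    findings = []
    sps = root.findall("./ServiceProviders/ServiceProvider")
    issuers = [(sp.findtext("Issuer") or "").strip() for sp in sps]

    # The Identity Server keys SAML service providers by issuer, so two entries
    # with the same issuer collide instead of coexisting.
    for issuer, count in Counter(issuers).items():
        if count > 1:
            findings.append(("error", issuer, f"issuer declared {count} times"))

    for sp, issuer in zip(sps, issuers):
        if not issuer:
            findings.append(("error", issuer, "ServiceProvider without an Issuer"))
        # An assertion delivered over plain http can be read or replaced in transit.
        for acs in sp.findall("./AssertionConsumerServiceURLs/AssertionConsumerServiceURL"):
            url = (acs.text or "").strip()
            if not url.startswith("https://"):
                findings.append(("warning", issuer, f"ACS URL is not https: {url}"))
        # Without a signature the SP has no way to verify who issued the assertion.
        if (sp.findtext("SignAssertion") or "").strip().lower() != "true":
            findings.append(("warning", issuer, "SignAssertion is not true"))
    return findings


if __name__ == "__main__":
    for severity, issuer, msg in lint_sso_idp_config(SAMPLE_CONFIG):
        print(f"{severity.upper():7} {issuer or '<none>'}: {msg}")
```

Run it against a copy of the real file by replacing SAMPLE_CONFIG with the file contents; the http ACS warning will fire for the travelocity.com sample from the documentation, which is fine for a local demo but not for a shipped default.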
I want to create a user in Wso2 (version 5.8) Identity Server and then populate it into my Service Providers automatically.
At this moment, after user registration in my WSO2, I need to register the same user manually in each Service Provider (in my case, the SP is the M-Files tool, which provides a way to create users, described here).
I am not sure if wso2 offers an automatic way to do this. I read the following documentation
Inbound provisioning: This approach is used for the opposite goal. Create a user in a Service Provider and with SCIM API I can create it into my wso2.
Outbound provisioning: This approach is very close to what I want, but it requires relating the Service Provider with an Identity Provider (which must implement SCIM), and I don't want to use my Service Provider as an Identity Provider.
User store: I think it is not what I am looking for. I think WSO2 queries the external user store to check whether the user who attempts to log in is valid or not. I don't want my Service Provider to act like an Identity Provider.
Thanks
Outbound provisioning: This approach is very close to what I want, but it requires relating the Service Provider with an Identity Provider (which must implement SCIM), and I don't want to use my Service Provider as an Identity Provider.
This is the approach you should be using. You don't have to use it as an Identity Provider. Just register it as an Identity Provider so that WSO2 can provision users to M-Files.
Regarding provisioning to M-Files, WSO2 supports the standard SCIM2 user management REST APIs. But if M-Files doesn't support them (I couldn't find any reference), you might have to find the API format that M-Files supports and then write a simple Java extension (a custom outbound provisioning connector) for WSO2 Identity Server, so that it can provision users to M-Files in the way it prefers.
Documentation for customization
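Whether the target speaks SCIM2 directly or a custom connector has to translate for it, the data that crosses the wire is a SCIM 2.0 User resource. The block below is an added example, not WSO2 or M-Files code: it builds the JSON body a SCIM2 client sends when creating a user, applies the checks a receiving endpoint should make before accepting it (the inbound case), and maps the resource to a placeholder target format of the kind a custom outbound connector would have to produce. The attribute names follow RFC 7643; the target field names are hypothetical.

```python
"""Build, validate and translate a SCIM 2.0 User payload.

Added example, not WSO2 or M-Files code. SCIM attribute names follow RFC 7643;
the target_format mapping is a placeholder for a non-SCIM target API.
"""
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_scim2_user(user_name, given_name, family_name, email, active=True):
    """Return the body a SCIM2 client POSTs to the /Users endpoint to create a user."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def validate_scim2_user(payload):
    """Checks a receiving SCIM2 endpoint should make before creating the user.

    Returns a list of error strings; an empty list means the payload is acceptable.
    """
    errors = []
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        errors.append("missing core User schema URN")
    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        errors.append("userName is required")
    # "id" is assigned by the server; a client must not be allowed to choose it.
    if "id" in payload:
        errors.append("id is server-assigned and must not be supplied on create")
    for entry in payload.get("emails", []):
        value = entry.get("value", "")
        if not _EMAIL_RE.match(value):
            errors.append(f"invalid email: {value!r}")
    if "active" in payload and not isinstance(payload["active"], bool):
        errors.append("active must be a boolean")
    return errors


def to_target_format(payload):
    """Map a validated SCIM user to a hypothetical target API shape.

    This is the job a custom outbound provisioning connector does for a target
    that has its own user-creation API instead of SCIM.
    """
    errors = validate_scim2_user(payload)
    if errors:
        raise ValueError("; ".join(errors))
    name = payload.get("name", {})
    emails = payload.get("emails", [])
    return {
        "login": payload["userName"],
        "fullName": f"{name.get('givenName', '')} {name.get('familyName', '')}".strip(),
        "email": emails[0]["value"] if emails else None,
        "enabled": payload.get("active", True),
    }


if __name__ == "__main__":
    user = build_scim2_user("alice", "Alice", "Doe", "alice@example.test")
    print(validate_scim2_user(user))
    print(to_target_format(user))
```

The validation step matters on both sides: WSO2 IS performs it for inbound SCIM requests, and a connector that pushes to a target that does no validation of its own should perform it before sending, so that a malformed or partially mapped account never reaches the target.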
I am trying to implement SAML Extension Grant by following the instructions in https://apim.docs.wso2.com/en/latest/Learn/APISecurity/OAuth2/GrantTypes/saml-extension-grant/ but got a blank screen when I tried to configure the service provider:
Sign into the Management Console
Select Service Providers > Add
After I registered the service provider, I clicked Inbound Authentication Configuration > SAML2 Web SSO Configuration.
Click Configure. A blank screen appears.
There is already a similar issue reported for APIM 3.0.0. Please refer to the GitHub issue here.
Inbound SAML2 Web SSO Authentication will not work in APIM OOTB as the relevant Identity feature is not available. If you need to use this, you need to use WSO2 IS or WSO2 IS-KM.
We're attempting to configure a relatively complicated WSO2 setup in which Identity Server (5.7.0 with KM) authenticates through an OAuth Service Provider, uses the token to secure API Manager (2.6.0) Endpoints, which then cycles through the Enterprise Integrator (6.5.0).
I've followed the steps to configure IS as the Key Manager (https://docs.wso2.com/display/AM260/Configuring+WSO2+Identity+Server+as+a+Key+Manager). This appears to be working, as I can see users in APIM that were configured in IS.
The problem is in the application. In IS I've created an OAuth POC that federates to another authentication provider. I want APIM to understand that application, and be able to use it to subscribe to APIs through the store for users that IS has given roles to. The application doesn't appear in APIM's applications, and I can't figure out how to link the two. I'd like for APIM to understand the token, figure out that it's for the OAuth POC in IS, and then if the user has that role, let them in, else return a 401 or something equivalent. Haven't been able to find someone else with a tutorial or guidance on this setup specifically.
Linking an OAuth2 provider from IS to an APIM application is called "Out-of-Band provisioning" by WSO2. This guide may bring you a step further in your POC: https://docs.wso2.com/display/AM260/Provisioning+Out-of-Band+OAuth+Clients
We are getting the following error when we try to edit a service provider: Could not add Service Provider. You might be entering a duplicate Service Provider
Steps Followed
Created service provider
Trying to update Inbound Authentication Configuration --> SAML2 Web SSO Configuration --> Configure
Update
We are using version wso2is-5.1.0.
Depending on the version of WSO2 you are using, this was a bug that infrequently came up when the entry for the SAML provider persisted after the Service Provider that used it was deleted. There is a URL that is not documented in the interface where you can fix this. After logging into the interface, go to this URL:
https://yourhost:yourport/carbon/sso-saml/manage_service_providers.jsp
and you should be able to delete the offending SAML provider and configure the service provider.
WSO2 IS: 5.0.0 with service pack
documentation: https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
I added the travelocity.com service provider according to the document.
I ran http://localhost:8080/travelocity.com and got an authentication error. So I tried to check and modify Inbound Authentication Configuration > SAML2 Web SSO Configuration, but all I see is a "Configure" link. Clicking the link shows a "New Service Provider" page with "Register" and "Cancel" buttons. If I click the Register button, I get a duplicate service provider error. Does the UI support modifying the SAML2 Web SSO Configuration?
I then deleted the Service Provider and added the travelocity.com service provider from scratch. However, I got the duplicate service provider error again when I configured 'SAML2 Web SSO Configuration'.
I am stuck. How can I get rid of the duplicate service provider error?
Probably, you may have configured another SAML2 SSO configuration with the same issuer name. You can browse the registry, go to the /_system/config/repository/identity/SAMLSSO location and delete the SAML2 SSO configuration that can be found there. Then retry again.
If not, you can try with some other issuer name and see. As in the doc, you then need to provide a new issuer name in the travelocity.com application.
SAML.IssuerID=travelocitynew.com
Then in the SAML2 SSO configuration of the WSO2 IS, you can create the configuration with the new issuer name, which is travelocitynew.com.
If you try with a fresh WSO2 IS SP1, we cannot see this issue.
The document missed one step: click the 'Update' button to save the whole configuration after clicking the Register button on the new SAML2 Web SSO Configuration. Anyway, I believe it is still a bug in the web console of WSO2 IS.
What I did was reinstall WSO2 IS + service pack from scratch and configure it again.