I'm using WSO2 Identity Server 5.0 for SAML SSO and need to have user passwords expire after n days. I found the following properties in identity-mgt.properties but I can't find any documentation on how to use them. Is this functionality implemented/available?
Authentication.Policy.Check.Password.Expire=false
Authentication.Policy.Password.Expire.Time=0
Thanks
These two properties had been introduced initially to IS planning to support password expiry, but the implementation was never done.
if Authentication.Policy.Check.Password.Expire is set to true, then the when the user updates the password, timestamp of password update is set as a user claim.
But Authentication.Policy.Password.Expire.Time is not logically used anywhere in the code base, and ideally should be removed.
Anyways, you can achieve the same functionality in a different way using password policy authenticators in IS. Hope this helps.
Related
I have added a local custom claim namely http://wso2.org/claims/fg_imprenditore to http://wso2.org/claims dialect and mapped it on a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues.
I ask a JWT Token from a javascript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login the WSO2is server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case the claim is not returned in the JWT Token.
In addition if I go in the user profile the attribute is set correctly (with the new value!) but if I try to authenticate again I need to fill the attribute again..
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider it shouldn't request it when you try to log in. Also, in order for the jwt to contain your custom claim you need to map the custom claim to a new custom claim under the oauth dialect, and then map the new oauth claim under the oidc scope you use. It took me a while to get it too as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any oidc claims in WSO2 IS. Do the following in get rid of the issue.
Go to List under Claims in IS Management Console Main tab.
Click on http://wso2.org/oidc/claim
Add new claim with the name fg_imprenditore in oidc claim dialect. You will see a drop down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check "Add External Claim" section in this)
Save new oidc claim and try again.
I have this problem when using SAML SSO authentication. I have successfully set up WSO2IS 5.0.0 Identity server, I also succeeded setting up (at least I hope so) secondary user store. I used JDBCUserStoreManager implementation. I have set this store as DOMAIN. This user store works nice, at least I think it does. Because it is storing user attributes into its tables (USER_ATTRIBUTES) and those attributes are read by WSO2IS administration ...
https://localhost:9443/carbon/userprofile/edit.jsp?username=DOMAIN/demo_jbu&profile=default&fromUserMgt=true
Users are identified as DOMAIN\username so when I want to log in user from this DOMAIN, request goes to my AUTHENTICATOR implementation so I can manage authentication for users from this domain.
What is strange is, that if I use WSO2IS administration pages, I can set and read users's attributes well. And if I use SAML SSO authentication (have already set up service provider & claim mappings) for users from PRIMARY domain, everything goes fine and calling SP gets all attributes - mapped in WSO2IS administration here:
https://localhost:9443/carbon/application/configure-service-provider.jsp
If I use SAML SSO authentication, but I want to log user from my DOMAIN, SP doesn't get anything.
I can override this behavior in DefaultResponseBuilder, I can put into SAMLResponse anything I want, but I don't feel this approach is OK. Can anyone tell me, where to look for an error? What may be wrong? Where should I start looking for problems? I have already tried to debug it, and it seems it (SAML SSO/AUTHENTICATOR) doesn't find any claim for DOMAIN user.
Thank you in advance.
Josef
I think this is bug in Identity Server 5.0.0. When you are using SAML2 SSO, user can login to Identity Server with both username with domain name and username without domain name. Basically
bob and foo.com/bob must both works and returns the bob user's attributes from foo.com user store. However there is issue with IS 5.0.0, if secondary user store user login without domain name, Identity Server does not returns the user attributes. But, please try to login with foo.com/bob , Then it would return the user's attributes.
You can find the public jira. It contains source diff. It must be a simple fix and you even can compile the source and add fix in to the Identity Server.
In some previous WSO2IS versions, there was a default self sign-up feature.
However, I could not find it in the 5.0 version.
Reading the WSO2IS 5.0 documentation, what I have found is 2 APIs used for this feature:
getUserIdentitySupportedClaims() - Set of claims to which the user profile details should be saved in the Identity Server.
registerUser() - This registers a user in the system. You need to pass values like user name, password, claim attributes and values returned from the previous call and the tenant domain. The confirmation code is sent by email to the given email address.
So, the self sign-up feature is hidden somewhere OR do I need to implement it by myself?
And is there any example of using APIs for this feature?
Thank you.
This is available in the dashboard:
https://<url>:9443/dashboard/
You can use the following service for signing up users:
https://<url>:9443/services/UserInformationRecoveryService?wsdl
Note that in WSO2 products, admin services WSDL's are hidden by default. You can expose them by setting HideAdminServiceWSDLs parameter to 'false' in <IS>/repository/conf/carbon.xml.
I have been fighting an issue for awhile where I cannot get our application to work with a secondary user store (AD) without specifying the domain name. AD user/role enumeration is working fine, and I am able to login to the WSO2 admin console with an AD account (username only!) granted admin rights via an AD group, so if that works, then I would think the entitlement service would too...
I have determined the reason for this is that while I can login to the application (and WSO2 admin console) with the AD username only, the role assignment is not being picked up by the application unless I specify the domain with the account (domain/user), as confirmed by using the PEP/search tool. If I use the domain/user in PEP search, I can see the entitlements.. if I use the username only, I don't. My XACML is defined to use domain/group for the role. It's worth noting that if I use an internal role with an internal user and applicable XACML policy, the application works perfect.
This looks to be the same bug as for 4.2.0 (https://wso2.org/jira/browse/CARBON-14861) but I cannot find anything similar for 4.5.0. Does anyone know of a way around this other than making my LDAP user store primary?
TIA!
Idea is that, when you are using XACML with multiple user stores feature of Identity Server, you need to send the username with domain name. Therefore, when you are searching, you must set the username to domain/user
I think it is fine, because authorization happened after the authentication. When authenticating, somehow, user's domain name (user store which user has been authenticated) can be known.
The issues that has been referred, is a separate issue.
We are using WSO2 in a project and i need to get the number of days left for password expiry for a given user, via some web service interface, so that a warning could be displayed upon login.
Didn't find any operation in the web service endpoints i know about. Could any one help? Thanks.
As I understand, there is no out of box service for doing this.We had somewhat similar requirement which we accomplished by creating a custom operation in User Management Web Service. Below is the way by which you may achieve this:
In case you are using LDAP as user store then you may configure the password expiration policy there. And then you may create a custom operation which will check the applicable password policy for the given user and fetch password expiration interval and then calculate the number of days left by comparing the last password changed time from LDAP. Hope it helps.