How to set role permissions in WSO2 using admin webservices (setRoleUIPermission) - wso2

I have found the WSO2 carbon admin service that can be used to add role permissions using admin webservices (setRoleUIPermission). Based on the WSDL I have no clue how it should be used.
This is the request SoapUI generates:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:mgt="http://mgt.user.carbon.wso2.org">
   <soap:Header/>
   <soap:Body>
      <mgt:setRoleUIPermission>
         <!--Optional:-->
         <mgt:roleName>?</mgt:roleName>
         <!--Zero or more repetitions:-->
         <mgt:rawResources>?</mgt:rawResources>
      </mgt:setRoleUIPermission>
   </soap:Body>
</soap:Envelope>
How should rawResource be used?
Regards, nidkil

First, I guess it would be great if you could try out the method "getRolePermissions" in the API. This method returns all UI permissions (management console related permissions), mentioning whether the role contains each permission or not. Then you can see that each permission is identified by a resource value such as "/permission/admin/manage/modify/webapp". Therefore each permission check box that is shown under the role permission UI has some hidden String value. That is the value that you need to pass as "rawResources" in this method. E.g. if you want to give the "login" permission to the role "test", you need to pass it like this.
AFAIK, these permissions that are returned and can be set are management console permissions that can be used in Carbon Admin services and in the UI.
<xsd:roleName>test</xsd:roleName>
<xsd:rawResources>/permission/admin/login</xsd:rawResources>
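One way to build the request the answer describes, as an added example (not code from the original post or from WSO2). The envelope and namespaces are the ones SoapUI generated in the question; the function names, the path rule and the depth limit are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2, as in the question
MGT_NS = "http://mgt.user.carbon.wso2.org"           # namespace from the question
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("mgt", MGT_NS)

# Assumption: permissions form a tree, so a short path such as
# /permission/admin covers everything below it. Paths with fewer than
# MIN_DEPTH segments are refused unless the caller allows them.
MIN_DEPTH = 3


def check_resource(res, allow_broad=False):
    """Validate one rawResources value and return it unchanged."""
    if not re.fullmatch(r"/permission(/[^/\s]+)+", res) or "/../" in res + "/":
        raise ValueError(f"not a permission resource path: {res!r}")
    if res.count("/") < MIN_DEPTH and not allow_broad:
        raise ValueError(f"grant covers a whole subtree: {res!r}")
    return res


def build_set_role_ui_permission(role_name, raw_resources, allow_broad=False):
    """Return the setRoleUIPermission envelope as UTF-8 bytes."""
    if not role_name or role_name != role_name.strip():
        raise ValueError("role name is empty or padded with whitespace")
    resources = []
    for res in raw_resources:
        if check_resource(res, allow_broad) not in resources:
            resources.append(res)  # drop duplicates, keep order
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{MGT_NS}}}setRoleUIPermission")
    # ElementTree escapes text, so a role name cannot inject markup.
    ET.SubElement(op, f"{{{MGT_NS}}}roleName").text = role_name
    for res in resources:  # one element per permission ("zero or more")
        ET.SubElement(op, f"{{{MGT_NS}}}rawResources").text = res
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_request(envelope):
    """Return (role, [resources]) from an envelope, for review before sending."""
    root = ET.fromstring(envelope)
    role = root.find(f".//{{{MGT_NS}}}roleName").text
    return role, [el.text for el in root.iter(f"{{{MGT_NS}}}rawResources")]


if __name__ == "__main__":
    print(build_set_role_ui_permission("test", ["/permission/admin/login"]).decode())
```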

Related

WSO2 add assertions in SAML request

Does anyone know how to add additional assertions in a SAML request to a federated IdP? The problem is that there is no nameID in the SAML request:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="https://testserver.domain.local:9443/commonauth"
                    Destination="https://idp.eu.safenetid.com/auth/realms/XXXXXXXXXX-STA/protocol/saml"
                    ForceAuthn="true"
                    ID="_b53cdb3765c8b92fa51d6079a061deaf"
                    IsPassive="false"
                    IssueInstant="2021-02-03T10:45:48.275Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">WSO2</samlp:Issuer>
   <saml2p:RequestedAuthnContext Comparison="exact"
                                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
   </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
We configured a federated IdP (SafeNet) and want to use it for second-factor auth.
I configured 2 steps in the SP, where the first step is basic auth and the second step is the federated IdP, SafeNet (Saml2webSSO). But, as you can see, WSO2 does not include a nameID in the request and the username is not populated on the SafeNet login page. Maybe we can somehow configure what to include in the SAML request?
You can enable the NameID Policy in the authentication request by enabling the Include NameID Policy configuration in your IDP configuration (Identity Provider > Federated Authenticators > SAML2 Web SSO Configuration).
You can add the requested NameID policy as well in the NameID format config.
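To confirm what a configuration change actually puts on the wire, the decoded AuthnRequest can be inspected as below. This is an added example, not code from the thread or from WSO2: the function name and both sample requests are constructed (shortened from the request in the question), and the NameIDPolicy element in the second sample is an assumption about what the setting emits.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def inspect_authn_request(xml_text):
    """Summarise the identifier-related parts of a decoded AuthnRequest."""
    # SAML messages never need a DTD; refuse one before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not expected in SAML messages")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # Match on namespace URI, not prefix: the trace in the question binds
    # the prefix "samlp" to the assertion namespace on its Issuer element.
    issuer = root.find(f"{{{SAML}}}Issuer")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "name_id_policy": policy is not None,
        "name_id_format": policy.get("Format") if policy is not None else None,
        "subject_name_id": name_id.text if name_id is not None else None,
    }


# Constructed samples: same shape as the request in the question.
HEAD = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
    'ForceAuthn="true" IsPassive="false">'
    '<samlp:Issuer xmlns:samlp="%s">WSO2</samlp:Issuer>' % (SAMLP, SAML)
)
TAIL = "</samlp:AuthnRequest>"
WITHOUT_POLICY = HEAD + TAIL
WITH_POLICY = (
    HEAD
    + '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    + TAIL
)

if __name__ == "__main__":
    for label, doc in (("before", WITHOUT_POLICY), ("after", WITH_POLICY)):
        print(label, inspect_authn_request(doc))
```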

In WSO2 IS 5.9.0 how to configure Password Policies And Login Policies with help of an API?

I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a Multi-tenant environment from WSO2. I am able to perform all the steps from code but not able to find API for these two settings.
I have to manually do this but this is just a workaround and need to figure out the WSO2 APIs for these.
Need curl request or documentation for these 2 settings API.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and before that, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body would look like the one below to update the Password History validation count configuration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <gov:updateConfigurations>
         <gov:configurations>
            <xsd:name>passwordHistory.count</xsd:name>
            <xsd:value>6</xsd:value>
         </gov:configurations>
      </gov:updateConfigurations>
   </soapenv:Body>
</soapenv:Envelope>

WSO2: web service changePasswordByUser error

I've installed WSO2 API-M 1.10.0 and am trying to update the password of a user.
Steps:
1. Create a user in the tenant "carbon.super" and assign the user the admin role at the same time. (success)
2. Use the credentials of the user to change his password via the web service UserAdminService changePasswordByUser. (fail)
The request is:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://org.apache.axis2/xsd">
   <soap:Header/>
   <soap:Body>
      <xsd:changePasswordByUser>
         <!--Optional:-->
         <xsd:userName>?</xsd:userName>
         <!--Optional:-->
         <xsd:oldPassword>?</xsd:oldPassword>
         <!--Optional:-->
         <xsd:newPassword>?</xsd:newPassword>
      </xsd:changePasswordByUser>
   </soap:Body>
</soap:Envelope>
And the error message is :
Error while updating password. Wrong old credential provided
I'm sure that the two passwords are correct and the credential is base64 encoded (account:oldPassword). Should I try to encode the passwords into something?
Thanks
Tom
I verified this scenario and it is working fine in both APIM 1.10.0 and 2.0.0. If you get that error, it means the password has already been changed and you are trying to change it for the second time. Please try to log in to the management console using the new password and make sure it has been changed.

WSO2 Identity Server UserAdmin SOAP interface

I'd like to know if it is possible to retrieve the user claims via the UserAdmin SOAP interface. I have found that when adding a user it is possible to specify user claims. Also, I have noticed that getting a list of users by claims is possible, but I have not found how to retrieve all the claims of a user.
Any hint?
Thanks in advance.
You can try "RemoteUserStoreManagerService" for your purpose.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserClaimValues>
         <ser:userName>admin</ser:userName>
      </ser:getUserClaimValues>
   </soapenv:Body>
</soapenv:Envelope>
The above request will return the claims of the admin user for its default profile.
EDIT
As per the comment you need the WSDL of new admin service.
By default, the WSDLs of admin services are hidden. To change that behavior, open <IS_HOME>/repository/conf/carbon.xml, then locate the HideAdminServiceWSDLs tag and set it to false.
Then you can view WSDL of any admin service from the url
https://localhost:9443/services/<SERVICE_NAME>?wsdl
In this case
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
HTH,
DarRay,
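Because the step above turns off a default that hides the admin service WSDLs, it is worth checking afterwards which copies of carbon.xml still have it off. The following is an added example, not part of the original answer or of WSO2; the function names are hypothetical and the sample fragments, including their root element and namespace, are constructed.

```python
import xml.etree.ElementTree as ET

SETTING = "HideAdminServiceWSDLs"  # tag name from the answer above


def admin_wsdl_state(carbon_xml):
    """Return 'hidden', 'exposed', 'unset' or 'invalid' for carbon.xml text."""
    root = ET.fromstring(carbon_xml)
    # Compare local names so the check works whatever namespace the file uses.
    # Parsing (rather than grepping) also ignores commented-out copies.
    values = [(el.text or "").strip().lower() for el in root.iter()
              if el.tag.rsplit("}", 1)[-1] == SETTING]
    if not values:
        return "unset"
    if len(set(values)) > 1 or values[0] not in ("true", "false"):
        return "invalid"  # conflicting duplicates or a non-boolean value
    return "hidden" if values[0] == "true" else "exposed"


def audit(configs):
    """Given {name: carbon.xml text}, list the names that are not 'hidden'."""
    return sorted(n for n, text in configs.items()
                  if admin_wsdl_state(text) != "hidden")


# Constructed fragments; root element and namespace are assumptions.
NS = 'xmlns="http://wso2.org/projects/carbon/carbon.xml"'
DEBUG_COPY = f"""<Server {NS}>
  <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
</Server>"""
REVERTED = f"""<Server {NS}>
  <!-- <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> -->
  <HideAdminServiceWSDLs>true</HideAdminServiceWSDLs>
</Server>"""
CONFLICT = f"""<Server {NS}>
  <HideAdminServiceWSDLs>true</HideAdminServiceWSDLs>
  <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
</Server>"""

if __name__ == "__main__":
    print(audit({"dev": DEBUG_COPY, "prod": REVERTED, "stage": CONFLICT}))
```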

WSO2 get user by claim value

I need to know how to get WSO2 users by claim value, to perform some kind of search.
example:
getUsersByClaimValue(String claimUri, String claimValue);
Yes. This API method has been introduced to the user store API to get the user names associated with a particular user attribute. Say you want to get the users whose "country" attribute value is "USA"; then you can use this method as follows.
getUserList("http://wso2.org/claims/country", "USA", null);
You can find this method as a web service API in RemoteUserStoreManagerService of WSO2IS. Your SOAP message would look as follows.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserList>
         <ser:claimUri>http://wso2.org/claims/country</ser:claimUri>
         <ser:claimValue>USA</ser:claimValue>
         <ser:profile></ser:profile>
      </ser:getUserList>
   </soapenv:Body>
</soapenv:Envelope>
Here, this claim URI is a generic one which is independent of the user store. With WSO2 Identity Server you can map these claim URIs to any attribute in your user store. More details from here