Can anyone give me a sample program or any blog on how to add, update and delete users/roles in an external user store in WSO2 Identity Server? I configured an external LDAP (ApacheDS) in WSO2 Identity Server successfully and can authenticate users as well. But my problem is that I am unable to add, update and delete users/roles in the external LDAP using WSO2 Identity Server.
I am using the latest WSO2 Identity Server.
Use SCIM endpoints to manage users and roles. Please go through the following article:
http://docs.wso2.org/display/IS410/WSO2+Identity+Server+as+a+SCIM+Service+Provider
You can use SCIM. Check the following blogs; they can help:
pavithramadurangi.blogspot.com
sureshatt.blogspot.com
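Both answers above point at the SCIM endpoints without showing a call. The following is an added example (not code from the thread or from WSO2) of a small SCIM 1.1 client that creates, updates and deletes a user and a group, with a constructed in-memory stand-in for the server so it runs offline. It assumes the IS SCIM 1.1 paths /wso2/scim/Users and /wso2/scim/Groups, HTTP basic authentication with an admin account, the SCIM 1.1 core schema URN, and that a secondary user store is addressed by prefixing names with "<DOMAIN>/" (the "LDAP" domain name is a placeholder for whatever the secondary store is called in user-mgt.xml).

```python
"""SCIM 1.1 user/group management against WSO2 Identity Server (added example).

Assumptions: /wso2/scim/{Users,Groups} endpoints, basic auth, and
"<DOMAIN>/<name>" addressing for a secondary user store.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

SCIM_SCHEMA = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema


def urllib_transport(method, url, headers, body, verify_tls=True):
    """Real HTTPS transport. verify_tls=False only for a local dev IS with its self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class ScimClient:
    def __init__(self, base_url, username, password, transport=None, domain=None):
        self.base = base_url.rstrip("/") + "/wso2/scim"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "Content-Type": "application/json", "Accept": "application/json"}
        self.transport = transport or urllib_transport
        self.domain = domain  # secondary user store domain, e.g. "LDAP" (assumption)

    def _qualify(self, name):
        # Names without a domain prefix are routed to the configured secondary store.
        return f"{self.domain}/{name}" if self.domain and "/" not in name else name

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, text = self.transport(method, self.base + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"SCIM {method} {path} failed: {status} {text}")
        return json.loads(text) if text else {}

    def create_user(self, user_name, password, **attrs):
        payload = {"schemas": [SCIM_SCHEMA], "userName": self._qualify(user_name),
                   "password": password, **attrs}
        return self._call("POST", "/Users", payload)

    def update_user(self, user_id, user):
        # SCIM 1.1 PUT replaces the whole resource, so send the full representation.
        return self._call("PUT", f"/Users/{user_id}", user)

    def delete_user(self, user_id):
        return self._call("DELETE", f"/Users/{user_id}")

    def create_group(self, display_name, members):
        payload = {"schemas": [SCIM_SCHEMA], "displayName": self._qualify(display_name),
                   "members": [{"value": uid, "display": uname} for uid, uname in members]}
        return self._call("POST", "/Groups", payload)

    def delete_group(self, group_id):
        return self._call("DELETE", f"/Groups/{group_id}")


class FakeScimServer:
    """Constructed in-memory stand-in for the IS SCIM endpoint, used for the offline demo."""

    def __init__(self):
        self.store = {"Users": {}, "Groups": {}}
        self.calls = []
        self.next_id = 1

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, ""
        kind, _, rid = url.split("/wso2/scim/")[1].partition("/")
        coll = self.store[kind]
        if method == "POST":
            rid, self.next_id = str(self.next_id), self.next_id + 1
            coll[rid] = {**json.loads(body), "id": rid}
            return 201, json.dumps(coll[rid])
        if rid not in coll:
            return 404, '{"Errors":[{"description":"not found"}]}'
        if method == "PUT":
            coll[rid] = {**json.loads(body), "id": rid}
            return 200, json.dumps(coll[rid])
        if method == "DELETE":
            del coll[rid]
            return 200, ""
        return 200, json.dumps(coll[rid])


def demo(transport=None):
    """Full lifecycle: create user, add to group, update user, clean up."""
    client = ScimClient("https://localhost:9443", "admin", "admin", transport=transport, domain="LDAP")
    user = client.create_user("alice", "Ch4ngeMe!", name={"givenName": "Alice"},
                              emails=[{"value": "alice@example.org", "type": "work"}])
    group = client.create_group("developers", [(user["id"], user["userName"])])
    changed = {k: v for k, v in user.items() if k != "password"}  # never echo the password back
    changed["emails"] = [{"value": "alicia@example.org", "type": "work"}]
    updated = client.update_user(user["id"], changed)
    client.delete_group(group["id"])
    client.delete_user(user["id"])
    return user["userName"], group["displayName"], updated["emails"][0]["value"]


if __name__ == "__main__":
    print(demo(FakeScimServer()))  # pass no transport to talk to a real IS on localhost:9443
```

Running the script as-is exercises the fake server; calling `demo()` with no transport sends the same requests to an Identity Server on localhost:9443. On a real server the response to POST /Users carries the server-assigned `id`, which is what the group membership and the later PUT/DELETE refer to.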
Can WSO2 API Manager be used with a separate Identity Server as IdP, without sharing the database? All documentation and tutorials point to a special version of IS and sharing the database, and I'd like to avoid that.
You can configure WSO2 API Manager with an external IDP without using WSO2 IS. I think this blog will be helpful for you. In this blog, Keycloak has been used as the federated IDP for SSO.
Thanks.
Yes, you can configure IS as federated Identity Provider. This blog has steps to configure WSO2 IS as federated IdP for API Manager.
I have successfully integrated an external IDP (Keycloak) with the Publisher to do SAML-based single sign-on. After authentication, it says the user is not authorized. From the investigations, for authorization:
User DB needs to be shared with the external IdP - this is not possible for my use case
Sending user roles via SAML response - is it possible? If so, what claims need to be sent and what are the related configurations?
Pointing Identity Server for authorization - how to do it?
Also, I don't want to integrate the IS server.
I want answers for the above unknown concerns.
it says the user is not authorized
Which version are you using?
Is there anything preventing the authorization, such as required scopes?
User DB needs to be shared with the external IdP - this is not possible for my use case
Usually you need a userstore to manage users and roles; in the case of SAML I believe that is not needed. However, you can set up a JDBC userstore and inbound user provisioning (all logged-in users will be stored in the database with their attributes and roles).
Sending user roles via SAML response - is it possible? If so, what claims need to be sent and what are the related configurations?
I believe WSO2AM 2.1.0 (other versions I don't know) does not read roles directly from the SAML response (there is an environment property where you could enable that; I cannot find it right now, so just search a little).
However, together with inbound provisioning it should work (the roles should be stored and updated in the database on each login).
Pointing Identity Server for authorization - how to do it?
What do you mean by that? You could set up a WSO2 IS as KM (key manager) where you could do additional authorization (I am still not sure what you are asking here).
We have the following Setup:
WSO2 IS 5.1.0 configured with an external SAML IDP
OAuth Service Providers configured against IS with outbound authentication against the external IDP
IS has a secondary user store which is another external LDAP server
Login works and Just-In-Time provisioning to the secondary user store works as well.
But it looks like user attributes and role memberships are not set for the user when used with the entitlement or userinfo endpoints.
It looks similar to what wso2-identity-server-5-0-0-fails-to-return-user-claims-in-samlresponse-for-user describes. But the suggested fix is not working with 5.1.0.
Please note: the external IDP is returning the user as "username" not "userDomain/username". Is my configuration missing anything? Or is there a workaround? If the IDP does return the user with "userDomain/username" the attributes are set. Unfortunately the IDP cannot set this value for the user in production use.
I've made a new Identity Provider and set up its SAML2 authentication to our Shibboleth IDP. How do I "login" using this new setup?
The login link still goes to the IS login page, which is desirable because I need to login as admin to fix things, but is there another login link which will redirect to the IDP?
If you need to provide federated authentication for your applications, your applications can be connected with Identity Server as service providers. Then you can define your external IDPs as trusted IDPs. For each service provider, you can select multiple IDPs as outbound authenticators. There is a blog about that which uses Salesforce as a trusted IDP; you can go through it as well.
If what you want is to log in to IS using Shibboleth as IDP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's no facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I set up API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally, by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part but as best I can tell there isn't such a capability.
Is it possible to authenticate users with a Facebook account, Google account, Twitter etc. through OAuth? (In the case of a web application trying to access a protected resource.)
I understood that WSO2 Identity Server can act as an authorization server and provides its own access token, but is it possible to authenticate a user if Facebook or Google provides an access token after the user authorizes retrieving their info?
OAuth is supported in Identity Server, but I doubt whether it is necessary to have two of these authentication servers together :) ?