ADFS delegation with SAML 2.0 delegation tokens - delegation

I have managed to configure ADFS 2.0 as a SAML 2.0 IdP and implement an SSO scenario with Shibboleth as a SAML 2.0 SP.
Now I want to implement a delegation scenario in which ADFS will act as an IdP that issues SAML 2.0 delegation tokens for non-WIF applications.
Does anyone know if this is supported?
I read that SAML 2.0 delegation is executed using the SAML ECP profile. Does ADFS 2.0 support the ECP profile?
Thanks
Manu

ECP requires PAOS binding. If you look in the ADFS metadata, the only bindings are HTTP Redirect / POST / Artifact and SOAP.
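The check the answer describes (reading the bindings out of a party's SAML metadata) can be automated. The following is an added example, not part of the original answer or of ADFS; the two metadata documents are constructed for the demo with placeholder `example.test` hosts and are not real ADFS or Shibboleth output. It lists every protocol endpoint with its binding and then applies the ECP rule from SAML 2.0 Profiles section 4.2: an ECP-capable IdP exposes a `SingleSignOnService` with the SOAP binding, and an ECP-capable SP exposes an `AssertionConsumerService` with the PAOS binding. SOAP on `ArtifactResolutionService` alone, as in the constructed IdP document, does not count.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Endpoint elements whose Binding attribute tells you which profiles a party can run.
ENDPOINT_ELEMENTS = (
    "SingleSignOnService",
    "AssertionConsumerService",
    "ArtifactResolutionService",
    "SingleLogoutService",
)

# Constructed IdP metadata (not real ADFS output): browser bindings on the
# SSO service, SOAP only on artifact resolution, no SOAP SSO endpoint.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="{SOAP}" Location="https://idp.example.test/adfs/services/trust/artifactresolution" index="0"/>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/adfs/ls/"/>
    <SingleLogoutService Binding="{HTTP_POST}" Location="https://idp.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata for contrast: an ECP-capable SP advertises a PAOS ACS.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{HTTP_POST}" Location="https://sp.example.test/Shibboleth.sso/SAML2/POST" index="1"/>
    <AssertionConsumerService Binding="{HTTP_ARTIFACT}" Location="https://sp.example.test/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <AssertionConsumerService Binding="{PAOS}" Location="https://sp.example.test/Shibboleth.sso/SAML2/ECP" index="3"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def list_endpoints(metadata_xml):
    """Return (element, binding, location) for every protocol endpoint in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for name in ENDPOINT_ELEMENTS:
        for el in root.iter(f"{{{MD_NS}}}{name}"):
            found.append((name, el.get("Binding"), el.get("Location")))
    return found


def ecp_support(metadata_xml):
    """Summarise the bindings and say whether the party can take part in ECP.
    SAML 2.0 Profiles section 4.2: the IdP side of ECP is a SingleSignOnService
    with the SOAP binding; the SP side is an AssertionConsumerService with PAOS."""
    endpoints = list_endpoints(metadata_xml)
    return {
        "bindings": sorted({binding for _, binding, _ in endpoints}),
        "idp_ecp": any(n == "SingleSignOnService" and b == SOAP for n, b, _ in endpoints),
        "sp_ecp": any(n == "AssertionConsumerService" and b == PAOS for n, b, _ in endpoints),
    }


if __name__ == "__main__":
    for label, md in (("IdP", IDP_METADATA), ("SP", SP_METADATA)):
        print(label, ecp_support(md))
```

Point it at a downloaded federation metadata file instead of the constructed strings to audit a real deployment; when the metadata comes from an untrusted source, parse it with `defusedxml` rather than the standard library parser.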

Related

WSO2 IS - Oauth SP + UserStore restriction

I have an OAuth2 service provider with password credentials in WSO2 IS and I need that just users from a userStore can get a token. I have tried using XACML policies with no success.
Is it possible to deny the OAuth token request per userStore?
Cheers.
In order to support userstore preference during the authentication flow, you can use the application-authentication extension explained here: https://medium.com/#anuradha.15/how-to-configure-your-preferred-user-stores-to-authenticate-users-for-a-service-provider-in-wso2-cdadf43f9366. However, this feature is supported from WSO2-IS 5.9.0 onwards. Hope this will satisfy your requirement.

Does WSO2 Identity Server support SAML Artifact Binding Federation?

I am trying to integrate WSO2 Identity Server with a Mock SAML2 Identity Provider.
Currently the Mock SAML 2.0 Identity Provider only supports SAML Artifact binding.
I have configured federated SAML 2.0 Web SSO based on the guide found at this link:
https://is.docs.wso2.com/en/latest/learn/configuring-saml-2.0-web-sso/
WSO2 IS as service provider is able to redirect the user to the Mock SAML 2.0 Identity Provider, and after successful authentication with the Mock SAML 2.0 Identity Server, the Mock SAML 2.0 Identity Server needs to redirect to an endpoint at WSO2 IS with "?SAMLart=" support.
After looking around, the default https://localhost:9443/acs does not support "?SAMLart=".
May I ask, does WSO2 IS support this type of setup?
Thank You.

configuration only auth in Wso2

I am a new learner of WSO2.
WSO2 - OAuth, user management and my other services are available in Predix.
So I have used WSO2 Identity Server for OAuth and user management.
Problem:
1) How to integrate Predix (IdP)?
2) How to use these things using the REST API?
For your first question, I understood that you need to integrate the mentioned IdP as a federated Identity Provider in WSO2 Identity Server. Doc - https://docs.wso2.com/display/IS570/Configuring+Federated+Authentication guides the steps to configure federated authentication.
Currently, WSO2 IS doesn't have a built-in authenticator for Predix. But as Predix supports the OIDC flow, you should be able to use the WSO2 OIDC federated authenticator. Steps can be found here
I haven't got the chance to test with Predix. But it needs to work

WSO2 SAML api authentication

I need to expose an API via WSO2 API Manager and I want to protect my API not with OAuth2 but via SAML authentication; actually I need to use the API Manager as a SAML SP.
Therefore I need to protect my API and, if a user isn't authenticated on the SAML IdP, present the SAML IdP login page.
Is it possible to do that with WSO2 API Manager, or is the SAML SSO related only to Web SSO for the /carbon, /pubblish and /store web apps?
Thank you for the help!
OAuth2 is for authorization. You can use SAML for authentication and use APIM's SAML grant type to get an OAuth2 token using the SAML assertion.
https://docs.wso2.com/display/AM210/SAML+Extension+Grant
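The SAML grant the answer points to is the SAML 2.0 bearer assertion grant of RFC 7522: the client posts `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer` with a base64url-encoded assertion, and the authorization server must check the assertion before issuing an OAuth2 token. The following is an added example, not code from the original answer or from WSO2 API Manager; the token endpoint and issuer URLs are placeholders, the assertion is a constructed unsigned skeleton, and `validate_token_request` implements the RFC's processing rules for issuer, subject, audience and expiry. XML signature verification, which the RFC also requires, is left to an XML-DSig library and is not reproduced here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type value
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Placeholders for the demo, not real deployment values.
TOKEN_ENDPOINT = "https://apim.example.test/oauth2/token"
TRUSTED_ISSUER = "https://idp.example.test/saml"
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible


def make_assertion(issuer, audience, not_on_or_after, subject="alice"):
    """Constructed, unsigned assertion skeleton used only to exercise the checks below."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml):
    """Form body the client posts to the token endpoint: grant_type plus the
    base64url-encoded assertion (RFC 7522 section 2.1)."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return urlencode({"grant_type": SAML2_BEARER, "assertion": encoded})


def _parse_time(value):
    # SAML dateTime values are UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_token_request(body, now=None, trusted_issuer=TRUSTED_ISSUER, audience=TOKEN_ENDPOINT):
    """Checks the authorization server makes before exchanging the assertion for a
    token (RFC 7522 section 3). Returns a list of reasons; empty means accepted.
    Signature verification is deliberately not included; do it first, with an
    XML-DSig library, in a real server."""
    now = now or datetime.now(timezone.utc)
    params = parse_qs(body)
    if params.get("grant_type") != [SAML2_BEARER]:
        return ["grant_type is not the SAML 2.0 bearer grant"]
    try:
        root = ET.fromstring(base64.urlsafe_b64decode(params["assertion"][0]))
    except (KeyError, ValueError, ET.ParseError):
        return ["assertion missing or not a base64url-encoded SAML assertion"]

    errors = []
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        errors.append("issuer is not a trusted IdP")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        errors.append("no subject")

    conditions = root.find("saml:Conditions", NS)
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry is None:
        errors.append("no expiry (Conditions/@NotOnOrAfter)")
    elif _parse_time(expiry) <= now:
        errors.append("assertion expired")

    audiences = [] if conditions is None else [
        a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
    ]
    if audience not in audiences:
        errors.append("audience does not name this token endpoint")
    return errors


if __name__ == "__main__":
    good = build_token_request(make_assertion(TRUSTED_ISSUER, TOKEN_ENDPOINT, "2024-06-01T00:05:00Z"))
    print("valid request:", validate_token_request(good, now=DEMO_NOW))
    stale = build_token_request(make_assertion(TRUSTED_ISSUER, TOKEN_ENDPOINT, "2024-05-31T23:55:00Z"))
    print("expired assertion:", validate_token_request(stale, now=DEMO_NOW))
```

The audience check is the one most often skipped in home-grown implementations: an assertion issued for some other SP must not be accepted at the token endpoint, so the audience has to name the endpoint (or another identifier the server has agreed to accept) rather than merely come from a trusted issuer.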

confused in concept of identity provider and outbound authentication in wso2 identity server

I am a newbie to WSO2 Identity Server 5.0 Service Pack 1.
I've been so confused lately: what is the difference between an identity provider and outbound authentication?
How can I use each of them?
If I define a custom user store authentication, when must a custom authentication in the authentication endpoint be used? What is the difference and usage of each of them?
Identity providers provide identity for users to interact with a system. As an example, here in WSO2 Identity Server we can configure Facebook as an Identity Provider (IDP). By doing this we can allow users to be logged into Service Providers using Facebook credentials. You can follow the blog in [1] to test WSO2 IS with Facebook as IDP. Other than Facebook we can use Google, Live, Yahoo, etc. as IDP with IS.
[1] http://prasadtissera.blogspot.com/2014/04/login-with-facebook-for-wso2-identity.html
Thanks