turning wso2 into a pep with identity server acting as the pdp - wso2

I am trying to use wso2 ESB server as a PEP, I already have wso2 identity server acting as the PDP and an application hosted on wso2 Application server. I have uploaded policies into identity server and I was wondering if there any tutorials out there that both show and explain how to make this happen. I have tried the blog http://wso2.org/library/articles/2011/08/finegrained-authorization-restful-services-xacml but it has not worked. any direction on how to turn esb into a pep would be appreciated

You can use wso2 esb Entitlement mediator. Have a look at following guide which explains how we can add fine grained authorization to proxy services.
http://docs.wso2.org/wiki/display/IS400/Adding+Fine-grained+Authorization+for+Proxy+Services+in+ESB

Related

Calling WS-Trust secured service from WSO2 ESB

I'm looking for help on how to call WS-Trust secured SOAP service from WSO2 ESB.
The idea is to create a non-secure proxy-service which would call WS-Trust secured back-end service, so our SOAP clients wouldn't have to worry about authentication.
I've been going though the documentation and have found nothing of much value. The documentation mentions that WSO2 ESB uses Apache Rampart and more specifically Rahas module to engage WS-Trust secured services, yet there are no examples on how to configure, for example - security token service address.
So far i've found this blog post http://xacmlinfo.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
It runs a similar scenario but without WS-Trust. It uses Rampart configuration inside WS-Policy files, but Rampart configuration doesn't support any WS-Trust attributes.
I've also found this: http://ask.programmershare.com/279_17604398/
Which is more in line with what i'm looking for, but this example is doing the STS calls programmatically and even then unsuccesfully.
Is anyone aware of any examples of a succesfull configuration to call security token service -> service call itself using WSO2 ESB?

is there any web service present for authnetication using wso2

I am new to this wso2 evaluating wso2,
I am using Identity Server I have web application , want to apply web SSO feature using WSo2, I had check there are soap web service present in wso2 for UserAdmin,
https://server-info:9443/services/UserAdmin.UserAdminHttpsSoap12Endpoint/ using soap client for test , for dev have to write java client for request
but did not find any web services related WEB SSO for example I require authentication web service which will accept Username/password return some token information and using that token I can store in session for single sign out
Is there any web service/ API in wso2 provide authentication? or what is best approach for implement SSO using wso2 for web applications.
Thanks
If you are looking for SSO with WSO2IS, WSO2IS supports several standard ways to achieve it. They are,
SAML2 SSO
OpenId Connect
OpenId
Passive STS (for windows based applications)
From above, most popular way is to use SAML2 SSO or Openid connect. Your web application also must support to talk with WSO2IS using above standards. Say, if you need to achieve SSO using SAML2 SSO. You application needs to send the SAML2 Request and process the SAML2 Response in standard way as mentioned in SAML2 SSO spec. You can find a sample web application that has been implemented to work with WSO2IS from here. This blog contains all configuration details that you need to do in WSO2IS side as well. You can even use the sample web application with other SAML2 IDP as sample web application is talking in standard way. Also. if you are looking for Openid connect, you can find another sample web application from here with config details. I hope this would be a good starting points for you.

Does WSO2 Identity Server expose an endpoint/URI for XACML requests?

Does anyone know if the WSO2 Identity Server exposes a web service endpoint/URI to which I can send XACML requests via HTTP(S)? I am aware that they provide an API for doing this, but I have a situation where I can't use that, but I can do HTTP requests.
Thanks,
Jim
P.S. For the record, I think I've found my answer, mostly deduced from this page:
http://wso2.com/library/articles/2013/11/fine-grained-xacml-authoriation-with-pip-points/
That page tells how to enable WSO2 to unhide the WSDL for the EntitlementService web service.
Yes, you can enable the entitlement service wsdl and call it from external systems according to your requirement to send requests. By default this admin service is disabled. You can read more about it at PDP PEP Communication – how WSO2 Identity Server defines

WSO2 Identity Server REST and SOAP call

WSO2 Identity Server : I am new to WSO2 Identity Server. Could somebody help to get list of REST call and soap call supported by WSO2 Identity Server
This blog post has an example of using WSO2-IS APIs.
Take a look at the answer to the following question also. WSO2 identity server api
WSO2 products are manage internally SOAP web services known as admin services. The admin service wsdl as bellow.
https://localhost:9443/services/UserAdmin?wsdl
Note: you cannot view the wsdl of admin service by default due to security reason. Configure the following steps to enable and invoke the admin service wsdl.
Set the <HideAdminServiceWSDLs> element to false in <IS_HOME>/repository/conf/carbon.xml file.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDL>
Restart the server.
Also you can use OSGi console to get the list of SOAP Services exposed in Identity Server and view the available service components details. To enable osgi console doing following steps.
Get osgi console by executing the following command.
<IS_Home>/bin/wso2server.bat –DosgiConsole
After successfully started the server press ‘Enter’ key and osgi>console will be displayed.
To get all admin services that are deployed on this server.
osgi> listAdminServices
List down all hidden services that are deployed on this server.
osgi>listHiddenServices
All services expose Web Service APIs which can be used for to gain access to back end functionality.

Can WSO2 Identity Server be integrated with an existing CAS framework?

I am experimenting with WSO2 API Manager and would like to integrate the embedded WSO2 Identity Server with our institutions existing CAS framework. Is it possible to have the WSO2 Identity Server redirect logins to our CAS login page and use the CAS ticket in place of username/password?
This explains how to use WSO2 IS as identity server for WSO2 products such as WSO2 AS, ESB etc.
You can configure your CAS instead of WSO2 IS in the very much similar way.