I am trying to evaluate WSO2 Identity Server. One of the key features I need to evaluate is the multi-tenant support. How can I configure WSO2 Identity Server to support multi-tenant mode?
Itay
Please check out Identity Server 4.0.0 Milestone 2 from here. The multitenancy feature is available by default. Go to Configure --> Multitenancy.
Hope this helps.
Thanks
Thilini
Related
I have used WSO2 APP Manager to publish my web applications with Identity server 5.3.0 as the Identity Provider. I have configured SSO and SLO using three service providers. I'm using simpleSAMLphp with my web apps. SSO function works fine in my system but single logout is not working properly. I have configured this using the following document.
https://docs.wso2.com/display/IS500/SAML2+IdP+with+SimpleSAMLphp+Service+Provider
Can someone advise me regarding this issue?
Please see WSO2 IS Single Logout partially working
Indeed, WSO2 IS uses a "backend channel" for SLO requests when logging out from multiple service providers (at least it was that way up to version 5.2.0). I don't believe it was changed/fixed in 5.3.0.
I'm using WSO2 API Manager version 1.10.0.
A sample API is published with a script description in the publisher portal,
and I open the API detail in the store portal.
The carbon.xml setting is below:
<XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <!--Patterns>
        <Pattern></Pattern>
    </Patterns-->
</XSSPreventionConfig>
How can I solve it with a setting?
You can download security patches for APIM 1.10.0 from here. This is already fixed in them.
How to integrate WSO2 am 1.10.0 with PingFederate SAML 2.0? Any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the majority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even if I have logged into applications and subscriptions and can create applications from the /store UI.
I can confirm that this can be done without adding a separate WSO2 IS server into the picture. I fixed several issues (cannot generate keys, cannot publish APIs, etc.) as follows:
1) Add the admin user inside APIKeyValidator in api-manager.xml also into admin user via management console and into user-mgt.xml.
2) Inside api-manager.xml, change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
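Why the URL change above matters, as an added example (not code from these posts or from WSO2): a TLS client compares the host in the service URL with the certificate's subjectAltName entries, and an IP literal never matches a DNS-only certificate. The host name apim.example.com, the address 10.0.0.5 and port 9443 are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the layout of ssl.SSLSocket.getpeercert():
# a certificate that names only the host's FQDN, as in the post above.
SAMPLE_CERT = {"subjectAltName": (("DNS", "apim.example.com"),)}

def dns_match(pattern: str, host: str) -> bool:
    """Compare one dNSName entry with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers_url(cert: dict, url: str) -> bool:
    """True if the certificate's subjectAltName covers the host in url."""
    host = urlsplit(url).hostname
    if not host:
        return False
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        return any(k == "DNS" and dns_match(v, host) for k, v in sans)
    # An IP literal is compared only with iPAddress entries, never DNS names.
    for kind, value in sans:
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value.strip()) == ip:
                return True
        except ValueError:
            continue
    return False

if __name__ == "__main__":
    for url in ("https://10.0.0.5:9443/services/",
                "https://apim.example.com:9443/services/"):
        print(url, "->", "match" if cert_covers_url(SAMPLE_CERT, url) else "MISMATCH")
```

To run the same check against a live endpoint, pass the dict returned by `ssl.SSLSocket.getpeercert()` in place of `SAMPLE_CERT`.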
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer to [2] for configuring the SAML SSO federated authenticator in general.
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO
When walking through the code of WSO2 identity server 5.x, I can find a samlsso authenticator in application-authenticator and another one in carbon-authenticator. Same is true for IWA.
What is the difference between these? Which one is used when? Or is one of them obsolete?
Application Authenticators are used to authenticate users to the external apps (service providers) using WSO2 products.
Carbon authenticators are used to authenticate users to the admin console of that particular server.
A few days ago, I started to work with WSO2 Identity Server in my project as an authorization server in my architecture. I found that it can be interfaced with an external data source like LDAP, so I can use the enterprise LDAP instead of re-creating all users and roles in WSO2 IS.
My question is about authentication on WSO2 IS, when the user authenticates on WSO2 IS and approves access normally this is done by HTTPS protocol.
I don't know if it's possible to use another authentication protocol like Kerberos or Radius to connect to WSO2 IS?
By default, WSO2 IS on the frontend supports the OAuth 2.0, SAML 2.0, OpenID and WS-Trust STS protocols. They are indeed all based on HTTPS. Next to that you may use a Kerberos KDC.
For Kerberos configuration you may check this article. http://wso2.com/library/articles/2012/07/kerberos-authentication-using-wso2-products/
g.
WSO2 IS has Kerberos support [1]. But it doesn't support RADIUS yet.
[1] https://docs.wso2.com/display/IS500/Kerberos+Security