I need to organize users in WSO2 IS 5.9 in several user stores (secondaries). Can I do this using the WSO2 IS internal LDAP? I do not have any other external user store (ldap, ad, ...)
About this way to organize users, is there another way to group users in the primary user store, so that I can use a specific user store/group with a defined service provider?
About the first question, the answer is no. Internal embedded LDAP is the primary user store. You cannot use that as the secondary user store. Also, it is not recommended to use embedded LDAP in production. So it will be good to set up an external LDAP server so you can connect to that using identity server and make it the user store. [1]
About the second question, my suggestion is when creating an SP there is a hybrid role that creates automatically for that service provider. You can assign that role to users that you need to group based on the service provider. [2]
[1]. https://is.docs.wso2.com/en/5.9.0/setup/configuring-secondary-user-stores/
[2]. https://is.docs.wso2.com/en/5.9.0/learn/configuring-roles-and-permissions-for-a-service-provider/
This is not a straight answer to your question. But just mentioning in case if it helps.
You may want to check tenancy in WSO2 IS. It internally uses the same LDAP, but creates isolated OUs for each tenant within the LDAP.
I want to authenticate users from an exiting database. Are there any examples of trivial Identity Providers to form a starting point?
You can find the details from here.
So in short, you will have to write a custom UserStoreManager in Java to customize the authentication logic.
I need to extend org.wso2.carbon.user.mgt.stub.UserAdminStub to contain an additional method which allows me to obtain the AD attributes of other users.
Is it possible to create a custom webservice for Identity Server 4.5. We are not using any other wso2 products. Wso2 IS only will ship with the solution distribution.
Thanks
There is a separate API for user management functions which is called as "RemoteUserStoreManagerService" service. This service exposes all user management function as a web service.... "UserAdmin" is also user management web service that has been implemented specially for WSO2 Carbon UI.
You have methods in the "RemoteUserStoreManagerService" to retrieve AD attributes (user attributes)
Please find the java client from here. There is a readme file also there
I am working on a salesforce feature, where we are trying to expose a single web Service method in a custom class to a "Partner" so they can generate leads.
The class/method has been created/tested and functions as expects, so we are working on implementation.
I have been poring over all of Salesforce's Web Service documentation and cookbook recipes, but everything I see only talks about using either the Enterprise or Partner WSDL files, which would give them more access then I believe should be required.
If I import the WSDL file that is generated off the class itself, I have access to the methods, but I can't seem to find any way to log in (using their examples as reference).
I have 2 basic questions here.
Do I really need to give full access to my instance to expose a single method?
What is the bare minimum I need to provide?
The WSDL itself is just a definition of the web service and does not control actual access to your org. To get access to your org, a session id must be included in each request to the web service. Session ids are tied to a given user in your org, so you can also control what they can access by giving them their own profile and locking down access to only what they need to get to. The profiles are associated with objects/fields, not the web services themselves, think about what they will need to access in terms of data, because they could always use that same session to access other web services. There are also Apex class-level access controls on the profile, but this doesn't stop them from doing the same data operations through the SOAP APIs, so make sure you have their profile only expose what they need access to and that will be enforced everywhere.
As far as obtaining the session id, it somewhat depends on how you are interfacing with them and what their application is like. In general, the recommended way is to use OAuth (called "Remote Access" in Salesforce Help), which will make it so usernames and passwords don't have to be used in their application, but are rather sent directly to Salesforce by the end user. There are a few different flows to choose from depending on the app and are explained in Help. The REST API doc has a nice intro to using OAuht to get the session id (aka "token" in OAuth). Speaking of REST, you might even consider using the new Apex REST API, which allows you to make similar custom web services from Apex, but with REST interfaces.
The Partner and Enterprise APIs also have a login() method, which is convenient since it is also SOAP-based, but is losing favor because the app has to directly handle the username and password. If you do this option, you would login with either the Partner and Enterprise API, get the session id, and then switch over to your custom web service. So, yes, for this option you would have to consume both your WSDL and either the Partner or Enterprise WSDL, and just ignore the other methods, but again, the methods just being there does not mean they can access them (e.g. if you remove Delete from their profile for a given object type, they would not be able to use the delete() method for it).
What you provide, and what they can do are 2 separate things, if you give them a users credentials, then they can do anything the user can do regardless of which WSDL they use. So you'll want to create a user with restricted permissions that has the bare minimum rights to do what you want.
Once you've got that, it doesn't matter if you give them the enterprise, partner or a custom WSDL.
If you give them the apex class WSDL, then they'll need some way to login, which could be login from the partner WSDL, one of the OAuth2 flows, or a webtab or custom link. (depending on the exact scenario).
Finally, have you seen the web2lead feature, that allows for leads to be created in your salesforce account without needing a WSDL or credentials.
I have created a Web service using Netbeans', JEE6 and Jersey - Webservice from Database feature.
So my webservices can be accessed at: http://localhost:8080/SampleWS/listOfItems
The above returns a list of items present in my DataBase. I am using RESTKit on iOS as a client to access this resource.
However, there are two things i would like to do:
1) I would like to restrict access to the above resource only to authenticated users. What is the way to do that?
2) I would also like to restrict only selected out of authorized users to invoke DELETE, PUT and CREATE commands.
Finally, NetBeans allows me to create WS from Database, entities and pattern. Can someone point me to a tutorial for creating a RESTfulwithout using any of the above? In other words, and for example, i would like to map GET, PUT/DELETE methods to mathematical functions like addition, multiplication etc.
You don't mention which app server your deploying to. I assume GlassFish?
I haven't implemented this myself, but I believe Marc Hadleys blog post describes how to configure an application to cover your requirements 1) and 2):
http://weblogs.java.net/blog/mhadley/archive/2008/03/authentication.html
If you're using Spring you might also want to consider using spring-security instead, as described in this answer:
User authentication on a Jersey REST service