I need to know how to get WSO2 users by claim value, to perform some kind of search.
Example:
getUsersByClaimValue(String claimUri, String claimValue);
Yes. This API method has been introduced to the user store API to get user names associated with a particular user attribute. Say you want to get users whose "country" attribute value is "USA". Then you can use this method as follows.
getUserList("http://wso2.org/claims/country", "USA", null);
You can find this method as a web service API in RemoteUserStoreManagerService of WSO2 IS. Your SOAP message would look as follows.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserList>
         <ser:claimUri>http://wso2.org/claims/country</ser:claimUri>
         <ser:claimValue>USA</ser:claimValue>
         <ser:profile></ser:profile>
      </ser:getUserList>
   </soapenv:Body>
</soapenv:Envelope>
Here, this claim URI is a generic one which is independent of the user store. With WSO2 Identity Server you can map these claim URIs to any attribute in your user store. More details from here.
I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a multi-tenant environment with WSO2. I am able to perform all the steps from code but am not able to find the API for these two settings.
I have to do this manually, but this is just a workaround and I need to figure out the WSO2 APIs for these.
I need the curl request or documentation for these 2 settings' APIs.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and before, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body would look like below to update the Password History validation count configuration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <gov:updateConfigurations>
         <gov:configurations>
            <xsd:name>passwordHistory.count</xsd:name>
            <xsd:value>6</xsd:value>
         </gov:configurations>
      </gov:updateConfigurations>
   </soapenv:Body>
</soapenv:Envelope>
I've been trying to integrate SAML with WSO2 Cloud.
I have some successful experience with other vendors like OneLogin, Okta, PingOne.
But I get an obscure 500 error with WSO2.
I get a 500 error with every request I try.
I don't need much - just a SAMLRequest format that will work for WSO2.
For example, now I'm passing:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest ID="z9dac5520-d4a4-4da9-b71a-483948c1655c" IssueInstant="2017-04-29T08:40:39.677Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
   <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
I deflate, base64 encode and URL encode it.
I tried different variations but nothing works.
Thanks
The request has no value for the Issuer element. Why would any IDP accept a request from an unidentified SP? You need to use a value that identifies the SP and that was previously registered out-of-band with the IDP.
Can you explain a bit more what you are trying to do here? Is that to enable SAML-based authentication via WSO2 Cloud for one of your applications? If that is the scenario, you need to log in to Identity Cloud [1] and configure a service provider as described in [2]. Only then can you send a SAML request to Identity Cloud for authentication.
[1] https://identity.cloud.wso2.com
[2] https://docs.wso2.com/display/IdentityCloud/Configuring+SSO+for+Custom+Applications
Once the service provider is configured to accept SAML requests as described in the previous links, you can send a standard SAML request to Identity Cloud. A sample SAML request is given below. Note that the AssertionConsumerServiceURL, Destination and Issuer attributes should be changed as relevant for you. Each tenant gets a separate SSO service URL, which is in the format "https://identity.cloud.wso2.com/identity/t/{TenantDomain}". This will be the value for "Destination" in the SAML request.
<samlp:AuthnRequest AssertionConsumerServiceURL="http://apps.com/travelocity/home.jsp"
                    Destination="https://identity.cloud.wso2.com/identity/t/demo1org"
                    ForceAuthn="false"
                    ID="a9b1b4992f048bb1004677207cc97097a73e47cdaf4ba21360ef8cf38dc76702"
                    IsPassive="false"
                    IssueInstant="2017-05-02T12:59:45.409Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">wso2App1-wso2org-1.0</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="true"
                       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                       SPNameQualifier="Issuer"/>
   <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
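As an added example that is not from the thread or from WSO2, the following Python builds an AuthnRequest with a non-empty Issuer, as the answers above require, and performs the deflate / base64 / URL-encode step the asker described for the HTTP-Redirect binding. The SP entity id, ACS URL and tenant Destination are placeholders you replace with the values registered for your service provider.

```python
import base64
import datetime as dt
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(issuer: str, acs_url: str, destination: str) -> str:
    """Minimal SAML 2.0 AuthnRequest; Issuer must be the SP entity id registered with the IdP."""
    if not issuer.strip():
        raise ValueError("Issuer must be the SP entity id registered with the IdP")
    now = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": destination,              # tenant SSO URL, e.g. .../identity/t/{TenantDomain}
        "AssertionConsumerServiceURL": acs_url,  # where the IdP posts the response back
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"AllowCreate": "true", "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"})
    return ET.tostring(req, encoding="unicode")

def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(xml_text.encode()) + c.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")

def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect, to check what the IdP actually receives."""
    return zlib.decompress(base64.b64decode(urllib.parse.unquote(param)), -15).decode()

def issuer_of(xml_text: str) -> str:
    """Issuer text of an AuthnRequest; '' when the element is missing or empty."""
    el = ET.fromstring(xml_text).find(f"{{{SAML}}}Issuer")
    return (el.text or "").strip() if el is not None else ""
```

Running `issuer_of` over the request in the question returns an empty string, which is exactly the defect the first answer points at.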
I am implementing an OAuth 2 token flow using the password grant_type as per the WSO2 docs here
I have this working for logging in users in the web application I am working on currently, and am storing the retrieved access token in local storage.
If I wanted to check the token is still valid (say the user refreshes the browser), is there a request I can make to check access token is still valid and hasn't expired? I assume it would be some form of POST request to the token end point URL?
Thanks
To validate the token, there is an admin service which you can use. It's a SOAP service, and calling the "validate" method in the admin service can be used to validate the token.
Validation Endpoint
https://localhost:9443/services/OAuth2TokenValidationService/
The validate method will respond back to you with the validity period. This service is an admin service which you can invoke through basic authentication and other authentication mechanisms such as mutual authentication.
I believe another approach is to call the token endpoint for a new token. AFAIR if a valid token exists, it returns it with the expiry time, from which you can calculate the validity period.
Another way is that, if possible, you can store the token request time and have a separate timer to check whether the validity time has expired. The very first time the token generation request is made, it returns the token with its validity period.
As harsha89 mentioned, you can use the OAuth2TokenValidationService to validate. A sample SOAP request is as follows:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth2.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:validate>
         <xsd:validationReqDTO>
            <xsd1:accessToken>
               <xsd1:identifier>b443652fdc3642bb1b3ba8ebae99068</xsd1:identifier><!-- access token received -->
               <xsd1:tokenType>bearer</xsd1:tokenType>
            </xsd1:accessToken>
            <xsd1:context>
               <xsd1:key></xsd1:key>
               <xsd1:value></xsd1:value>
            </xsd1:context>
         </xsd:validationReqDTO>
      </xsd:validate>
   </soapenv:Body>
</soapenv:Envelope>
Sample response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO" xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2369:authorizationContextToken xsi:type="ax2369:OAuth2TokenValidationResponseDTO_AuthorizationContextToken">
               <ax2369:tokenString>eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.eyJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiZXhwIjoxNDQ2Nzg1NjczLCJzdWIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL3N1YnNjcmliZXIiOiJhZG1pbiIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL2VuZHVzZXIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvcm9sZSI6WyJJbnRlcm5hbFwvZXZlcnlvbmUiXSwiaWF0IjoxNDQ2NzgzMjExfQ.VY2J_stNVvCwdGdOn71yw96z0EnbtRabQBt8fDFO5LM4TyNmF56T4uXLGjPW-BaHFKEa21ao0s8zW3UVp3yh2Va5pJhJdEcNeSMHObVvDJBdrDbOqrFZnVG7hxV4n4yIJfWt3jciRQz-SdqVYKJuRF-Tn8qfX30m1s0cMeqEZ2A</ax2369:tokenString>
               <ax2369:tokenType>JWT</ax2369:tokenType>
            </ax2369:authorizationContextToken>
            <ax2369:authorizedUser>admin2#carbon.super</ax2369:authorizedUser>
            <ax2369:errorMsg xsi:nil="true"/>
            <ax2369:expiryTime>1737</ax2369:expiryTime>
            <ax2369:scope/>
            <ax2369:valid>true</ax2369:valid>
         </ns:return>
      </ns:validateResponse>
   </soapenv:Body>
</soapenv:Envelope>
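As an added example that is not from the thread or from WSO2, this Python builds the validate envelope shown above, posts it to OAuth2TokenValidationService over HTTPS with HTTP Basic auth, and parses the valid / expiryTime / authorizedUser / errorMsg fields of the response; the same envelope-plus-parse pattern applies to the other admin services on this page (getUserList, updateConfigurations). The service URL and admin credentials passed to validate_token are assumptions, and the embedded sample response is a constructed, trimmed copy of the one shown above.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AX_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.oauth2.identity.carbon.wso2.org/xsd"

def build_validate_request(access_token: str) -> str:
    """Envelope for OAuth2TokenValidationService.validate, same shape as the sample above."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{AX_NS}" xmlns:xsd1="{DTO_NS}">'
        "<soapenv:Header/><soapenv:Body><xsd:validate><xsd:validationReqDTO>"
        f"<xsd1:accessToken><xsd1:identifier>{escape(access_token)}</xsd1:identifier>"
        "<xsd1:tokenType>bearer</xsd1:tokenType></xsd1:accessToken>"
        "</xsd:validationReqDTO></xsd:validate></soapenv:Body></soapenv:Envelope>"
    )

def parse_validate_response(xml_text: str) -> dict:
    """Pull valid / expiryTime / authorizedUser / errorMsg out of a validateResponse."""
    ret = ET.fromstring(xml_text).find(f".//{{{AX_NS}}}return")
    if ret is None:
        raise ValueError("no validateResponse/return element (SOAP fault?)")
    def field(name):  # child of <return> in the DTO namespace; None when absent or xsi:nil
        el = ret.find(f"{{{DTO_NS}}}{name}")
        return None if el is None or el.text is None else el.text.strip()
    return {"valid": field("valid") == "true",
            "expiry_seconds": int(field("expiryTime") or 0),
            "authorized_user": field("authorizedUser"),
            "error": field("errorMsg")}

def validate_token(token, url, admin_user, admin_pass, timeout=10):
    """POST the envelope to the admin service with HTTP Basic auth (live call, not run offline)."""
    req = urllib.request.Request(url, data=build_validate_request(token).encode(), method="POST")
    req.add_header("Content-Type", "text/xml;charset=UTF-8")
    creds = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_validate_response(resp.read().decode())

# Constructed sample response: a trimmed copy of the thread's sample with the JWT omitted.
SAMPLE_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body><ns:validateResponse xmlns:ns="{AX_NS}">'
    f'<ns:return xmlns:ax2369="{DTO_NS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<ax2369:authorizedUser>admin2@carbon.super</ax2369:authorizedUser><ax2369:errorMsg xsi:nil="true"/>'
    "<ax2369:expiryTime>1737</ax2369:expiryTime><ax2369:valid>true</ax2369:valid>"
    "</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>"
)
```

A client that keeps the token in browser storage should treat `valid` false, or an `expiry_seconds` of 0, as a reason to re-authenticate rather than reuse the stored token.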
I'd like to know if it is possible to retrieve the user claims via the UserAdmin SOAP interface. I have found that when adding a user it is possible to specify user claims. Also I have noticed that getting a list of users by claims is possible, but I have not found how to retrieve all the claims of a user.
Any hint?
Thanks in advance.
You can try "RemoteUserStoreManagerService" for your purpose.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserClaimValues>
         <ser:userName>admin</ser:userName>
      </ser:getUserClaimValues>
   </soapenv:Body>
</soapenv:Envelope>
The above request will return you the claims of the admin user from its default profile.
EDIT
As per the comment, you need the WSDL of the new admin service.
By default the WSDLs of admin services are hidden. To change that behavior, open <IS_HOME>/repository/conf/carbon.xml, then locate the HideAdminServiceWSDLs tag and set it to false.
Then you can view the WSDL of any admin service from the URL
https://localhost:9443/services/<SERVICE_NAME>?wsdl
In this case
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
HTH,
DarRay
I have found the WSO2 Carbon admin service that can be used to add role permissions using admin web services (setRoleUIPermission). Based on the WSDL I have no clue how it should be used.
This is the request SoapUI generates:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:mgt="http://mgt.user.carbon.wso2.org">
   <soap:Header/>
   <soap:Body>
      <mgt:setRoleUIPermission>
         <!--Optional:-->
         <mgt:roleName>?</mgt:roleName>
         <!--Zero or more repetitions:-->
         <mgt:rawResources>?</mgt:rawResources>
      </mgt:setRoleUIPermission>
   </soap:Body>
</soap:Envelope>
How should rawResources be used?
Regards, nidkil
First, I guess it is great if you can try out the method "getRolePermissions" in the API. This method returns all UI permissions (management console related permissions), indicating whether the role contains the permission or not. Then you can see that each permission is identified by a resource value such as "/permission/admin/manage/modify/webapp". Therefore each permission check box that is shown under the role permission UI has some hidden String value. That is the value that you need to pass as "rawResources" in this method. E.g. if you want to give "login" permission to role "test", you need to pass it like this.
AFAIK, these permissions that are returned and can be set are management console permissions that can be used in Carbon admin services and in the UI.
<xsd:roleName>test</xsd:roleName>
<xsd:rawResources>/permission/admin/login</xsd:rawResources>