I would like to disable the default wso2 identity server functionality that allows new users to sign themselves up (wso2is user guide description).
Instead, I would only like the administrator to be able to create new users. Is this possible? How do I configure this?
It is possible to disable users from registering themselves on the WSO2 identity server.
The steps to follow for disabling users from self registering can be found here
Related
I have a web app where front end layer has a angular based UI.It has both public pages and other private pages which are accessible to logged in users and it depends on roles of the logged in users as well
My server based application is a java based rest service api .
How can i use wso2 for handle user authenticaiton and role based authorsation.i would like to have an additional layer of api security depending on the role of the user as well.
can someone explain the best architecture for this in wso2?
if i use wso2 api manager , how can i handle login's of the user and how to relate api access with role of the logged in user?
thanks in advance
you can use wso2 appmanager to control the access of any web apps[1]. App manager supports role based access control as well as xacml policy based access control . In order to provide api level role based security you can use scopes[2] in wso2 api manager
[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.
Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only endpoint URLs are different in APIM like this.
Token: https://localhost:8243/token
Revoke: https://localhost:8243/revoke
Authorize: https://localhost:8243/authorize
There, when a user login, you get an ID_token which contains user claims. You can allow/deny page views depending on those data.
In above step, you create an SP and generate a client key-secret pair. You can set the same keys in APIM's application. Read this.
Then, as I mentioned here, you can use scopes to secure your APIs by roles.
I was wondering if there is an option for users who want to use the store but have forgotten their password
Currently the WSO2 sign-in page looks like this:
I have set the following in < APIM_HOME >/repository/conf/identity/identity-mgt.properties:
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=3
Notification.Sending.Internally.Managed=true
UserAccount.Recovery.Enable=true
Captcha.Verification.Internally.Managed=true
I'm assuming the email settings for the same are in < APIM_HOME >/repository/conf/email/email-admin-config.xml
Anyhow, after applying the above settings and restarting the server, the sign-in page remained the same.
Is there some configuration to enable an option on the sign-in page (eg. Forgot password/Reset password)?
Also, are there any additional settings that need to be configured for it to work as expected?
API Manager Store/Publisher UIs do not support this out-of-the-box. But you can achieve this with WSO2 Identity server. (You can use the same identity server, as key manager node of the APIM setup)
Please refer to IS docs. A sample webapp also available here.
I want to know if it possible to map attibutes between salesforce and wso2.
I can create my custom attributes on salesforce, but i want to map attirbutes with my WSO2 IDP configuration i.e salesforce configured as IDP within WSO2.
For eg:
If i choose to login with my salesforce account to my web app with my user of salesforce say abc#salesforce.com login must be successful only if same user exists in WSO2 IDP. Though the credentials for abc#salesforce.com user are correct w.r.t to salesforce account ,user must login only if same username exists in wso2 idp.
I tried with claim mapping but no luck.
Please suggest.
I believe the claim mapping is the correct way.
You need to define whole data path
SP claim->IdP dialect claim->user attribute->local dialect claim->SP claim
If you use a federation IdP (SF), you may want to set 'provisioning' of the user, storing their identity and attributes localy (so you can see what attributes are passed and recognized.
Have fun
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji
We've Installed Pre-Packaged Identity Server 5.1.0 with API Manager 1.10.0 and use sqlserver as a data store.
We use OAUTH2 to authorize our API's and we want to map our local claims to a service provider (an application?). Behind the API we have a .Net Wcf Service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The Claims which are returned are:
{"iss":"wso2.org/products/am"
"exp":1462357259751
"wso2url/claims/subscriber":"Sjaak"
"wso2url/claims/applicationid":"1003"
"wso2url/claims/applicationname":"DefaultApplication"
"wso2url/claims/applicationtier":"Medium"
"wso2url/claims/apicontext":"/Test/v1.0"
"wso2url/claims/version":"v1.0"
"wso2url/claims/tier":"Silver"
"wso2url/claims/keytype":"PRODUCTION"
"wso2url/claims/usertype":"APPLICATION"
"wso2url/claims/enduser":"Sjaak#carbon.super"
"wso2url/claims/enduserTenantId":"-1234"
"wso2url/claims/emailaddress":"sjakie#chocola.nl"
"wso2url/claims/givenname":"Sjakie"
"wso2url/claims/lastname":"van de Chocoladefabriek"
"wso2url/claims/role":"Internal/subscriber
Internal/everyone
Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but only we want to use our own uri, so not wso2.org, but myorg.com. And we want to add other claims, with for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th may]
Maybe this can point us in the right direction?
When we add a subscription to an application and we generate a new key than there is no new Service provider in the list:
The list of service provider without a new one for user Sjaak, so there is missing: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin the claims are not coming through. We have the following claim configuration and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com uri:
Service Provider(SP) - It provides services to some end users and relies on a trusted Identity provider(IDP) to handle authentication and authorization for them. SP may use multiple protocols(Oauth2, SAML2, etc.) to communicate with IDP.
Claims are defined for SP, since same claims can be send over different protocols. In the default case, Identity server uses wso2 claim dialect(start with wos2.com) for claims. If you want a different claim dialect than this, use "Define Custom Claim Dialect" option in the service provider configuration. In there you can map wso2 claims(Local Claim) to your own claims(Service Provider Claim).