mapping ldap groups to local wso2 roles - oauth-2.0

I am trying to map LDAP groups/roles to local roles in WSO2. I have created one service provider in WSO2 with OAuth/OpenID Connect configurations. In the Claim Configuration of the service provider, I have requested roles by mapping the OIDC groups claim URI to the local role claim URI. I do the password grant using the username and password of a user from LDAP to get an access token. So when I hit the user info endpoint using the access token, I should receive the local roles of WSO2 which are mapped with groups in LDAP as a part of the user info.

To map the LDAP roles to WSO2 local roles, you have to do claim mapping. Please follow this document https://docs.wso2.com/display/IS580/Adding+Claim+Mapping for how to do claim mapping for a particular claim to an attribute in the userstore (LDAP).
When you are mapping the local role claim, please add the mapped attribute for the Role claim in the userstore.
Please follow this document on how to configure claims for a service provider: https://docs.wso2.com/display/IS570/Configuring+Claims+for+a+Service+Provider
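As an added illustration, not part of the question or answer above, here is the exchange the question describes in Python: a password grant to the WSO2 IS token endpoint, then the userinfo call, with roles read from the mapped `groups` claim and the missing-claim case handled explicitly. The host, endpoint paths, client and user credentials are assumed placeholders.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed: default WSO2 IS port and endpoint paths (placeholders, not from the post).
IS_BASE = "https://localhost:9443"
TOKEN_ENDPOINT = f"{IS_BASE}/oauth2/token"
USERINFO_ENDPOINT = f"{IS_BASE}/oauth2/userinfo"


def build_password_grant_request(client_id, client_secret, username, password):
    """(url, headers, body) for a password grant (RFC 6749 section 4.3).
    The client secret goes in an HTTP Basic header, not the form body, and
    scope must include 'openid' or userinfo will reject the token."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": "openid"}).encode()
    return TOKEN_ENDPOINT, headers, body


def extract_roles(userinfo):
    """Roles carried by the 'groups' claim, which the SP maps to the local role claim.
    A missing claim is the failure mode from the question (claim not requested or
    not mandatory in the SP): return [] instead of granting anything. A
    comma-separated string is accepted in case a single value is not a JSON array."""
    groups = userinfo.get("groups")
    if groups is None:
        return []
    if isinstance(groups, str):
        return [g.strip() for g in groups.split(",") if g.strip()]
    return [str(g) for g in groups]


def fetch_roles(client_id, client_secret, username, password):
    """Run the full exchange against a live server (network required)."""
    url, headers, body = build_password_grant_request(
        client_id, client_secret, username, password)
    with urlopen(Request(url, data=body, headers=headers, method="POST")) as r:
        token = json.load(r)["access_token"]
    with urlopen(Request(USERINFO_ENDPOINT,
                         headers={"Authorization": f"Bearer {token}"})) as r:
        return extract_roles(json.load(r))


# Constructed sample userinfo response, for offline use of extract_roles().
SAMPLE_USERINFO = {"sub": "alice", "groups": ["Internal/everyone", "admin"]}
```

If `extract_roles` returns an empty list for a user who is in the LDAP group, check that the `groups` claim is requested (and marked mandatory) in the service provider's claim configuration before debugging the LDAP mapping itself.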

Related

Role based authorization in OpenID Connect

Assume that client X uses role based authorization and the client identity is provided by any OpenID Connect provider (e.g. Microsoft). A user logs in to the client app and client X wants to authorize user access to e.g. an admin page with a role. Should the client app have some store (e.g. a database) where user roles are associated with the subjects received from the id_token, or should the identity provider do it?
The approach where the client does it seems better to me. If the authorization server handled e.g. 100 clients where every client has its own roles, I think it's not efficient, but some identity providers do it.
So what would be a good solution to handle role based authorization using some OpenID Connect server as the identity provider?

How to get roles of user from wso2 IS into the third party application configured as service provider

Configured Grafana with WSO2 IS for authentication. Authentication is working fine but I am not able to get the user role into Grafana from WSO2 IS. Can anyone guide on this?
You need to request the roles (groups) claim in the SP you registered for Grafana. You can follow the steps in the doc to add the roles claim to the SP.
If you are using the new console, follow these steps:
Go to the registered SP edit page
Select the user attributes tab
Add the role (groups) attribute
In the access token, you can see the roles. (Note: to always receive the roles in the access token, make the roles attribute mandatory in the claims/attribute setting.)

Grant a Keycloak client service account permissions to create realm users without using the broad manage-users role

I have a web application that is leveraging Keycloak for IdM.
I am using the Resource Owner Password Credentials or Direct Grant flow for authentication which uses REST API calls to /auth/realms/{realm}/protocol/openid-connect/token instead of browser redirects to get the user a JWT.
I would like to implement a similar workflow for signing users up.
Looking at the Keycloak documentation it appears the Keycloak Admin API exposes an endpoint for this at /auth/admin/realms/{realm}/users.
To allow clients to interact with the Keycloak Admin API you have to create a client service account and associate it with a Keycloak role with sufficient privilege to manage realm users.
The expected approach for this seems to be to apply the manage-users realm-specific role to the client service account. This is more permission than I would like to grant to the client.
Is there a way to grant a client service account just the ability to create new users and not the full set of permissions that comes with manage-users?

OAuth client credential grant and token introspection with Ping

Using Ping as the OAuth authorization server, when I introspect an access token issued with the client credentials grant type, the resulting output does not include a "sub" claim. Is there a way to configure Ping to include some functional ID or technical ID in the "sub" claim?
If you have PingFederate 9.0 and up, the Client Credentials grant mapping contract is customizable (see Version History here) for these purposes.
To add a "sub" claim, add the attribute "sub" to your Access Token Manager instance's contract. Then, in your Access Token Mapping (under Grant Mapping in the administrative console) you can add a mapping for the Client Credentials context for your Access Token Manager instance. You will then be able to define the fulfillment logic (as you say to some ID value) there. For more details, see: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FaccessTokenMapping.html

IdentityServer4 using Client Credentials Grant Type

We are setting up an Identity Server 4 instance and one of the grant types we wish to use is the Client Credentials grant type.
Is there a way we can link Client Credentials up to an AspNetIdentity user so we can get the claims and user details back for the client credentials provided?
Thanks in advance
The Client Credentials grant type does not represent a user, it represents an application, so you would not use AspNetIdentity with the client credentials grant type.
If you want to include user specific claims you need to look at one of the grant types which involves user authentication. Examples are available in the quickstarts here. I would advise looking first at the Resource Owner flow and then the OpenID Connect based flows.
The quickstarts also include an example of integration with ASP.Net Identity, that can be seen here
