I am writing a set of Puppet modules that deploy WSO2 ESB & Identity Service and the API & authentication services we are providing to a client.
For the most part, I have been able to figure out which XML config files I need to update to automatically configure the WSO2 product.
However, I can't work out how to automatically provision an OAuth2 service provider via the config files. I can create and successfully use an OAuth2 service provider through the Identity Service mgmt console, however I'd really rather not have to do that as a manual step when my aim is to configure a set of machines using Puppet to automatically provision an OAuth2 provider.
To confirm, screenshot of the UI below that I am trying to apply settings for via an XML config file, rather than having to do it in the UI:
After some googling, is the correct directory /repository/conf/identity/service-providers?
If so, could somebody point me in the direction of an example where this is used for configuring an OAuth2 service provider?
If not, any more pointers would be gratefully received!
Many thanks
Chris
In case of searching configuration file for adding OAuth configuration without management console UI, you are in the right place. As you specified you can use the configuration in /repository/conf/service-providers/default.xml.
When you add service provider you have to call IdentityApplicationManagementService. You can use IdentityApplicationManagementServiceStub to call IdentityApplicationManagementService. When you add OAuth configuration you have to call OAuthAdminService. You can use OAuthAdminServiceStub to call OAuthAdminService. After creating the service provider and OAuth configurations separately, you have to bind service provider with created OAuth configs.
Note that I will recommend to check the source code in UI classes which used to add service providers, OAuth configs and binding those two. Hope this helps.
Related
I have setup a Linked Service in Azure Data Factory to use in a Copy Activity to access Graph APIs, which require use of the OAuth protocol, which works fine. I now want to extend that to use the same Linked Service with a Web Activity. But in tests, it is returning "Empty Token"; Am I missing a (simple) config. option, or am I misunderstanding something?
Earlier, I used explicit Token fetch, which also works fine, but as my queries will - in Production - take longer than the (default) Token TTL, I did not want to have to implement Token refresh, at least not if the Linked Service will handle it for me.
I'm grateful to https://learn.microsoft.com/answers/users/7986441/carlzhao-msft.html for pointing out that I need also to specify, in the Web Services Settings Tab, the Authentication as Managed Identity, with the accompanying Resource as https://graph.microsoft.com/, for my Use Case
This is an architecture question. I want to implement an application that processes two kinds of users (admin and clients). Each role can register in the following ways:
admin: username/password registration
client: Facebook/Google/username&password registration
Based on the user's role each of them has a specific action to which he's authorized.
From a technology stack, I want to use Java 8, Spring Cloud Netflix and later on Docker and Kubernetes (in order to have auto-heal and auto-scale).
I've implemented Eureka discovery, Config server, Zuul Gateway and I have two microservices for each role (to get me started). I don't know at all how to approach the user's authentication/authorization, from what I see Spring Security 5 is no longer supporting Authorization server and I am supposed to use Keycloack? Should the gateway be the authorization server or should I create another component that is responsible for authentication? What do I use, how to implement, how to approach redirection between my authorization server and the business microservice?
I can't really find a proper documentation that uses username/password, social login and Spring Cloud Netflix, together with Spring Security 5.
Your gateway shouldn't be responsible for handling authentication.
One possibility is using the cas project. It can run as a micro service to handle the whole authentication process. It can handle multiple auth methods like database (for username / password) and social media like Google or Facebook.
It comes with a basic setup having a login page and a configured DockerFile. You can customize everything. Just add the related dependency and add the config in the application.properties. You can customize the frontend.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html
By the way: if you use kubernetes you don't need a gateway or service discovery with eureka. Kubernetes does this for you.
For api security, after moving to #Kubernetes, you can use Envoy or similar solution
For authentication and authorisation, you need an identity management system (like #Okta or PingFederate or an open source version like #OpenIAM) and then integrate using Spring & OAUTH2.
Hello Spring Security SAML pros and enthusiasts alike,
For instance, Service Provider metadata generation yields something like
<md:AssertionConsumerService Location="http://localhost:8080/<app-servlet-context>/saml/SSO"/>
when deployed and running on local Tomcat container, which can be used by Identity Management to configuration SAML Consumer URL.
We're using Okta and OneLogin to test. Everyone's happy.
Issue I'm facing is that same web application configuration deployed on to docker container preconfigured with specific DNS record returns
<md:AssertionConsumerService Location="http://<app-context-root>:8080/<app-servlet-context>/saml/SSO"/>
replacing localhost with application context root (default?).
Actual domain http://<app-name>.<company-domain>.com is nowhere to be found, rendering Assertion Consumer Service Location value unusable for purpose of configuring IdP-initiated SSO.
Same case for Single Logout Service Location value.
Can someone help me understand this behavior and configure my implementation so Location for both AssertionConsumerService and SingleLogoutService provided in Service Provider Metadata looks like
<md:AssertionConsumerService Location="http://<my-app-dns-domain-name>:8080/<app-servlet-context>/saml/SSO"/>
<md:SingleLogoutService Location="http://<my-app-dns-domain-name>:8080/<app-servlet-context>/saml/SingleLogout"/>
Thank you!
How did you generate your metadata ? Did you do it programmatically ?
If yes you can use the method setEntityBaseURL() of MetadataGenerator class.
Spring Cloud Data Flow Server (Local) does not have any dynamic way to set up users and roles either through dashboard UI or shell, ie. there is no way to add or delete users with roles while the server is running.
I have been able to get both single user or file based authentication and authorization working but both of them I had to set up the docker-compose.yml file like so:
spring.cloud.dataflow.security.authentication.file.enabled=true
spring.cloud.dataflow.security.authentication.file.users.bob=bobpass, ROLE_MANAGE
spring.cloud.dataflow.security.authentication.file.users.alice=alicepass, ROLE_VIEW, ROLE_CREATE
spring.cloud.dataflow.security.authentication.file.users.hare=harepass, ROLE_VIEW
However, if I have to add new users with roles, I will have to docker-compose down, edit the docker-compose.yml and then do docker-compose up, for the new user authentication authorization to work.
Is there any work around this?
There isn't any other approach to dynamically add/update users and then have it reflect at runtime in SCDF.
However, in SCDF 2.0, we have redesigned/rewritten the security architecture. In this baseline, we rely on Cloud Foundry's UAA component, which is a standalone application that can work in Local, CF or K8s.
Here, you can directly interact with UAA outside of SCDF. You can add, update, and delete users, too. Of course, you can centrally manage the OAuth token-credentials such as remote renewals and revocations. Check out the end-to-end sample demonstration of the new design with SCDF + OAuth + LDAP, all in action.
The recent 2.0 M1 release already include this improvement - see blog. Try it out and let us know if you have any questions/feedback.
UPDATE:
I recently also bumped into a UAA Web-UI from the community. Perhaps UAA team could consider adding it to the official stack eventually.
I am trying to use this username in my code but I do not know if it is provided in the environment variables. Thanks!
Additional information: I am using using PingFederate and Ping One.
My website is based on C sharp and it used to get the windows environment variable for username. now I want it changed to the user logged in through ping identity.Is it possible to do so and in that case which SDK should I get (I am assuming the .net integration kit right?)?
As a .NET hosted application on IIS, your application would be considered the Service Provider (SP). In this architecture PingFederate is the Identity Provider (IdP). This is a brokered authentication design pattern, or more commonly known as Single Sign-On (SSO). When PingFederate authenticates the user, a token is sent to your application that would contain the username. The code (or library) within your application would process the token and then read out the username.
Here’s a list of options that you could pursue to solve your problem:
WS-Federation protocol using the Windows Identity Foundation (WIF) libraries. The config on the PingFederate side is very simple, and you just have to integrate the WIF libraries on your side. Once the WIF libraries and associated web.config configuration is established, you read the claims object passed to your application.
OpenID Connect (OIDC) protocol using the OWIN middleware. This is also a native MS solution that leverages an open standard. It will require that you have some understanding of OWIN/Katana, as examples are not exactly exhaustive online. PingFedeate supports the OIDC protocol, which is also a very straight forward configuration.
PingFederate Agentless Integration Kit. The integration kit is installed on PingFederate and is easy to configure. It is essentially a REST interface between PingFederate and your application to provide a JSON object with the identity information including username. Your application would need to implement the REST APIs to PingFederate.
PingFederate .NET Integration Kit. This solution implements the PingFederate Opentoken solution for exchanging attributes between your app and PingFederate. The .NET code libraries for handling the Opentoken are provided to you by the integration kit, you just have to integrate them into your code baseline along with about 10 lines of code to read the OpenToken to get username. Configuration on PingFederate is simple.