Add claims to Wso2 service provider through AdminServices - soap

So i am trying to add claims to a service provider in Wso2. I have managed to create an IdentityApplication and connect it with some SSO configuration. The only problem is adding Claims to that SSO because i use those after the SSO login.
So what i have tried so far:
I have added an SSO configuration using the addRPServiceProvider soap function from the IdentitySAMLSSOConfigService
I have created a service provider using createApplication soap function from the IdentityApplicationManagementService and connected it to the SSO configuration i added earlier
At this point my external application connects correctly with Wso2 and do the SSO. The only thing i need is to return additional claim info with the SSO response.
I am trying to do that using the claimConfig part of the createApplication function parameters but i cant seem to make it right.
Is there somewhere some more info about how to set this up through the AdminServices? ( the official docs are not really helping
)

Please refer this documentation for more information on using the API. You can't add the claimConfig during the createApplication call as it only allows you to set the applicationName and description. Set the claimConfig during updateApplication method. The document has a sample request in Claim configuration level parameters section.

Related

Use two OIDC Auth flows in parallel in Quarkus

I created a Rest-API and a frontend as a self contained system with Quarkus.
The frontend is served statically.
For Authentication i use a kleycloak server and have nearly the same configuration as in this guide from quarkus.
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
With this config i need to authenticate for the rest-api and the frontend. Thats what i want.
If i try to load the index.html i got redirected to keycloak and back. That works perfectly.
The problem is, that the same thing happens with the rest-api. I got redirected to keycloak with a "302 found"-status code. Here I would like to have an authentication with a bearer token and no redirect. Quarkus has the following configuration for this:
quarkus.oidc.application-type=service
That collides with the configuration for the frontend. Is there a way to use both, one for static files and one for the rest-api?
If I'm not wrong you're looking for a multi-tenant oidc setup(even though you're not designing tenants). The guide and example can be found on the official quarkus website here.
This way you'll have similar setup:
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.oidc.restapi.auth-server-url=http://localhost:8180/auth/your/path
quarkus.oidc.restapi.client-id=backend
quarkus.oidc.restapi.application-type=service
P.S you can replace restapi with more likable name.

Authentication Info to Backend Service

I have a situation, wherein, I have integrated, WSO2APIM, Identity Server, Microsoft ADFS2.0. Configured successfully so that MSADFS is acting as IdP, APIM acting as SP (with /publisher) as a service. Configuration worked fine when accessed(/publisher of APIM), ADFS presented LogonPage, all necessary SAML2.0 exchanges happened perfect and final page (/publisher) presented.
Now, the actual situation is, instead of accessing APIM service (/publisher), I need to access a POST Rest URL(Eg. APIMIP:Port/vendors/payments). This API is configured to hit backend API (Eg. BEIP:Port/vendors/payments).
1. In above situation, I need to pass the SAML authentication information or any other authorized info to actual BE, somehow.
2. How to achieve it.

How can I enable login button of identity provider (external) on SP login page

I am using WSO2 Identity server product version 5.0.0. I use SP1. In our latest architecture we use a specific login page for each service provider. Each service provider can be configured under different tenant domains, eventually with differences (for an example, for a tenant is configured the internal and the facebook login but for another tenant just the internal login).
I want to know if it is possible to visualize on the login page the external Identity provider login button according to the Service provider configuration under the specific tenant domain. Please help me to solve this, I am stuck on this advance configuration. I could not find any documents for this.
Yes, according to my knowledge your requirement is possible with WSO2-IS.
Please refer document [1] for Customizing the login page for SAML SSO service providers.
And you can get more custom configuration details using this blog as well. [2]
Also if you need to re-theming wso2 management console, that also possible with WSO2-IS. Please find the reference document [3].
[1]https://docs.wso2.com/display/IS500/Customizing+Login+Pages
[2]http://dulanja.blogspot.com/2014/01/wso2-is-samlsso-customizing-login-page.html
[3]http://wso2.com/library/tutorials/2011/12/retheming-carbon-products/

Keycloak security for Spring base rest apis

I want to integrate keycloak security features to my spring boot based rest apis.
I am using KeyCloak 1.3.1 Final.
Now this is pure rest based api and am doing my testing through postman
I have got my rest api secured and when i try to access it do asks me for authorization, but am not able to execute my request. basically am locked out of my api.
I will quickly list out things that I have already done
Created a spring boot rest api and tested it. It works fine.
Modified my gradle for KeyCloak and configured it as per this document
Configured my keyCloak for the "bearer only" application
I tried to generate access token, but I was not able to. Therefore I created another Client in keycloak with "confidential" and used this client to generate the access token (both the clients were pointing to same application. Am not sure if this is correct)
With this access token, I am trying to make api call but am getting 401
Again am using this document.
I am new to both keycloak and spring.
So what I want to ask here is how can we generate the access token for testing a rest api in a scenario like one which is here.
Any useful resource on KeyCloak that can help me out here. As of now I dont have a clue as to where the problem is? Is it with my api or with how I have configured the KeyCloak.
Also since I am new to spring and I just could not found a decent document on how to configure cloak for spring boot. If you can help with that as well.
Moving further on this I was informed on the KeyCloak mailing list that spring boot adapter only supports basic authentication, and so I decided to incorporate the spring security adapter itself.
I did that and when am running the application and providing creds am still not able to make it work. However something interesting is happening. I am being redirected to http://127.0.0.1:8090/sso/login
I double checked it and that is not the redirect url i have provided.
???
Any idea why?
(Once again am new to it and learning about spring and security on way through this project. So please bear with me.)
So after spending quite a good amount of time and getting some help from keycloak user list here is how i got it to work.
Use Spring Security instead of spring boost security adapter (as I have already mentioned in the the edit, boot adapter is only for basic authentication)
There documentation does a decent job of explaining out everything else refer to that.
I am still testing the whole thing and will document it out for future references.

how to Configure openam as Identity provider(IdP) to test SAML based SSO

I am trying to configure openam as Identity provider to test my SAML
based service provider application.
I have searched a lot and saw documentation of openam. There are lots
of thing supported by openam which probably I do not need at this
moment. I don't wish to read whole documentation which will take lot
of time reading things I do not want to test right now. I even saw
chatpet 9 "Managing SAML 2.0 SSO" at
http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html
But it requires lot of things to be configured before this.
Is there any quick start guide to test it as saml based IdP?
EDIT
Not a quick, detailed is also fine. But I want OpenAm as Identity provider. SP is an application hosted on Jetty which we have developed. Also tell me what changed do I have to make on SP like what urls of application should respond with what.
There is no one-fits-all answer to your question really. Setting up SAMLv2 Federation largely depends on the actual SP implementation, some SPs can work with SAML metadata, some don't..
The simplest way to set up federation between two OpenAM instances for reference would be something like:
Create Hosted IdP wizard on node1
Create Hosted SP wizard on node2
On both nodes remove the persistent NameID-Format, so both will have transient at the top of the list
Register Remote SP wizard on node1, with URL: node2/openam/saml2/jsp/exportmetadata.jsp
Register Remote IdP wizard on node2, with URL: node1/openam/saml2/jsp/exportmetadata.jsp
On node2 in the Hosted SP setting set the transient user to "anonymous"
After all this you can test Federation by using:
/openam/spssoinit?metaAlias=/sp&idpEntityID=node1_entityid on node2
/openam/idpssoinit?metaAlias=/idp&spEntityID=node2_entityid on node1
I've used the default metaAlias values, but those should be visible on the console pages. Similarly by downloading the metadata you can see the actual entity IDs for the given entities.
Based on this, you should see now that with an OpenAM IdP you could at least test SAML support using the idpssoinit URL (if your SP supports unsolicited responses), but from the other way around it pretty much depends on your SP implementation how you need to actually trigger a SAML authentication.
This seems like a simple setup.