WSO2 IS 5.3.0 - IWA authentication option not available - windows-authentication

We are using WSO2 Identity Server for user authentication.
We have upgraded from WSO2 IS 5.2.0 version to WSO2 IS 5.3.0.
We are using the IWA (Integrated Windows Authentication) for user authentication for our applications.
In the WSO2 IS 5.3.0 version we do not see the option to select IWA under the Authentication Type "Local Authentication" while registering the application under "Service Provider". This option was available in WSO2 IS 5.2.0 and we were able to use it properly.
Can you please let us know if this feature is deprecated or disabled in the WSO2 IS 5.3.0 version? Please let us know the steps to enable IWA in WSO2 IS 5.3.0.

From IS 5.3.0 onwards we moved to Kerberos-based IWA authentication. The motive behind this decision was to overcome the limitations faced in NTLM-based IWA.
To mention a few, NTLM-based IWA forced the WSO2 Identity Server to be run on Windows, and the AD was required to be plugged in as the primary user store.
To read more about IWA authentication using Kerberos, please refer to this blog.
So to answer,
Can you please let us know if this feature is deprecated or disabled in the WSO2 IS 5.3.0 version? Please let us know the steps to enable IWA in WSO2 IS 5.3.0
Yes, we deprecated the NTLM-based IWA authenticator in IS 5.3.0. However, for the benefit of the users preferring to use the NTLM-based authenticator, we have the tag compatible with IS 5.3.0.
You can build the tag and drop the authenticator jar into IS_HOME/repository/components/dropins. Then you should be able to see the authenticator listed under local authenticators and use it as in IS 5.2.0.

Are you sure it is activated in your installed instance?
Open the <wso2is_home>/repository/conf/security/authenticators.xml file and add the following lines inside the <Authenticators> tag.
<Authenticator name="IWAUIAuthenticator" disabled="false">
    <Priority>5</Priority>
</Authenticator>
Source : https://docs.wso2.com/display/IS530/Configuring+IWA+Single-Sign-On
Jeff

Related

CAS Server 5.3 configuration with SAML 1.1

I am very new to this IAM and SSO area. I am trying to set up a CAS server which supports SAML 1.1. I have gone through the CAS v5.3 documentation and followed the instructions there, but I am still not able to set up the CAS server with SAML 1.1 support.
I am looking for any documentation which can help me do so; that would be great, as I am not sure how I can enable SAML 1.1 support.

wso2is 5.4.1 + liferay 6.2ga6

I followed the official documentation from https://docs.wso2.com/display/IS541/Integrating+WSO2+Identity+Server+with+Liferay to log in to my Liferay Portal with a wso2is user, but it does not work for me with wso2is-5.4.1 and liferay6.2ga6. When I try to log in, Liferay's log prints "Primary URL :https://wso2is.local:9443/services/Secondary URL :null" but no call to the wso2is server is made.
I added these lines to my portal-ext.properties:
auth.pipeline.pre=org.wso2.liferay.is.authenticator.WSO2ISAuthenticator
auth.pipeline.enable.liferay.check=false
wso2is.auth.service.endpoint.primary=https://wso2is.local:9443/services/
wso2is.auth.thrift.endpoint=localhost
wso2is.auth.thrift.port=10500
wso2is.auth.thrift.connection.timeout=10000
wso2is.auth.thrift.admin.user=admin
wso2is.auth.thrift.admin.user.password=admin
wso2is.auth.thrift.endpoint.login=https://wso2is.local:9443/
wso2is.auth.thrift.system.trusstore=/wso2is-5.4.1/repository/resources/security/wso2carbon.jks
wso2is.auth.thrift.system.trusstore.password=wso2carbon
Is there something wrong?
Unfortunately, a lot of the WSO2 documentation is very crufty, containing articles that have been pulled forward from previous versions of the documentation without regression testing on the use cases they present. In short, there's stuff in the documentation that plain doesn't work. If you look at the bottom of the article you'll see the following:
Please note that the above configuration is tested with Liferay 6.1.1 and WSO2 Identity 3.2.3/4.0.0.
I recall I tested this a long time ago and determined that it wouldn't work with the current version, but that was so long ago that I can't remember why. In any case, the approach presented for integrating Liferay was offered at a time when Liferay didn't have the ability to use standardized authentication protocols like SAML. Now that it does, you probably want to do it in a standards-compliant manner instead of using an authentication interface Liferay only promotes for proprietary authentication systems.
My suggestion is that if you are using Liferay Portal Enterprise with LDAP, you use the built-in SAML connector. If you aren't using Enterprise, there are some compatible authenticator extensions in the extensions store that will also integrate with Liferay. If you configure Liferay as a client against WSO2 and then integrate Liferay with LDAP on the backend, it also allows Liferay to be used as a user dashboard instead of the Jaggery-based one that comes with the product.

SSO jbpm 6.2 via CAS server 4.0.0?

I want to use SSO for jbpm 6.2 via CAS server 4.0.0 (CAS is running on Tomcat), but I don't know how to do it. I searched on Google but I can't find how to configure the WildFly of jbpm 6.2 with CAS server.
Please help me, thank you for your help!
I have no experience with CAS, but this tutorial helped me set up jbpm 6.1 with WSO2 Identity Manager.
http://riyazmsm.blogspot.mx/2014/05/jbpm-60-sso-integration-with-wso2.html
It might not be the same, but this can put you on the right track since CAS can also handle SAML. WildFly uses PicketLink to handle security federation; reading the docs will be helpful on your journey.

Connecting IdSrv to LDAP

I've seen samples that connect an on-premises IdSrv instance to ADFS, but I can't find one that connects to an LDAP IP (AD, not ADFS).
Is there a sample or documentation somewhere on this?
Thanks.
There is a contrib project for IdentityServer v1 here. Maybe you can make it work in v2 (the latest stable version).
I have found an example of using Windows Integrated Authentication in Authorization Server which is an implementation of the OAuth2 authorization framework. It was developed after v2.
But if I were you I would try to persuade your customer to install ADFS. It should be possible. Then you can use it directly as your IdP, or you can set it up with IdentityServer.

WSO2 SAML SSO for different carbon versions

I'm trying to set up SAML-based SSO for a set of WSO2 products (all the latest versions available for now):
WSO2 Identity Server 4.5.0
WSO2 Business Rules Server 2.0.0
WSO2 ESB 4.7.0
WSO2 Business Activity Monitor 2.4.0
WSO2 Application Server 5.2.0
SSO works fine for BAM and AS, but fails for the other servers (BRS, ESB).
On the IS side I'm getting an exception like:
[Fatal Error] :1:1: Content is not allowed in prolog.
[2013-11-01 22:16:26,830] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Error in constructing AuthRequest from the encoded String
org.xml.sax.SAXParseException: Content is not allowed in prolog.
As I understand it, the problem is: IS, AS and BAM are all based on Carbon 4.2.0, and as a result SSO works fine, but the latest versions of BRS and ESB are based on an older Carbon (4.1.0 or 4.0.0) and there is a compatibility problem in message encoding between different Carbon versions.
Question: is it possible to somehow fix the tools based on the older Carbon version to make them work with the latest Carbon 4.2.0-based IS 4.5.0?
Or, in general, how can SAML SSO be set up independently of the Carbon version of (or even for non-Carbon-based) service providers?
Yes, this is a known issue. Identity Server 4.5.0 cannot be used to do SSO with older Carbon versions. This is because the SAML2 SSO authenticator in older Carbon versions is not compliant with the IS 4.5.0 IdP. Actually there is some bug in the older versions. However, there are some fixes for that. They can be found in public JIRAs (not sure). ESB and BRS are going to be released soon, before the end of November, so you can try with the newer versions as they are also based on the Carbon 4.2.0 platform.
I am getting exactly the same issue with the same configuration. @Asela, as you mentioned, I can either go with ESB 4.8.0 or IS 4.1.0; but what kind of issues will we have when we go for a decentralized federated SAML2 IdP?
Is IS 4.1.0 compatible with ESB 4.7.0, and is it tested in a decentralized federated SAML2 IdP setup? If so, we would downgrade our IS to 4.1.0.
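The "Content is not allowed in prolog" exception in the thread above is what an XML parser reports when the bytes it receives do not start with an XML document; one generic way that happens in SAML is an SP encoding the request one way (plain base64, or DEFLATE then base64 as in the HTTP-Redirect binding) while the IdP decodes it the other way. The thread does not say which encoding mismatch the older Carbon authenticator had, so the following is an added diagnostic, not code from WSO2 or from anyone in the thread: it classifies a captured SAMLRequest value as plain base64, DEFLATE plus base64, or neither. The AuthnRequest, IDs and SP name are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Constructed minimal AuthnRequest (not a capture from any WSO2 product).
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2013-11-01T22:16:26Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_plain(xml_text: str) -> str:
    """Base64 only, as used with the HTTP-POST binding."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_deflated(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as in the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate stream
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def classify_saml_request(encoded: str):
    """Return (encoding, root_tag); encoding is 'plain', 'deflate' or 'invalid'."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", None)
    candidates = [("plain", raw)]
    try:
        candidates.append(("deflate", zlib.decompress(raw, -15)))
    except zlib.error:
        pass  # not a raw DEFLATE stream
    for name, data in candidates:
        # A parser needs the document to begin with '<'; anything else is
        # exactly the "Content is not allowed in prolog" situation.
        if not data.lstrip().startswith(b"<"):
            continue
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            continue
        return (name, root.tag)
    return ("invalid", None)
```

Feed it the SAMLRequest parameter captured from the failing SP; if it comes back as "deflate" while the IdP treats the value as plain base64 (or vice versa), the encoding on the two sides disagrees.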