Env: WSO2 Is 5.0 SP1
I have created two tenants and have separate secondary store configured in each on of it. Is there a way where I can share the role among them? i.e can I create the role in Primary store and would they be accessible in tenants?
I don't see much documentation around multi-tenancy in wso2 Is 5.0 sp1. Any pointers would be helpful
Regards,
Cijoy
You cannot share primary roles(created by super admin) with tenants with the wso2 identity server 5.0 or 5.1.
Because there is no data sharing across multiple tenants in WSO2 products. Each tenant is isolated from others & They have different users/roles.Even supper tenant cannot be share data with other tenents
This improvement already included in Identity server roadmap and this will be release in future.
Related
I'm currently trying to integrate an existing Blazor Server (ASP.NET Core 6.0, server-side only) application with my company's Keycloak authentication services. I need to use the existing .NET Authentication/Authorization libraries with the Keycloak - the Keycloak will hold all the relevant User data I need to access (e.g. ID, name, passwords, etc.) and use that data as query parameters to access the data stored in PostgreSQL. I've seen that this is possible with Microsoft SQL Server, so I'm wondering if the following is even possible:
Using something other than Microsoft SQL Server or SQLite to handle Authentication with .NET
Using a remote server database to handle Authentication instead of a local .db migration
Accessing Keycloak data for authentication instead of data stored in said local .db migration
If all of this is possible on Blazor Server instead of WebAssembly
There's tons of documentation on how to use SQL Server in a WebAssembly for authentication, but what little documentation exists for Blazor Server, and Keycloak, is for older .NET versions (usually 2.0) and very, very basic use cases. There's also questions already asked but haven't been answered. I'm still very new to Web development and Blazor, so if this isn't even possible, I wouldn't be surprised.
I am using WSO2 Identity Server 5.7.0 and WSO2 API Manager 2.6.0. We want to use the user management and role & permissions management of WSO2 itself, but the as per requirement we cannot use WSO2 carbon management GUI for user creattion, role mapping etc.
We need to have a separate GUI but integrate with WSO2 User, Role and Permission management.
For this purpose, WSO2 must have some kind of APIs exposed for third party application integration?
For example, I have checked user creation, user update etc operations are having corresponding SCIM REST APIs which can be used by our applications.
Is there similar APIs for :
1) Creating Service providers
2) Creating permissions at service provider level
3) Creating role mapping at service provider level
4) Creating roles
5) Associating permissions with roles
6) Associating Users with Roles.
Please let me know details of such REST APIs provided by WSO2 if any.
I would like to find out what the best practices are for managing developers' access to a sub-set of resources on a client's subscription?
I've searched Google and the Azure documentation looking for definitive answers, but I have yet to come across an article that puts it all together. Because Azure is still developing so rapidly I often find it difficult to determine whether a particular article may still be relevant.
To sum up our situation:
I've been tasked with researching and implementing the Azure infrastructure for a web site our company is developing for a client. At the moment our manager and I have access to the client's entire subscription on the Azure Portal by means of the Service Administrator's credentials, even though we're managing only:
Azure Cloud Service running a Web-Role (2-instances with Production and Staging environments).
Azure SQL Database.
Azure Blob Storage for deployments, diagnostics etc.
We're now moving into a phase where more of the developers in the team will require access to perform maintenance type tasks such as performing a VIP swap, retrieving diagnostic info etc.
What is the proper way to manage developer's access on such a project?
The approach I've taken was to implement Role Based Access Control (https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/)
Move 1, 2, and 3 above into a new Resource Group according to http://blog.kloud.com.au/2015/03/24/moving-resources-between-azure-resource-groups/
Creating a new User Group for our company, say "GroupXYZ".
Adding the "GroupXYZ" to the Contributor role.
Adding the particular developer's company accounts to "GroupXYZ"
Motivation for taking the role-based approach
From what I understand giving everyone access as a Co-Administrator would mean that they have full access to every subscription in the portal.
Account-based authentication is preferable to certificate-based authentication due to the complexity added by managing the certificates.
What caused me to question my approach was the fact that I could not perform a VIP swap against the Cloud Service using PowerShell; I received an error message stating that a certificate could not be found.
Do such role-based accounts only have access to Azure by means of the Resource Manager Commandlets?
I had to switch PowerShell to the Azure Service Manager (ASM) Mode before having access to the Move-AzureDeployment commandlet.
Something else I'm not sure of is whether or not Visual Studio will have access to those resources (in the Resource Group) when using Role Based Access Control.
When you apply RBAC to Azure as you have or just in general, give access to an account via RBAC, then those accounts can only access Azure via the Azure Resource Manager APIs, whether that's PowerShell, REST or VS.
VS 2015 can access Azure resources via RBAC when using the 2.7 SDK. VS 2013 will have support for it soon.
Can someone please explain the major differences between IBM Tivoli Access Manager and Tivoli Federated Identity Manager?
Does TAM support SAML?
Updated Answer: SAML is now supported with ISAM v9.
The names and versions of the products have been updated/changed. Basically, TFIM and TAM are now old names and products. All of the functionality and code of TFIM has been rolled into to ISAM v9. ISAM v9 now has Web, AAC, and Federation components. (ISAM v8 did not have the Federation componentm ISAM 8 only had Web and Mobile)
ISAM 9 Web - reverse proxy that handles authentication/authorization to back-end web servers
ISAM 9 AAC (Advanced Access Control) - more advanced authorization functions tailored toward mobile devices like device fingerprinting, geolocation awareness, and IP reputation
ISAM 9 Federation - all the old TFIM code with updates
old Tivoli Access Manager (TAM) -> new IBM Security Access Manager (ISAM)
old Tivoli Federated Identity Manager -> new ISAM v9 Federation
I will elaborate a bit more since nzpcmad 's answer fails to address TFIM at all.
IBM Tivoli Access Manager ( now IBM Security Access Manager) handles the authentication and authorization part of your IAM infastructure.
IBM Tivoli Federated Identity Manager allows for federated and web Single Sign On. It can be used with ISAM, for example in a scenario that ISAM delegates the authentication part to TFIM for certain resources/cases.
ISAM does not speak SAML by itself, but it can leverage TFIM that does.
Other than that, you would have to ask something more specific in order to get concrete answers.
In general, an Identity Manager provisions users into an identity repository e.g. AD / LDAP. It also provides password self-service etc. The provisioning includes user attributes and roles.
An Access Manager provides authentication (using the identity repository) and authorization based on the users attributes, roles and credentials provisioned by the Identity Manager.
I am trying to build a web part to be hosted on SharePoint online (part of Office 365). I want to use Entity Framework to connect to a DB in SQL Azure. Is this even possible? I tried deploying one solution, but I get very unhelpful error saying "Web Part Error: Sandboxed code execution request failed.".
Anyone get this combination working?
I found out that this is not possible. The reason is due to the restricted permissions in the Sandbox and cannot use a proxy to bypass that. The only way to access SQL Azure from within SharePoint online in Office 365 is via a web service exposing operations on the entities residing in SQL Azure. I am currently investigating that approach and once I have more info, I can update this answer.
Update 7/27: Using a web service serving SQL Azure data, we can integrate SQL Azure with SharePoint. The component in SharePoint that enables this integration is called 'Business Connectivity Services'.
More can be found here: http://blogs.msdn.com/b/donovanf/archive/2012/06/25/office-365-o365-business-connectivity-services-bcs-hands-on-lab-wiring-up-o365-bcs-to-a-windows-azure-service-for-office-2010-and-sharepoint-online-solutions.aspx