WSO2 Identity Server Authentication - server

I have a requirement that I need to authenticate user credentials via WSO2 Identity Server. The user credentials are stored in a separate database. Can anyone explain how to achieve this?

All of the WSO2 products are based on the WSO2 Carbon framework (an award-winning, light-weight, service-oriented platform for all WSO2 products), and can be configured to use an existing centralized user management system as the user store.
In WSO2 Carbon-based products, there are four user store manager classes that implement the AbstractUserStoreManager class. You can select one of those classes according to the user store that you have in your environment.
org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager
org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager
org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager
org.wso2.carbon.user.core.ldap.ActiveDirectoryLDAPUserStoreManager
You can write a custom JDBC user store manager if your data is in an RDBMS. Have a look at Writing a Custom User Store Manager, and especially check the section Implementing a custom JDBC user store manager.

When a JDBC user store is used as a primary or secondary user store, the user details will be stored in the “UM_USER” table upon user creation. The following are the columns of the table.
UM_ID
UM_USER_NAME
UM_USER_PASSWORD
UM_SALT_VALUE
UM_REQUIRE_CHANGE
UM_CHANGED_TIME
UM_TENANT_ID
All WSO2 products are shipped with an H2 database internally by default. The H2 database stores registry and user management data.
This H2 data can easily be accessed by enabling the H2DatabaseConfiguration in carbon.xml, which is located in /repository/conf.
Follow the following configuration steps to access the H2 database in a browser.
Open the carbon.xml file and paste the H2DatabaseConfiguration as follows.
Note: Don't uncomment the H2DatabaseConfiguration which is already there.
<H2DatabaseConfiguration>
    <property name="web"/>
    <property name="webPort">8082</property>
    <!-- webAllowOthers lets hosts other than localhost reach the H2 console; leave it out unless remote access is required -->
    <property name="webAllowOthers"/>
</H2DatabaseConfiguration>
Start the server.
Direct your browser to http://localhost:8082
Fill in the JDBC URL, username and password as follows.
JDBC url: jdbc:h2:/repository/database/WSO2CARBON_DB
username: wso2carbon
password: wso2carbon
If anyone wants to replace the H2 database with a different kind of database like MySQL, you can do it as follows. Refer to [1].
[1] https://docs.wso2.com/display/IS500/Setting+up+MySQL

Related

How to synchronize user's data with users stored by keycloak in a Jhipster-App?

I wanted to create a webapp using JHipster with Keycloak and ran into a problem:
There is no problem creating new users using Keycloak or connecting user-specific data to these users.
But if I want to delete a user I have to do that via Keycloak too, so the entry in JHipster's JHI_USER, the role assignments and all the data created by this user will not be affected by this deletion.
So what can I do to make it possible to delete this user's data as well?
If Keycloak supported SCIM, you could use Apache SCIMple to sync your users. Here's a demo script that shows how to do it with Okta:
https://github.com/mraible/okta-scim-spring-boot-example/blob/main/demo.adoc

Can Keycloak store user data encrypted in Postgres

I want to use Keycloak as an OpenID Connect implementation via Docker with a Postgres DB.
I could not find a resource documenting whether Keycloak stores user data encrypted. Only passwords seem to be hashed.
Postgres provides pgcrypto as a way to execute encryption and decryption at runtime.
Is there a way to enable crypto for user data with Keycloak?
Keycloak provides an option called the User Storage SPI: https://www.keycloak.org/docs/latest/server_development/#_user-storage-spi
With this, you can build a bridge between Keycloak and your DB.
You will have the freedom to store your data in the DB as you see fit, and when Keycloak invokes a User Storage SPI method you will have to return the data as per Keycloak's specifications.

Does Keycloak need a database

I have setup Keycloak as a SAML broker, and authentication is done by an external IdP provided by the authorities. Users logging in using this IdP are all accepted and all we need from Keycloak is an OAuth token to access our system.
I have tried both the default setup using H2 and running with an external MariaDB.
The external IdP provides us with the full name of the user and a personal ID. Both are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.
The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.
Do I need a database, and if not how do I run Keycloak without it?
Do I need a database, and if not how do I run Keycloak without it?
Yes, however, out-of-the-box Keycloak runs without having to deploy any external DB. From the Keycloak official documentation section Relational Database Setup one can read:
Keycloak comes with its own embedded Java-based relational database called H2. This is the default database that Keycloak will use to persist data and really only exists so that you can run the authentication server out of the box.
So out-of-the-box you cannot run Keycloak without a DB.
That being said, from the same documentation one can read:
We highly recommend that you replace it with a more production ready external database. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either.
So regarding this:
The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.
You would still be better off deploying another DB, because Keycloak stores more than just the users' information in the DB (e.g., realm information, groups, roles and so on).
The external IdP provides us with a full name of the user and a personal ID. Both data are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.
You can configure that IdP and Keycloak in a manner that the users are not imported into Keycloak whenever those users authenticate.

Keycloak server embedded in a Spring Boot application with custom User Storage SPI

I have managed to set up a Keycloak server embedded in a Spring Boot Application successfully, following this tutorial:
Keycloak Embedded in a Spring Boot Application
in order to avoid setting it up manually.
Since I am dealing with an old implementation that already has its own DB, I decided to use Keycloak's User Storage SPI to connect to an external PostgreSQL DB and use this for authentication instead of the Keycloak DB.
To do this, I followed the tutorial in the Keycloak documentation, but it involves a standalone Keycloak server, creating a .jar with the custom provider and injecting it into <pathToKeycloak>/standalone/deployments/.
I have created an implementation that works with a standalone Keycloak server, but now I want to include it to the embedded one. Is it possible to use a Keycloak server Embedded in a Spring Boot Application and also have an embedded custom User Storage Provider, to avoid setting up manually?
If you have already implemented the provider and the provider factory, you only need to declare the provider factory class in the resources/META-INF/services/org.keycloak.storage.UserStorageProviderFactory file.
Then you can log in to the administration console and enable user storage provider on the User Federation page.
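A minimal read-only provider of the kind the two Keycloak answers above describe (the User Storage SPI bridge to an external DB, registered through META-INF/services and enabled under User Federation), written here as an added illustration rather than code from Keycloak or from either answer. It assumes a recent Keycloak (the lookup signatures changed around version 13), Java 17, a hypothetical legacy table app_user(username, password_hash) reached through JDBC settings entered as the provider's component config, and that the legacy hashes are PBKDF2-SHA256 stored as iterations:hexSalt:hexHash.

```java
import java.sql.*;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.*;
import org.keycloak.models.*;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.*;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

// Read-only bridge to a legacy table app_user(username, password_hash); table and column names are hypothetical.
public class LegacyDbUserStorageProvider implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {
    private final KeycloakSession session;
    private final ComponentModel model;  // jdbcUrl/dbUser/dbPass: config keys entered for this provider in the admin console
    LegacyDbUserStorageProvider(KeycloakSession s, ComponentModel m) { session = s; model = m; }

    // Parameterized query: the username comes straight from the untrusted login form.
    private String fetchHash(String username) {
        try (Connection c = DriverManager.getConnection(model.get("jdbcUrl"), model.get("dbUser"), model.get("dbPass"));
             PreparedStatement ps = c.prepareStatement("SELECT password_hash FROM app_user WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) { return rs.next() ? rs.getString(1) : null; }
        } catch (SQLException e) { throw new IllegalStateException("legacy DB lookup failed", e); }
    }

    @Override public UserModel getUserByUsername(RealmModel realm, String username) {
        if (fetchHash(username) == null) return null;  // unknown user: Keycloak reports the failed login itself
        return new AbstractUserAdapter(session, realm, model) { @Override public String getUsername() { return username; } };
    }
    // Federated user ids have the form f:<componentId>:<externalId>; StorageId recovers the username part.
    @Override public UserModel getUserById(RealmModel realm, String id) { return getUserByUsername(realm, StorageId.externalId(id)); }
    @Override public UserModel getUserByEmail(RealmModel realm, String email) { return null; }
    @Override public boolean supportsCredentialType(String type) { return PasswordCredentialModel.TYPE.equals(type); }
    @Override public boolean isConfiguredFor(RealmModel r, UserModel u, String type) { return supportsCredentialType(type); }

    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        String stored = supportsCredentialType(input.getType()) ? fetchHash(user.getUsername()) : null;
        if (stored == null) return false;
        try {
            String[] p = stored.split(":");  // assumed legacy format: iterations:hexSalt:hexPbkdf2Sha256
            PBEKeySpec spec = new PBEKeySpec(input.getChallengeResponse().toCharArray(), HexFormat.of().parseHex(p[1]), Integer.parseInt(p[0]), 256);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return java.security.MessageDigest.isEqual(dk, HexFormat.of().parseHex(p[2]));  // constant-time compare
        } catch (Exception e) { return false; }
    }
    @Override public void close() {}

    // Registered by listing LegacyDbUserStorageProvider$Factory in META-INF/services/org.keycloak.storage.UserStorageProviderFactory.
    public static class Factory implements UserStorageProviderFactory<LegacyDbUserStorageProvider> {
        @Override public LegacyDbUserStorageProvider create(KeycloakSession s, ComponentModel m) { return new LegacyDbUserStorageProvider(s, m); }
        @Override public String getId() { return "legacy-db"; }  // provider name shown on the User Federation page
    }
}
```

During a password login Keycloak calls getUserByUsername and then isValid; the provider never imports or writes users, so the legacy credentials stay out of the Keycloak database.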

Can we add custom user attributes to Cloud Directory identity source of Bluemix SSO Service?

I am using Bluemix SSO service for user authentication and configured the Cloud Directory identity source as my identity provider. The SSO implementation is working perfectly fine for the Bluemix applications.
However, I have a need to add a few custom user attributes and retrieve them as part of the user profile details once the authentication is successful. The Cloud Directory identity source only supports name and email as the user attributes and doesn't provide any feature to add additional custom attributes.
Is it possible to add any custom user attributes to Cloud Directory identity source? If not, what is the best way to configure the custom user attributes when using Bluemix SSO service?
It is not possible to add additional custom attributes using the Cloud Directory of Bluemix SSO (example: roles). There is no best way to configure the custom user attributes, but you could develop your own login system. For example, if you are using the Bluemix Node.js runtime you could use the passport module and store all user information in a specific table of your DB. In this way you can manage the login and other custom fields. An alternative is to use SSO Cloud Directory, retrieve the username information from the SSO service in the session and use it as a key to retrieve other DB fields (roles, numbers, address).