WSO2 Identity Server PAP and PDP separation - deployment

I am trying to figure how do I deploy/config WSO2 IS PAP and PDP separately so that the servers have specific role. WSO2 comes up with one full package. Once I separate I would like to know how do I publish policies from PAP to PDP.
Thanks
Raj

Currently, You can not remove PDP or PAP functions from an WSO2 Identity Server instance completely. But you can disable PDP function using entitlement.properies file. But this would not remove management UI from the instance. However you can do the logic separation. Say you can run one instances as PAP and several other instances as PDP... Then your PAP instance can be used to create policies. And you can register PDP instances as the policy subscribers using the policy publisher management UI. Here you need to provide the PDP server url, user name (admin) and password (admin). So you can register one subscriber for each PDP instances. Using policy administration UI of the PAP, you can use publish option to publish policies to selected subscribers. More details on policy publishing can be found at here

Related

Connecting to MS Forms connector using Service Principal within logic app

I am creating a logic app that will trigger when a form request is submitted.
The MS Form connector requires me to sign in. This is acceptable during development, but we have a lot of logic apps and so use DevOps to automate deployment.
With the current connector, after deployment we still have to:
manually open the logic app in the portal.
connect using authorized credentials.
save the logic app.
This manual process completely defeats the point of using DevOps with Logic Apps.
Its a similar issue when using the Outlook connector.
Is there a way to supply server principal credentials to these connectors, so that they are correct at deployment time and require no manual intervention?
It seems that it's not supported to login on MS Forms connector with service principal. Connectors that can use service principal authentication will have "Connect with Service Principal" option, like Azure Data explorer. You can give your voice on this feedback to promote this feature.
API Connections with OAuth authentication, like Office 365 and Microsoft Team connectors etc, require manual consent. Unfortunately, at this point in time, authentication for those cannot be fully automated.
Here is a ticket you can refer to.

WSO2 Identity Server - REST APIs for permission and roles

I am using WSO2 Identity Server 5.7.0 and WSO2 API Manager 2.6.0. We want to use the user management and role & permissions management of WSO2 itself, but the as per requirement we cannot use WSO2 carbon management GUI for user creattion, role mapping etc.
We need to have a separate GUI but integrate with WSO2 User, Role and Permission management.
For this purpose, WSO2 must have some kind of APIs exposed for third party application integration?
For example, I have checked user creation, user update etc operations are having corresponding SCIM REST APIs which can be used by our applications.
Is there similar APIs for :
1) Creating Service providers
2) Creating permissions at service provider level
3) Creating role mapping at service provider level
4) Creating roles
5) Associating permissions with roles
6) Associating Users with Roles.
Please let me know details of such REST APIs provided by WSO2 if any.

WSO2 IS and WSO2 APIM - Role change

I followed the steps mentioned in the below WSO2 documentation to use WSO2 IS as an Identity Server with WSO2 APIM.
I use WSO2 IS 5.3.0 and WSO2 APIM 2.1.0.
https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
I am able to access the carbon admin console in both the WSO2 IS and WSO2 APIM (in two ports)
https://localhost:9443/carbon/admin/login.jsp
https://localhost:9444/carbon/admin/login.jsp
When I use WSO2 IS console (9443) to change the user roles, most of the times it is getting reflected immediately, using the same access token. How can it be possible ? An access token is provided by WSO2 with some pre configured scopes. Within the same login session, even before the access token expires, If we change the roles of the logged in user, the roles changes are applied immediately and my access rights are changed ? Is it a valid ?
Assume a user "USER1" got an access token with privileged rights and he/she is able to access privileged APIs. Suddenly if the roles are changed and user "USER1" is assigned a normal user rights, and the user is not able to access the privileged APIs within the same login session. Is this how OAuth works ?
Please help me understand.
If I change the roles in WSO2 APIM (9444), the roles are not getting reflected immediately. Some times, it wait for the access token to expire and the gets a new access token. Sometimes, role changes are getting applied even before the access token expire.
What is the synchronization interval between WSO2 IS and WSO2 APIM, to sync the roles?
I couldn't find these roles in mysql db or ldap. Where are they stored in the backend ?
There are differences in IS as a key manager and the inbuilt key manager of API Manager. The key manager comes with API Manager is not a full fledged Identity solution. Hence its role to scope mapping, access control, etc. are somewhat limited in the point of view of Identity Management aspects.
Identity server acting as a key manager provides the full access control mechanism, hence the change in the role should affect fast as possible, even for issues keys. This is one of the reasons of using IS as a key manager.
Question 1
Ans:
Lets say a user has an admin right when he got the access token. The enterprise may decide the user has no longer needs this right and changes that on their LDAP. It should be reflected on key validation as fast as possible. Otherwise the user has continued access to the service as privileged user until key expires, which is undesirable. So the behavior is valid.
Question 2
Ans: Yes, API Manager is strong on managing APIs. However, it is not a use/role management system. Hence there will be considerable delay in reflecting the role change. So, make sure you use IS to manage the user/roles, etc. when your API Manager is configured with IS.
Where is your configured roles
It should be in WSO2UM_DB configured (UM_ROLE table), if JDBC user store is your primary UserStore.

Access/use roles and custom info from OpenId Connect profile within Dynamics 365 Portal?

I am starting to work with Dynamics 365 Portal add-on (Online, not on-prem), which I've configured to use an external authentication provider in the form of Identity Server with OpenId Connect. The problem with this is that I don't have access to the under-the-hood portal authentication process, there's just a few basic config settings and users can authenticate using the external IdP. I can't access roles, claims, or any custom info that might come back as part of the OpenId Connect user's profile (userinfo object response). I need to get at that data to customize the portal user experience. I've looked through whatever documentation I could find on the portal but can't find anything. Am I missing something or is it just not possible to access that info and customize the portal login process? Since it doesn't seem possible to do anything server-side within the portal because it's Online, can I do anything client-side within the portal to get the OpenID access token and call the UserInfo endpoint with that?
I had a case open with Microsoft and finally got an answer from them: In Dynamics CRM Online with the Online Portal add-on, there is currently no way to access anything coming back from an external identity provider. So for example, if you've configured the portal to use an external identity provider such Google, Facebook, etc, or like in my case an Identity Server instance with OpenId Connect, you can't access the claims or any other info coming back from the provider.
UPDATE:
I got another response from Microsoft support: they have confirmed their dev teams are working on making this available but don't have an ETA yet. At least it's on their radar.

SSO with keycloak

We are considering to use the keycloak as our SSO framework.
According to the keycloak documentation for multi-tenancy support the application server should hold all the keycloak.json authentication files, the way to acquire those files is from the keycloak admin, is there a way to get them dynamically via API ? or at least to get the realm public key ? we would like to avoid to manually add this file for each realm to the application server (to avoid downtime, etc).
Another multi-tenancy related question - according to the documentation the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times ? is there an alternative ?
One of our flows is backend micro-service that should be authenticated against an application (defined as keycloak client), we would like to avoid keeping user/psw on the server for security reasons, is there a way that an admin can acquire a token and place it manually on the server file system for that micro service ? is there a option to generate this token in the keycloak UI ?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro service should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.