I like to request an advice about the configuration options in the WSO2 Identity Server to adjust the layout of a corporate LDAP directory and reuse it as a Secondary Read Only User store in the IdP. Is there a mapping function available that correlates the WSO2 field terminology to the context of the corporate directory, mapping the mandatory WSO2 identity fields like [ First Name, Last Name, Address, Phone Number and others]?
This question is complementary to my previous question about the access locking.
WSO2 Admin Secondary User Store - Delete Icon is not Working
Thanks in advance for your advice how to integrate an external LDAP repository.
You can use claim management in WSO2 identity server. In the Identity Server, each user store attribute can be mapped as a claim. Therefore, you can use the claim management functionality available in the Identity Server and properly map your LDAP/AD/JDBC user store attributes with the claim URIs defined by the Identity Server. You can also add different claim URIs and manage them using claim management.
Please refer the below links to find how to do user attribute mapping.
https://docs.wso2.com/display/IS500/Managing+User+Attributes
https://docs.wso2.com/display/IS500/Adding+New+Claim+mapping
You can add your corporate LDAP directory as secondary user store.
You can follow the below steps to configure secondary user stores manually or using the management console:
configure the [IS_HOME]\repository\conf\user-mgt.xml file as given below.
Using management console:
Log in to the management console and click User Store Management sub menu under Configure menu.
List item
The User Store Management page opens
Click Add Secondary User Store.
In the User Store Manager Class list, select the type of user store you are creating (in here u can populate this drop-down list with custom user store manager implementations by adding them to the server.)
Enter a unique domain name with no underscore (_) characters, and optionally enter a description for this user store.
Enter values for the properties, using the descriptions in the Descriptions column for guidance. The properties that appear vary based on the user store manager class you selected, and there may be additional properties in an Optional or Advanced section at the bottom of the screen.
Ensure that all the mandatory fields are filled and a valid domain name is given and click Add.
A message appears saying that the user stores are being added. (The message does not imply that the user store is added successfully. It simply means that the server is attempting to add the new user store to the end of the available chain of stores.)
Refresh the page after a few seconds to check the status.
If the new user store is successfully added, it will appear in the User Store Management page.
After adding to the server, you can edit the properties of the new secondary user store and enable/disable it in a dynamic manner.
Using manually:
You can find the primary user store configuration in [IS_HOME]\repository\conf\ the user-mgt.xml file. When you create a secondary user store using the management console, its configuration is saved to an XML file with the same name as the domain name you specify. Alternatively, you can create this XML file manually and save it as follows:
When you configure multiple user stores, you must give a unique domain name to each user store in the <domainname> element. If you configure a user store without specifying a domain name, the server throws an exception at start up.
If it is the configuration of a super tenant, save the secondary user store definitions in <product_home>/repository/deployment/server/userstores directory.
If it is a general tenant, save the configuration in <product_home>/repository/tenants/<tenantid>/userstores directory.
The secondary user store configuration file must have the same name as the domain with an underscore (_) in place of the period. For example, if the domain is wso2.com, name the file as wso2_com.xml.
One file only contains the definition for one user store domain.
You can follow the below steps:
Related
I am developing an inventory management system. I am using AppWithinMinutes (AWM). Only administrator can add, edit and delete. In this system, the user name is entered in the user field. Other fields are entering other information. How can users see only their own children when they log in to xwiki with their own name? And how can not he see the other kids?
You could implement and EventListener in your application so that, whenever an entry in your application is created, an XWikiRights object is added to the page to allow view access only to the user that created it and some admin group (that is allowed to see all the entries of all the users).
Note that it would be recommended to implement your EventListener as a WikiComponent so that it is automatically registered when your XWiki instance is restarted.
We have integrated Websphere commerce with LDAP and the proper login flow is working fine.
We have a requirement that user can have an option to login using his phone number and also his membership card.
Currently we are storing the ph.no and membership card in LDAP database also.
We are unable to use these fields for login as well. Can someone give some pointers on the same?
WAS has Standalone and Federated LDAP authentication.
Standalone LDAP configs in WebSphere allow you to construct your own LDAP search that's used to map a web username to a DN. You can list multiple attributes using LDAP filter syntax (|(phone=%v)(membershipcard=%v)...
https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_ldapfilter.html
Modify the user filter, if necessary. The user filter is used for
searching the registry for users and is typically used for the
security role-to-user assignment. The filter is also used to
authenticate a user with the attribute that is specified in the
filter. The filter specifies the property that is used to look up
users in the directory service. In the following example, the property
that is assigned to %v, which is the short name of the user, must be a
unique key. Two LDAP entries with the same object class cannot have
the same short name. To look up users based on their user IDs (uid)
and to use the inetOrgPerson object class, specify the following
syntax: (&(uid=%v)(objectclass=inetOrgPerson)
Federated registries take a semi-colon separated list of LDAP attribute names used for the same purpose.
https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twim_ldap_settings.html :
All login properties are searched during login. If multiple entries or
no entries are found, an exception is thrown. For example, if you
specify the login properties as uid;mail and the login ID as Bob, the
search filter searches for uid=Bob or mail=Bob. When the search
returns a single entry, then authentication can proceed. Otherwise, an
exception is thrown.
Both are covered in gory detail in the manual.
I have OIM and ODSEE installed and LDAP Sync is enabled. In ODSEE, we have created custom object class and custom attributes. When user is created in OIM, LDAP Sync creates users in ODSEE with all attributes populated automatically. We have 2 custom attributes(Date attributes) specific to ODSEE like ghWhenCreated and ghWhenChanged which stores date values when user is created or modified in OIM. Currently we are populating these 2 attributes through event handlers in OIM. But we need these attributes to be populated automatically in ODSEE if there is add or modify requests in ODSEE since we are seeing issues when create/modification request happens in OIM. Does any one know how to update current date on custom attributes when soem entry is created or modified in ODSEE directly.
Let me know if you need further details.
I am creating an app in ai2 that connects to one of my fusion tables as a high score datastore.
If I use traditional Oauth2 flow then each user would be presented with an oauth login for their fusiontable, which is not what I want.
I have set up a
Client ID for Android application
in the google developer console which gave me
Client ID xxxxxxxxx.apps.googleusercontent.com
Redirect URIs
urn:xxx:xxx:xxx
http://localhost
Package name appinventor.ai_xxxxxxxx.xxxxxxxx
Certificate fingerprint (SHA1) 12:34:56 etc
Deep linking Disabled
What I want is for my app to connect to my fusiontable using my credentials regardless of which device or which user. How do I do that?
Thanks
This document is a very simple and straight-forward guide to creating a fusion table for your app.
https://docs.google.com/document/d/1HifuZqz5xu0KPS-e4oUv-t-nQoUQ8VMNyh_y6OjZkc0/pub
Steps:
First, you have to create a project at console.developers.google.com.
Then go to the API manager in the menu. Search for and enable the fusion tables API.
Now create a service account key. You may have to look in the credentials menu for this setting. Choose "enable Google apps-wide delegation". A service account is a localized email address that your app can use when you share the fusion table with that account. It provides more security than the anyone with the link can edit setting.
Now go to New Credentials > Service account key. Select P12, and the file will automatically download. If the name of the file has spaces, remove them.
Next, create a google fusion table.
Now share the table with the service email you created. Set the permission to Can Edit. Uncheck the notify box and hit Share.
Now, go to App Inventor. You need:
Your Service Account Email address (also called service account ID)
Service Account key file (.p12)
Fusion Table ID code (don't worry about this yet)
First, upload the key file.
In the fusion tables component property menu, set the KeyFile property to the key file. Copy the email address you created earlier and paste it in the ServiceAccountEmail property. Check the Use Service Authentication box.
Last thing: In the fusion table, go to File > About This Table. Copy the table Id. When you do operations with the table, you will need this id. You can store it in a variable if you want.
This property means that you can share and use multiple different tables with the same service account. Just share the other table(s) you will use with the service account and use that table's id when you do operations with that table.
I'm currently using openAM to protect a small webapp of mine using a Java EE web agent. Someone tries to access the app, they get redirected to the openAM instance, they login, they go to the app. Simple stuff.
What I'd like is for openAM to pass the username that was successfully used to the web app. It's my understanding that "session attributes" should be used for this. When in the admin, I go to my Java EE webagent and open up the "Application" tab to see the "Session Attributes Processing". I see that HTTP_COOKIE is a choice for fetching.
1) is it the case that I should expect to see the username, if properly set up, as plaintext in the cookie?
2) what value do I enter in the session mapping to get the username? How do I find what value in the data store corresponds to this?
Thanks
We are using HTTP_HEADER with our agents. So if you are already using agents (which sounds like you are), then the following should work for you. In OpenAM web console:
Access Control > Top Level Realm > Agents > Web / J2EE / etc. > click on an agent
Application tab > Profile Attributes Processing section > Profile Attribute Fetch Mode:
Click on the "HTTP_HEADER" choice
Profile Attribute Mapping:
Map Key: [uid] ... Corresponding Map Value: uid
Click Add. It should look like [uid]=uid once you've added it. Add any other mapping you need that matches attributes to your backend authentication system. Ours is ldap.
In your web application, retrieve the HTTP Header elements and look for the token. It should look something like this: AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.AAJTSQABMDE.
You can then use the OpenAM REST interface to validate and retrieve attributes associated with the token such as user name, password, cn, etc. To retrieve all attributes, the URL would be like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
You can also specify attributes you want like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*&attributenames=uid&attributenames=userpassword
References:
https://wikis.forgerock.org/confluence/display/openam/Use+OpenAM+RESTful+Services
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-rest.html
1) yes, the agent will create plaintext cookies (and if the user sends malicious ones it will recreate them just fine), however using HTTP_HEADER method to pass on attributes is considered as a better solution (since it's not stored on the client side).
2) Session Attributes Processing only works if you actually stored something in the session. For that you can either use the "User Attribute Mapping to Session Attribute" feature in Authentication All Core Settings or write some custom module to save derivative values. Otherwise if you just want to get the uid of the user, then use Profile Attributes Processing (uid key HTTP_UID value and your app will see a HTTP_UID cookie/header).