Sunday, October 18, 2015

Deploy a Service Provider in WSO2 Identity Server using Configuration Files.

Hi, we can deploy a Service Provider in WSO2 Identity Server in one of three ways:
        1. Management Console
        2. Admin Services
        3. Configuration Files

This blog will explain how to deploy an SP using configuration files.
I have used WSO2 IS 5.0.0 and the Travelocity web app for this scenario.

Please follow the steps given below to create a service provider using configuration files.

1. Go to the <IS_HOME>/repository/conf/security/sso-idp-config.xml file and add the following configuration to it. This registers the Travelocity application as a service provider.

<ServiceProvider>
    <Issuer>travelocity.com</Issuer>
    <AssertionConsumerService>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerService>
    <SignAssertion>true</SignAssertion>
    <SignResponse>true</SignResponse>
    <EnableAttributeProfile>true</EnableAttributeProfile>
    <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
    <EnableSingleLogout>true</EnableSingleLogout>
    <Claims>
        <Claim>http://wso2.org/claims/givenName</Claim>
    </Claims>
    <LogoutUrl></LogoutUrl>
    <EnableAudienceRestriction>false</EnableAudienceRestriction>
    <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
</ServiceProvider>


2. Create a file named travelocity.com.xml in the <IS_HOME>/repository/conf/identity/service-providers directory.

3. Add the following configurations into the travelocity.com.xml file you created. This adds the necessary SAML configurations to the travelocity service provider.


<ServiceProvider>
    <ApplicationID>3</ApplicationID>
    <ApplicationName>travelocity.com</ApplicationName>
    <Description>travelocity Service Provider</Description>
    <IsSaaSApp>false</IsSaaSApp>
    <InboundAuthenticationConfig>
        <InboundAuthenticationRequestConfigs>
            <InboundAuthenticationRequestConfig>
                <InboundAuthKey>travelocity.com</InboundAuthKey>
                <InboundAuthType>samlsso</InboundAuthType>
                <Properties></Properties>
            </InboundAuthenticationRequestConfig>
        </InboundAuthenticationRequestConfigs>
    </InboundAuthenticationConfig>
    <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>BasicAuthenticator</Name>
                        <DisplayName>basicauth</DisplayName>
                        <IsEnabled>true</IsEnabled>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                <FederatedIdentityProviders>
                </FederatedIdentityProviders>
                <SubjectStep>true</SubjectStep>
                <AttributeStep>true</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
    </LocalAndOutBoundAuthenticationConfig>
    <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
    <InboundProvisioningConfig></InboundProvisioningConfig>
    <OutboundProvisioningConfig></OutboundProvisioningConfig>
    <ClaimConfig>
        <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
    </ClaimConfig>
    <PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>

4. Start the Identity Server.

5. Follow the instructions under the “Configuring the SSO web application” topic in https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0#ConfiguringSingleSign-OnwithSAML2.0-ConfiguringtheSSOwebapplication to deploy the Travelocity sample.


6. Run the sample app.

8. Since you need to use SAML2 for this sample, click the first link, i.e., “Click here to login with SAML from Identity Server”. You are redirected to the Identity Server for authentication.

9. Enter the default admin credentials (admin/admin).

10. Now you are logged in and can see the home page of the travelocity.com app.
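Mistakes in the two files from steps 1 and 3 only show up once the server is running and the sample fails to log in, so it is worth checking them before step 4. The script below is an added example, not part of the original post or of WSO2's tooling: it cross-checks that the InboundAuthKey of the samlsso entry matches an Issuer in sso-idp-config.xml, that at least one local authenticator is enabled, and it flags the two settings a production deployment would not leave as they are in the sample (an http Assertion Consumer Service URL, and EnableAudienceRestriction set to false, which leaves the assertion unbound to this SP). The inline XML is a constructed copy of the fragments above so the script runs offline; the tag names are the ones used in those fragments.

```python
# Added example (not from the blog post): cross-check the two configuration
# files from steps 1 and 3 before starting the Identity Server. The XML below
# is a constructed inline copy of the post's fragments so the script runs
# offline; in practice read the real files under <IS_HOME>/repository/conf.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed: the <ServiceProvider> entry added to sso-idp-config.xml (step 1).
SSO_IDP_ENTRY = """<ServiceProvider>
  <Issuer>travelocity.com</Issuer>
  <AssertionConsumerService>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerService>
  <SignAssertion>true</SignAssertion>
  <SignResponse>true</SignResponse>
  <EnableAttributeProfile>true</EnableAttributeProfile>
  <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
  <EnableSingleLogout>true</EnableSingleLogout>
  <Claims><Claim>http://wso2.org/claims/givenName</Claim></Claims>
  <LogoutUrl></LogoutUrl>
  <EnableAudienceRestriction>false</EnableAudienceRestriction>
  <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
</ServiceProvider>"""

# Constructed: travelocity.com.xml (step 3), trimmed to the parts checked here.
SP_FILE = """<ServiceProvider>
  <ApplicationID>3</ApplicationID>
  <ApplicationName>travelocity.com</ApplicationName>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>travelocity.com</InboundAuthKey>
        <InboundAuthType>samlsso</InboundAuthType>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps>
      <AuthenticationStep>
        <StepOrder>1</StepOrder>
        <LocalAuthenticatorConfigs>
          <LocalAuthenticatorConfig>
            <Name>BasicAuthenticator</Name>
            <IsEnabled>true</IsEnabled>
          </LocalAuthenticatorConfig>
        </LocalAuthenticatorConfigs>
      </AuthenticationStep>
    </AuthenticationSteps>
  </LocalAndOutBoundAuthenticationConfig>
</ServiceProvider>"""


def text(elem, tag, default=""):
    """Stripped text of a direct child element, or default if it is absent/empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def check_sso_entry(sp):
    """Warnings for one <ServiceProvider> entry of sso-idp-config.xml."""
    issuer = text(sp, "Issuer")
    warnings = []
    acs = urlparse(text(sp, "AssertionConsumerService"))
    if not acs.scheme or not acs.netloc:
        warnings.append(f"{issuer}: AssertionConsumerService is not an absolute URL")
    elif acs.scheme != "https":
        # The signed assertion is posted to this URL; over http it travels in clear.
        warnings.append(f"{issuer}: AssertionConsumerService uses {acs.scheme}, not https")
    for flag in ("SignAssertion", "SignResponse"):
        if text(sp, flag).lower() != "true":
            warnings.append(f"{issuer}: {flag} is not true")
    if text(sp, "EnableAudienceRestriction").lower() != "true":
        warnings.append(f"{issuer}: EnableAudienceRestriction is disabled")
    return warnings


def check_sp_file(sp_xml, issuers):
    """Warnings for the service-providers/<name>.xml file, given the known Issuers."""
    sp = ET.fromstring(sp_xml)
    name = text(sp, "ApplicationName")
    warnings = []
    for cfg in sp.iter("InboundAuthenticationRequestConfig"):
        key = text(cfg, "InboundAuthKey")
        if text(cfg, "InboundAuthType") == "samlsso" and key not in issuers:
            warnings.append(f"{name}: InboundAuthKey {key!r} has no Issuer in sso-idp-config.xml")
    enabled = [a for a in sp.iter("LocalAuthenticatorConfig")
               if text(a, "IsEnabled").lower() == "true"]
    if not enabled:
        warnings.append(f"{name}: no enabled local authenticator in any AuthenticationStep")
    return warnings


def audit(sso_idp_xml, sp_xml):
    """Run both checks; returns the list of warnings (empty means consistent)."""
    root = ET.fromstring(sso_idp_xml)
    entries = list(root.iter("ServiceProvider"))   # works for a bare entry or a whole file
    issuers = {text(e, "Issuer") for e in entries}
    findings = []
    for entry in entries:
        findings.extend(check_sso_entry(entry))
    findings.extend(check_sp_file(sp_xml, issuers))
    return findings


if __name__ == "__main__":
    for finding in audit(SSO_IDP_ENTRY, SP_FILE):
        print("WARNING:", finding)
```

For the sample as written the script reports the http consumer URL and the disabled audience restriction, both acceptable on a localhost demo but not for a real deployment; to run it against a live install, read the two files with ET.parse instead of the inline strings.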

Monday, October 5, 2015

Lock/Unlock user accounts in WSO2 Identity Server

Hi, this blog will explain how to configure WSO2 Identity Server to lock and unlock existing user accounts.

Environment: WSO2 Identity Server 5.0.0, SoapUI 5.0.0.

We can achieve this by sending a SOAP request. An admin can lock a user account by modifying the user's account lock attribute; the user then can't authenticate. The admin can unlock the account again when needed.
However, if the user already has an authenticated session, the admin may not be able to terminate it, and it will remain until it expires.

Please follow the steps given below,

1. Go to the <IS_HOME>/repository/conf/carbon.xml file and disable the hide admin services property:
        <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

2. Go to the <IS_HOME>/repository/conf/security/identity-mgt.properties file and enable the identity listener:
        Identity.Listener.Enable=true

3. Start the Identity Server.

4. Create a new SOAP project in SoapUI using “https://localhost:9443/services/UserIdentityManagementAdminService?wsdl”.

5. Use the “lock user account” request under UserIdentityManagementAdminServiceSoap11Bindings and add a new Authorization with the configuration below:
        Authorization Type: Basic
        UserName: Admin user name
        Password: Admin password

6. Use the request below with the username that needs to be locked.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:lockUserAccount>
         <!--Optional:-->
         <ser:userName>username</ser:userName>
      </ser:lockUserAccount>
   </soapenv:Body>
</soapenv:Envelope>

7. In the same way, you can use the “unlock user account” request under UserIdentityManagementAdminServiceSoap11Bindings to unlock the user.
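The same two calls can be scripted instead of clicked through in SoapUI, which is how you would wire account locking into an incident-response runbook. The script below is an added example, not code from the post or from WSO2: the service endpoint is the WSDL URL from step 4 without the ?wsdl suffix and the envelope mirrors the request in step 6, while the SOAPAction value (urn:<operation>, the usual Axis2 convention), the ca_bundle parameter and the sample fault response are assumptions of mine. Two points it demonstrates that a hand-written string template does not: the body is built with ElementTree, so a username containing XML metacharacters is escaped instead of injecting extra elements into the request, and the TLS certificate of the Identity Server is verified rather than switched off.

```python
# Added example (not from the blog post): build, send and interpret the
# lockUserAccount / unlockUserAccount SOAP calls from steps 6 and 7 without
# SoapUI. The endpoint comes from the WSDL URL in the post; the SOAPAction
# value, the ca_bundle argument and the sample fault below are assumptions.
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://services.mgt.identity.carbon.wso2.org"
ADMIN_SERVICE = "https://localhost:9443/services/UserIdentityManagementAdminService"
OPERATIONS = ("lockUserAccount", "unlockUserAccount")


def build_envelope(operation, username):
    """Return the SOAP 1.1 envelope (bytes) for one operation.

    The body is assembled with ElementTree instead of string formatting, so a
    username such as 'a</ser:userName><ser:x>' ends up escaped as text rather
    than as extra elements in the request."""
    if operation not in OPERATIONS:
        raise ValueError(f"unsupported operation: {operation}")
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ser", SERVICE_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{SERVICE_NS}}}{operation}")
    ET.SubElement(call, f"{{{SERVICE_NS}}}userName").text = username
    return ET.tostring(envelope, encoding="utf-8")


def usernames_in(envelope):
    """Parse an envelope back and return the userName values it carries."""
    root = ET.fromstring(envelope)
    return [e.text for e in root.iter(f"{{{SERVICE_NS}}}userName")]


def parse_response(body):
    """Return (True, 'ok') on success or (False, faultstring) for a SOAP Fault."""
    root = ET.fromstring(body)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        # SOAP 1.1 fault children (faultcode, faultstring) carry no namespace.
        return False, (fault.findtext("faultstring") or "SOAP Fault without faultstring")
    return True, "ok"


def call_admin_service(operation, target_user, admin_user, admin_password, ca_bundle=None):
    """POST the envelope with HTTP Basic auth and verify the server certificate.

    Pass the exported Identity Server certificate (PEM) as ca_bundle; the
    default trust store rejects the self-signed certificate IS ships with."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        ADMIN_SERVICE,
        data=build_envelope(operation, target_user),
        method="POST",
        headers={
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": f"urn:{operation}",   # assumed Axis2 convention
            "Authorization": f"Basic {token}",
        },
    )
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return parse_response(resp.read())
    except urllib.error.HTTPError as err:
        # Axis2 returns SOAP faults with HTTP 500; the body still carries the reason.
        return parse_response(err.read())


# Constructed sample of a fault response, used to exercise parse_response offline.
SAMPLE_FAULT = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>
<faultstring>constructed: user does not exist</faultstring></soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print(build_envelope("lockUserAccount", "alice").decode())
    print(parse_response(SAMPLE_FAULT))
    # Live call (needs a running IS and its certificate exported to is.pem):
    # print(call_admin_service("lockUserAccount", "alice", "admin", "admin", "is.pem"))
```

Locking through this service has the same limit the post notes for SoapUI: it stops new authentications but does not end a session the user already holds.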

An admin can also use the management console to lock/unlock an account by modifying the user's account lock attribute in the user profile view. If you prefer to do it that way, please follow the steps given below:

1. Go to the <IS_HOME>/repository/conf/security/identity-mgt.properties file and enable the identity listener and the authentication policy:
        Identity.Listener.Enable=true
        Authentication.Policy.Enable=true

2. Start the Identity Server.

3. Log in as admin, go to the Configure tab and select Claim Management. Then select the 'http://wso2.org/claims' link and click edit on the ‘Account Lock’ claim. Tick the Supported by Default checkbox and save the changes.

4. Then go to the user profile Edit page and type ‘true’ in the Account Locked field. The user is then locked. (The first time, you have to lock the user by entering ‘true’ in the Account Locked field; after that it will be a checkbox.)


If you need to do some additional configuration, you can refer,