How to retrieve user attributes through SAML in WSO2 Identity Server - attributes

I'm doing a sample webapp that authenticates against WSO2 Identity Server through SAML. It works fine but now I wanted to retrieve user attributes and roles for authorization and I'm completely lost.
Reading some SAML docs I know that I must send an AttributeQuery request but not how, and I've gathered that I should use a SOAP request, but I don't know how the server works. I don't know if WSO2-IS offers a web service or some other method. If yes, which would be the WSDL URL to generate the client? And if not, which method should I follow? It could also be possible that the same authentication response includes the user attributes.
Thank you for your help, and sorry if the solution is obvious. I haven't found anything about this in your docs, I'm not familiar with security environments, and I don't understand all the options the admin console shows.

While an attribute request can be sent to get the details of one or more user attributes, you can get all the information through one call (the authentication request) - all the attributes of the user (attributes in the default profile) and the roles of the user.
There is a basic demo application available.
To get attributes, you should use WSO2 4.0 M8 release (which supports the attribute profile).
Once a Service Provider is registered, we can select the required attributes that should be returned. More information about this, and the link to get the WSO2 4.0 M8 release, can be found in the comment section of "SAML2.0 SSO with the WSO2 Identity Server".

This article provides a detailed description of how to get user details after SAML authentication.

Related

Handle the Identity provider side of SAML using Node.js

I need to implement an Identity Provider service (using Node.js) that should be able to:
Get, validate and parse (using a private key and certificate) the authentication request from the SP, example
If everything is valid, respond with a signed XML response, example
Is there a tool in Node.js that can handle the IdP side of the SAML protocol? I'm familiar with samlify, saml2, passport-saml, and all of them seem to handle the Service Provider side of the protocol.
If the packages mentioned here can serve my needs, could you specify how exactly they handle this?
Any other directions and/or hints may be helpful.
Thanks
This is what my research says about these modules.
Passport-saml - Provides service provider only
Saml2-js - Provides service provider
Samlify - IdP in experimental phase. You can check the IdP implementation here: https://github.com/tngan/samlify/blob/f2b6a2f8c36dc0ff887d0442c48cd0f2c0a4a778/examples
Node-samlp - IdP which provides the SAML assertion, but user authorization we need to do on our own
Saml-idp - It says we can create an IdP, but again it refers to an online IdP
I have used samlify to make my existing Node.js application an identity provider to a third-party service provider.
It has many configuration options. Initially it took time to successfully implement.

How to include configured claims in ADFS (as IDP) metadata.xml or know them in advance (before the profile object returned)?

I am using SAML SSO with ADFS (as IdP); in the ADFS UI I configured all the needed data for my SP (third-party) application, including roles (claims).
Now in ADFS there is an option to copy a link to the federation metadata XML with all of my configured data.
My problem is: in this metadata XML link ADFS gave me I can't find the roles (claims) that I defined (I can see them in the profile response object returned after a successful authentication, but not in the metadata XML).
My questions are:
1. Should the ADFS metadata XML include my claims?
2. If yes, can you please explain how I can include them?
3. Else, can you suggest a way for me to know which claims (keys) are going to be returned in the profile object on the front end?
Thanks.
No - metadata is server specific, not user specific.
You only get the claims you configure on ADFS.

Azure AD Login/logout implementation for Spring cloud microservices

I want to implement login and logout functionality and retrieve user details like username and user role using Azure Active Directory.
We are using Docker to deploy a Spring Cloud microservices project on Azure cloud. Could you please suggest steps to get user details?
Do we need to secure all microservice edge points using Spring Cloud OAuth2 security with JWT, or can we just secure one web microservice? Do I need any permission or specific user roles to implement this?
You can find Azure's documentation about OAuth 2.0 support for AAD here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
I've got an application that's using OAuth 2.0 with a different Authentication Server, and I'm about to see if I can use AAD as the Authentication Server. But, whatever ends up being your Auth Server, the rest of the application should be the same...
The Auth Server handles the log in (typically as a Single-Sign On pattern)
The Auth Server will return a Json Web Token (at some point, depending on the Grant Type being used to retrieve it)
The JWT should be included in each subsequent request to ensure the caller has authorization
From a Spring perspective, you'll need at least an SSO Client (denoted by the @EnableOAuthSSO annotation). If everything is hosted by that process, you'll need that JWT to call subsequent methods. If you have processes hosted in other processes, it's likely you'll want them secured as well. Using the @EnableResourceServer annotation will configure Spring Security to look for the JWT, just not attempt to retrieve one if the request does not have it.
Unless the endpoint is meant to be publicly accessible, you will want to secure it. Of course, I really don't know the context of your application, so this statement is purely an uninformed opinion based on zero knowledge of what you're trying to do with your application. Take it for what it's worth.
EDIT
This has become a little more complex than I originally thought. I have been able to write some code to dynamically retrieve the public key from Microsoft in order to validate the returned JWT.
But, the main issue is the fact the Azure AD supports Open Id Connect when acting as an Identity/Authentication Server. And, at the moment, spring-security-oauth2 doesn't support Open Id Connect.
I was able to make some small changes to the Spring code, but I did ask the question to the Spring group and they are actively working on adding support for Open ID Connect. They hope to have a release in two months (ish?).
For the short term, the oauth2 support doesn't support Open Id Connect. Given this is the protocol used by AAD, the current version of oauth2 won't work with AAD. That said, I will be happy to wait for the official support which shouldn't be too long.
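The answer above mentions retrieving Microsoft's public key dynamically to validate the returned JWT. As an added example (written here for this page, not the answerer's Spring code and not from Microsoft or Spring), the Python script below walks through the checks a resource server performs on a bearer token: pick the signing key from the issuer's JWKS by `kid`, pin the algorithm to RS256, verify the RSASSA-PKCS1-v1_5 signature, then check `iss`, `aud` and `exp`. So that it runs offline, the script also generates a throwaway RSA key pair, publishes it as a JWKS and mints a token with it; in a real deployment the JWKS document comes from the issuer's `jwks_uri` and the token from the `Authorization` header. The issuer URL and audience are assumed values.

```python
# Added example: JWKS-based RS256 JWT validation, with a locally built key,
# JWKS and token so it runs offline. Not from the original post, Spring or Microsoft.
import base64, hashlib, json, random, time

ISSUER = "https://login.example.test/tenant-id/v2.0"   # assumed issuer value
AUDIENCE = "api://example-resource"                      # assumed app/client id
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; only used to build a throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits: int = 1024) -> dict:
    """Throwaway RSA key pair (demo only; a real IdP keeps its own)."""
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = random.getrandbits(half) | (1 << (half - 1)) | 1
        while q == p or not _is_probable_prime(q):
            q = random.getrandbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this is the gcd(e, phi) == 1 check
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def public_jwk(key: dict, kid: str) -> dict:
    """The public half in JWK form, i.e. one entry of a jwks_uri document."""
    k = (key["n"].bit_length() + 7) // 8
    return {"kty": "RSA", "use": "sig", "kid": kid,
            "n": b64url(key["n"].to_bytes(k, "big")), "e": b64url(key["e"].to_bytes(3, "big"))}


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def mint_jwt(key: dict, kid: str, claims: dict) -> str:
    """Sign a JWT with RS256 (stands in for the IdP issuing the token)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"])
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))


def validate_jwt(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if key lookup, signature, iss, aud and exp all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm: never honour 'none' or an HMAC downgrade
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks.get("keys", []) if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:  # on a miss, re-fetch the JWKS once (keys rotate), then reject
        raise ValueError("no signing key with matching kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p_b64))  # decode the payload only after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


if __name__ == "__main__":
    key = generate_rsa_key()
    jwks = {"keys": [public_jwk(key, "demo-kid-1")]}  # what jwks_uri would serve
    now = 1_700_000_000
    token = mint_jwt(key, "demo-kid-1", {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                                         "roles": ["Reader"], "exp": now + 600})
    print(validate_jwt(token, jwks, ISSUER, AUDIENCE, now=now))
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim in the payload is read, and a `kid` that is not in the cached JWKS is the normal signal to refresh the key set once before rejecting the token.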

Secure WSO2 AS with WSO2 IS

I want to configure a WSO2 identity server as security repository for my WSO2 application server. I've read the application server online documentation but I didn't find any reference to this configuration.
Is there any tutorial?
Simple scenario: I have a web app configured to use Basic Auth in the web.xml file, and I want to use WSO2 IS as the user store for authentication and authorization.
It is possible to use the web service API to integrate with WSO2 Identity Server. WSO2 IS has user-mgt and entitlement APIs. For any user-mgt action and authorization check, we can call these APIs from any product. Sorry, I couldn't find any tutorial describing this.
Hope the following blog post may be helpful to you at some point, as it is recommended that you have an external LDAP user store. It describes how to connect an external LDAP with WSO2 Identity Server.
http://blog.facilelogin.com/2009/06/connecting-wso2-identity-server-20-to.html
Do you want to use the Identity Server for authentication?
Or do you just need a user store?
Or do you need a Token-Service to secure the communication between App-Server and Web-Services?
It is not clear what exactly you want to use the Identity Server for. In JBoss, for example, you can also use authentication with an LDAP, so you wouldn't need the Identity Server.

Liferay json web services authentication

I want to integrate Liferay with my existing application; for that I want to use the JSON web services offered by Liferay. Most of these services (listed at /api/jsonws) ask for an authentication token "p_auth", however I don't find any login or authenticate method in these services which can give me this p_auth token.
My application is PHP and I am not an expert in Java, so I'm looking for some REST and/or SOAP based HTTP method to log in/authenticate. Is there any way to do so?
Liferay added the p_auth key to links marked with the @ActionMapping annotation for preventing CSRF attacks. You can disable this token with
auth.token.check.enabled=false
on the Liferay side (portal-ext.properties file), but in this case anyone would be able to log in through such a method.
You can read more here
