I have created a secondary User store using LDAP. By default, all users of the secondary store have no permission. Is it a way to assign the suscriber role to all users in one operation or I have to do it manually for each user ?
Thanks
Since by default WSO2 uses groupId('Organization) of the user to share the Application in the Devpotal as mentioned here in the documentation: sharing applications
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the User click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the ldap user store if you configure LDAP groups there are automatically created as a role and you can apply permissions to a role which will be apply to all users of your LDAP group.
But I didn't find a way to share applications between users of a LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that it allows the Applications to be shared if we have common roles, in as you said WSO2 treats AD groups as roles. Lets assume you have two users user1 and user2 in your LDAP store both of which are the part of AD group 'AD_Group'.
So mention the AD group name common to the users among which application needs to be shared : -
Also change the configuration as following in the deployment.toml file : -
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim=http://wso2.org/claims/role
Related
I have a website on ASP.NET consisting of web app and web API. In my website sign in used to be done with username and password, and then after few encryption database checks the user and start the session.
Now, after adding Aure AD single sign-in, how to make sure specific user enters into webiste. Like I have read in Azure documentation that in Token from Azure AD we can get claim (sub + tid) which are unique and immutable. Should I add a column in my database to store the value of these two (sub+tid) in order to select the specific user?
Is there any better way to do it?
The tid claim will identify the Azure AD tenant used to authenticate the user. If you allow users to sign in from any tenant, this is a good one to store.
If you only allow one tenant, then it might not be necessary to store.
There are two claims that can be used to identify a user. You can choose which one you use.
sub will uniquely identify the user in the context of that application and is immutable.
It is the standard OpenID Connect identifier for a user.
If the user signs in to another application, the value will be different there.
This value cannot be known before the user signs in to your application, they are not available through any UI or API.
oid uniquely identifies the user and is the user's objectId.
This is also immutable.
If you want to make queries to e.g. Microsoft Graph API to get user info, you will need this value as it is what is used in APIs to identify the user.
The objectId can be known in advance before the user logs in to your application (someone in their tenant can look at user list and see the ids there) and that can be an advantage in certain situations.
I am trying out the multi tenent features in Azure Active Directory for my company. We want to offer single sign on and claims based authentication and authorization for users of our web applications. Some customers have their own Azure AD, while others will get users in an Azure AD that we own. We would like to allow all users from other approved Azure tenants to authenticate, but only specific users should be authorized since we charge the customer per user per application. Hopefully, our Azure AD groups can be used for this purpose. I have succesfully created a test app that allows users from both my Azure AD and from another tenent to log in to our application.
My question is this: Is it possible to add users from another Azure AD (that we do not control) to groups in our Azure AD, so that we can use the group membership of users to allow access to different applications that we build? Is this possible or have I missunderstood something fundamental? :) Should we abandon Azure AD groups and use our own sepperate database to store claims that can be assigned to users from all tenents during the ASP security pipeline instead?
The application I tested got read access to the other Azure AD and read/write access to our Azure AD. I was unable to assign users (from another Azure AD) to our groups through the Azure managment portal ("No user exists with this user name in a directory to which you have access.") and I have thus far been unable to do it with the graph api from the application. Adding users that I create in our Azure AD to our groups works fine.
Fundementally, you will need a database to keep your user mapping.
As we're here, consider Stackoverflow - you can create an identity with stackechange, but you can also use your existing identity from google, yhaoo or facebook. This means that SO needs to keep a record of your identity in some database, and next to it what you're allowed and not allowed to do.
In many respects though, you could consider WaaD simply as a database for that matter and automatically create the user record, but keep in mind that the user will not be authenticated to your AD. you will simply be using the graph API to query based on a key and this may be done more efficiently on a dedicated database or, arguably, something like Azure table storage.
Given that you will need to query the WaaD graph API to get group membership anyway (it is not provided with the initial claim-set) you could query table storage instead.
for your specific case of "No user exists with this user name in a directory to which you have access", YES, this can be met and you can add the user of one Azure AD(abc.onmicrosoft.com) to another(def.onmicrosoft.com).
Necessary Condition:
1. you have to be at least a global-admin-user & co-admin in the Azure AD in which you have to add the user from another Azure AD.
2. you should be explicitly added in the other Azure AD, whose user you are registering in the current Azure AD, with at least a "User" privilege.
Boom!! User added with "Sourced from: Another Azure AD" tag.
You can try B2B invitation from your Azure AD to the members of different domain. As you said you have to allow people from multiple tenants, create a group and add the users via B2B invitation and map that group to your app. This is really handy because that will work for a single go as well as being easy to maintain.
I need to give roles (including the Member role), memberdata, and user folders to certain OpenID users before they first log in to my Plone site. That is, I need to programmatically add OpenID users to my Plone site. portal_registration.addMember cannot add an OpenID user. plone.openid has its own PAS plugin which does not create member objects. What do I do that is replicable in a setuphandler? The usual way to do this is to manually log in the OpenID user, then add roles, memberdata, and sharing after the login. Howwever, that user story is not programmatically replicable.
The only thing that should matter is the user id generated for each user. It should be possible to just create regular members beforehand with user ids matching the open id identity urls, assing them roles and then use openid (only) as an alternative authentication method for those users.
Update: As Chris commented below, it's not possible to add users with URL as their id through Plone UI, but they must be created directly into PAS users folder through ZMI (Zope Management Interface).
I have a different access role for each of the pages in my application (using Windows Authentication) to restrict users from access, using SqlRoleProvider. So to add users to role, I would go,
Roles.AddUserToRole(userName, roleName);
Now, I need integrate the company's AD groups into my application, such that each AD groups will be assigned these access roles as well, and users part of a certain AD group will automatically "inherit" the roles.
My questions are:
Can I continue to use my SQL tables like aspnet_Users, aspnet_Roles etc?
How do I go about integrating AD groups? And how do I assign roles to AD groups? (So far, I can check all the AD groups a user is part of using Directory Entry).
As a user logs in to the application using Windows Authentication, after I check that they are part of a particular AD group, how do I "give" or "assign" them the roles as per AD group?
Would deeply appreciate your help with these questions.
The AD ASP.NET Membership and Roles system ties directly into AD, your database tables are ignored. An AD Group becomes an ASP.NET Membership Role.
The rest of my post is concerned with applications modifying AD groups directly:
You can, with great difficulty, but in that case it is not recommended.
Active Directory group membership is assigned by another user who is a member of the Domain Admins group, or is delegated the permission to assign users to other groups.
In order to do this from code (using ADSI) your program would then need to run under (or use an impersonation token of) a user identity that is a member of the Domain Admins group or is delegated that user right.
...this means that your program is suddenly trusted with an ability that if hacked or abused, can wreck havok in your security domain. I do not recommend doing this.
Documentation is available on MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa706022%28v=vs.85%29.aspx
I am trying to find a way to handle two types of users for an intranet system. There are users who login and there are those who do not. I need to store both types of users in the membership db. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the O/S Name along with a few other attributes from AD in our membership db. The O/S Name gets captured using the Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked.. In addition to those users, there are users that actually log into the system. I was hoping to store both types of users in the membership db, so that when an event is retrieved, the user details will get retrieved from the membership db as wel
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then want's more access, he can logon to the site with a special username/pwd.
A membership DB would typically restrict access to a set of users for a particular application on an Intranet site. Only those who are in Active Directory as network users would even see the Intranet in the first place. And only a subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)