how to add users to roles using SCIM in WSO2 - wso2-api-manager

I want to add roles to users programmatically in WSO2 Identity Server.
I am able to create users with the SCIM APIs, but I can't find an API to add a user to a role.
I tried giving the user name as "userName":"role/myusername" in the wso2/scim/Users POST API, but it's not working; not sure if it's the correct approach.
Can someone tell me how to add a role to an existing user and also how to add a role to a new user?
Thanks

The answer here shows how to do that with the SCIM PUT command.
Also, from IS 5.1.0 onwards you can use the PATCH operation as mentioned in the docs:
Add user AMRSNGHE/groupUSR001 to group AMRSNGHE/ngioletGR
curl -k --user admin:admin -X PATCH -d '{"displayName": "AMRSNGHE/ngioletGR","members": [{"value":"","display": "AMRSNGHE/groupUSR001"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/<id returned in the response when creating the group AMRSNGHE/ngioletGR>
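The whole flow from the answers above (create the user, find the group, PATCH the user in) as an added Python example; it is not WSO2 code. The SCIM base URL, the displayNameEq filter syntax and the injected `send` transport are assumptions, and `fake_send` is a constructed stand-in for the server so the flow runs offline.

```python
import base64

# Added example (not WSO2 code) of the flow in the answers above: create the
# user, look up the group, PATCH the user into it over SCIM 1.1 on IS 5.x.
# `send(method, url, headers, body)` is an injected transport returning
# (status, parsed JSON); wire it to requests.request for a live server.
SCIM_BASE = "https://localhost:9443/wso2/scim"  # assumed IS 5.x SCIM 1.1 base

def auth_headers(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

def create_user(send, headers, username, password):
    body = {"schemas": ["urn:scim:schemas:core:1.0"],
            "userName": username, "password": password}
    status, resp = send("POST", f"{SCIM_BASE}/Users", headers, body)
    if status != 201:
        raise RuntimeError(f"user create failed: {status} {resp}")
    return resp["id"]  # the SCIM id goes into the member 'value' below

def find_group_id(send, headers, display_name):
    url = f"{SCIM_BASE}/Groups?filter=displayNameEq{display_name}"  # assumed syntax
    status, resp = send("GET", url, headers, None)
    hits = resp.get("Resources", []) if status == 200 else []
    if len(hits) != 1:  # refuse to guess when the name is ambiguous or absent
        raise RuntimeError(f"expected one group {display_name!r}, found {len(hits)}")
    return hits[0]["id"]

def add_member(send, headers, group_id, display_name, user_id, username):
    # Same PATCH body as the curl above, but 'value' carries the user's SCIM id
    # instead of "" so the server can resolve the member unambiguously.
    body = {"displayName": display_name,
            "members": [{"value": user_id, "display": username}]}
    status, resp = send("PATCH", f"{SCIM_BASE}/Groups/{group_id}", headers, body)
    if status != 200:
        raise RuntimeError(f"group patch failed: {status} {resp}")
    return resp

def add_user_to_group(send, admin, admin_pw, username, user_pw, group):
    headers = auth_headers(admin, admin_pw)
    user_id = create_user(send, headers, username, user_pw)
    group_id = find_group_id(send, headers, group)
    add_member(send, headers, group_id, group, user_id, username)
    return user_id, group_id

def fake_send(method, url, headers, body):
    # Constructed stand-in for the IS server, used for the offline run.
    if method == "POST":
        return 201, {"id": "u-001", "userName": body["userName"]}
    if method == "GET":
        return 200, {"Resources": [{"id": "g-777", "displayName": "ngioletGR"}]}
    return 200, {"id": url.rsplit("/", 1)[-1], "members": body["members"]}
```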

Related

Is there a file upload function in salt stack to upload a jar to JFrog Artifactory?

I am using a saltstack state script to create a jar from BitBucket and upload the jar to Artifactory. When uploading to Artifactory I see an authorization error. I am not sure if this is the right approach to achieve the upload to Artifactory.
I tried using curl to achieve the upload. I need to provide -u myUser:myPassword along with the curl command for it to work. I cannot provide the credentials in my salt state scripts. I am looking for a better option to achieve the upload without using login credentials. How do I upload artifacts to Artifactory using saltstack?
curl -X PUT -T /tmp/Batch.jar http://artifactory/artifactory/Batch.jar
Error:
stdout:
{
\"errors\" : [ {
\"status\" : 401,
\"message\" : \"Unauthorized\"
} ]
}
I've run into this sort of thing a couple of times. The easiest solution is to write a small salt execution module to do this work. This way you can store the artifactory credentials as pillar data and use the normal python requests or salt http helpers to make the web requests.
Looks like salt stack already provides a module for artifactory: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.artifactory.html
It may not do exactly what you're looking for, but you could definitely extend it: https://github.com/saltstack/salt/blob/develop/salt/modules/artifactory.py
The saltstack docs for writing execution modules can be found here:
https://docs.saltstack.com/en/latest/ref/modules/
According to Artifactory documentation, the REST API supports these forms of authentication:
Basic authentication using your username and password
[Simplest] Basic authentication using your username and API Key.
Using a dedicated header (X-JFrog-Art-Api) with your API Key.
Using an access token instead of a password for basic authentication.
[Recommended] Using an access token as a bearer token in an authorization header (Authorization: Bearer) with your access token.
You will have to choose one of the above.
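Putting the two answers above together (a small execution module, credentials in pillar, one of the listed Artifactory auth forms) as an added example that is not the Salt project's own artifactory module. The pillar layout under the `artifactory` key (url plus one of token, api_key, or user+password) and the `put` hook are assumptions.

```python
import hashlib

# Added example, not the Salt project's artifactory module: a small execution
# module (drop it in salt://_modules/artifactory_upload.py and sync) that PUTs a
# file with credentials read from pillar, so the state file holds no secret.
# Assumed pillar layout under the 'artifactory' key: url plus ONE of
# token | api_key | user+password, matching the auth forms listed above.
# `__salt__` is injected by the Salt loader; `put` is injectable for offline runs.

def _auth_headers(creds):
    # Prefer the forms Artifactory recommends; fall through to basic auth.
    if creds.get("token"):
        return {"Authorization": "Bearer " + creds["token"]}, None
    if creds.get("api_key"):
        return {"X-JFrog-Art-Api": creds["api_key"]}, None
    if creds.get("user") and creds.get("password"):
        return {}, (creds["user"], creds["password"])
    raise ValueError("pillar artifactory:* holds no usable credential")

def _checksums(path):
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()

def _http_put(url, data, headers, auth, timeout):
    import requests  # third-party; imported lazily so the module loads without it
    return requests.put(url, data=data, headers=headers, auth=auth, timeout=timeout)

def upload(local_path, repo_path, creds=None, put=_http_put, timeout=60):
    """CLI: salt '*' artifactory_upload.upload /tmp/Batch.jar libs-release/Batch.jar"""
    creds = creds or __salt__["pillar.get"]("artifactory", {})
    headers, basic = _auth_headers(creds)
    sha1, sha256 = _checksums(local_path)
    # Artifactory checks these deploy headers against the received bytes, so a
    # truncated or tampered upload is rejected instead of stored.
    headers["X-Checksum-Sha1"] = sha1
    headers["X-Checksum-Sha256"] = sha256
    url = creds["url"].rstrip("/") + "/" + repo_path.lstrip("/")
    with open(local_path, "rb") as fh:
        resp = put(url, data=fh, headers=headers, auth=basic, timeout=timeout)
    if resp.status_code not in (200, 201):
        # Never include the headers in the error text: they carry the credential.
        raise RuntimeError(f"upload to {url} failed: HTTP {resp.status_code}")
    return {"url": url, "status": resp.status_code, "sha1": sha1, "sha256": sha256}
```

Run `salt '*' saltutil.sync_modules` after placing the file so the minions pick it up.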

What LinkedIn API permission am I missing to get organization target name?

Using LinkedIn API v2.0 I'm currently trying to get a list of organisation ids and names for the authenticated user that they are an administrator of. I'm able to get all organisation ids using:
https://api.linkedin.com/v2/organizationalEntityAcls?q=roleAssignee&role=ADMINISTRATOR&start=0&count=100&fields=organizationalTarget&oauth2_access_token={{OAUTH_ACCESS_TOKEN}}
but when I add "organizationTarget~" as part of the fields parameter I get an error saying
"not enough permissions to access field organizationalTarget~ for
GET-roleAssignee /organizationalEntityAcls"
Should I be using a different endpoint to get this data or what permission am I missing? I currently am using r_basicprofile, rw_company_admin, and rw_organization scopes while authenticating.
I found the answer on this page: https://learn.microsoft.com/en-us/linkedin/shared/references/migrations/permissions-resources-mapping
"rw_organization_admin" is the missing scope.
You can try with this API call:
curl -i -X GET \
-H "Authorization:Bearer <ACCESS-TOKEN>" \
'https://api.linkedin.com/v2/organizationalEntityAcls?q=roleAssignee&role=ADMINISTRATOR&projection=(elements*(organizationalTarget~(localizedName)))'
Hope this helps

How to get an Azure MSI access token for a specific user assigned identity on a VM/VMSS?

I'd like to assign multiple user assigned managed service identities to a VM Scale Set in Azure. I can do so by following the docs.
What I have not figured out yet is how I can request a token for a specific identity. The docs for requesting a token via the IMDS endpoint do not mention any request parameters for specifying e.g. a clientId.
Any clues?
Christian,
You can request tokens for a particular managed identity, by passing in the client_id or object_id in the request. For example:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=<USERASSIGNED_OBJECT_ID>' -H Metadata:true -s
Our docs are being updated right now to properly include this info. Thanks for the note! :)
-Arturo
Previous answers provide the right pointer.
If you are using Azure SDKs to write your code, then you can use Azure.Identity library and the DefaultAzureCredential object as described here - https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#specifying-a-user-assigned-managed-identity-with-the-defaultazurecredential
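The IMDS request from Arturo's answer, as an added Python example that is not Microsoft's code: it requires exactly one identity selector (client_id, object_id or mi_res_id), always sends the Metadata header, and checks that the identity IMDS answered for is the one asked for. The `fetch` hook is an assumption so the logic can be exercised off the VM.

```python
import json
import urllib.parse
import urllib.request

# Added example, not Microsoft's code: request an IMDS token for one specific
# user-assigned identity on a VM/VMSS, as the answer above describes, and
# fail closed if the selector is ambiguous or the reply is for another identity.
# `fetch(url, headers)` is injectable so the flow can be exercised off the VM.
IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

def token_request(resource, client_id=None, object_id=None, mi_res_id=None):
    """Build (url, headers). Exactly one identity selector must be given, so
    with several identities assigned IMDS never picks one for you."""
    selectors = {"client_id": client_id, "object_id": object_id, "mi_res_id": mi_res_id}
    chosen = {k: v for k, v in selectors.items() if v}
    if len(chosen) != 1:
        raise ValueError("pass exactly one of client_id, object_id, mi_res_id")
    params = {"api-version": API_VERSION, "resource": resource, **chosen}
    # IMDS rejects requests lacking 'Metadata: true'; that header is what keeps
    # a plain redirect or SSRF from reaching this endpoint on the caller's behalf.
    return IMDS + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}

def fetch_token(resource, fetch=None, **selector):
    url, headers = token_request(resource, **selector)
    body = json.loads((fetch or _http_get)(url, headers))
    for key in ("access_token", "expires_on", "client_id"):
        if key not in body:
            raise RuntimeError(f"IMDS response missing {key}")
    # IMDS echoes the identity it used; refuse a token minted for another one.
    if selector.get("client_id") and body["client_id"] != selector["client_id"]:
        raise RuntimeError("IMDS returned a token for a different identity")
    return body  # never log this dict: access_token is a bearer credential

def _http_get(url, headers):
    # IMDS is link-local; bypass any HTTP(S)_PROXY from the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return resp.read().decode()
```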

WSO2 APIM not providing custom claims with user schema

I am using the WSO2 APIM (API Manager) version 1.9.1 release, working on the JWT assertion concept. I found some useful links, shown below:
http://sanjeewamalalgoda.blogspot.in/2015/05/use-openid-with-oauth-20-in-wso2-api.html
http://xacmlinfo.org/2015/03/09/openid-connect-support-with-resource-owner-password-grant-type/#comment-21792
I created my own SP (service provider) and created some custom claims there under Claim Configuration and Inbound Authentication Configuration, OAuth/OpenID Connect Configuration.
As per the link:
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
It gives us
{"scope":"openid","token_type":"Bearer","expires_in":3600,
"refresh_token":"65af3dbea3294b1524832d3869361e3e",
"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01XTTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpjb3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0.Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlGDUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSsGiy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcDr7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZpc-sR07DS7KkHoV6Fp3l0oA",
"access_token":"1c0c92c4e98e4371c91463ee3f2284c"}
But when we call the following we only get the default user schema details; it's not showing our custom claims in the output.
curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" https://localhost:9443/oauth2/userinfo?schema=openid
{
"phone_number":"54326643565",
"email":"mkyong#yahoo.com",
"family_name":"Yong",
"country":"Japan"
}
Why isn't it giving any of the other custom claims configured with the SP? Any help?
{
"iss":"wso2.org/products/am",
"exp":1391029971429,
"http://wso2.org/claims/subscriber":"admin",
"http://wso2.org/claims/applicationid":"1",
"http://wso2.org/claims/applicationname":"DefaultApplication",
"http://wso2.org/claims/applicationtier":"Unlimited",
"http://wso2.org/claims/apicontext":"/pizzashack/menu",
"http://wso2.org/claims/version":"1.0.0",
"http://wso2.org/claims/tier":"Bronze",
"http://wso2.org/claims/keytype":"PRODUCTION",
"http://wso2.org/claims/usertype":"APPLICATION",
"http://wso2.org/claims/enduser":"admin",
"http://wso2.org/claims/enduserTenantId":"-1234"
}
Basically, in API Manager, after subscribing to an application, the API Store registers an OAuth subscription automatically. Therefore it is unnecessary to configure a service provider for the OAuth subscription.
The custom claim configuration is not enabled in api-manager.xml by default. Therefore, you must add the configuration parameters to the API authentication handler.
To configure the custom dialect, copy the following into the <APIM_HOME>/repository/conf/api-manager.xml file under the <APIConsumerAuthentication> tag.
<SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<EnableTokenGeneration>true</EnableTokenGeneration>
<TokenGeneratorImpl>org.wso2.carbon.apimgt.impl.token.JWTGenerator</TokenGeneratorImpl>
After configuring the custom dialect, add a new claim mapping. While adding the custom claim mappings select “Supported by Default” (Supported by Default=true). Once complete, go to Home > Configure > Users and Roles > User. Select the user and update the newly added field that appears in the user profile. You should then see the user details in the JWT.
Reference: https://docs.wso2.com/display/AM190/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
https://docs.wso2.com/display/IS500/Adding+New+Claim+Mapping
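A way to confirm the steps above took effect, as an added Python example that is not WSO2 code: decode the JWT the gateway emits and list which claims of the http://wso2.org/claims dialect are missing. The sample token is constructed from the claim set shown earlier, and the signature is deliberately not verified here.

```python
import base64
import json

# Added example, not WSO2 code: decode the X-JWT-Assertion (or id_token) the
# gateway emits and report which custom-dialect claims are missing, to confirm
# the api-manager.xml and claim-mapping steps above took effect. The signature
# is NOT checked here; the backend must verify it with the gateway's public key
# before trusting any claim. The sample token below is constructed.
DIALECT = "http://wso2.org/claims/"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def dialect_claims(payload):
    """Claims in the WSO2 dialect keyed by short name, e.g. 'enduser'."""
    return {k[len(DIALECT):]: v for k, v in payload.items() if k.startswith(DIALECT)}

def missing_claims(payload, expected):
    """Which of the claims mapped in the SP are absent from the JWT."""
    present = dialect_claims(payload)
    return sorted(c for c in expected if c not in present)

def expired(payload, now):
    exp = float(payload["exp"])
    if exp > 1e11:  # 13-digit value: milliseconds, as in the APIM sample above
        exp /= 1000.0
    return now >= exp

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(claims):
    # Constructed, unsigned sample: real tokens carry an RSA signature here.
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"

SAMPLE_CLAIMS = {"iss": "wso2.org/products/am", "exp": 1391029971429,
                 DIALECT + "enduser": "admin", DIALECT + "tier": "Bronze",
                 DIALECT + "applicationname": "DefaultApplication"}
```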

I cannot enable basic HTTP authentication in a SOAPInput node (Websphere Message Broker)

I have tried enabling http authentication to a SOAPInput node in my message flow, however it does not seem to take effect. I don't have to pass any credentials and I still get a reply. These are the steps I have taken:
1.) created a security profile with the following commands:
## Set up the security id
mqsisetdbparms DEV_ESB30_AP01 -n basicSecurityId -u user1 -p testPass1
## Set up the security profile
mqsicreateconfigurableservice DEV_ESB30_AP01 -c SecurityProfiles -o orsSecurityProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,basicSecurityId"
2.) I set the security profile in the BAR to basicSecurityId
Am I missing something?
Did I define the security profile correctly?
This security profile authenticates correctly when used in a SOAPRequest node, but is completely ignored in a SOAPInput node. Thanks for any help you can give.
You need to tell broker how to authenticate by setting an authentication provider in the security profile (i.e. LDAP, WS-Trust).
The security profile you have posted just tells broker to put the ID in the properties folder, not actually to do anything with it.
Note that it is not currently possible to do both WS-Security and Basic Auth at the same time, so if you have a policy set configured basic auth will not work.
