From 71e0778cae146d3eaf5e32ac6e3464b9cfacb180 Mon Sep 17 00:00:00 2001 
From: gomathyK Date: Mon, 16 Sep 2019 19:37:08 +0530 Subject: [PATCH 1/2] add connector docs --- en/docs/develop/amazon-authenticator.md | 144 ++- .../develop/authenticators-and-connectors.md | 3 +- .../develop/aws-cloud-directory-user-store.md | 34 +- en/docs/develop/basecamp-authenticator.md | 225 +++- en/docs/develop/bitly-authenticator.md | 162 ++- en/docs/develop/cas-inbound-authenticator.md | 183 ++- .../configuring-amazon-authenticator.md | 388 ------ .../configuring-basecamp-authenticator.md | 236 ---- .../configuring-bitly-authenticator.md | 161 --- .../configuring-cas-inbound-authenticator.md | 196 --- ...uring-certificate-revocation-validation.md | 79 +- .../configuring-dropbox-authenticator.md | 154 --- .../configuring-facebook-authenticator.md | 349 ------ .../configuring-foursquare-authenticator.md | 598 --------- .../configuring-github-authenticator.md | 224 ---- .../configuring-instagram-authenticator.md | 251 ---- en/docs/develop/configuring-jwt-grant-type.md | 257 ---- .../configuring-linkedin-authenticator.md | 468 ------- .../configuring-mailchimp-authenticator.md | 244 ---- .../configuring-mepin-authenticator.md | 405 ------ ...nfiguring-mobile-connect-authenticator.md} | 114 +- ...ulti-factor-authentication-using-smsotp.md | 584 --------- ...ulti-factor-authentication-using-token2.md | 485 -------- .../configuring-nuxeo-authenticator.md | 415 ------- ...nfiguring-password-policy-authenticator.md | 235 ---- .../configuring-pinterest-authenticator.md | 255 ---- .../configuring-reddit-authenticator.md | 191 --- .../configuring-rsa-securid-authenticator.md | 258 ---- ...iguring-scim-2.0-provisioning-connector.md | 1087 ----------------- .../configuring-symantec-vip-authenticator.md | 194 --- .../develop/configuring-totp-authenticator.md | 230 ++-- .../configuring-twitter-authenticator.md | 205 ---- .../configuring-wordpress-authenticator.md | 197 --- .../configuring-yammer-authenticator.md | 177 --- ...-connector-and-publishing-in-wso2-store.md | 
37 +- en/docs/develop/dropbox-authenticator.md | 139 ++- ...cator.md => duo-security-authenticator.md} | 107 +- ...=> duo-security-provisioning-connector.md} | 74 +- en/docs/develop/emailotp-authenticator.md | 845 ++++++++++++- en/docs/develop/facebook-authenticator.md | 336 ++++- en/docs/develop/foursquare-authenticator.md | 583 ++++++++- en/docs/develop/getting-support.md | 4 +- en/docs/develop/github-authenticator.md | 223 +++- en/docs/develop/instagram-authenticator.md | 233 +++- ...thenticator.md => inwebo-authenticator.md} | 89 +- ...provisioning.md => inwebo-provisioning.md} | 60 +- en/docs/develop/jwt-grant-type-for-oauth2.md | 263 +++- en/docs/develop/linkedin-authenticator.md | 416 ++++++- en/docs/develop/mailchimp-authenticator.md | 236 +++- en/docs/develop/mepin-authenticator.md | 408 ++++++- .../microsoft-azure-ad-authenticator.md | 267 +++- ...zure-ad-outbound-provisioning-connector.md | 377 ++++++ .../develop/mobile-connect-authenticator.md | 59 +- en/docs/develop/nuxeo-authenticator.md | 398 +++++- .../develop/password-policy-authenticator.md | 215 +++- en/docs/develop/pinterest-authenticator.md | 237 +++- en/docs/develop/reddit-authenticator.md | 176 ++- en/docs/develop/rsa-securid-authenticator.md | 235 +++- .../scim-2.0-provisioning-connector.md | 1016 ++++++++++++++- en/docs/develop/smsotp-authenticator.md | 557 ++++++++- en/docs/develop/token2-authenticator.md | 467 ++++++- en/docs/develop/twitter-authenticator.md | 186 ++- en/docs/develop/upgrading-an-authenticator.md | 12 +- en/docs/develop/using-the-totp-api.md | 30 +- en/docs/develop/wordpress-authenticator.md | 170 ++- ...x509-authenticator-with-ssl-termination.md | 227 ++++ .../develop/x509certificate-authenticator.md | 709 ++++++++++- en/docs/develop/yammer-authenticator.md | 171 ++- 68 files changed, 9887 insertions(+), 9063 deletions(-) delete mode 100644 en/docs/develop/configuring-amazon-authenticator.md delete mode 100644 en/docs/develop/configuring-basecamp-authenticator.md delete 
mode 100644 en/docs/develop/configuring-bitly-authenticator.md delete mode 100644 en/docs/develop/configuring-cas-inbound-authenticator.md delete mode 100644 en/docs/develop/configuring-dropbox-authenticator.md delete mode 100644 en/docs/develop/configuring-facebook-authenticator.md delete mode 100644 en/docs/develop/configuring-foursquare-authenticator.md delete mode 100644 en/docs/develop/configuring-github-authenticator.md delete mode 100644 en/docs/develop/configuring-instagram-authenticator.md delete mode 100644 en/docs/develop/configuring-jwt-grant-type.md delete mode 100644 en/docs/develop/configuring-linkedin-authenticator.md delete mode 100644 en/docs/develop/configuring-mailchimp-authenticator.md delete mode 100644 en/docs/develop/configuring-mepin-authenticator.md rename en/docs/develop/{configuring-mobile-connect-as-a-federated-authenticator.md => configuring-mobile-connect-authenticator.md} (68%) delete mode 100644 en/docs/develop/configuring-multi-factor-authentication-using-smsotp.md delete mode 100644 en/docs/develop/configuring-multi-factor-authentication-using-token2.md delete mode 100644 en/docs/develop/configuring-nuxeo-authenticator.md delete mode 100644 en/docs/develop/configuring-password-policy-authenticator.md delete mode 100644 en/docs/develop/configuring-pinterest-authenticator.md delete mode 100644 en/docs/develop/configuring-reddit-authenticator.md delete mode 100644 en/docs/develop/configuring-rsa-securid-authenticator.md delete mode 100644 en/docs/develop/configuring-scim-2.0-provisioning-connector.md delete mode 100644 en/docs/develop/configuring-symantec-vip-authenticator.md delete mode 100644 en/docs/develop/configuring-twitter-authenticator.md delete mode 100644 en/docs/develop/configuring-wordpress-authenticator.md delete mode 100644 en/docs/develop/configuring-yammer-authenticator.md rename en/docs/develop/{configuring-duo-security-authenticator.md => duo-security-authenticator.md} (71%) rename 
en/docs/develop/{configuring-duo-security-provisioning-connector.md => duo-security-provisioning-connector.md} (68%) rename en/docs/develop/{configuring-inwebo-authenticator.md => inwebo-authenticator.md} (71%) rename en/docs/develop/{configuring-inwebo-provisioning.md => inwebo-provisioning.md} (77%) create mode 100644 en/docs/develop/microsoft-azure-ad-outbound-provisioning-connector.md create mode 100644 en/docs/develop/x509-authenticator-with-ssl-termination.md diff --git a/en/docs/develop/amazon-authenticator.md b/en/docs/develop/amazon-authenticator.md index 243b8444d9..f679a4d80e 100644 --- a/en/docs/develop/amazon-authenticator.md +++ b/en/docs/develop/amazon-authenticator.md @@ -34,7 +34,7 @@ following sections. !!! note If you want to upgrade the Amazon Authenticator (.jar) in your existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) + instructions.](../../develop/upgrading-an-authenticator) 2. Navigate to , click **App Console.** @@ -74,7 +74,7 @@ app](../../connectors/deploying-the-sample-app). Now you must configure the WSO2 Identity Server by [adding a new identity -provider](../../learn/configuring-an-identity-provider) +provider](../../using-wso2-identity-server/configuring-an-identity-provider) . 1. Download the WSO2 Identity Server from @@ -108,7 +108,11 @@ provider](../../learn/configuring-an-identity-provider) - Select both checkboxes **Enable** and **Default** to enable the Amazon Authenticator and to make it the default authenticator. - ![Add New Identity Provider screen](../../assets/img/connectors/add-new-identity-provider-as-amazon.png) + IS 5.3.0: + ![Add New Identity Provider screen](../../assets/img/connectors/add-new-identity-provider-as-amazon.png) + + IS 5.1.0/IS 5.2.0: + ! [Add New IDP for older versions](../../assets/img/connectors/amazon-idp-older-version.png) 7. Click **Update**. 
@@ -117,6 +121,9 @@ You have now added the identity provider. ### Step 4 - Configure the service provider The next step is to configure the service provider. + +#### Configuring a service provider with IS 5.3.0 upwards + 1. Return to the management console. 2. In the **Service Providers** section under the **Main** tab, click @@ -157,7 +164,7 @@ The next step is to configure the service provider. 8. Configure the Local and Outbound Authentication for Amazon. For more information, see [Configuring Local and Outbound Authentication for a Service - Provider](../../learn/configuring-local-and-outbound-authentication-for-a-service-provider). + Provider](../../using-wso2-identity-server/configuring-local-and-outbound-authentication-for-a-service-provider). 1. Click on the **Federated Authentication** radio button. 
@@ -173,12 +180,47 @@ The next step is to configure the service provider. You have now added and configured the service provider. +#### Configuring a service provider with IS 5.1.0 or IS 5.2.0 + +1. Return to the management console. + +2. In the **Service Providers** section under the **Main** tab, click **Add**. + +3. Since you are using travelocity as the sample, enter travelocity.com in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + 1. **Issuer**: travelocity.com + 2. **Assertion Consumer URL**: http://localhost:8080/travelocity.com/home.jsp + +6. Select the following check-boxes: + 1. Enable Response Signing. + 2. Enable Single Logout. + 3. Enable Attribute Profile. + 4. Include Attributes in the Response Always. + +7. Click **Update** to save the changes. Now you will be sent back to the **Service Providers** page. + +8. Go to the **Local and Outbound Authentication Configuration** section. + +9. Select the identity provider you created from the drop-down list under **Federated Authentication**. + + ![amazon-federated-auth](../../assets/img/connectors/amazon-federated-auth.png) + +10. Ensure that the **Federated Authentication** radio button is selected and click **Update** to save the changes. + +You have now added and configured the service provider. + ### Step 5 - Configure claims + Add a new claim mapping for various user attributes related to Amazon. +#### Configuring claims with IS 5.3.0 upwards + !!! info For more information, see [Adding Claim - Mapping](../../learn/adding-claim-mapping). + Mapping](../../using-wso2-identity-server/adding-claim-mapping). 1. Sign in to the [Management Console](../../setup/getting-started-with-the-management-console) 
@@ -256,6 +298,98 @@ Add a new claim mapping for various user attributes related to Amazon. 7. Click **Update**. +#### Configuring claims with IS 5.1.0 or IS 5.2.0 + +1. Sign in to the [Management + Console](../../setup/getting-started-with-the-management-console) + by entering your username and password. + +2. In the **Main** menu, click **Add** under **Claims**. + +3. Click **Add Claim Dialect** to create the Amazon authenticator + specific claim dialect. + ![dialect-details-old-version](../../assets/img/connectors/dialect-details-old-version.png) + + - Use the Dialect Uri as - http://wso2.org/amazon/claims + - Enter the values for mandatory fields. It will create the claim for the given user field under the Amazon claim dialect. + + + + + + + + + + + + + + + + + + + + + + +
Display NameUser ID
DescriptionClaim to user ID
Mapped Attributeuid
Claim URLhttp://wso2.org/amazon/claims/user_id
Supported by Defaultselected
+ +4. Click Add New Claim. + +5. Select the Dialect from the dropdown provided and enter the required information. + +6. Add the following claims under the dialect http://wso2.org/amazon/claims. + + + + + + + + + + + + + + + + + + + + + +
Display NameEmail Address
DescriptionClaim to Email Address
Mapped Attributemail
Claim URLhttp://wso2.org/amazon/claims/email
Supported by DefaultLselected
+ + + + + + + + + + + + + + + + + + + + + + +
Display NameName
DescriptionClaim to Name
Mapped AttributegivenName
Claim URLhttp://wso2.org/amazon/claims/name
Supported by DefaultLselected
+ +6. Similarly, you can create the claims for all the public information of the Amazon user. + ![claims-for-amazon-info](../../assets/img/connectors/claims-for-amazon-info.png) + ### Step 6 - Configure requested claims for travelocity.com 1. In the **Identity** section under the **Main** tab, click **List** diff --git a/en/docs/develop/authenticators-and-connectors.md b/en/docs/develop/authenticators-and-connectors.md index c344720a9b..92428f1b49 100644 --- a/en/docs/develop/authenticators-and-connectors.md +++ b/en/docs/develop/authenticators-and-connectors.md @@ -2,8 +2,7 @@ !!! tip "Before you begin" - Download [WSO2 Identity - Server](https://wso2.com/identity-and-access-management). + Download [WSO2 Identity Server](https://wso2.com/identity-and-access-management). Each authenticator provides you a way to authenticate the user using diff --git a/en/docs/develop/aws-cloud-directory-user-store.md b/en/docs/develop/aws-cloud-directory-user-store.md index 9058fa4feb..eea49edec1 100644 --- a/en/docs/develop/aws-cloud-directory-user-store.md +++ b/en/docs/develop/aws-cloud-directory-user-store.md @@ -16,7 +16,6 @@ the class to configure AWS user store manager. !!! tip - The AWS user store extension is compatible with WSO2 Identity Server 5.5.0, 5.6.0 as well as 5.7.0. 
@@ -25,18 +24,6 @@ The following topics provide information on how you can configure the AWS user store extension with WSO2 Identity Server and then use AWS as the primary or secondary user store in WSO2 Identity Server: -- [Prerequisites](#AWSCloudDirectoryUserStore-Prerequisites) -- [Adding AWS user store extension to WSO2 Identity - Server](#AWSCloudDirectoryUserStore-addAddingAWSuserstoreextensiontoWSO2IdentityServer) -- [Configuring AWS as the secondary user - store](#AWSCloudDirectoryUserStore-ConfiguringAWSasthesecondaryuserstore) -- [Configuring AWS as the primary user - store](#AWSCloudDirectoryUserStore-ConfiguringAWSastheprimaryuserstore) -- [AWS user store manager - properties](#AWSCloudDirectoryUserStore-propertiesAWSuserstoremanagerproperties) - - - ### Prerequisites 1. Create a cloud directory by uploading the schema for the objects via @@ -99,9 +86,6 @@ as the primary or secondary user store in WSO2 Identity Server: ``` !!! note - - Note - If you are going to maintain a set of claims such as ` givenName `, ` mail `, ` sn `, and @@ -251,12 +235,11 @@ Follow the steps below to configure AWS as the secondary user store. fields. 3. Enter appropriate values for all the mandatory properties. For information on each property, see [AWS user store manager - properties](#AWSCloudDirectoryUserStore-properties). + properties](#aws-user-store-manager-properties). ### Configuring AWS as the primary user store !!! tip - Configuring AWS as the secondary user store is straightforward once you add the AWS user store extension to WSO2 Identity Server,. However, if you want to use AWS as the primary user store in WSO2 Identity Server, 
@@ -267,16 +250,13 @@ Follow the steps below to configure AWS as the primary user store in WSO2 Identity Server: 1. Follow steps 1 and 2 under [Adding AWS user store extension to WSO2 - Identity Server](#AWSCloudDirectoryUserStore-add). + Identity Server](#adding-aws-user-store-extension-to-wso2-identity-server). 2. Edit the ` /repository/conf/user-mgt.xml ` file and add the following configuration: !!! note - - Note - When you add the following configuration, be sure to specify applicable values for the following properties: @@ -285,7 +265,6 @@ WSO2 Identity Server: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ``` - **user-mgt.xml** ``` java @@ -374,7 +353,7 @@ between the ` Users ` object and ` Roles ` object. Therefore, the directory structure should be similar to what is depicted in the following diagram: -![](attachments/97561749/103326406.png) +![](../../assets/img/97561749/103326406.png) For example, if you assign multiple roles such as Role1 and Role2 to User1, and you want to establish a relationship between the objects, you @@ -383,8 +362,6 @@ have to create the following typed links: - User1 → Role1 - User1 → Role2 - - **Scenario 2 :** Let's take a look at how you can maintain different object relationship details (i.e., ` Users `, ` Roles ` ) as an attribute inside the @@ -433,7 +410,7 @@ ownership relationship between the ` Users ` object and ` Roles ` object. Therefore, the directory structure should be similar to what is depicted in the following diagram: -![](attachments/97561749/103326407.png) +![](../../assets/img/97561749/103326407.png) For example, if you assign multiple roles such as Role1 and Role2 to User1, then the relationship between the objects should be kept as an @@ -623,10 +600,7 @@ Default value is ^[\S]{5,30}$

- - !!! note - The ` listObjectChildren ` REST API operation is used to get the list of users/roles. This operation does not guarantee that all object children of ` PathToUsers ` or diff --git a/en/docs/develop/basecamp-authenticator.md b/en/docs/develop/basecamp-authenticator.md index 0dda85dbe8..1eed7dead0 100644 --- a/en/docs/develop/basecamp-authenticator.md +++ b/en/docs/develop/basecamp-authenticator.md 
@@ -4,19 +4,224 @@ The Basecamp authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Basecamp users to log in to your organization’s applications. -![](attachments/49092836/76746249.png) +![](../../assets/img/49092836/76746249.png) -### Getting started +!!! info + To download the authenticator and other artifacts, go to + [https://store.wso2.com/store/assets/isconnector/basecamp](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22basecamp%22). -To get started with the authenticator, go to [Configuring Basecamp -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Basecamp+Authenticator) -. Once you have completed your configurations, you can perform -authentication with the Basecamp authenticator. +This page provides instructions on how to configure the Basecamp +authenticator and Identity Server using a sample app. You can find more +information in the following sections. -### Additional information +!!! info + This is tested with the product Basecamp 2. Basecamp Authenticator is + supported by Identity Server 5.1.0 upwards. -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/basecamp](https://store.wso2.com/store/assets/isconnector/list?q=%22-default%22%3A%22basecamp%22) +### Deploying Basecamp artifacts + +- Place the authenticator .jar + file (org.wso2.carbon.identity.authenticator.basecamp-1.0.0.jar) into + the ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the Basecamp Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + + !!! info "Need to do this configuration" + If you are using WSO2 Identity Server 5.5.0, be sure to disable + consent management for single-sign-on (SSO) authentication. 
To + disable consent management for SSO authentication, go to the + ` /repository/conf/identity/identity.xml ` + file, and set the + ` EnableSSOConsentManagement ` parameter to + ` false ` . + + ``` java + + + false + + ``` + + If you do not disable consent management for SSO authentication, you + will get an error when you try to configure the authenticator with + WSO2 Identity Server 5.5.0. + +### Configuring the Basecamp App + +1. Create a basecamp account using the following URL: + . +2. Log in to [integrate.37signals.com](https://integrate.37signals.com/) to + register an app. Then you will be redirected to the page like below. + Select Basecamp 2 under integration. + ![](../../assets/img/49092838/57759606.jpg) +3. Us e as the redirect URL when + you register the client. +4. Now you can get clientId and clientSecret of your created app. + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, you can configure the WSO2 Identity Server by adding +an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and [service +provider](../../learn/adding-and-configuring-a-service-provider) . - +### Configuring the identity provider + +Now you can configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). +2. Go to in your browser, and then click the + HTTPS trust icon on the address bar (e.g., the padlock next to the + URL) to download the certificate. + +3. Import that certificate into the IS client keystore. + ` keytool -importcert -file -keystore /repository/resources/security/client-truststore.jks -alias "Basecamp" ` + + !!! info + The default password of the client-truststore.jks is "wso2carbon" + +4. 
Run the [WSO2 Identity + Server](../../setup/running-the-product). +5. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +6. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +7. Give a suitable name for **Identity Provider Name**. + + ![](../../assets/img/49092838/51252027.png) +8. Navigate to **Basecamp Configuration** under **Federated + Authenticators**. + +9. Enter the values as given in the above figure. + + - **Client Id** : Client Id for your app. + - **Client Secret** : Client Secret for your app. + - **Callback URL** : Service Provider's URL where code needs to be + sent . + +10. Select both checkboxes to **Enable** the Basecamp authenticator and + make it the **Default**. + +11. Click **Register**. + +??? note "Click here to see descriptions about configuration property values" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionSample values
EnableSelecting this option enables Basecamp to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that Basecamp is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Client IDThis is the username from the Basecamp application8437ce9b8cfdf282c92b
Client SecretThis is the password from the Basecamp application. Click the Show button to view the value you enter.7219bb5e92f4287cb5134b73760e039e55d235d
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs .https://localhost:9443/commonauth
+ +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + ![](../../assets/img/49092838/103332609.png) + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. Navigate to the **Local and Outbound Authentication Configuration** + section. + +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + + ![](../../assets/img/49092838/49227070.png) + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com ` + E.g., + +2. Log in with SAML from the WSO2 Identity Server. + + ![](../../assets/img/49092838/103332635.png) + +3. Enter your Basecamp credentials in the prompted login page of + Basecamp. Once you login successfully you will be taken to the home + page of the travelocity.com app. + diff --git a/en/docs/develop/bitly-authenticator.md b/en/docs/develop/bitly-authenticator.md index 6aac580914..4fe3beccd3 100644 
--- a/en/docs/develop/bitly-authenticator.md +++ b/en/docs/develop/bitly-authenticator.md 
@@ -4,17 +4,159 @@ The Bitly authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Bitly users to log in to your organization’s applications. -![](attachments/50518501/76746252.png) +![](../../assets/img/50518501/76746252.png) -### Getting started -To get started with the authenticator, go to [Configuring bitly -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Bitly+Authenticator) -. Once you have completed your configurations, you can perform -authentication with the Bitly authenticator. +!!! info + To download the authenticator and other artifacts, go to + [https://store.wso2.com/store/assets/isconnector/bitly](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Bitly%22) + . -### Additional information +# Configuring Bitly Authenticator -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/bitly](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Bitly%22) -. +This page provides instructions on how to configure the Bitly +authenticator and Identity Server using a sample app. You can find more +information in the following sections. + +!!! info + This is tested for the Bitly API version 3. Bitly Authenticator is supported by Identity Server 5.1.0 upwards. + + +### Deploying Bitly artifacts + +- Download the Bitly Authenticator and artifcats from [the WSO2 + store](https://store.wso2.com/store/assets/isconnector/details/83ec7d04-46f1-426a-b4cb-1a169846212c) + . + +- Place the + ` org.wso2.carbon.identity.authenticator.bitly.connector-x.x.x.jar ` + file into the + ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the Bitly Authenticator (.jar) in your existing IS pack, please refer [upgrade instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Bitly App + +1. Create a bitly account using the URL " + ". +2. Register your app at . 
+ ![](../../assets/img/50518515/51251641.png) + +3. Use as the authorization + callback URL when you register the client. + +4. Now you can get the clientId and clientSecret of your created app. + ![](../../assets/img/50518515/51252818.png) + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and [service provider](../../learn/adding-and-configuring-a-service-provider). + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider). + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). + +2. Run the [WSO2 Identity + Server](../../setup/running-the-product). +3. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +4. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +5. Give a suitable name for **Identity Provider Name**. + ![](../../assets/img/50518515/51251655.png) + +6. Navigate to **Bitly Configuration** under **Federated + Authenticators**. + +7. Enter the values as given in the above figure. + + | Field | Description | Sample Value | + |---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------| + | Enable | Selecting this option enables Bitly to be used as an authenticator for users provisioned to the Identity Server. 
| Selected | + | Default | Selecting the **Default** checkbox signifies that Bitly is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators. | Selected | + | Client Id | This is the client ID received from the Bitly application. | 3889862b0a9517bf2bcb2eed8d43f0be0576e735 | + | Client Secret | This is the client secret received from the Bitly application. Click the **Show** button to view the value you enter. | f841934f19cc59d1914f0865f3694b453b5fe583 | + | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs . | https://localhost:9443/commonauth | + +8. Select both checkboxes to **Enable** the Bitly authenticator and + make it the **Default** authenticator. + +9. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter + ` travelocity.com ` in the **Service Provider + Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. Navigate to the **Local and Outbound Authentication Configuration** + section. + +9. 
Select the identity provider you created from the drop-down list + under **Federated Authentication**. + + ![](../../assets/img/50518515/51252329.png) + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., + +2. Login with SAML from the WSO2 Identity Server. + + ![](../../assets/img/50518515/103332428.png) + +3. Enter your Bitly credentials in the prompted login page of Bitly . + Once you log in successfully you will be taken to the home page of + the travelocity.com app. diff --git a/en/docs/develop/cas-inbound-authenticator.md b/en/docs/develop/cas-inbound-authenticator.md index 89318b007d..3508c50b9a 100644 --- a/en/docs/develop/cas-inbound-authenticator.md +++ b/en/docs/develop/cas-inbound-authenticator.md 
@@ -5,15 +5,180 @@ for the web services through the WSO2 Identity Server. CAS is a single-sign-on protocol for the web and it is simple and powerful ticket-based protocol. -### Getting started +!!! info + To download the CAS inbound authenticator and other artifacts, go to + [https://store.wso2.com/store/assets/isconnector/cas](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22cas%20inbound%22) -To get started with the CAS inbound authenticator, go to [Configuring -CAS Inbound -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+CAS+Inbound+Authenticator) -. Once you have completed your configurations, you can perform -single-sign-on for the web services. +# Configuring CAS Inbound Authenticator -### Additional information +This topic provides instructions on how to configure the CAS inbound +authenticator and the WSO2 Identity Server and demonstrates this +integration using a sample app (cas-client-webapp). + +!!! info + This procedure was tested using Java 8. The current version of the CAS + Inbound authenticator is not supported with a tenant user. CAS Version + 1.0.2 Inbound Authenticator is supported by WSO2 Identity Server + versions 5.2.0 and CAS Version 2.0.1 Inbound Authenticator is supported + by WSO2 Identity Server versions 5.3.0. + + !!! note + If you are using CAS authenticator version 2.0.2, go to the [v2.0.2 + tag](https://github.com/wso2-extensions/identity-inbound-auth-cas/tree/v2.0.2/docs) + of the identity-outbound-auth-cas GitHub repository to view the + documentation + +See the following sections for more information on configuring this +integration. + + +### Prerequisites + +- Download WSO2 Identity Server from the [WSO2 Identity Server product + page](http://wso2.com/products/identity-server) and install it by + following the instructions in the [Installing the + Product](../../setup/installing-the-product) + topic. 
+ +- Download the sample CAS client webapp (cas-client-webapp.war) from + + +- Download the CAS Version 1.0.2 Inbound Authenticator JAR from [the + store for this + authenticator](https://store.wso2.com/store/assets/isconnector/details/593aac68-3139-425c-b9ca-f66a65a0917a) + and CAS Version 2.0.1 Inbound Authenticator JAR from [the store for + this + authenticator](https://store.wso2.com/store/assets/isconnector/details/593aac68-3139-425c-b9ca-f66a65a0917a) + . + + !!! note + If you want to upgrade the CAS Inbound Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +- The CAS login URL is required if you want to use it in your own app. + It must be: ` https://:9443/ ` + ` identity/cas/login ` + +### Configuring cas-client-webapp + +1. **Generate Keystore** to enable 'https' request in your web + container (e.g., Tomcat). + 1. Use the following "keytool" command inside the + "web-container/bin" (e.g., + ` ` ) directory to + create a keystore with the self-signed certificate. During the + keystore creation process, you need to assign a password and + fill in the certificate’s details. + ` keytool -genkey -alias localhost -keyalg RSA -keystore "PATH_TO_CREATE_KEYSTORE/KEYSTORE_NAME". ` + + !!! tip + Here ` localhost ` is the same + name as the machine's hostname. + + + 2. Add the following connector in the + ` server.xml ` file in your web-container + (e.g., ` /conf/server.xml ` + ) + + ``` xml + + ``` + + !!! tip + KEYSTORE\_PASSWORD is the password you assigned to + your keystore via the "keytool" command. + + +2. To establish the trust between cas-client-webapp and CAS-Server ( + WSO2 IS ), take the following steps: + 1. Go to the + ` /repository/resources/security/ ` + directory and execute the following command to create a + certificate file for the wso2carbon JKS. + ` keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon ` + 2. 
Inside the above directory use the following command to import + the CAS server certificate ( ` wso2.crt ` ) + into the system truststore of the CAS client. You will be + prompted for the keystore password, which is by default changeit + . + ` keytool -import -alias wso2carbon -file wso2.crt -keystore PATH-TO-jre/lib/security/cacerts ` + +### Deploying CAS artifacts + +1. Place the ` cas-client-webapp.war ` file into the + webapps directory of the web-container (e.g., + ` /webapps ` ). +2. Place the + ` org.wso2.carbon.identity.sso.cas-1.0.2.jar ` file + (for Identity Server 5.3.0, use the + ` cas-2.0.1.jar ` file instead as described in the + note below) into the + ` /repository/components/dropins ` + directory and restart the Identity Server. + +!!! note + If you are using WSO2 Identity Server 5.3.0, make sure to take the WUM + updated product since this feature needs some core fixes done to the + product. + +### Configuring the service provider + +Now, you are ready to configure WSO2 Identity Server by adding a new +service provider . + +1. [Run WSO2 Identity + Server](../../setup/running-the-product). +2. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity** section under the **Main** tab, click **Add** + under **Service Providers**. + +4. Enter **cas-client-webapp** in the **Service Provider Name** text + box and click **Register**. + ![](../../assets/img/57005726/57008598.png) + +5. In the **Inbound Authentication Configuration** section, click **CAS + Configuration**. + +6. Configure the **Service Url** : + [https://localhost:8443/cas-client-webapp/](https://localhost:8080/cas-sample-java-webapp/) + + ![](../../assets/img/57005726/68710333.png) + + !!! info + Service URL refers to the URL of the application that the client is + trying to access. + +7. Go to **Claim Configuration** and click **Define Custom Claim + Dialect** to add the requested claims. 
(This is required to show + requested claims as user attributes in the cas-client-webapp; + otherwise, no attributes will be shown.) Add the **Service Provider + Claim** name that corresponds to the **Local Claim** URI and mark it + as **Requested Claim**. + ![](../../assets/img/57005726/72418344.png) + +8. Click **Update** to save the changes. Now you have configured the + service provider. + +### Testing the sample + +1. To test the sample, navigate to + ` https://[server-address]/cas-client-webapp/ ` in + your browser (i.e., go to the following URL: + ). +2. The basic authentication page appears. Use your IS username and + password. + ![](../../assets/img/57005726/57737891.png) +3. If you have successfully logged in, you will see the following CAS + Home page of cas-client-webapp with the authenticated user and user + attributes. + ![](../../assets/img/57005726/57739209.png) -To download the CAS inbound authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/cas](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22cas%20inbound%22) diff --git a/en/docs/develop/configuring-amazon-authenticator.md b/en/docs/develop/configuring-amazon-authenticator.md deleted file mode 100644 index 2eb9faefa9..0000000000 --- a/en/docs/develop/configuring-amazon-authenticator.md +++ /dev/null 
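Review bot: Step 6 of "Configuring the service provider" shows the Service Url as https://localhost:8443/cas-client-webapp/ but links to https://localhost:8080/cas-sample-java-webapp/; the Service URL is what the CAS server validates the service ticket against, so the two must agree, and the 8443 form is the one that matches the HTTPS connector set up under "Configuring cas-client-webapp". Other points in this hunk: the CAS 1.0.2 and 2.0.1 JAR links both resolve to the same store asset (593aac68-...); the note under the version info links identity-inbound-auth-cas but calls it identity-outbound-auth-cas; step 2 of "Deploying CAS artifacts" says the 2.0.1 JAR is "described in the note below", but that note only covers the WUM update; the trust step imports the self-signed wso2carbon certificate into the JRE-wide `lib/security/cacerts`, which affects every Java process on that JRE, so either point the client at a dedicated truststore via `-Djavax.net.ssl.trustStore` or state that the cacerts edit is for the sample only; the `xml` fence under step 1.2 and the path in "(e.g., ` ` )" are empty as rendered, so check the Connector element survived conversion; and the added `# Configuring CAS Inbound Authenticator` introduces a top-level heading in a body whose other headings are `###`, so demote it.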
@@ -1,388 +0,0 @@ -# Configuring Amazon Authenticator - -This page provides instructions on how to configure the Amazon -authenticator and the WSO2 Identity Server using a sample app to -demonstrate authentication. You can find more information in the -following sections. - -To know more about the WSO2 Identity Server versions supported by this -connector, see the [WSO2 -store](https://store.wso2.com/store/assets/isconnector/details/462ce8e9-8274-496c-a1c3-8aa40168bb1b) -. - -- [Step 1 - Configure the Amazon - App](#ConfiguringAmazonAuthenticator-Step1-ConfiguretheAmazonApp) -- [Step 2 - Deploy travelocity.com sample - app](#ConfiguringAmazonAuthenticator-Step2-Deploytravelocity.comsampleapp) -- [Step 3 - Configure the identity provider - (IdP)](#ConfiguringAmazonAuthenticator-Step3-Configuretheidentityprovider(IdP)) -- [Step 4 - Configure the service - provider](#ConfiguringAmazonAuthenticator-Step4-Configuretheserviceprovider) -- [Step 5 - Configure - claims](#ConfiguringAmazonAuthenticator-Step5-Configureclaims) -- [Step 6 - Configure requested claims for - travelocity.com](#ConfiguringAmazonAuthenticator-Step6-Configurerequestedclaimsfortravelocity.com) -- [Step 7 - Test the - sample](#ConfiguringAmazonAuthenticator-Step7-Testthesample) - -### Step 1 - Configure the Amazon App - -1. Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the .jar ( - ` org.wso2.carbon.extension.identity.authenticator.amazon.connector-1.x.x.jar ` - ) file from [wso2 - store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22amazon%22) - . - - !!! note - - If you want to upgrade the Amazon Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -2. Navigate to , click **App Console.** - -3. Click **Sign in to App Console** and sign in. - -4. 
Click **Register new application** to register a new app. For more - information, see [Amazon Services - documentation](http://login.amazon.com/website). - -5. Enter the following information and click **Save**. - - 1. **Name -** AmazonWSO2 - - 2. **Description -** An app to test authentication using Amazon - 3. **Privacy Notice URL -** The privacy policy URL for your - application. Ex: - - ![](attachments/49092381/76748460.png) - You have now finished configuring Amazon. - -6. Expand the **Web Settings** section. Copy the **Client ID** and - **Client Secret,** you will need these values when configuring the - identity provider. -7. Click **Edit** and enter the redirect URL as - in the window that appears and - save it. - ![](attachments/49092381/76748466.png) - -### Step 2 - Deploy travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. See [deploying travelocity.com sample -app](Deploying-the-Sample-App). - -### Step 3 - Configure the identity provider (IdP) - -Now you must configure the WSO2 Identity Server by [adding a new -identity -provider](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS530/Running+the+Product). -2. Log in to the [Management - Console](../../setup/getting-started-with-the-management-console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. Give a suitable name for **Identity Provider Name** (e.g., Amazon) - and click **Register**. - -5. Navigate to the **Amazon Configurations** under ****Federated - Authenticators**** - - In IS 5.1.0 or 5.2.0, go to **AmazonAuthenticator - Configuration** under **Federated Authenticators**. - - In IS 5.3.0, go to **Amazon Configuration** under **Federated - Authenticators**. - -6. 
Enter the IdP related details. - - **Client Id** : Enter the [client - ID](#ConfiguringAmazonAuthenticator-clientID) of the app that - you created in Amazon. - - - **Client Secret** : Enter the [client - secret](#ConfiguringAmazonAuthenticator-clientID) of the app - that you created in Amazon. - - **Callback URL** : Service Provider's URL where the code needs - to be sent (e.g., https://localhost:9443/commonauth ) - - Select both checkboxes **Enable** and **Default** to enable the - Amazon Authenticator and to make it the default authenticator. - - - [**IS 5.3.0**](#7955f4c7cdf8449db5dd8f0ccc6bfce2) - - [**IS 5.1.0/IS 5.2.0**](#2a00a4664741430ca8cf6a84fd08e8fc) - - ![](attachments/49092381/76748472.png) - - ![](attachments/49092381/49226486.png) - -7. Click **Update**. - -You have now added the identity provider. - -### Step 4 - Configure the service provider - -The next step is to configure the service provider based on the WSO2 -Identity Server version that you are working on. - -- [Configuring a service provider with IS 5.3.0 - upwards](#ConfiguringAmazonAuthenticator-ConfiguringaserviceproviderwithIS5.3.0upwards) -- [Configuring a service provider with IS 5.1.0 or IS - 5.2.0](#ConfiguringAmazonAuthenticator-ConfiguringaserviceproviderwithIS5.1.0orIS5.2.0) - -#### Configuring a service provider with IS 5.3.0 upwards - -1. Return to the management console. -2. In the **Service Providers** section under the **Main** tab, click - **Add**. -3. As you are using travelocity as the sample, enter travelocity.com in - the **Service Provider Name** text box and click **Register**. -4. In the **Inbound Authentication Configuration** section, click - **SAML2 Web SSO** **Configuration**, and then click **Configure**. -5. Add the service provider details as follows: - 1. 
**Select Mode** : Manual Configuration - For more information on the SAML2 Web Single-Sign-On - Configuration methods, see [Configuring SAML2 Web - Single-Sign-On](https://docs.wso2.com/display/IS530/Configuring+SAML2+Web+Single-Sign-On) - in the WSO2 IS 5.3.0 guide. - 2. **Issuer** : travelocity.com - 3. **Assertion Consumer URL** : Enter - http://localhost:8080/travelocity.com/home.jsp and click **Add** - . - 4. Select the following check-boxes: - - **Enable Response Signing**. - - **Enable Single Logout**. - - **Enable Attribute Profile**. - - **Include Attributes in the Response Always**. - - ![](attachments/49092381/76748599.png) -6. Click **Register** to save the changes. Now you will be sent back to - the **Service Providers** page. -7. Go to the **Local and Outbound Authentication Configuration** - section. -8. Configure the Local and Outbound Authentication for Amazon. - For more information, see [Configuring Local and Outbound - Authentication for a Service - Provider](../../learn/configuring-local-and-outbound-authentication-for-a-service-provider) - in the WSO2 IS 5.3.0 guide. - 1. Click on the **Federated Authentication** radio button. - 2. Select the identity provider you created from the drop-down list - under **Federated Authentication**. - 3. Select the following options: - - Use tenant domain in local subject identifier. - - - Use user store domain in local subject identifier. - - ![](attachments/49092381/76748602.png) -9. Click **Update** to save the changes. - -#### Configuring a service provider with IS 5.1.0 or IS 5.2.0 - -1. Return to the management console. -2. In the **Service Providers** section under the **Main** tab, click - **Add**. -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. 
- ![](https://lh6.googleusercontent.com/qsYmfJRbhzqeKB_WHare-nLYmSL3DItCUqx3627JsK8aF0AibTUNO-s4DyG5Zx_bp0wfH_10Ap6dJ2ngKNYBtlgOCHZBSoKqhNbVac0DEWZ49C4Gpej3mzFoQpP2Z6XFP6iYkUCf) -5. Now set the configuration as follows: - 1. **Issuer** : travelocity.com - 2. **Assertion Consumer URL** : - http://localhost:8080/travelocity.com/home.jsp -6. Select the following check-boxes: - 1. **Enable Response Signing**. - 2. **Enable Single Logout**. - 3. **Enable Attribute Profile**. - 4. **Include Attributes in the Response Always**. -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -8. Go to the **Local and Outbound Authentication Configuration** - section. -9. Select the identity provider you created from the drop-down list - under **Federated Authentication**. - ![](attachments/49091441/49224551.png) -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Step 5 - Configure claims - -Add a new claim mapping for various user attributes related to Amazon -based on the WSO2 Identity Server version that you are working on. - -- [Configuring claims with IS 5.3.0 - upwards](#ConfiguringAmazonAuthenticator-ConfiguringclaimswithIS5.3.0upwards) -- [Configuring claims with IS 5.1.0 or IS - 5.2.0](#ConfiguringAmazonAuthenticator-ConfiguringclaimswithIS5.1.0orIS5.2.0) - -#### Configuring claims with IS 5.3.0 upwards - -For more information, see [Adding Claim -Mapping](../../using-the-identity-server/adding-claim-mapping) in -WSO2 IS guide. - -1. Sign in to the [Management - Console](../../setup/getting-started-with-the-management-console) - by entering your username and password. -2. In the **Main** menu, click **Add** under **Claims**. -3. Click **Add Claim Dialect** to create the Amazon authenticator - specific claim dialect. -4. 
Specify the Dialect URI as http://wso2.org/amazon/claims and click - **Add** to create the claim dialect. -5. Map a new external claim to an existing local claim dialect. - You need to map at least one claim under this new dialect. - Therefore, let's map the claim for the Amazon user ID. - ![](attachments/49092381/76748608.png) - 1. In the **Main** menu, click **Add** under **Claims**. - 2. Click **Add External Claim** to add a new claim to the Amazon - claim dialect. - 3. Select the Dialect URI as - http://wso2.org/amazon/claims - 4. Enter the External Claim URI based on the following claim - mapping information. - 5. Select the Mapped Local Claim based on the following claim - mapping information. - Claim mapping for ID ** - ** - - | | | - |--------------------|----------------------------------------| - | Dialect URI | http://wso2.org/amazon/claims | - | External Claim URI | http://wso2.org/amazon/claims/user\_id | - | Mapped Local Claim | http://wso2.org/claims/username | - - 6. Click **Add** to add the new external claim. - -6. Similarly, you can create claims for all the public information of - the Amazon user by repeating step 5 with the following claim mapping - information. - - - Claim mapping for email - - | | | - |--------------------|-------------------------------------| - | Dialect URI | http://wso2.org/amazon/claims | - | External Claim URI | http://wso2.org/amazon/claims/email | - | Mapped Local Claim | http://wso2.org/claims/emailaddress | - - - Claim mapping for name - - | | | - |--------------------|------------------------------------| - | Dialect URI | http://wso2.org/amazon/claims | - | External Claim URI | http://wso2.org/amazon/claims/name | - | Mapped Local Claim | http://wso2.org/claims/givenname | - -7. Click **Update**. - -#### Configuring claims with IS 5.1.0 or IS 5.2.0 - -1. Sign into the [Management - Console](../../setup/getting-started-with-the-management-console) - by entering your username and password. -2. 
In the **Main** menu, click **Add** under **Claims**. -3. Click **Add New Claim Dialect** to create the Amazon authenticator - specific claim dialect. - ![](attachments/49092381/57749018.png){height="250"} - - - Use the Dialect Uri as - - ` http://wso2.org/amazon/claims ` - - Enter the values for mandatory fields. It will create the claim - for the given user field under the Amazon claim dialect. - - | | | - |----------------------|----------------------------------------| - | Display Name | User ID | - | Description | Claim to user ID | - | Mapped Attribute | uid | - | Claim URL | http://wso2.org/amazon/claims/user\_id | - | Supported by Default | selected | - -4. Click Add New Claim. -5. Select the **Dialect** from the dropdown provided and enter the - required information. -6. Add the following claims under the dialect - **http://wso2.org/amazon/claims**. - - | | | - |:---------------------|:------------------------------------| - | Display Name | Email Address | - | Description | Claim to Email Address | - | Mapped Attribute | mail | - | Claim URL | http://wso2.org/amazon/claims/email | - | Supported by Default | selected | - - | | | - |:---------------------|:-----------------------------------| - | Display Name | Name | - | Description | Claim to Name | - | Mapped Attribute | givenName | - | Claim URL | http://wso2.org/amazon/claims/name | - | Supported by Default | selected | - -Similarly, you can create the claims for all the public information of -the Amazon user. - -![](attachments/49092381/57749022.png){height="250"} - -### Step 6 - Configure requested claims for travelocity.com - -1. In the **Identity** section under the **Main** tab, click **List** - under **Service Providers**. -2. Click **Edit** to edit the [travelocity.com](http://travelocity.com) - service provider. -3. Expand the **Claim Configuration** section. -4. Click on **Add Claim URI** under **Requested Claims** to add the - requested claims as indicated in the image below. 
- - - [**IS 5.3.0**](#c60e0335cf484ab987fa2583cab2df11) - - [**IS 5.1.0/IS 5.2.0**](#6872e6d4197944208101b224d4ff8fe1) - - Select the Mandatory Claim checkbox for all the claim URIs that you - added. - - ![](attachments/49092381/76748622.png){height="250"} - - You should add the claims you mapped in the Identity Provider claim - configuration and select the Claim URI. - - ![](attachments/49092381/57749030.png){height="250"} - -5. Select the Subject Claim URI as - to define the authenticated - user identifier that will return with the authentication response to - the service provider. - -6. Click **Update** to save your service provider changes. - -### Step 7 - Test the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . - E.g., -2. Click the link to log in with SAML from WSO2 Identity Server. You - can use either the Rediect Biniding or the Post Binding option. - ![](attachments/49092381/76748627.png) -3. You are redirected to the Amazon login page. Enter your Amazon - credentials. - ![](attachments/49092381/57749032.png) -4. Allow user to authenticate and click **Continue**. - ![](attachments/49092381/57749033.png) -5. You are taken to the home page of the travelocity.com app. - ![](attachments/49092381/57749034.png) - -1254 - -510 - -960 - -1296 - -434 diff --git a/en/docs/develop/configuring-basecamp-authenticator.md b/en/docs/develop/configuring-basecamp-authenticator.md deleted file mode 100644 index 47869b2cd6..0000000000 --- a/en/docs/develop/configuring-basecamp-authenticator.md +++ /dev/null 
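Review bot: This hunk removes the page outright, and the content that only lived here needs a home: Step 5 (the http://wso2.org/amazon/claims dialect with the user_id, email and name mappings), Step 6 (the requested-claim and Subject Claim URI setup) and the IS 5.1.0/5.2.0 variants of the service-provider and claim steps. Either confirm they are carried into the replacement page or say explicitly that those versions are no longer documented. Anything still linking to configuring-amazon-authenticator.md or its anchors (for example #ConfiguringAmazonAuthenticator-clientID) will break without a redirect. The trailing bare numbers (1254, 510, 960, 1296, 434) are image-size residue and are rightly gone.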
@@ -1,236 +0,0 @@ -# Configuring Basecamp Authenticator - -This page provides instructions on how to configure the Basecamp -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -This is tested with the product Basecamp 2. Basecamp Authenticator is -supported by Identity Server 5.1.0 upwards. - -- [Deploying Basecamp - artifacts](#ConfiguringBasecampAuthenticator-DeployingBasecampartifactsDeployingBasecampartifacts) -- [Configuring the Basecamp - App](#ConfiguringBasecampAuthenticator-ConfiguringtheBasecampAppConfiguringtheBasecampApp) -- [Deploying travelocity.com sample - app](#ConfiguringBasecampAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringBasecampAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringBasecampAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringBasecampAuthenticator-TestingthesampleTestingthesample) - -### Deploying Basecamp artifacts - -- Place the authenticator .jar - file (org.wso2.carbon.identity.authenticator.basecamp-1.0.0.jar) into - the ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the Basecamp Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - - Need to do this configuration - - If you are using WSO2 Identity Server 5.5.0, be sure to disable - consent management for single-sign-on (SSO) authentication. To - disable consent management for SSO authentication, go to the - ` /repository/conf/identity/identity.xml ` - file, and set the - ` EnableSSOConsentManagement ` parameter to - ` false ` . 
- - ``` java - - - false - - ``` - - If you do not disable consent management for SSO authentication, you - will get an error when you try to configure the authenticator with - WSO2 Identity Server 5.5.0. - -### Configuring the Basecamp App - -1. Create a basecamp account using the following URL: - . -2. Log in to - [integrate.37signals.com](https://integrate.37signals.com/) to - register an app. Then you will be redirected to the page like below. - Select Basecamp 2 under integration. - ![](attachments/49092838/57759606.jpg) -3. Us e as the redirect URL when - you register the client. -4. Now you can get clientId and clientSecret of your created app. - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, you can configure the WSO2 Identity Server by adding -an [identity -provider](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider) -and [service -provider](https://docs.wso2.com/display/IS530/Configuring+a+Service+Provider) -. - -### Configuring the identity provider - -Now you can configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). -2. Go to in your browser, and then click the - HTTPS trust icon on the address bar (e.g., the padlock next to the - URL) to download the certificate. - -3. Import that certificate into the IS client keystore. - ` keytool -importcert -file -keystore /repository/resources/security/client-truststore.jks -alias "Basecamp" ` - - - - The default password of the client-truststore.jks is "wso2carbon" - -4. Run the [WSO2 Identity - Server](https://docs.wso2.com/display/IS530/Running+the+Product). -5. Log in to the [management - console](../../setup/getting-started-with-the-management-console) - as an administrator. -6. 
In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -7. Give a suitable name for **Identity Provider Name**. - - ![](attachments/49092838/51252027.png) -8. Navigate to **Basecamp Configuration** under **Federated - Authenticators**. - -9. Enter the values as given in the above figure. - - - **Client Id** : Client Id for your app. - - **Client Secret** : Client Secret for your app. - - **Callback URL** : Service Provider's URL where code needs to be - sent . - -10. Select both checkboxes to **Enable** the Basecamp authenticator and - make it the **Default**. - -11. Click **Register**. - -![](images/icons/grey_arrow_down.png){.expand-control-image} Click here -to see descriptions about configuration property values - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PropertyDescriptionSample values
EnableSelecting this option enables Basecamp to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that Basecamp is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Client IDThis is the username from the Basecamp application8437ce9b8cfdf282c92b
Client SecretThis is the password from the Basecamp application. Click the Show button to view the value you enter.7219bb5e92f4287cb5134b73760e039e55d235d
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs .https://localhost:9443/commonauth
- - - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. - ![](attachments/49092838/103332609.png){height="250"} - -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Navigate to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - - ![](attachments/49092838/49227070.png) - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com ` - E.g., - -2. Log in with SAML from the WSO2 Identity Server. - - ![](attachments/49092838/103332635.png){height="250"} - -3. Enter your Basecamp credentials in the prompted login page of - Basecamp. Once you login successfully you will be taken to the home - page of the travelocity.com app. 
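Review bot: Two prerequisites that only this deleted page carried must survive the move: the `keytool -importcert` of the Basecamp certificate into client-truststore.jks (without it the outbound call to Basecamp fails TLS validation) and the IS 5.5.0 instruction to set `EnableSSOConsentManagement` to `false`. The latter is a server-wide switch in identity.xml, not a per-service-provider setting, so if it is kept the replacement page should say that it disables consent collection for every SP and let the reader decide. The property table (Enable, Default, Client ID, Client Secret, Callback URL) is flattened to bare tags here; if it is reproduced, use a Markdown table as the Bitly page does, replace the realistic-looking sample Client ID and Client Secret with obviously synthetic placeholders, and fix the Callback URL row, which describes the format as `https://(host-name):(port)/acs` while the sample value is `/commonauth`.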
diff --git a/en/docs/develop/configuring-bitly-authenticator.md b/en/docs/develop/configuring-bitly-authenticator.md deleted file mode 100644 index 9b7d02e78d..0000000000 --- a/en/docs/develop/configuring-bitly-authenticator.md +++ /dev/null 
@@ -1,161 +0,0 @@ -# Configuring Bitly Authenticator - -This page provides instructions on how to configure the Bitly -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -This is tested for the Bitly API version 3. Bitly Authenticator is -supported by Identity Server 5.1.0 upwards. - -- [Deploying Bitly - artifacts](#ConfiguringBitlyAuthenticator-DeployingBitlyartifactsDeployingBitlyartifacts) -- [Configuring the Bitly - App](#ConfiguringBitlyAuthenticator-ConfiguringtheBitlyAppConfiguringtheBitlyApp) -- [Deploying travelocity.com sample - app](#ConfiguringBitlyAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringBitlyAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringBitlyAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringBitlyAuthenticator-TestingthesampleTestingthesample) - -### Deploying Bitly artifacts - -- Download the Bitly Authenticator and artifcats from [the WSO2 - store](https://store.wso2.com/store/assets/isconnector/details/83ec7d04-46f1-426a-b4cb-1a169846212c) - . - -- Place the - ` org.wso2.carbon.identity.authenticator.bitly.connector-x.x.x.jar ` - file into the - ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the Bitly Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Bitly App - -1. Create a bitly account using the URL " - ". -2. Register your app at . - ![](attachments/50518515/51251641.png) -3. Use as the authorization - callback URL when you register the client. -4. Now you can get the clientId and clientSecret of your created app. 
- ![](attachments/50518515/51252818.png) - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -and [service provider](https://docs.wso2.com/display/IS510). - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). - -2. Run the [WSO2 Identity - Server](https://docs.wso2.com/display/IS510/Running+the+Product). -3. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -4. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -5. Give a suitable name for **Identity Provider Name**. - ![](attachments/50518515/51251655.png) -6. Navigate to **Bitly Configuration** under **Federated - Authenticators**. - -7. Enter the values as given in the above figure. - - | Field | Description | Sample Value | - |---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------| - | Enable | Selecting this option enables Bitly to be used as an authenticator for users provisioned to the Identity Server. | Selected | - | Default | Selecting the **Default** checkbox signifies that Bitly is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators. 
| Selected | - | Client Id | This is the client ID received from the Bitly application. | 3889862b0a9517bf2bcb2eed8d43f0be0576e735 | - | Client Secret | This is the client secret received from the Bitly application. Click the **Show** button to view the value you enter. | f841934f19cc59d1914f0865f3694b453b5fe583 | - | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs . | https://localhost:9443/commonauth | - -8. Select both checkboxes to **Enable** the Bitly authenticator and - make it the **Default** authenticator. - -9. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter - ` travelocity.com ` in the **Service Provider - Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. - -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Navigate to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the drop-down list - under **Federated Authentication**. - - ![](attachments/50518515/51252329.png) - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. 
- -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., - -2. Login with SAML from the WSO2 Identity Server. - - ![](attachments/50518515/103332428.png){height="250"} - -3. Enter your Bitly credentials in the prompted login page of Bitly . - Once you log in successfully you will be taken to the home page of - the travelocity.com app. diff --git a/en/docs/develop/configuring-cas-inbound-authenticator.md b/en/docs/develop/configuring-cas-inbound-authenticator.md deleted file mode 100644 index d9a471f64b..0000000000 --- a/en/docs/develop/configuring-cas-inbound-authenticator.md +++ /dev/null 
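Review bot: the deleted configuring-bitly-authenticator.md page carries a sample Client Id `3889862b0a9517bf2bcb2eed8d43f0be0576e735` and Client Secret `f841934f19cc59d1914f0865f3694b453b5fe583` that look like real Bitly credentials rather than placeholders; if this content is being relocated rather than dropped, replace them with obviously fake values such as `<client-id>` and `<client-secret>`, and reconcile the Callback URL row, whose stated format `https://(host-name):(port)/acs` does not match its sample value `https://localhost:9443/commonauth`. Since the file is removed outright, also check that every page still linking to configuring-bitly-authenticator.md is retargeted.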
@@ -1,196 +0,0 @@ -# Configuring CAS Inbound Authenticator - -This topic provides instructions on how to configure the CAS inbound -authenticator and the WSO2 Identity Server and demonstrates this -integration using a sample app (cas-client-webapp). - -This procedure was tested using Java 8. The current version of the CAS -Inbound authenticator is not supported with a tenant user. CAS Version -1.0.2 Inbound Authenticator is supported by WSO2 Identity Server -versions 5.2.0 and CAS Version 2.0.1 Inbound Authenticator is supported -by WSO2 Identity Server versions 5.3.0. - -!!! note - - If you are using CAS authenticator version 2.0.2, go to the [v2.0.2 - tag](https://github.com/wso2-extensions/identity-inbound-auth-cas/tree/v2.0.2/docs) - of the identity-outbound-auth-cas GitHub repository to view the - documentation - - - - -See the following sections for more information on configuring this -integration. - -- [Prerequisites](#ConfiguringCASInboundAuthenticator-Prerequisites) -- [Configuring - cas-client-webapp](#ConfiguringCASInboundAuthenticator-Configuringcas-client-webapp) -- [Deploying CAS - artifacts](#ConfiguringCASInboundAuthenticator-DeployingCASartifacts) -- [Configuring the service - provider](#ConfiguringCASInboundAuthenticator-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringCASInboundAuthenticator-TestingthesampleTestingthesample) - -### **Prerequisites** - -- Download WSO2 Identity Server from the [WSO2 Identity Server product - page](http://wso2.com/products/identity-server) and install it by - following the instructions in the [Installing the - Product](https://docs.wso2.com/display/IS520/Installing+the+Product) - topic. 
- -- Download the sample CAS client webapp (cas-client-webapp.war) from - - -- Download the CAS Version 1.0.2 Inbound Authenticator JAR from [the - store for this - authenticator](https://store.wso2.com/store/assets/isconnector/details/593aac68-3139-425c-b9ca-f66a65a0917a) - and CAS Version 2.0.1 Inbound Authenticator JAR from [the store for - this - authenticator](https://store.wso2.com/store/assets/isconnector/details/593aac68-3139-425c-b9ca-f66a65a0917a) - . - - !!! note - - If you want to upgrade the CAS Inbound Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -- The CAS login URL is required if you want to use it in your own app. - It must be: ` https://:9443/ ` - ` identity/cas/login ` - -### **Configuring cas-client-webapp** - -1. **Generate Keystore** to enable 'https' request in your web - container (e.g., Tomcat). - 1. Use the following "keytool" command inside the - "web-container/bin" (e.g., - ` ` ) directory to - create a keystore with the self-signed certificate. During the - keystore creation process, you need to assign a password and - fill in the certificate’s details. - ` keytool -genkey -alias localhost -keyalg RSA -keystore "PATH_TO_CREATE_KEYSTORE/KEYSTORE_NAME". ` - - !!! tip - - **Tip** : Here ` localhost ` is the same - name as the machine's hostname. - - - 2. Add the following connector in the - ` server.xml ` file in your web-container - (e.g., ` /conf/server.xml ` - ) - - ``` xml - - ``` - - !!! tip - - **Tip** : KEYSTORE\_PASSWORD is the password you assigned to - your keystore via the "keytool" command. - - -2. To establish the trust between cas-client-webapp and CAS-Server ( - WSO2 IS ), take the following steps: - 1. Go to the - ` /repository/resources/security/ ` - directory and execute the following command to create a - certificate file for the wso2carbon JKS. 
- ` keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon ` - 2. Inside the above directory use the following command to import - the CAS server certificate ( ` wso2.crt ` ) - into the system truststore of the CAS client. You will be - prompted for the keystore password, which is by default changeit - . - ` keytool -import -alias wso2carbon -file wso2.crt -keystore PATH-TO-jre/lib/security/cacerts ` - -### **Deploying CAS artifacts** - -1. P lace the ` cas-client-webapp.war ` file into the - webapps directory of the web-container (e.g., - ` /webapps ` ). -2. Place the - ` org.wso2.carbon.identity.sso.cas-1.0.2.jar ` file - (for Identity Server 5.3.0, use the - ` cas-2.0.1.jar ` file instead as described in the - note below) into the - ` /repository/components/dropins ` - directory and restart the Identity Server. - -!!! note - - **If you are using WSO2 Identity Server 5.3.0, make sure to take the WUM - updated product since this feature needs some core fixes done to the - product. - ** - - - - -### Configuring the service provider - -Now, you are ready to configure WSO2 Identity Server by adding a new -service provider . - -1. [Run WSO2 Identity - Server](https://docs.wso2.com/display/IS530/Running+the+Product). -2. Log in to the [management - console](../../setup/getting-started-with-the-management-console) - as an administrator. -3. In the **Identity** section under the **Main** tab, click **Add** - under **Service Providers**. - -4. Enter **cas-client-webapp** in the **Service Provider Name** text - box and click **Register**. - ![](attachments/57005726/57008598.png) - -5. In the **Inbound Authentication Configuration** section, click **CAS - Configuration**. - -6. Configure the **Service Url** : - [https://localhost:8443/cas-client-webapp/](https://localhost:8080/cas-sample-java-webapp/) - ![](attachments/57005726/68710333.png) - - Service URL refers to the URL of the application that the client is - trying to access. 
- - - -7. Go to **Claim Configuration** and click **Define Custom Claim - Dialect** to add the requested claims. (This is required to show - requested claims as user attributes in the cas-client-webapp; - otherwise, no attributes will be shown.) Add the **Service Provider - Claim** name that corresponds to the **Local Claim** URI and mark it - as **Requested Claim**. - ![](attachments/57005726/72418344.png) - -8. Click **Update** to save the changes. Now you have configured the - service provider. - -### Testing the sample - -1. To test the sample, navigate to - ` https://[server-address]/cas-client-webapp/ ` in - your browser (i.e., go to the following URL: - ). -2. The basic authentication page appears. Use your IS username and - password. - ![](attachments/57005726/57737891.png) -3. If you have successfully logged in, you will see the following CAS - Home page of cas-client-webapp with the authenticated user and user - attributes. - ![](attachments/57005726/57739209.png) - - -** -** diff --git a/en/docs/develop/configuring-certificate-revocation-validation.md b/en/docs/develop/configuring-certificate-revocation-validation.md index 4d073face5..68b578513d 100644 --- a/en/docs/develop/configuring-certificate-revocation-validation.md +++ b/en/docs/develop/configuring-certificate-revocation-validation.md 
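Review bot: the deleted configuring-cas-inbound-authenticator.md has inconsistencies that should not be carried into a replacement page: both store links (for the CAS 1.0.2 and 2.0.1 JARs) point at the same asset `593aac68-3139-425c-b9ca-f66a65a0917a`; the version note names the `identity-outbound-auth-cas` repository while linking to `identity-inbound-auth-cas`; and the Service Url step displays `https://localhost:8443/cas-client-webapp/` but links to `https://localhost:8080/cas-sample-java-webapp/`. The trust-setup step imports `wso2.crt` into the JRE-wide `PATH-TO-jre/lib/security/cacerts` with the default `changeit` password; a migrated page should state that this changes the truststore for every Java process using that JRE and prefer a truststore dedicated to the client webapp.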
@@ -12,11 +12,12 @@ Certificate Revocation List (CRL) and OCSP (Online Certificate Status Protocol) are two protocols that are used to check whether a given X509 certificate is revoked by its issuer. -- **CRL** is a list of digital certificates that have been revoked by - the issuing CA. -- **OCSP** is an internet protocol that is used for obtaining the - revocation status of an X509 digital certificate using the - certificate serial number. +!!! info + - **CRL** is a list of digital certificates that have been revoked by + the issuing CA. + - **OCSP** is an internet protocol that is used for obtaining the + revocation status of an X509 digital certificate using the + certificate serial number. WSO2 X509 authenticator, which perms client X509 certificate authentication supports certificate validation with CRL and OCSP. At the @@ -27,18 +28,15 @@ certificate is revoked, it indicates that the certificate is no longer trusted by the CA, i.e., the SSL connection to the peer is terminated. !!! note - To learn about configuring the X509 certificate authenticator, see [Configuring X509Certificate - Authenticator](Configuring-X509Certificate-Authenticator). + Authenticator](../../develop/x509-certificate-authenticator). Explore the following sections below to configure CRL and OCCP for certificate validation. -!!! tip - - **Before you begin** +!!! tip "Before you begin" Locate the ` /repository/conf/security/certificate-validation.xml ` @@ -62,7 +60,7 @@ certificate validation. -``` + ``` #### Enabling and Disabling Certificate Validation 
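Review bot: the context line immediately after the new `!!! info` block in the @@ -12 hunk, "WSO2 X509 authenticator, which perms client X509 certificate authentication supports certificate validation", has `perms` for `performs` and needs a comma after `authentication`; since this paragraph is being touched, fix both in the same change.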
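Review bot: in the @@ -27 hunk the context line "Explore the following sections below to configure CRL and OCCP for certificate validation" should read `OCSP`, and "sections below" is redundant; the titled admonition form introduced here (`!!! tip "Before you begin"`) is the right pattern and should be applied consistently to the remaining untitled notes in this file.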
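Review bot: the @@ -62 hunk indents only the closing fence to four spaces (` ``` `) so that it sits inside the tip admonition; confirm that the opening fence and the XML body above it (outside this hunk) are indented identically, otherwise the fence closes outside the admonition and the block renders as raw text.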
@@ -80,13 +78,14 @@ Follow the steps below to enable or disable certificate validation. ` true ` or ` false ` respectively. - These configurations are added to the tenant registry at - ` /_system/governance/repository/security/certificate/validator ` - during the tenant creation. There will be separate registry resource - for each validator with the properties such as name, enable, and - priority. During the certificate validation process, all the - validator configurations are loaded from the registry and based on - the status and priority, the corresponding validator gets invoked. + !!! info + These configurations are added to the tenant registry at + ` /_system/governance/repository/security/certificate/validator ` + during the tenant creation. There will be separate registry resource + for each validator with the properties such as name, enable, and + priority. During the certificate validation process, all the + validator configurations are loaded from the registry and based on + the status and priority, the corresponding validator gets invoked. #### Prioritizing Certificate Validation @@ -100,15 +99,11 @@ Follow the steps below to prioritize certificate validation. 2. To prioritize certificate validation, set a priority value to the ` ` element. - !!! note - - **Validation when both CRL and OCSP methods are enabled** - + !!! note "Validation when both CRL and OCSP methods are enabled" If the highest priority method returns a successful validation or status is not "Unknown", the second method is not attempted. The methods with the second and beyond proprieties are used as backup. - #### Configuring Full-Chain Certificate Validation The certificate chain is a list of certificates that enables the 
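Review bot: the added line "There will be separate registry resource for each validator" in the @@ -80 hunk is missing an article (`a separate registry resource`); the wrapping in `!!! info` is otherwise fine, but the sentence was carried over verbatim and this is the moment to fix it.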
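Review bot: in the @@ -100 hunk the retained context line "The methods with the second and beyond proprieties are used as backup" should read `priorities`; while retitling this admonition, also make the first sentence unambiguous, e.g. "If the highest-priority method returns a definite status (not `Unknown`), the second method is not attempted."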
@@ -125,14 +120,13 @@ When the full-chain certificate validation is enabled, the system validates with the CRL/OCSP of every intermediate certificate within the trust chain for the client except for the root CA certificate. -**Sample full-chain certificate validation** - -The intermediate CA CRL is used to verify whether the client certificate -is valid. The root CA CRL is used to verity whether the Intermediate CA -Cert is valid. +!!! info "Sample full-chain certificate validation" + The intermediate CA CRL is used to verify whether the client certificate + is valid. The root CA CRL is used to verity whether the Intermediate CA + Cert is valid. -Root CA (root CA CRL) Cert ==\> Intermediate CA Cert (inter CA CRL) ==\> -Client Cert + Root CA (root CA CRL) Cert ==\> Intermediate CA Cert (inter CA CRL) ==\> + Client Cert Follow the steps below to configure full-chain certificate validation. @@ -214,14 +208,13 @@ certificates. #### Testing Certificate Revocation +**Certificate Revocation with CRL** + After revoking the client certificate, test the X509 authentication with CRL validation by the self signed CA as mentioned below. !!! note - - As mentioned in [Configure CRL and OCSP - URLs](https://docs.wso2.com/display/IS570/Working+with+Certificates#WorkingwithCertificates-Step03:ConfigureCRLandOCSPURLs){.toc-link} - , the is a CRL URL of a  well-known + The is a CRL URL of a  well-known CA. In order to test the revocation of certificates through a CRL from our end, generate an own CRL and upload it to the own CRL URL. The CRL URL should be configured in the 
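Review bot: the added line "The root CA CRL is used to verity whether the Intermediate CA Cert is valid" in the @@ -125 hunk has `verity` for `verify`; also the chain diagram `Root CA (root CA CRL) Cert ==\> Intermediate CA Cert (inter CA CRL) ==\> Client Cert` uses backslash escapes that are unnecessary inside an admonition and easier to read as an indented code block with plain `==>` arrows.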
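Review bot: the @@ -214 hunk introduces the sub-section as bold text (`**Certificate Revocation with CRL**`) while the enclosing sections use `####` headings; use a heading level so it appears in the page outline. Dropping the link sentence also leaves "The is a CRL URL of a  well-known CA" without its subject (the URL) and with a doubled space; either keep the URL or reword to something like "The CRL URL configured by default belongs to a well-known CA".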
@@ -259,14 +252,13 @@ CRL validation by the self signed CA as mentioned below. 6. Once the certificate is revoked and the CRL is updated, upload it so that a new version can be downloaded from the CRL URL. +**Certification Revocation with OCSP** + After revoking the client certificate, test the X509 authentication with OCSP validation by the self signed CA as mentioned below. !!! note - - As mentioned in [Configure CRL and OCSP - URLs](https://docs.wso2.com/display/IS570/Working+with+Certificates#WorkingwithCertificates-Step03:ConfigureCRLandOCSPURLs){.toc-link} - , the is an OCSP URL of a  well-known + The is an OCSP URL of a  well-known CA. In order to test the revocation of certificates through OCSP from our end, generate an own OCSP. This OCSP should be configured in the ` validation.cnf ` file. @@ -349,11 +341,12 @@ OCSP validation by the self signed CA as mentioned below. certificate is revoked. Test the X509 authentication, by enabling the OCSP validation. With this, validation should be failed. +**Update Validator Configurations** + Follow the steps below to change the priority of the validators of any other validator configurations. !!! note - File-based configurations are taken only at the initial start up, after which the changes are to be made in the registry via the WSO2 Identity Server Management Console. @@ -369,11 +362,13 @@ other validator configurations. ``` 2. On the **Main** tab, click **Registry \> Browse**. - ![](attachments/103328122/103328123.png) + ![](../../assets/img/103328122/103328123.png) + 3. Enter the registry path ` /_system/governance/repository/security/certificate/validator ` to the **Location** text box and click **Go**. - ![](attachments/103328122/103328124.png) + ![](../../assets/img/103328122/103328124.png) + 4. To update the properties, expand **Properties**. - ![](attachments/103328122/103328125.png) + ![](../../assets/img/103328122/103328125.png) 
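Review bot: the heading added in the @@ -259 hunk, `**Certification Revocation with OCSP**`, should be "Certificate Revocation with OCSP" to match the CRL heading added in the previous hunk, and for the same reason should be a heading rather than bold text; the rewritten line "The is an OCSP URL of a  well-known CA" has the same missing subject and doubled space as its CRL counterpart.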
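Review bot: the context line under the new `**Update Validator Configurations**` label in the @@ -349 hunk, "change the priority of the validators of any other validator configurations", should read `or any other`; the note that file-based configurations are read only at first start-up is the key operational caveat of this section and deserves a title such as `!!! note "Changes after first start-up"` rather than an untitled admonition.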
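Review bot: the @@ -369 hunk moves three images from `attachments/103328122/` to `../../assets/img/103328122/` but the image files themselves are not part of this hunk; confirm they are added at that path in the same changeset, otherwise the Registry Browse screenshots will be broken links after merge.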
diff --git a/en/docs/develop/configuring-dropbox-authenticator.md b/en/docs/develop/configuring-dropbox-authenticator.md deleted file mode 100644 index 798c3685c5..0000000000 --- a/en/docs/develop/configuring-dropbox-authenticator.md +++ /dev/null 
@@ -1,154 +0,0 @@ -# Configuring Dropbox Authenticator - -This page provides instructions on how to configure the Dropbox -authenticator and the WSO2 Identity Server to log in to a sample app. -You can find more information in the following sections. - -This is tested for the Dropbox API version 1.0. Dropbox Authenticator is -supported by WSO2 Identity Server versions 5.1.0, 5.2.0 and 5.3.0. - -- [Configuring the Dropbox - App](#ConfiguringDropboxAuthenticator-ConfiguringtheDropboxApp) -- [Deploying travelocity.com sample - app](#ConfiguringDropboxAuthenticator-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringDropboxAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringDropboxAuthenticator-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringDropboxAuthenticator-Testingthesample) - -### Configuring the Dropbox App - -1. Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the - .jar(org.wso2.carbon.identity.authenticator.dropbox) file from the - [wso2 - store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22dropbox%22) - . - - !!! note - - If you want to upgrade the Dropbox Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -2. Navigate to and create a - new app. You must create or have a Dropbox account for this. - - ![](attachments/49091441/75106368.png) - -3. Enter the name of your new app and click **Create App**. -4. Specify the redirect URI as in - the window that appears. -5. Now you have finished configuring Dropbox. Copy the **App key** and - **App Secret** from the above page. - -### Deploying travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. 
- -To configure this, see [deploying travelocity.com sample -app](Deploying-the-Sample-App). - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. Give a suitable name for **Identity Provider Name**. - ![](attachments/49091441/75106398.png) -5. Go to **Dropbox Configuration** under **Federated Authenticators**. -6. Enter the values as given in the above figure. - - | Field | Description | Sample Value | - |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| - | Enable | Selecting this option enables Dropbox to be used as an authenticator for users provisioned to WSO2 Identity Server. | Selected | - | Default | Selecting the **Default** checkbox specifies Dropbox as the main/default form of authentication. If selected, any other authenticators that have been selected as **Default** will be unselected by WSO2 IS. | Selected | - | Cliend Id | The app key from the Dropbox application. | owqfgrlhowmgypa | - | Client Secret | The app secret from the Dropbox application. Click the **Show** button to see the value. | lmcbrqwb14algwy\| | - | Callback URL | The URL to which the browser should be redirected to after the authentication is successful. Follow this format: https://(host-name):(port)/acs . 
| | - -7. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. -2. In the **Service Providers** section under the **Main** tab, click - **Add**. -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - ![](attachments/49091441/49224550.png){height="250"} -5. Now set the configuration as follows: - 1. Issuer: travelocity.com - 2. Assertion Consumer URL: - -6. Select the following check-boxes: - 1. Enable Response Signing. - 2. Enable Single Logout. - 3. Enable Attribute Profile. - 4. Include Attributes in the Response Always. -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -8. Go to the **Local and Outbound Authentication Configuration** - section. -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - - ![](attachments/49091441/49224551.png) -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, navigate to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., - [![](attachments/49091441/49224552.png) ](http://localhost:8080/travelocity.com) -2. Click the link to log in with SAML from the WSO2 Identity Server. -3. You are redirected to the Dropbox login page. Enter your Dropbox - credentials. - - ![](attachments/49091441/49224553.png) -4. You are then taken to the home page of the travelocity.com app. 
- ![](attachments/49091441/49224554.png) - - - -3544 - -4301 - -6422 - -1257 - -512 - -961 - -1585 - -1791 - -1795 diff --git a/en/docs/develop/configuring-facebook-authenticator.md b/en/docs/develop/configuring-facebook-authenticator.md deleted file mode 100644 index 3fc02ab995..0000000000 --- a/en/docs/develop/configuring-facebook-authenticator.md +++ /dev/null 
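Review bot: the deleted configuring-dropbox-authenticator.md ends with a run of stray numeric lines (`3544`, `4301`, `6422`, ...) that are attachment residue, and its field table has `Cliend Id` for `Client Id`, a trailing `\|` in the sample secret `lmcbrqwb14algwy\|`, an empty Callback URL sample, and the same `https://(host-name):(port)/acs` format text seen on the Bitly page; none of this should survive into a replacement page.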
@@ -1,349 +0,0 @@ -# Configuring Facebook Authenticator - -Current trends require usage of services from hundreds of websites in a -connected world. Most of these websites need the user to create an -account with them by providing a valid email address and password. -Remembering all the different user IDs and passwords that you use can be -difficult and cumbersome. To make the life easier most websites now -provide the user with an option to log in using their Facebook account, -Twitter account or Google account. Since most of the internet users have -one of these accounts, it makes creating a new account an instant -action. - -WSO2 Identity Server enables users to log in to the Identity Server -using their Facebook account. To do that, first you have to create a -Facebook app after registering as a Facebook developer. - -!!! note - - **Note** : This is relevant for WSO2 Identity Server versions 5.2.0 and - 5.3.0. For older product versions, you have to configure this - differently. Refer to [WSO2 IS 5.1.0 - documentation](https://docs.wso2.com/display/IS510/How+To%253A+Login+to+the+Identity+Server+using+Facebook+Credentials) - on doing this. - - -This topic provides instructions on how to configure the Facebook app -and the Identity Server to integrate using a sample app. See the -following sections for more information. 
- -- [Deploying the required - artifacts](#ConfiguringFacebookAuthenticator-Deployingtherequiredartifacts) -- [Configuring the Facebook - app](#ConfiguringFacebookAuthenticator-ConfiguringtheFacebookapp) -- [Deploying travelocity.com sample - app](#ConfiguringFacebookAuthenticator-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringFacebookAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringFacebookAuthenticator-Configuringtheserviceprovider) -- [Configuring claim mappings for - Facebook](#ConfiguringFacebookAuthenticator-ConfiguringclaimmappingsforFacebook) -- [Configuring requested claims - for travelocity.com](#ConfiguringFacebookAuthenticator-Configuringrequestedclaimsfortravelocity.com) -- [Testing the - sample](#ConfiguringFacebookAuthenticator-Testingthesample) - -### Deploying the required artifacts - -1. Download the .jar file associated with this authenticator from [the - connector - store](https://store.wso2.com/store/assets/isconnector/details/9edb106b-05ee-4810-8d47-81d0639f8c2b) - . -2. Copy the .jar file you downloaded into the - ` /repository/components/dropins ` - folder. - - !!! note - - If you want to upgrade the Facebook Authenticator in your existing - IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -3. Restart the WSO2 Identity Server if it is already running. - -### Configuring the Facebook app - -1. Go to and log in using your - Facebook credentials. -2. Click on **My Apps** and then click **Create a New App**. - ![](attachments/68686690/68686671.png) -3. Choose the platform you wish to use. Select **Website** here when - working with this sample. - ![](attachments/68686690/68686672.png) -4. Enter the name of your new app in the window that appears and click - **Create New Facebook App ID**. - ![](attachments/68686690/68686673.png){height="250"} -5. 
Enter a Display Name, Contact Email and select an appropriate - category from the dropdown. Click **Create App ID**. - ![](attachments/68686690/68686674.png){height="250"} -6. This will lead you to the quick start guide. You can view the - configuration there and skip the quick start guide to access the - developer dashboard. - ![](attachments/68686690/68686675.png) -7. This will take you to the app **Dashboard** where you can find the - **App ID** and **App Secret** as shown in the image below. Click - **Show** to view the **App Secret**. - - **App ID** is the Client ID and the **App Secret** is the Client - Secret in OAuth terminology. The API Version is Facebook’s API that - is used to create the application. - - ![](attachments/68686690/68686676.png) - -8. Click **Settings** on the left menu and navigate to the **Basic** - tab. Add the **App Domains** (since WSO2 IS is running on localhost, - you can add localhost as the App Domain) and click **Add Platform** - . - ![](attachments/68686690/68686677.png) - -9. Select **Website** as the platform for the application and enter the - following as the site URL: - [https://localhost:9443](https://localhost:9443/). Click **Save - Changes**. - ![](attachments/68686690/68686678.png) - ![](attachments/68686690/68686679.png) -10. On the left panel, click **Add Product** and click **Get Started** - for a **Facebook Login** product. - ![](attachments/68686690/68686680.png){height="250"} - -11. You can configure the **Client OAuth Settings** on the window that - appears. - ![](attachments/68686690/68686681.png) - - 1. **Client OAuth Login** should be set to **Yes**. - 2. **Web OAuth Login** should be set to **Yes**. - 3. **Valid OAuth redirect URIs** should be set to - . - -12. Scroll down and click the **Save Changes** button to save the - changes. - -Now you have finished configuring Facebook as an Identity Provider. - -About accessing the app - -The app is not available to general public yet. 
To make to app available -to every Facebook user, you have to submit the app for review. After a -review, Facebook makes the app available to every Facebook user. You can -find more information on the review process by clicking on **App -Review** in the left navigation menu of your app's dashboard. - -The review process may take some time, so for the purposes of this -sample, you can specify some Facebook users as Developers or Testers. -Only the users specified here can use this app to log in with Facebook -until the app goes public. To do this, click on **Roles** in the left -navigation menu of the dashboard and specify the required Facebook users -as Developers or Testers. - -![](attachments/68686690/68686682.png) - -### Deploying travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. - -1. You can download the travelocity.com.war file from - [here](https://drive.google.com/file/d/0B6TqW_IScmilVzdsSUNVWEQ0UWs/edit?usp=sharing) - . -2. Deploy this sample web app on a web container. - 1. Use the Apache Tomcat server to do this. - 2. Since this sample is written based on Servlet 3.0, it needs to - be deployed on Tomcat 7.x. - 3. Copy the .war file into the webapps folder. For example, - ` /apache-tomcat-7.0.50/webapps ` - . - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding a service provider and identity provider. - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS520/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS520/Running+the+Product). -2. Log in to the [Management - Console](https://docs.wso2.com/display/IS520/Getting+Started+with+the+Management+Console) - as an administrator. -3. 
In the **Identity** section under the **Main** tab of the Management - Console, click **Add** under **Identity Providers**. -4. Give a suitable name as the **Identity Provider Name**. - ![](attachments/68686690/68686683.png) -5. Go to **Facebook Configuration** under **Federated Authenticators** - . - -6. Enter the following values in the form that appears: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample Value
App IDThis refers to the Client Id you received from the Facebook app you created.<Application ID of the Facebook App>
App SecretThis refers to the Client Secret you received from the Facebook app you created.<App Secret of the Facebook App>
ScopeDefines the permission to access particular information from a Facebook profile. See the Permissions Reference for a list of the different permission groups in Facebook APIs.email
-
-
User Information FieldsThese are the claims related to the user account on Facebook. WSO2 Identity Server requests these fields from Facebook when a user is authenticated with Facebook through the IS. See public_profile permission for more information about these fields.id,name,gender,email,first_name,last_name,age_range,link
- - ![](attachments/68686690/68686684.png) - -7. Select both checkboxes to **Enable Facebook Authenticator** and make - it the **Default**. - -8. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the Management Console. -2. In the **Identity** section under the **Main** tab, click **Add** - under **Service Providers**. -3. Enter [travelocity.com](http://travelocity.com/) in the **Service - Provider Name** text box and click **Register**. -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - ![](attachments/68686690/68686685.png) - - Now set the configuration as follows: - 1. Enter the following values: - - **Issuer** : [travelocity.com](http://travelocity.com/) - - **Assertion Consumer URL** : - - - 2. Select the following check-boxes: - - Enable Response Signing - - Enable Single Logout - - Enable Attribute Profile - - Include Attributes in the Response Always - -5. Click **Register**. Now you will be sent back to the **Service - Providers** page. - -6. Go to the **Local and Outbound Authentication Configuration** - section. - -7. Select the **Federated Authentication** radio button and select the - Identity Provider you created from the dropdown list under - **Federated Authentication**. - ![](attachments/68686690/68686686.png) - -8. Click **Update** to save the changes. - -You have now added and configured the service provider. - -!!! note - - The default client-truststore.jks found in the - ` /repository/resources/security/ ` directory - contains the Facebook certificate by default. - - -### Configuring claim mappings for Facebook - -The next step is to configure claims in the Identity Server and map them -with Facebook. - -1. In the **Identity** section under the **Main** tab, click **List** - under **Identity Providers**. -2. 
Click **Edit** to edit the facebook identity provider you created. -3. Under **Claim Configuration**, go to **Basic Claim Configuration** - . -4. Select the **Define Custom Claim Dialect** option under **Select - Claim mapping Dialect**. -5. Click **Add Claim Mapping** to add custom claim mappings as - follows. - ![](attachments/68686690/68686687.png) -6. You can retrieve all the public information of the user and the - email address. The following are some common attribute names. - - id - email - name - first\_name - last\_name - link - gender - locale - age\_range - - More information is available from the following link: - - - You can map these attributes to any **Local Claim URI** that is - suitable. - -7. Select a suitable **User ID Claim URI** (e.g., email). -8. Click **Update** to save changes. - -### Configuring requested claims for [travelocity.com](http://travelocity.com/) - -1. In the **Identity** section under the **Main** tab, click **List** - under **Service Providers**. -2. Click **Edit** to edit the - [travelocity.com](http://travelocity.com/) service provider. -3. Go to **Claim Configuration**. -4. Click on **Add Claim URI** under **Requested Claims** to add the - requested claims as follows. Here you should add the claims you - mapped in the Identity Provider claim configuration. - ![](attachments/68686690/68686688.png) -5. Select a suitable claim for the **Subject Claim URI**. - - !!! note - - **Note:** To use email address as the **Subject Claim URI**, you - have to allow the usage of email addresses as usernames in the - ` /repository/conf/carbon.xml ` file. - To allow using email address as usernames, uncomment the following - in the **carbon.xml** file. - - ` ` - - -Now you have configured the Identity Server. - -### Testing the sample - -1. To test the sample, go to the following URL: - . - ![](attachments/68686690/68686689.png) -2. Click the link to log in with SAML from WSO2 Identity Server. -3. 
You are redirected to the Facebook Login page. Enter your Facebook - credentials and you will be taken to the home page of the - [travelocity.com](http://travelocity.com/) app. diff --git a/en/docs/develop/configuring-foursquare-authenticator.md b/en/docs/develop/configuring-foursquare-authenticator.md deleted file mode 100644 index a445180fcd..0000000000 --- a/en/docs/develop/configuring-foursquare-authenticator.md +++ /dev/null 
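Review bot: the trust-store note near the end of the service-provider section in this hunk (`The default client-truststore.jks found in the /repository/resources/security/ directory contains the Facebook certificate by default`) states a fact that goes stale as soon as Facebook rotates its TLS certificate, and the page gives the reader no way to check it. If this text is carried into the replacement page, pair it with the check (list the trust store with `keytool -list -keystore client-truststore.jks` and compare the entry against the certificate the browser shows for facebook.com) and with the import step the Instagram page in this same patch spells out, so that a signature-validation failure after a certificate rotation is diagnosable from the docs rather than appearing only as a failed federated login.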
@@ -1,598 +0,0 @@ -# Configuring Foursquare Authenticator - -This page provides instructions on how to configure Foursquare -authenticator and Identity Server for using a sample app. You can find -more information in following sections. - -This is tested with the Foursquare API version 2. Foursquare -Authenticator is supported by Identity Server 5.1.0 upwards. - -- [Configuring the Foursquare - App](#ConfiguringFoursquareAuthenticator-ConfiguringtheFoursquareApp) -- [Deploying travelocity.com sample - app](#ConfiguringFoursquareAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringFoursquareAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringFoursquareAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Configuring - claims](#ConfiguringFoursquareAuthenticator-Configuringclaims) -- [Configuring requested claims for - travelocity.com](#ConfiguringFoursquareAuthenticator-Configuringrequestedclaimsfortravelocity.com) -- [Testing the - sample](#ConfiguringFoursquareAuthenticator-TestingthesampleTestingthesample) - -### Configuring the Foursquare App - -1. Place the authenticator .jar file ( - ` org.wso2.carbon.extension.identity.authenticator.foursquare.connector-1.x.x.jar ` - ) into the - ` /repository/components/dropins ` - directory. You can download the .jar file from the [WSO2 - Store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22foursquare%22) - . - - !!! note - - If you want to upgrade the Foursquare Authenticator in your existing - IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -2. Go to and login with your Foursquare - account. - - !!! tip - - If you do not have a Foursquare account, create an account by - clicking **Sign Up** or sign in with your Facebook credentials. 
- - -3. Go to and click **Log-in**. You - can create a new app in the **My Apps** section by clicking **Create - a New App**. - ![](attachments/49088044/76747590.png) - - - -4. Enter the following in the window that appears: - - - **App name** - TravelocityApp - - - **Application Url** - http://localhost:8080/travelocity.com - - - **Redirect URL** as  https://localhost:9443/commonauth - ![](attachments/49088044/76744023.png) - -5. You can select **Create App without Verifying** link at the end in - order to try out the authenticator. - ![](attachments/49088044/76744027.png) - -6. Save your changes. - This takes you to the app Dashboard where you can find the Client Id - and Client Secret as shown in the image below. - ![](attachments/49088044/76744028.png) - -Now you have finished configuring Foursquare as an identity provider. - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample -app](https://docs.wso2.com/display/ISCONNECTORS/Deploying+the+Sample+App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding a [service -provider](https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider) -and [identity -provider.](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. 
Give a suitable name for **Identity Provider Name** (e.g., - foursquare). - Refer [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS530/Adding+and+Configuring+an+Identity+Provider) - for more information related to the identity provider configuration. -5. Go to **Foursquare Configuration** under **Federated - Authenticators**. - ![](attachments/49088044/49221977.png) - -6. Enter the IdP related details. - - - **Client Id** : [Client - Id](#ConfiguringFoursquareAuthenticator-clientID) for the app - that you created in Foursquare. - - **Client Secret** : [Client - Secret](#ConfiguringFoursquareAuthenticator-clientID) for for - the app that you created in Foursquare. - - **Callback URL** : Service Provider's URL where code needs to be - sent. Example: https://localhost:9443/commonauth - - **Profile Version** : The appropriate pass date can be added for - versioning field - OR the - version of your foursquare account can be added from the API - explorer - - . - Example: 20171114 from - https://api.foursquare.com/v2/users/self?oauth\_token=xxx&v=20171114 - -7. Select both checkboxes **Enable** and **Default** to enable the - Foursquare Authenticator and make it the default. - -8. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider based on the WSO2 -Identity Server version that you are working on. - -- [Configuring a service provider with IS 5.3.0 - upwards](#ConfiguringFoursquareAuthenticator-ConfiguringaserviceproviderwithIS5.3.0upwards) -- [Configuring a service provider with IS 5.1.0 or IS - 5.2.0](#ConfiguringFoursquareAuthenticator-ConfiguringaserviceproviderwithIS5.1.0orIS5.2.0) - -#### Configuring a service provider with IS 5.3.0 upwards - -1. Return to the management console. - -2. In the **Service Providers** section under the **Main** tab, click - **Add**. - -3. 
As you are using travelocity as the sample, enter travelocity.com in - the **Service Provider Name** text box. - -4. Configure the SAML2 Web SSO Configuration details. - For more information on theSAML2 Web Single-Sign-On Configuration - methods, see [Configuring SAML2 Web - Single-Sign-On](https://docs.wso2.com/display/IS530/Configuring+SAML2+Web+Single-Sign-On) - . - 1. In the **Inbound Authentication Configuration** section, click - **SAML2 Web SSO Configuration**, and then click - ****Configure****. - - ![](attachments/49088044/76747573.png) - - 2. Now set the configuration as follows: - - 1. **Select Mode** : Manual Configuration - - 2. **Issuer** : travelocity.com - - 3. **Assertion Consumer URL** : Enter the Assertion Consumer - URL as and - click **Add**. - - 3. Select the following check-boxes: - 1. **Enable Response Signing** - - 2. **Enable Single Logout** - - 3. **Enable Attribute Profile** - - 4. **Include Attributes in the Response Always** - -5. Click **Register** to save the changes. Now you will be sent back to - the **Service Providers** page. - -6. Click **Edit** to edit the travelocity.com service provider. - -7. Configure the Local and Outbound Authentication for Foursquare. - For more information, see [Configuring Local and Outbound - Authentication for a Service - Provider](../../learn/configuring-local-and-outbound-authentication-for-a-service-provider) - in the WSO2 IS 5.3.0 guide. - - 1. Go to the **Local and Outbound Authentication Configuration** - section. - - 2. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - ![](attachments/49088044/76747587.png) - - 3. Ensure that the **Federated Authentication** radio button is - selected. - -8. Click **Update** to save the changes. - -#### Configuring a service provider with IS 5.1.0 or IS 5.2.0 - -1. Return to the management console. - -2. In the **Service Providers** section under the **Main** tab, click - **Add**. - -3. 
As you are using travelocity as the sample, enter travelocity.com in - the **Service Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **SAML2 Web SSO Configuration**, and then click ****Configure****. - - ![](attachments/49088044/49221980.png) - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - http://localhost:8080/travelocity.com/home.jsp - -6. Select the following check-boxes: - 1. **Enable Response Signing** - - 2. **Enable Single Logout** - - 3. **Enable Attribute Profile** - - 4. **Include Attributes in the Response Always** - -7. Click **Register** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Go to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Configuring claims - -[Add a new claim -mapping](../../using-the-identity-server/adding-claim-mapping) for -various user attributes related to Foursquare based on the WSO2 Identity -Server version that you are working on. - -- [Configuring claims with IS 5.3.0 - upwards](#ConfiguringFoursquareAuthenticator-ConfiguringclaimswithIS5.3.0upwards) -- [Configuring claims with IS 5.1.0 or IS - 5.2.0](#ConfiguringFoursquareAuthenticator-ConfiguringclaimswithIS5.1.0orIS5.2.0) - -#### Configuring claims with IS 5.3.0 upwards - -1. Sign in to the [Management - Console](../../setup/getting-started-with-the-management-console) - by entering your username and password. -2. In the **Main** menu, click **Add** under **Claims**. -3. Click **Add Claim Dialect** to create the Foursquare authenticator - specific claim dialect. - -4. 
Specify the Dialect URI as and - click **Add** to create the claim dialect. - -5. Map a new external claim to an existing local claim dialect. - You need to map at least one claim under this new claim dialect. - Therefore, let's map the claim for the Foursquare user ID. - 1. In the **Main** menu, click **Add** under **Claims**. - 2. Click **Add External Claim** to add a new claim to the - Foursquare claim dialect. - - 3. Select the **Dialect URI** as - - - 4. Enter the **External Claim URI** based on the following claim - mapping information. - 5. Select the **Mapped Local Claim** based on the following claim - mapping information. - - Claim mapping for ID ** - ** - - | | | - |--------------------|--------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/id | - | Mapped Local Claim | http://wso2.org/claims/username | - - 6. Click **Add** to add the new external claim. - -6. Similarly, you can create claims for all the public information of - the Foursquare user by repeating step 5 with the following claim - mapping information. 
- - - Claim mapping for email - - | | | - |--------------------|-----------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/email | - | Mapped Local Claim | http://wso2.org/claims/emailaddress | - - - Claim mapping for first name - - | | | - |--------------------|---------------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/firstName | - | Mapped Local Claim | http://wso2.org/claims/givenname | - - - Claim mapping for last name - - | | | - |--------------------|--------------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/lastName | - | Mapped Local Claim | http://wso2.org/claims/lastname | - - - Claim mapping for gender - - | | | - |--------------------|------------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/gender | - | Mapped Local Claim | http://wso2.org/claims/gender | - - - Claim mapping for home city - - | | | - |--------------------|--------------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/homeCity | - | Mapped Local Claim | http://wso2.org/claims/location | - - - Claim mapping for canonical URL - - | | | - |--------------------|------------------------------------------------| - | Dialect URI | http://wso2.org/foursquare/claims | - | External Claim URI | http://wso2.org/foursquare/claims/canonicalUrl | - | Mapped Local Claim | http://wso2.org/claims/url | - -7. The next step is to configure claims in the Identity Server and map - them with Foursquare. - - 1. In the **Identity** section under the **Main** tab, click - **List** under **Identity Providers**. - 2. 
Click **Edit** to edit the Foursquare identity provider you - created. - 3. Under **Claim Configuration**, go to **Basic Claim - Configuration**. - ![](attachments/49088044/76747747.png) - 4. Select the **Define Custom Claim Dialect** option under **Select - Claim mapping Dialect**. - 5. Click **Add Claim Mapping** to add custom claim mappings as - follows. - - | Identity Provider URI | Local Claim URI | - |------------------------------------------------|-------------------------------------| - | http://wso2.org/foursquare/claims/id | http://wso2.org/claims/username | - | http://wso2.org/foursquare/claims/email | http://wso2.org/claims/emailaddress | - | http://wso2.org/foursquare/claims/firstName | http://wso2.org/claims/givenname | - | http://wso2.org/foursquare/claims/lastName | http://wso2.org/claims/lastname | - | http://wso2.org/foursquare/claims/gender | http://wso2.org/claims/gender | - | http://wso2.org/foursquare/claims/homeCity | http://wso2.org/claims/location | - | http://wso2.org/foursquare/claims/canonicalUrl | http://wso2.org/claims/url | - - 6. Select the User ID Claim URI as - - http://wso2.org/foursquare/claims/id - - 7. Click **Update**. - -#### Configuring claims with IS 5.1.0 or IS 5.2.0 - -1. Sign into the [Management - Console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - by entering your username and password. -2. In the **Main** menu, click **Add** under **Claims**. -3. Click **Add New Claim Dialect** to create the Foursquare - authenticator specific claim dialect. - ![](attachments/49088044/57749020.png){height="250"} - Specify the Dialect Uri as and - create claims. It is required to create at least one claim under - this new dialect. Therefore, create the claim for the Foursquare - user ID while creating the claim dialect. Enter the following values - the form. 
- - | | | - |----------------------|--------------------------------------| - | Display Name | User ID | - | Description | Claim to user ID | - | Mapped Attribute | uid | - | Claim URL | http://wso2.org/foursquare/claims/id | - | Supported by Default | selected | - -4. Click **Add** to add the new claim. -5. Similarly, you can create claims for all the public information of - the Foursquare user. Add the following claims under the dialect - **http://wso2.org/foursquare/claims** - - | | | - |:---------------------|:----------------------------------------| - | Display Name | Email Address | - | Description | Claim to email address | - | Mapped Attribute | mail | - | Claim URL | http://wso2.org/foursquare/claims/email | - | Supported by Default | selected | - - | | | - |:---------------------|:--------------------------------------------| - | Display Name | First Name | - | Description | Claimtofirstname | - | Mapped Attribute | givenName | - | Claim URL | http://wso2.org/foursquare/claims/firstName | - | Supported by Default | selected | - - | | | - |:---------------------|:-------------------------------------------| - | Display Name | LastName | - | Description | Claim to last name | - | Mapped Attribute | sn | - | Claim URL | http://wso2.org/foursquare/claims/lastName | - | Supported by Default | selected | - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Display NameGender
DescriptionClaim to the gender of the user
Mapped Attribute

gender

Claim URLhttp://wso2.org/foursquare/claims/gender
Supported by Defaultselected
- - | | | - |----------------------|--------------------------------------------| - | Display Name | Home City | - | Description | Claim to Home city | - | Mapped Attribute | locality | - | Claim URL | http://wso2.org/foursquare/claims/homeCity | - | Supported by Default | selected | - - | | | - |----------------------|------------------------------------------------| - | Display Name | Canonical Url | - | Description | Claim to the canonical Url | - | Mapped Attribute | url | - | Claim URL | http://wso2.org/foursquare/claims/canonicalUrl | - | Supported by Default | selected | - - ![](attachments/49088044/57749023.png){height="250"} - -6. The next step is to configure claims in the Identity Server and map - them with Foursquare. - - 1. In the **Identity** section under the **Main** tab, click - **List** under **Identity Providers**. - 2. Click **Edit** to edit the foursquare identity provider you - created. - 3. Under **Claim Configuration**, go to **Basic Claim - Configuration**. - 4. Select the **Define Custom Claim Dialect** option under **Select - Claim mapping Dialect**. - 5. Click **Add Claim Mapping** to add custom claim mappings as - follows. - 6. Select the User ID Claim URI as - - - - 7. Click **Update**. - ![](attachments/49088044/61669807.png){height="400"} - -#### Local claim mapping - -Navigate to the **Main** menu, and click **Add** under **Claims** in the -Management Console. The list of claims appear. Click the - claim, and thereafter click **email**. 
This -shows you that by default, the local claim -**http://wso2.org/claims/emailaddress** is created with the map -attribute **mail.** - -- [**IS 5.3.0**](#9952824b428a4bfe8461ed0ee2ce46c4) -- [**IS 5.1.0/IS 5.2.0**](#d1c18575f9984094ae75bd8ada1e81fa) - -![](attachments/49088044/76747781.png){height="250"} - -![](attachments/49088044/57749027.png){height="250"} - -In the configuration, **http://wso2.org/foursquare/claims/email** is -mapped to the **mail** attribute in the Foursquare claim, and -**http://wso2.org/claims/emailAddress** is mapped to the **mail** -attribute in WSO2 local claim. - -** -Creating a new local claim to map it with the Foursquare claim** -You can create the local claim **http://wso2.org/claims/id** with the -map attribute **uid** as follows: - -- [**IS 5.3.0**](#966c70f11de54c1fa4920dcca8562087) -- [**IS 5.1.0/IS 5.2.0**](#3de64f7cd8ec43adb35d62c388f14e83) - -1. In the **Main** menu, click **Add** under **Claims**. -2. Click **Add Local Claim** to create a new local claim. - -3. Specify the following: - - - **Claim URI** - - - - **Display Name** - ID - - - **Description** - Identifier - - **Mapped Attribute (s)** - uid - - **Supported by Default** - Select this option. - ![](attachments/49088044/76747798.png) - -4. Click **Add**. - -1. In the **Main** menu, click **Add** under **Claims**. -2. Click **Add New Claim Dialect** to create the wso2.org specific - claim dialect. - - ![](attachments/49088044/57749026.png){height="250"} - -3. Click **Add**. - -### Configuring requested claims for travelocity.com - -1. In the **Identity** section under the **Main** tab, click **List** - under **Service Providers**. -2. Click **Edit** to edit the travelocity.com service provider. -3. Expand the **Claim Configuration** section. -4. Click on **Add Claim URI** under **Requested Claims** to add the - requested claims as indicated in the image below. Here you must add - the claims you mapped in the Identity Provider claim configuration. 
- - - [**IS 5.3.0**](#60f10e1b28fc4aa6b1c6003302c0c34b) - - [**IS 5.1.0/IS 5.2.0**](#a0cfc3dd8fae4fc3ad1c3c46a1b710a3) - - Select the Mandatory Claim checkbox for all the claim URIs that you - added. - - ![](attachments/49088044/112364021.png) - - ![](attachments/49088044/57749029.png) - -5. Select the Subject Claim URI as http://wso2.org/claims/emailaddress - to define the authenticated user identifier that will return with - the authentication response to the service provider. - -6. Click **Update** to save your service provider changes. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - E.g., - -2. Click the link to log in with SAML from WSO2 Identity Server. You - can use either the redirect binding or the post binding option. - ![](attachments/49088044/76748625.png) -3. You are redirected to the Foursquare Login page. Enter your - Foursquare credentials and you will be taken to the home page of the - travelocity.com app. - ![](attachments/49088044/76747861.png) diff --git a/en/docs/develop/configuring-github-authenticator.md b/en/docs/develop/configuring-github-authenticator.md deleted file mode 100644 index d663ffa534..0000000000 --- a/en/docs/develop/configuring-github-authenticator.md +++ /dev/null 
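Review bot: the `Callback URL` description in step 6 of the identity-provider section of this hunk (`Service Provider's URL where code needs to be sent. Example: https://localhost:9443/commonauth`) mislabels the value: the example is the Identity Server's own `/commonauth` endpoint, which is exactly what step 4 of the Foursquare app configuration registers as the app's `Redirect URL`, not an address of the travelocity.com service provider. If this page is being replaced rather than dropped, describe the field as the IS endpoint Foursquare redirects the browser to with the authorization code, and state that it must match the redirect URL registered in the Foursquare app character for character, since a mismatch is rejected at the redirect step. A smaller point in the same step: the `Profile Version` example carries `oauth_token=xxx` inline; keep the placeholder obviously fake wherever this is reproduced so a real token is never pasted into the docs during a later edit.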
@@ -1,224 +0,0 @@ -# Configuring Github Authenticator - -!!! warning - - For latest instructions on how to configuring the Github authenticator, - see Github Authenticator [Github - repository](https://github.com/wso2-extensions/identity-outbound-auth-github/tree/master/docs) - . - - -This page provides instructions on how to configure the Github -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -Github Authenticator  is supported by Identity Server 5.1.0 upwards. - -- [Deploying Github - artifacts](#ConfiguringGithubAuthenticator-DeployingGithubartifactsDeployingGithubartifacts) -- [Configuring the Github - App](#ConfiguringGithubAuthenticator-ConfiguringtheGithubAppConfiguringtheGithubApp) -- [Deploying travelocity.com sample - app](#ConfiguringGithubAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringGithubAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringGithubAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringGithubAuthenticator-TestingthesampleTestingthesample) - -### Deploying Github artifacts - -- Download the artifacts for this authenticator from [the - store](https://store.wso2.com/store/assets/isconnector/details/bfed96a9-0d79-4770-9c55-22378d3a2812) - . - -- Place the org.wso2.carbon.identity.authenticator.github-1.0.0.jar - file into the - ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the Github Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Github App - -1. Go to , and create a github account. -2. Register your app at - . - ![](attachments/49774670/49971235.png) -3. 
Use ` https://localhost:9443/commonauth ` as the - authorization callback URL when you register the client. -4. Now you can get the clientId and clientSecret of your created app. - ![](attachments/49774670/49971238.png) - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](https://docs.wso2.com/identity-server/Adding+and+Configuring+an+Identity+Provider) -and [service -provider](https://docs.wso2.com/identity-server/Adding+and+Configuring+a+Service+Provider) -. - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/identity-server/Adding+and+Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). - -2. Run the [WSO2 Identity - Server](https://docs.wso2.com/identity-server/Running+the+Product). -3. Log in to the [management - console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) - as an administrator. -4. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -5. Give a suitable name for **Identity Provider Name**. - ![](attachments/49774670/49971239.png) -6. Navigate to **Github Configuration** under **Federated - Authenticators**. - -7. Enter the values as given in the above figure. - - - **Client Id** : Client Id for your app. - - **Client Secret** : Client Secret for your app. - - **Scope** : Scope of the authorize token. For information on - available scopes, see - [Scopes](https://developer.github.com/apps/building-oauth-apps/scopes-for-oauth-apps/) - . - - **Callback URL** : Service Provider's URL where code needs to be - sent . - -8. 
Select both checkboxes to **Enable** the Github authenticator and - make it the **Default**. - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to see descriptions about configuration property values - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PropertyDescriptionSample Value
EnableSelecting this option enables github to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that github is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
ClientIDThis is the username from the github application8437ce9b8cfdf282c92b
Client SecretThis is the password from the github application. Click the Show button to view the value you enter.7219bb5e92f4287cb5134b73760e039e55d235d
ScopeScope of the authorize token. For information on available scopes, see Scopes .
-
Callback URL
-

This is the URL to which the browser should be redirected after the authentication is successful. The URL should be specified in the following format:
- https://<HOST_NAME>:<PORT>/acs

-
https://localhost:9443/commonauth
- -9. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - ` http://localhost:8080/travelocity.com/home.jsp ` - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. - - ![](attachments/49774670/85361222.png) -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Navigate to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the drop-down list - under **Federated Authentication**. - - ![](attachments/49774670/49971240.png) - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., ` http://localhost:8080/travelocity.com ` - -2. Login with SAML from the WSO2 Identity Server. - - ![](attachments/49774670/85361224.jpeg) - -3. Enter your Github credentials in the prompted login page of Github. - Once you log in successfully you will be taken to the home page of - the travelocity.com app. 
diff --git a/en/docs/develop/configuring-instagram-authenticator.md b/en/docs/develop/configuring-instagram-authenticator.md deleted file mode 100644 index 0b0bb9288f..0000000000 --- a/en/docs/develop/configuring-instagram-authenticator.md +++ /dev/null 
@@ -1,251 +0,0 @@ -# Configuring Instagram Authenticator - -This page provides instructions on how to configure the Instagram -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -This is tested with the Instagram API version 1.0 (v1). Instagram -authenticator is supported by Identity Server 5.1.0 upwards. - -- [Deploying Instagram - artifacts](#ConfiguringInstagramAuthenticator-DeployingInstagramartifactsDeployingInstagramartifacts) -- [Configuring the Instagram - App](#ConfiguringInstagramAuthenticator-ConfiguringtheInstagramAppConfiguringtheInstagramApp) -- [Deploying travelocity.com sample - app](#ConfiguringInstagramAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringInstagramAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringInstagramAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Configuring - claims](#ConfiguringInstagramAuthenticator-Configuringclaims) -- [Configuring requested claims for - travelocity.com](#ConfiguringInstagramAuthenticator-Configuringrequestedclaimsfortravelocity.com) -- [Testing the - sample](#ConfiguringInstagramAuthenticator-TestingthesampleTestingthesample) - -### Deploying Instagram artifacts - -- Place the Instagram authenticator .jar file ( - ` org.wso2.carbon.extension.identity.authenticator.instagram.connector-X.X.X.jar ` - ) into the - ` /repository/components/dropins ` - directory. You can download this from [the - store](https://store.wso2.com/store/assets/isconnector/details/175db9b2-1aae-4402-adee-94c4acd751d2) - . - - !!! note - - If you want to upgrade the Instagram Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Instagram App - -1. 
Download the **Instagram** app for iOS from the App Store, Android - from Google Play Store or Windows Phone from the Windows Phone - Store. -2. Once the app is installed, tap to open it. -3. Sign up and create an account using your email ID. -4. Navigate to and log in using the - credentials that you used to create the account. -5. Navigate to and click the ' - **Register Your Application** ' button and register a new client. -6. Use as the redirect URL when you - register the client. - ![](attachments/49091422/49224545.png) - - !!! note - - If you are getting an error while registering you may have to - "Disable Content Security Policy". It is recommended to enable - content security policy, once you registered into the app. - - -7. From the app dashboard you can get the **clientId** and - **clientSecret** for your created app. - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -and [service -provider](https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider) -. - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). -2. Go to in your browser, and then click - the HTTPS trust icon on the address bar (e.g., the padlock next to - the URL) to download the certificate. If you are using google chrome - please follow the steps of [inspecting certificates in - chrome](https://textslashplain.com/2017/05/02/inspecting-certificates-in-chrome/) - to export the certificate. - -3. 
Import that certificate into the IS client keystore by running the - following command on your command line. - ` keytool -importcert -file -keystore < IS_HOME >/repository/resources/security/client-truststore.jks -alias "Instagram" ` - - !!! note - - Note that 'wso2carbon' is the keystore password of the default - client-truststore.jks file. We need the certificate in order to - validate the signature. Otherwise, it is unable to prove that the - response is sent by the relevant identity provider we configured. - - -4. [Run the WSO2 Identity - Server](https://docs.wso2.com/display/IS510/Running+the+Product). -5. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -6. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -7. Give a suitable name for **Identity Provider Name** and configure - the authenticator. To do this, navigate to **Instagram - Configuration** under **Federated Authenticators** and fill the - form. - ![](attachments/49091422/51251951.png) - Do the following configurations. - - | Field | Description | Sample value | - |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------| - | Enable | Selecting this option enables Instagram to be used as an authenticator for users provisioned to the Identity Server. | Selected | - | Default | Selecting the **Default** checkbox signifies that Instagram is the main/default form of authentication. This removes the selection made for any other **Default** checkboxes for other authenticators. | Selected | - | Client Id | This is the username from the Instagram application. | aa6f12fd086e4b58a6707d5b61377a71 | - | Client Secret | This is the password from the Instagram application. 
Click the **Show** button to view the value you enter. | fffc3f4808f34e01b0bc529ce78f5980 | - | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs. | https://localhost:9443/commonauth | - -8. Select both checkboxes to **Enable** the Instagram authenticator and - make it the **Default**. - -9. Click Register. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using Travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click Register. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. - - ![](https://lh6.googleusercontent.com/qsYmfJRbhzqeKB_WHare-nLYmSL3DItCUqx3627JsK8aF0AibTUNO-s4DyG5Zx_bp0wfH_10Ap6dJ2ngKNYBtlgOCHZBSoKqhNbVac0DEWZ49C4Gpej3mzFoQpP2Z6XFP6iYkUCf) - -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Navigate to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - - ![](attachments/49091422/49227071.png) - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. 
- -**Related Topics** - -For more information on service provider configuration, see [Configuring -Single -Sign-On](https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On) -. - -### Configuring claims - -This involves [adding a new claim -mapping](https://docs.wso2.com/display/IS520/Adding+Claim+Mapping) for -various user attributes related to Instagram. - -- In the **Main** menu, click **Add** under **Claims**. -- Click **Add New Claim Dialect** to create the Instagram - authenticator specific claim dialect. - ![](attachments/49091422/58473586.png) -- Specify the Dialect Uri as and - create claims. It is required to create at least one claim under - this new dialect. Therefore, create the claim for the Instagram user - ID while creating the claim dialect. Enter the following values the - form. -- Click **Add** to add the new claim. -- Similarly, you can create claims for all the public information of - the Instagram user. Add the following claims under the dialect - - ![](attachments/49091422/58473593.png) - -![](attachments/49091422/58473594.png) - - - -- You can create the local claim to map it with the Instagram claim. - Create the local claim **http://wso2.org/claims/profilepicture** - with the map attribute **profile picture**. - -![](attachments/49091422/58473595.png) - - - -### Configuring requested claims for travelocity.com - -1. In the **Identity** section under the **Main** tab, click **List** - under **Service Providers**. -2. Click **Edit** to edit the travelocity.com service provider. -3. Expand the **Claim Configuration** section. -4. Click on **Add Claim URI** under **Requested Claims** to add the - requested claims as indicated in the image below. Here you must add - the claims you mapped in the Identity Provider claim configuration. - -![](attachments/49091422/58473599.png) - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., - -2. 
Click the option available to login with SAML from the WSO2 Identity - Server. - -3. Enter your Instagram credentials in the prompted login page of - Instagram. Once you login successfully you will be taken to the home - page of the [travelocity.com](http://travelocity.com) app. - -![](attachments/49091422/58473600.png) diff --git a/en/docs/develop/configuring-jwt-grant-type.md b/en/docs/develop/configuring-jwt-grant-type.md deleted file mode 100644 index 759646f454..0000000000 --- a/en/docs/develop/configuring-jwt-grant-type.md +++ /dev/null 
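Review bot: The deletion of configuring-instagram-authenticator.md (`@@ -1,251 +0,0 @@`) removes this file's only guidance on importing the Instagram certificate into `<IS_HOME>/repository/resources/security/client-truststore.jks` together with the note explaining why it matters ("We need the certificate in order to validate the signature. Otherwise, it is unable to prove that the response is sent by the relevant identity provider we configured"), yet neither the commit message ("add connector docs") nor this hunk says where that content now lives. Please name the destination page in the commit message and, if the text is moved, make sure the replacement keeps the truststore step, repairs the garbled command `keytool -importcert -file -keystore < IS_HOME >/repository/resources/security/client-truststore.jks -alias "Instagram"` (the `-file` argument is empty and `< IS_HOME >` should read `<IS_HOME>`), and states that 'wso2carbon' is only the password of the default client-truststore.jks rather than a value to rely on. The removed "Disable Content Security Policy" workaround for app registration should only be carried over together with its sentence recommending that CSP be enabled again once registration is done.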
@@ -1,257 +0,0 @@ -# Configuring JWT Grant Type - -This topic provides instructions on how to configure the JWT grant type. -See the following sections for more information. - -- [Deploying artifacts](#ConfiguringJWTGrantType-Deployingartifacts) -- [Configure the JWT grant - type](#ConfiguringJWTGrantType-ConfiguretheJWTgranttype) -- [The flow](#ConfiguringJWTGrantType-Theflow) -- [JWT Bearer Grant](#ConfiguringJWTGrantType-JWTBearerGrant) - -### Deploying artifacts - -1. Place the - ` org.wso2.carbon.identity.oauth2.grant.jwt-1.0.5.jar ` - downloaded from - [store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22jwt%22) - in the - ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the JWT Grant Type (.jar) that is available - in your existing WSO2 Identity Server distribution, see [upgrade - instructions.](../../develop/upgrading-an-authenticator) - - -2. To register the JWT grant type, configure the - ` /repository/conf/identity/identity.xml ` - file by adding a new entry under the - ` ` element. Add a - unique identifier between the ` ` - tags as seen in the code block below. - - ``` xml - - urn:ietf:params:oauth:grant-type:jwt-bearer - org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler - org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator - - ``` - -3. To store ` AUTHZ_USER ` and - ` USER_DOMAIN ` values separately, add the - ` SplitAuthzUser3Way ` property to the OAuth - section of the - ` /repository/conf/identity/identity.xml ` - file as follows: - ` true ` - -4. Add the audience values to the JWT token (ID token) in the - ` /repository/conf/identity/identity.xml ` - file as follows - - ``` xml - - https://localhost:9443/oauth2/token - - ``` - -5. Restart the server. - -### Configure the JWT grant type - -1. Sign in to the WSO2 Identity Server. 
Enter your username and - password to log on to the [Management - Console](../../setup/getting-started-with-the-management-console) - . -2. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -3. Provide the following values to configure the IDP: - - **Identity Provider Name:** Enter a issuer name (this is used to - generate the JWT assertion) as the identity provider name. - - **Identity Provider Public Certificate :** The certificate used - to sign the JWT assertion. You can find more information about - adding certificate in [Configuring an Identity - Provider](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider) - . - - - **Alias** : Give the name of the alias if the Identity Provider - identifies this token endpoint by an alias (e.g., - ` https://localhost:9443/oauth2/token) ` - - See [Adding a new identity - provider](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider) - for more information. - - ![](attachments/50507537/50685934.png) -4. Navigate to the **Main** menu to access the **Identity** menu. Click - **Add** under **Service Providers**. -5. Fill in the **Service Provider Name** and provide a brief - **Description** of the service provider. See [Adding a Service - Provider](https://docs.wso2.com/display/IS500/Adding+a+Service+Provider) - for more information. -6. Expand the **OAuth/OpenID Connect Configuration** and click - **Configure**. -7. Enter a **Callback URL**. For example, use - ` http://localhost:8080/playground2/oauth2client ` - and click **Add**. -8. The **OAuth Client Key** and **OAuth Client Secret** will now be - visible. - ![](attachments/50507537/50685935.png) - -!!! note While configuring the JWT grant type, the IAT validating time - period can also be configured in the **identity.xml** file. - - IAT validity period is configured as 30 minutes by default. 
This can be - modified by changing the value in the **identity.xml** file in - **\/repository/conf** as shown below. - - ``` xml - - - true - - 30 - - ``` - - -### The flow - -The CURL commands below can be used to retrieve the access token and -refresh the token using a JWT. - -**Request** - -``` java -curl -i -X POST -u : -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token -``` - -The **-u** flag should specify the “ -` : ` ” value. The assertion -parameter value is the signed base64 encoded JWT. The value of the -assertion parameter **MUST** contain a **single JWT**. You can refer -[JWT Bearer Grant](#ConfiguringJWTGrantType-JWTBearerGrant) for more -information about assertion. - -If you have configured the service provider and identity provider in a -tenant, you have to add the tenant domain as a query parameter to the -access token endpoint. - -If the tenant domain is *wso2.com*, the access token endpoint will be -as follows. - -Access Token Endpoint: -https://localhost:9443/oauth2/token?tenantDomain=wso2.com - -**Sample request** - -``` java -curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -u bBhEoE2wIpU1zB8HA3GfvZz8xxAa:RKgXUC3pTRQg9xPpNwyuTPGtnSQa -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0NTgxNjY5ODUsInN1YiI6ImFkbWluIiwibmJmIjoxNDU4MTA2OTg1LCJhdWQiOlsiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwid3NvMi1JUyJdLCJpc3MiOiJqd3RJRFAiLCJqdGkiOiJUb2tlbjU2NzU2IiwiaWF0IjoxNDU4MTA2OTg1fQ.ZcxdoTVEsWoil80ne42QzmsfelMWyjRZJEjUK1c2vMZJjjtrZnsWExyCA5tN6iXYFAXC_7rkFuuNSgOlBi51MNLPZw3WcgGI52j6apGEW92V2tib9zRRWOeLQLAdo8ae8KzLp7kuKZ2XunfQ2WYU9TvvLDm_vp5ruuYz3ZZrJOc' https://localhost:9443/oauth2/token -``` - -You would have now received the response from the token endpoint. The -response would contain the access token, refresh token, expiry time and -token type . 
- -**Sample response** - -``` java -{"token_type":"Bearer","expires_in":3600,"refresh_token":"b1b4b78e2b0ef4956acb90f2e38a8833","access_token":"615ebcc943be052cf6dc27c6ec578816"}  -``` - - - -### JWT Bearer Grant - -JWT contains three parts that are separated by dots ".": header, -payload, and a signature. The header identifies which algorithm is used -to generate the signature. - -For example, see the following code block. - -**Sample header** - -``` groovy -{ - "alg":"RS256" -} -``` - -The payload contains the claims mentioned below: - -- ` iss ` (issuer) - The JWT must contain an - ` iss ` (issuer) claim that contains a unique - identifier that identifies the identity provider that issued the - JWT. -- ` sub ` (subject) - The JWT must contain a - ` sub ` (subject) claim that identifies the entity - that the identity provider or the entity that issued the JWT vouches - for. -- ` aud ` (audience) - The JWT must contain an - ` aud ` (audience) claim which containing a value - that identifies the authorization server as an intended audience. - This value should be registered as token endpoint alias in the - Identity Provider. -- ` exp ` (expiration time) - The JWT must contain an - ` exp ` (expiration) claim that limits the time - window during which the JWT can be used. -- ` nbf ` (not before) - The JWT may contain a - ` nbf ` (not before time) claim that forces a JWT - to be used only after a specified time. -- ` iat ` (issued at) - The JWT may contain an - ` iat ` (issued at) claim that identifies the time - at which the JWT was issued. -- ` jti ` (json web token Id) - The JWT may contain - ` jti ` (JWT ID) claim that provides a unique - identifier for the token. -- Other custom claims - JWT may contain claims other than the above - mentioned ones. This is the extension point of the JWT - specification. - -For example, see the following code block. 
- -**Sample payload** - -``` groovy -{ - "sub":"admin", - "aud":[ - "https://localhost:9443/oauth2/token" - ], - "nbf":1507546100, - "iss":"jwtIDP", - "exp":1507606100, - "iat":1507546100, - "jti":"Token56756" -} -``` - -The signature is calculated by base64 URL encoding the header and -payload and concatenating them with a period as a separator and signing -it: - -` Signature = sign(encodeBase64(header) + '.' + encodeBase64(payload)) ` - -The signature must then be base64 URL encoded. JWT assertion can be -generated by concatenating these three encoded values with a separator -dot ".". - -***assertion*** = ***encodeBase64(header) + '.' + encodeBase64(payload) -+ '.' + ***encodeBase64(s****** ***ignature)*** - -The result is as follows: - -**Sample assertion** - -``` java -eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iXSwibmJmIjoxNTA3NTQ2MTAwLCJpc3MiOiJqd3RJRFAiLCJleHAiOjE1MDc2MDYxMDAsImlhdCI6MTUwNzU0NjEwMCwianRpIjoiVG9rZW41Njc1NiJ9.iGMhjibB0W2QFQlM27gnHp6z47Eybv8cAHk2o2i-xqo2S4uJ_1VppFI4CCJXTj4qzV9vmkJ5HKNAayiTa6wOMXGL4XnwYwpOAoKXvboznlEDNRpw3htW34nLvyUu6PjHbdvAPVjh8kPRwf7esRr2p-luecGvC21mjWdhyGzM4hE -``` diff --git a/en/docs/develop/configuring-linkedin-authenticator.md b/en/docs/develop/configuring-linkedin-authenticator.md deleted file mode 100644 index 231e88392f..0000000000 --- a/en/docs/develop/configuring-linkedin-authenticator.md +++ /dev/null 
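Review bot: In the deleted configuring-jwt-grant-type.md hunk (`@@ -1,257 +0,0 @@`), the curl examples under "The flow" pass `-k` and embed what look like real client credentials (`-u bBhEoE2wIpU1zB8HA3GfvZz8xxAa:RKgXUC3pTRQg9xPpNwyuTPGtnSQa`) along with a signed assertion; if this text is being moved rather than dropped, the replacement should use obvious placeholders for the OAuth client key and secret and say that `-k` disables TLS certificate verification and is only appropriate against a local self-signed server. The copy also carries defects that should be fixed rather than reproduced: the `aud` bullet reads "claim which containing a value", the assertion formula is garbled as `***encodeBase64(s****** ***ignature)***`, the sample header, payload and response are fenced as `groovy` and `java` although they are JSON, and the XML snippets for the grant handler registration and the `SplitAuthzUser3Way` property have lost their element names. The security-relevant facts documented here (the IAT validity period defaults to 30 minutes, the `aud` value must match the token endpoint alias registered in the identity provider, and the assertion parameter MUST contain a single JWT) should survive on whatever page replaces this one.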
@@ -1,468 +0,0 @@ -# Configuring LinkedIn Authenticator - -This page provides instructions on how to configure the LinkedIn -authenticator and the WSO2 Identity Server using a sample app to -demonstrate authentication.You can find more information in the -following sections. - -This is tested for the LinkedIn API version 1.0. LinkedIn Authenticator - is supported by Identity Server 5.1.0 upwards. - -- [Step 1 - Configure the LinkedIn - App](#ConfiguringLinkedInAuthenticator-Step1-ConfiguretheLinkedInApp) -- [Step 2 - Deploy the travelocity.com sample - app](#ConfiguringLinkedInAuthenticator-Step2-Deploythetravelocity.comsampleapp) -- [Step 3 - Configure the identity provider - (IdP)](#ConfiguringLinkedInAuthenticator-Step3-Configuretheidentityprovider(IdP)) -- [Step 4 - Configure the service - provider](#ConfiguringLinkedInAuthenticator-Step4-Configuretheserviceprovider) -- [Step 5 - Configure - claims](#ConfiguringLinkedInAuthenticator-Step5-Configureclaims) -- [Step 6 - Configure requested claims for - travelocity.com](#ConfiguringLinkedInAuthenticator-Step6-Configurerequestedclaimsfortravelocity.com) -- [Step 7 - Test the - sample](#ConfiguringLinkedInAuthenticator-Step7-Testthesample) - -### Step 1 - Configure the LinkedIn App - -1. Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the .jar file ( - ` org.wso2.carbon.extension.identity.authenticator.linkedin.connector-1.x.x ` - ) from the [WSO2 - Store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22LinkedIn%22) - . Next restart the WSO2 IS server. - - !!! note - - If you want to upgrade the LinkedIn (.jar) in your existing IS pack, - please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -2. Create a new app as described in the [LinkedIn Services - documentation](https://developer.linkedin.com/docs/oauth2). - 1. Navigate to the following URL: - - 2. 
Enter the required details. - - Enter your company details. - - Upload an image that you wish to use at the company logo. - - Select the checkbox to agree to the LinkedIn terms and - conditions. - 3. Click **Submit**. You will redirect to a page with **Client - ID** and **Client Secret** as shown in point 5. - ![](attachments/50507126/76748920.png) -3. Enter the Authorized Redirect URL in the following format and click - **Add**. ** - ** - ` https://{hostname}:{port}/commonauth ` - The default redirect URL in WSO2 Identity Server is - - -4. Click **Update**. - You have now finished configuring LinkedIn. Copy the **Client ID** - and **Client Secret** from the resulting page. - ![](attachments/50507126/50685689.png) - -### Step 2 - Deploy the travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. - -To configure this, see [deploying travelocity.com sample -app](Deploying-the-Sample-App). - -### Step 3 - Configure the identity provider (IdP) - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS530/Running+the+Product). -2. Log in to the [Management - Console](../../setup/getting-started-with-the-management-console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. Enter a suitable name as the **Identity Provider Name** (e.g., - LinkedIn). - As our resident Identity Provider is WSO2 IS, the Alias will appear - as follows - https://(host-name):(port)/oauth2/token -5. **Optionally**, you can add the LinkedIn public certificate by - uploading it. 
** - ** You can do this by clicking the **Browse** button next to the - **Identity Provider Public Certificate** field, and uploading the - file from your local directory. Some browsers let us download the - public certificate. If not you can skip this step. - - !!! note - - In cryptography, a **public** **key** **certificate**, also known - as a **digital** **certificate** or **identity** **certificate**, - is an electronic document used to prove the ownership of a - **public** **key**. - - -6. Navigate to the **LinkedIn Authenticator** **Configurations** under - ****Federated Authenticators. - **** - - - [**IS 5.3.0**](#38b513b8fa1d430fbaf06fbd5d393554) - - [**IS 5.1.0/IS 5.2.0**](#8fe59de24be84e3abc17d57cbe85c877) - - ![](attachments/50507126/76748968.png) - - ![](attachments/50507126/57737954.png) - -7. Enter the IdP related details as follows: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample Value
EnableSelecting this option enables LinkedIn to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that LinkedIn is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Client IdThis is a unique public identifier for apps which is usually given as a 32-character hex string. Enter the client ID of the app that you created in LinkedIn.81b05d91toz66e
Client SecretThis is a secret known only to the application and the authorization server. Enter the client ID of the app that you created in LinkedIn.otYR21HMW1PchfwZ
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format:
- https://(host-name):(port)/commonauth
https://localhost:9443/commonauth
- -8. Click **Register**. - -You have now added the identity provider. - -### Step 4 - Configure the service provider - -The next step is to configure the service provider based on the WSO2 -Identity Server version that you are working on. - -- [Configuring a service provider with IS 5.3.0 - upwards](#ConfiguringLinkedInAuthenticator-ConfiguringaserviceproviderwithIS5.3.0upwards) -- [Configuring a service provider with IS 5.1.0 or IS - 5.2.0](#ConfiguringLinkedInAuthenticator-ConfiguringaserviceproviderwithIS5.1.0orIS5.2.0) - -#### Configuring a service provider with IS 5.3.0 upwards - -Return to the management console. - -In the **Service Providers** section under the **Main** tab, click -**Add**. - -As you are using travelocity as the sample, enter -[travelocity.com](http://travelocity.com) in the **Service Provider -Name** text box and click **Register**. - -In the **Inbound Authentication Configuration** section, click **SAML2 -Web SSO** **Configuration**, and then click **Configure**. - -Add the service provider details as follows: - -**Select Mode** : Manual Configuration -For more information on the SAML2 Web Single-Sign-On Configuration -methods, see [Configuring SAML2 Web -Single-Sign-On](https://docs.wso2.com/display/IS530/Configuring+SAML2+Web+Single-Sign-On) -in the WSO2 IS 5.3.0 guide. - -**Issuer** : [travelocity.com](http://travelocity.com) - -**Assertion Consumer URL** : Enter - and click **Add**. - -Select the following check-boxes: - -- **Enable Response Signing**. -- **Enable Single Logout**. -- **Enable Attribute Profile**. -- **Include Attributes in the Response Always**. - -![](attachments/50507126/76748957.png) - -Click **Register** to save the changes. Now you will be sent back to the -**Service Providers** page. - -Go to the **Local and Outbound Authentication Configuration** section. - -Configure the Local and Outbound Authentication for LinkedIn. 
-For more information, see [Configuring Local and Outbound Authentication -for a Service -Provider](../../learn/configuring-local-and-outbound-authentication-for-a-service-provider) -in the WSO2 IS 5.3.0 guide. - -1. Click on the **Federated Authentication** radio button. -2. Select the identity provider you created from the drop-down list - under **Federated Authentication**. -3. Select the following options: - - Use tenant domain in local subject identifier. - - - Use user store domain in local subject identifier. - -Click **Update** to save the changes. -![](attachments/50507126/76748972.png) - -#### Configuring a service provider with IS 5.1.0 or IS 5.2.0 - -1. Return to the management console. -2. In the **Service Providers** section under the **Main** tab, click - **Add**. -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - ![](https://lh6.googleusercontent.com/qsYmfJRbhzqeKB_WHare-nLYmSL3DItCUqx3627JsK8aF0AibTUNO-s4DyG5Zx_bp0wfH_10Ap6dJ2ngKNYBtlgOCHZBSoKqhNbVac0DEWZ49C4Gpej3mzFoQpP2Z6XFP6iYkUCf) -5. Now set the configuration as follows: - - **Issuer** : travelocity.com - - **Assertion Consumer URL** : - http://localhost:8080/travelocity.com/home.jsp -6. Select the following check-boxes: - - **Enable Response Signing**. - - **Enable Single Logout**. - - **Enable Attribute Profile**. - - **Include Attributes in the Response Always**. -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -8. Go to the **Local and Outbound Authentication Configuration** - section. -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - ![](attachments/50507126/50685694.png) -10. 
Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -### Step 5 - Configure claims - -Add a new claim mapping for various user attributes related to LinkedIn -based on the WSO2 Identity Server version that you are working on. - -- [Configuring claims with IS 5.3.0 - upwards](#ConfiguringLinkedInAuthenticator-ConfiguringclaimswithIS5.3.0upwards) -- [Configuring claims with IS 5.1.0 or IS - 5.2.0](#ConfiguringLinkedInAuthenticator-ConfiguringclaimswithIS5.1.0orIS5.2.0) - -#### Configuring claims with IS 5.3.0 upwards - -For more information, see [Adding Claim -Mapping](../../using-the-identity-server/adding-claim-mapping) in -WSO2 IS guide. - -1. Sign in to the [Management - Console](../../setup/getting-started-with-the-management-console) - by entering your username and password. -2. In the **Main** menu, click **Add** under **Claims**. -3. Click **Add Claim Dialect** to create the LinkedIn authenticator - specific claim dialect. -4. Specify the Dialect URI as follows: - ` http://wso2.org/linkedin/claims ` -5. Click **Add** to create the claim dialect. - ![](attachments/50507126/76748975.png) -6. Map a new external claim to an existing local claim dialect. - You need to map at least one claim under this new dialect. - Therefore, let's map the claim for last name. - 1. In the **Main** menu, click **Add** under **Claims**. - 2. Click **Add External Claim** to add a new claim to the LinkedIn - claim dialect. - 3. Select the Dialect URI as - http://wso2.org/linkedin/claims - 4. Enter the External Claim URI based on the following claim - mapping information. - 5. Select the Mapped Local Claim based on the following claim - mapping information. 
- Claim mapping for last name ** - ** - - | | | - |--------------------|------------------------------------------| - | Dialect URI | http://wso2.org/linkedin/claims | - | External Claim URI | http://wso2.org/linkedin/claims/lastName | - | Mapped Local Claim | http://wso2.org/claims/lastname | - - 6. Click **Add** to add the new external claim. - ![](attachments/50507126/76748979.png) - -7. Similarly, you can create claims for all the public information of - the LinkedIn user by repeating step 6 with the following claim - mapping information. - - - Claim mapping for first name - - | | | - |--------------------|-------------------------------------------| - | Dialect URI | http://wso2.org/linkedin/claims | - | External Claim URI | http://wso2.org/linkedin/claims/firstName | - | Mapped Local Claim | http://wso2.org/claims/givenname | - - - Claim mapping for email - - | | | - |--------------------|----------------------------------------------| - | Dialect URI | http://wso2.org/linkedin/claims | - | External Claim URI | http://wso2.org/linkedin/claims/emailAddress | - | Mapped Local Claim | http://wso2.org/claims/emailaddress | - - - Claim mapping for industry - - | | | - |--------------------|------------------------------------------| - | Dialect URI | http://wso2.org/linkedin/claims | - | External Claim URI | http://wso2.org/linkedin/claims/industry | - | Mapped Local Claim | http://wso2.org/claims/organization | - - - Claim mapping for headline - - | | | - |--------------------|------------------------------------------| - | Dialect URI | http://wso2.org/linkedin/claims | - | External Claim URI | http://wso2.org/linkedin/claims/headline | - | Mapped Local Claim | http://wso2.org/claims/title | - -8. Click **Update**. - -#### Configuring claims with IS 5.1.0 or IS 5.2.0 - -1. Sign into the [Management - Console](../../setup/getting-started-with-the-management-console) - by entering your username and password. -2. 
In the **Main** menu, click **Add** under **Claims**. -3. Click **Add New Claim Dialect** to create the Linkedin authenticator - specific claim dialect. - - Use the Dialect Uri as follows: - ` http://wso2.org/linkedin/claims ` - ![](attachments/50507126/76748975.png) - -4. Click [Add New - Claim](../../using-the-identity-server/adding-claim-mapping). -5. Select the **Dialect** from the dropdown provided and enter the - required information. You must add the following claims under the - dialect - - | | | - |:---------------------|:-----------------------------------------| - | Display Name | LastName | - | Description | Claim to the last name | - | Mapped Attribute | sn | - | Claim URL | http://wso2.org/linkedin/claims/lastName | - | Supported by Default | selected | - - | | | - |:---------------------|:------------------------------------------| - | Display Name | First Name | - | Description | Claim to the first name | - | Mapped Attribute | givenName | - | Claim URL | http://wso2.org/linkedin/claims/firstName | - | Supported by Default | selected | - - | | | - |:---------------------|:---------------------------------------------| - | Display Name | Email Address | - | Description | Claim to email address | - | Mapped Attribute | mail | - | Claim URL | http://wso2.org/linkedin/claims/emailAddress | - | Supported by Default | selected | - - | | | - |:---------------------|:-----------------------------------------| - | Display Name | Industry | - | Description | Claim to industry | - | Mapped Attribute | organizationName | - | Claim URL | http://wso2.org/linkedin/claims/industry | - | Supported by Default | selected | - - | | | - |:---------------------|:-----------------------------------------| - | Display Name | Headline | - | Description | Claim to the headline of the user | - | Mapped Attribute | title | - | Claim URL | http://wso2.org/linkedin/claims/headline | - | Supported by Default | selected | - - Likewise, you can create the claims for all the public 
information - of the LinkedIn user. - - ![](attachments/50507126/57749001.png){height="250"} - -### Step 6 - Configure requested claims for travelocity.com - -1. In the **Identity** section under the **Main** tab, click **List** - under **Service Providers**. -2. Click **Edit** to edit the travelocity.com service provider. -3. Go to **Claim Configuration**. -4. Click on **Add Claim URI** under **Requested Claims** to add the - requested claims as follows. - - - [**IS 5.3.0**](#b3c29b8e4ab64260b995c28bfd899aa5) - - [**IS 5.1.0/IS 5.2.0**](#5847f6ea9d364048b1c32d5bd5a147d0) - - Select the Mandatory Claim checkbox for all the claim URIs that you - added. - - ![](attachments/50507126/76748980.png) - - You should add the claims you mapped in the Identity Provider claim - configuration and select the Claim URI. - - ![](attachments/50507126/57749003.png) - -5. Select the Subject Claim URI as - to define the authenticated - user identifier that will return with the authentication response to - the service provider. - -6. Click **Update** to save your service provider changes. - -### Step 7 - Test the sample - -1. To test the sample, go to the following URL: - ` http://:/ travelocity.com/index.jsp ` - E.g., -2. Click the link to log in with SAML from WSO2 Identity Server. You - can use either the Rediect Biniding or the Post Binding option. - ![](attachments/50507126/76748991.png) -3. You are redirected to the LinkedIn sign in page. Enter your LinkedIn - credentials. - ![](attachments/50507126/57749004.png) -4. Authenticate the user by clicking **Allow access**. - You are taken to the home page of the travelocity.com app - ![](attachments/50507126/57749005.png) - -30 - -850 - -516 - -517 - -963 - -1524 - -1778 - -1782 diff --git a/en/docs/develop/configuring-mailchimp-authenticator.md b/en/docs/develop/configuring-mailchimp-authenticator.md deleted file mode 100644 index a2e782320d..0000000000 --- a/en/docs/develop/configuring-mailchimp-authenticator.md +++ /dev/null 
@@ -1,244 +0,0 @@ -# Configuring MailChimp Authenticator - -This page provides instructions on how to configure the MailChimp -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -This is tested with the mailChimp API version 2.0. MailChimp -Authenticator is supported by Identity Server 5.1.0 upwards. - -- [Deploying MailChimp - artifacts](#ConfiguringMailChimpAuthenticator-DeployingMailChimpartifactsDeployingMailChimpartifacts) -- [Configuring the MailChimp - App](#ConfiguringMailChimpAuthenticator-ConfiguringtheMailChimpAppConfiguringtheMailChimpApp) -- [Deploying travelocity.com sample - app](#ConfiguringMailChimpAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringMailChimpAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringMailChimpAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringMailChimpAuthenticator-TestingthesampleTestingthesample) - -### Deploying MailChimp artifacts - -- Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the mailchimpAuthenticator jar file from - [wso2 - store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22MailChimp%22) - . - - !!! note - - If you want to upgrade the MailChimp Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - - Need to do this configuration - - If you are using WSO2 Identity Server 5.5.0, be sure to disable - consent management for single-sign-on (SSO) authentication. 
To - disable consent management for SSO authentication, go to the - ` /repository/conf/identity/identity.xml ` - file, and set the - ` EnableSSOConsentManagement ` parameter to - ` false ` . - - ``` java - - - false - - ``` - - If you do not disable consent management for SSO authentication, you - will get an error when you try to configure the authenticator with - WSO2 Identity Server 5.5.0. - -### Configuring the MailChimp App - -1. Navigate to to create account - for MailChimp. You receive an email to confirm your account and you - must provide your details before you get started. -2. Navigate to and log in using the - credentials you used to create the account. -3. Once you have logged in, navigate to your profile and click the - **Extras** tab. -4. Click the **Registered Apps** tab next. This is done so that you can - register an App. -5. Use h ` ttps://localhost:9443/commonauth ` - as redirect URL when you register the client. Here you can use - 127.0.0.1 instead of localhost. - ![](attachments/49092781/49226960.png) -6. From the app dashboard you can get clientId and clientSecret for - your created app. - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provide](https://docs.wso2.com/identity-server/Configuring+an+Identity+Provider) -r and [service -provider](https://docs.wso2.com/identity-server/Configuring+a+Service+Provider) -. - -Need to do this configuration - -Change the **SAML2.IdPURL** to -` https://127.0.0.1:9443/samlsso ` -instead of ` https://localhost:9443/samlsso ` in -` /webapps/travelocity.com/WEB-INF/classes/travelocity.properties ` - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/identity-server/Configuring+an+Identity+Provider) -. - -1. 
Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). -2. Run the [WSO2 Identity - Server](https://docs.wso2.com/identity-server/Running+the+Product). -3. Log in to the [management - console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) - as an administrator. -4. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -5. Give a suitable name for **Identity Provider Name**. - ![](attachments/49092781/56994052.png) -6. Navigate to **MailChimp Configuration** under **Federated - Authenticators**. - -7. Enter the values as given in the above figure. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionValue
EnableSelecting this option enables MailChimp to be used as an authenticator for users provisioned to WSO2 Identity Server.Selected
DefaultSelecting the Default checkbox signifies that MailChimp is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Client IdClient Id of your app.
-
Client SecretClient Secret of your app.
-
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs.
-
userInfoEndpoint
-

The endpoint to get the user information for MailChimp It should have this format: https://.api.mailchimp.com/2.0/users/profile.

-
-

How to get mailChimpInstanceValue

-

The URL after sign up will be similiar to the following URL: https://us12.admin.mailchimp.com/account/.

-

In the example URL, us12 is the mailChimpInstanceValue . Replace the <mailChimpInstanceValue> tag with the instance value you receive. The userInfoEndpoint for the example URL is https://us12.api.mailchimp.com/2.0/users/profile.

- -
-

-
- -8. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - http://localhost:8080/travelocity.com/home.jsp - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. - ![](attachments/49092781/103332418.png){height="400"} - -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Navigate to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., - -2. Click “Login with SAML” to log in with SAML from the WSO2 Identity - Server. - - ![](attachments/49092781/51251955.png) - -3. Enter your MailChimp credentials in the prompted login page of - MailChimp. - ![](attachments/49092781/49226963.png) - -4. Once you login successfully you will be taken to the home page of - the travelocity.com app. - ![](attachments/49092781/51251954.png) 
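Review bot: the deleted `configuring-mailchimp-authenticator.md` carried two points that should not be lost when the replacement page is written. First, the "Deploying MailChimp artifacts" section tells IS 5.5.0 users to set `EnableSSOConsentManagement` to `false` in `identity.xml`; that is a server-level setting which disables consent management for SSO authentication as a whole, not only for this authenticator, so the replacement page should state the scope of that workaround rather than present it as a routine step. Second, the identity-provider table gives the Callback URL format as `https://(host-name):(port)/acs`, while the MailChimp app registration step uses `https://localhost:9443/commonauth` as the redirect URL; the two values have to agree for the OAuth redirect to be accepted, so the new page should use one consistent value. Minor: the `identity.xml` snippet is fenced as `java` although its content is XML.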
diff --git a/en/docs/develop/configuring-mepin-authenticator.md b/en/docs/develop/configuring-mepin-authenticator.md deleted file mode 100644 index a8e4b4121f..0000000000 --- a/en/docs/develop/configuring-mepin-authenticator.md +++ /dev/null 
@@ -1,405 +0,0 @@ -# Configuring MePIN Authenticator - -This topic provides instructions on how to configure the MePIN app and -the Identity Server to integrate using a sample app. - -This is tested for the MePIN API version 3.0. - -See the following sections for more information. - -- [Configuring the MePIN - app](#ConfiguringMePINAuthenticator-ConfiguringtheMePINapp) -- [Deploying travelocity.com sample - app](#ConfiguringMePINAuthenticator-Deployingtravelocity.comsampleapp) -- [Deploying MePIN - artifacts](#ConfiguringMePINAuthenticator-DeployingMePINartifacts) -- [Configuring the identity - provider](#ConfiguringMePINAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringMePINAuthenticator-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringMePINAuthenticator-Testingthesample) - -### Configuring the MePIN app - -1. Install - [Android](https://play.google.com/store/apps/details?id=com.mepin.android3) - or [IOS](https://itunes.apple.com/app/id1062845220) application on - your mobile device. -2. Log in to [MePIN developer - portal](https://developer.mepin.com/welcome) using your app. -3. Get your application identifier and credentials. - - 1. Edit your organization. - 2. Create an application by providing the app name and domain name - and get the appId / clientId. - 3. Create credentials (username and password). - -4. Contact MePin support to activate the application identifier. - -### Deploying MePIN artifacts - -1. Place the mepinauthenticationendpoint.war file into the - ` /repository/deployment/server/webapps ` - directory. -2. Place the org.wso2.carbon.identity.authenticator.mepin-2.0.0.jar - file into the - ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the MePIN Authenticator in your existing IS - pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -3. 
Add the following configurations in the - ` /repository/conf/identity/application-authentication.xml ` - file under the ` ` - section. - - ``` xml - - https://localhost:9443/mepinauthenticationendpoint/mepin.jsp - https://localhost:9443/mepinauthenticationendpoint/mepinError.jsp - false - true - association - primary - - ``` - - The following table includes the definition of the parameters and - the various values you can configure. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ValueDescription
MepinAuthenticationEndpointURL
The mepin page which shows in the flows such as link with mepin and login with mepin.
MepinAuthenticationEndpointErrorPage
The mepin error page will be shown if there is issue in the authentication flow.
MepinEnableByUserClaim
This field makes it possible to disable the 'Mepin disabling by user' functionality. The value can be true or false . If the value is true , user can enable and disable the Mepin according to admin selection ( MepinMandatory parameter value).
MepinMandatory
If the value is true , the second step will be enabled by the admin. The user cannot be authenticated without Mepin authentication. This parameter is used for both super tenant and tenant in the configuration. The value can be true or false.
usecase This field can take one of the following values: local , association , userAttribute , subjectUri . If you do not specify any usecase , the default value is local . See below for more details.
secondaryUserstore

The user store configuration is maintained per tenant as comma separated values. For example, <Parameter name="secondaryUserstore">jdbc, abc, xyz</Parameter>.
-

- - An admin can change the priority of the Mepin authenticator by - changing the ` MepinMandatory ` value ( - ` true ` or ` false ` ). - - - If Admin specify that Mepin is mandatory ( - ` true ` - , then you must enable Mepin in the user’s profile by adding - claim value true in order to authenticate the user. If this is - not done, the Mepin error page appears. - - If Admin specify that Mepin is optional ( - ` false ` - and you enable Mepin in the user's profile, then the - authenticator will allow the user to login with Mepin - authentication as a second step (multi-step authentication). If - Admin specify that Mepin is optional and you do not enable Mepin - in the user's profile, the Mepin authenticator will proceed to - log the user in as the first step (basic authentication). - - The first step may be local authenticator (basic) or a federated - authenticator (e.g., Facebook, Twitter, etc.). In federated - authenticator support in first step, the following parameters are - used according to the scenario. - - association - jdbc - - usecase value can be local, association, userAttribute or subjectUri. - - - - - - - - - - - - - - - - - - - - -
local

This is based on the federated username. This is the default. You must set the federated username in the local userstore. Basically, the federated username must be the same as the local username.

association

The federated username must be associated with the local account in advance in the Dashboard. So the local username is retrieved from the association. To associate the user, log into the end user dashboard and go to Associated Account by clicking View details .

userAttribute
-

The name of the  federated authenticator's user attribute. That is, the local user name which is contained in a federated user's attribute. When using this, add the following parameter under the <AuthenticatorConfig name="MePINAuthenticator" enabled="true"> section in the <IS_HOME>/repository/conf/identity/application-authentication.xml file and put the value (e.g., email, screen_name, id, etc.).

- -

If you use, OpenID Connect supported authenticators such as LinkedIn, Foursquare, etc., or in the case of multiple social login options as the first step and Mepin as second step, you need to add similar configuration for the specific authenticator in the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the < AuthenticatorConfigs > section as follows (the following shows the configuration for Foursquare,LinkedIn and Facebook authenticator respectively).

-

Inside the AuthenticatorConfig (i.e., Foursquare), add the specific userAttribute with a prefix of the (current step) authenticator name (i.e., MePINAuthenticator-userAttribute).

- - - -

Likewise, you can add the AuthenticatorConfig for Amazon,Google,Twitter and Instagram with relevant values.

-
subjectUri

When configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the Mepin authenticator.

- - If you use the secondary userstore, enter all the userstore values - for the particular tenant as comma separated values. - - The user store configuration is maintained per tenant: - - - If you use a **super tenant,** put all the parameter values into - the - ` /repository/conf/identity/application-authentication.xml ` - file under the ` AuthenticatorConfigs ` - section. - - - - - If you use a **tenant**, upload the same XML file ( - ` application-authentication.xml ` ) - into a specific registry location ( - ` /_system/governance/MePINAuthenticator) ` - . Create the collection named ` Mepin ` - , add the resource and upload the - ` application-authentication.xml ` file - into the registry). While doing the authentication, first it - checks whether there is an XML file uploaded to the registry. If - that is so, it reads it from the registry but does not take the - local file. If there is no file in the registry, then it only - takes the property values from the local file. This is how the - userstore configuration is maintained per tenant. You can use - the registry or local file to get the property values. - - 4. Add the user claim - [http://wso2.org/claims/identity/mepin](http://wso2.org/claims/identity/mepinid) - [id](http://wso2.org/claims/identity/mepinid) [. This is a mandatory - claim in Mepin authentication. The claim configuration shows under - **Configuring User Claim** - section.](http://wso2.org/claims/identity/mepinid) - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](http://docs.wso2.com/identity-server/Configuring%2520an%2520Identity%2520Provider) -and [service -provider](http://docs.wso2.com/identity-server/Working+with+the+Service+Provider) -. 
- -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](http://docs.wso2.com/identity-server/Configuring%2520an%2520Identity%2520Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](http://docs.wso2.com/identity-server/Running%2520the%2520Product) - . -2. Log in to the [management - console](http://docs.wso2.com/identity-server/Getting%20Started%20with%20the%20Management%20Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. Give a suitable name as the **Identity Provider Name**. - - ![](attachments/48283197/49222048.png) -5. Go to MePIN Configuration under Federated Authenticators . - -6. Enter the values as given in the above figure. - - - **Username** : The username that you have generated from MePIN - Developer Portal. - - **Password** : The password that you have generated from MePIN - Developer Portal. - - **Application Id** : The application id that you have received - from MePIN Developer Portal. - - **Callback URL** : Service Provider's URL where the transaction - status callback is sent when the user has reacted to the push - notification. - - **Client Id** : The Service Provider's pre-configured - application-specific identifier. - - **Confirmation Policy** : The method required from the end user - to confirm the transaction (e.g., tap, pin, swipe, fp). - - **Expiry Time** : Expiry time in seconds. - - **Header** : Header message to be displayed by the MePIN Device - App. - - **Message** : Message to be displayed once the App is launched. - - **Short Message** : Short message to display for push - notifications. - -7. Select both checkboxes to **Enable** MePIN Authenticator and make it - the **Default**. - -8. Click **Register**. - -You have now added the identity provider. 
- -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the Service Providers section under the Main tab, click Add. - -3. Since you are using travelocity as the sample, enter travelocity.com - in the Service Provider Name text box and click Register . - -4. In the Inbound Authentication Configuration section, click Configure - under the SAML2 Web SSO Configuration section. - ![](attachments/48283197/48220892.png) - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. - - ![](attachments/48283197/49222047.png) - -7. Click **Update** to save the changes. Now you will be sent back to - the Service Providers page. - -8. Go to **Local and Outbound Authentication Configuration** section. - -9. Select the **Advanced** configuration radio button option. - -10. Using the available drop-down list, add the **basic** authentication - as the first step and MePIN authentication as the second step and - click **Update** to save the changes. - ![](attachments/48283197/48221108.png) - -You have now added and configured the service provider. - -### Configuring User Claim - -1. On the **Main** tab in the Management Console, click **List** under - **Users and Roles**. -2. Click **Users**. This link is only visible to users with the Admin - role. -3. From the list of users that appear in the resulting page, identify - the user whose attributes you want to modify and click **User - Profile**. -4. In the **Main** menu, click **Add** under **Claims**. -5. Click [Add New - Claim](http://docs.wso2.com/identity-server/Adding+Claim+Mapping). -6. Select the **Dialect** from the drop down provided and enter the - required information. -7. 
Add the user claim as - following under ' http://wso2.org/claims' . This claim is mandatory - for mepin authentication. - ![](attachments/48283197/61053762.png) -8. Add the user claim - [http://wso2.org/claims/identity/mepin\_disabled](http://wso2.org/claims/identity/emailotp_disabled) - as following under ' http://wso2.org/claims' . - - ![](attachments/48283197/61053763.png) - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/ travelocity.com/index.jsp ` - E.g: [http://localhost:8080/travelocity.com - ](http://localhost:8080/travelocity.com) - -2. Click the link to log in with SAML from WSO2 Identity Server. - - ![](attachments/48283197/48220894.png) - -3. The basic authentication page appears. Use your username and - password to log in. - ![](attachments/48283197/57007838.png) -4. I f you are enrolling for the first time, then you are directed to - MePIN authentication page as shown below. - ![](attachments/48283197/57007836.png) -5. Once you hit the Link MePIN button, you will be shown a MePIN login - dialogue. Enter there your app’s nickname and get a random access - code. Enter or scan the given access code to your app and finally - confirm the linking. - ![](attachments/48283197/57007837.png) -6. If the linking succeeds, you will be taken to the home page of the - travelocity.com app. After that, your MePIN app has been linked to - the service and can be used for secure login. - ![](attachments/48283197/57007839.png) -7. If you are already linked, you will be directed to MePIN - authentication page like below. You need to click "Login with - MePIN". - ![](attachments/48283197/57007840.png) -8. Once you confirmed the login through your app, you will be taken to - the home page of the travelocity.com app. 
- - For the confirmation policy - swipe you will be prompted to - confirm as follows - ![](attachments/48283197/48220946.png) - - For the confirmation policy - tap you will be prompted to - confirm as follows - ![](attachments/48283197/51252037.png) - -- - For the confirmation policy - pin you will be prompted to - confirm as follows - ![](attachments/48283197/51252038.png) - - For the confirmation policy - fingerprint you will be prompted - to confirm as follows - ![](attachments/48283197/51252039.png) - - diff --git a/en/docs/develop/configuring-mobile-connect-as-a-federated-authenticator.md b/en/docs/develop/configuring-mobile-connect-authenticator.md similarity index 68% rename from en/docs/develop/configuring-mobile-connect-as-a-federated-authenticator.md rename to en/docs/develop/configuring-mobile-connect-authenticator.md index b9e8afd3d1..71aeb46fe1 100644 --- a/en/docs/develop/configuring-mobile-connect-as-a-federated-authenticator.md +++ b/en/docs/develop/configuring-mobile-connect-authenticator.md 
@@ -4,47 +4,33 @@ This topic provides instructions on how to configure the Mobile Connect as a federated authenticator with WSO2 Identity Server. This scenario is illustrated using a sample application. -Before you begin +!!! info "Before you begin" -Look through the following prior to configuring the Mobile Connect -authenticator. + Look through the following prior to configuring the Mobile Connect + authenticator. -- For a high-level overview of Mobile Connect and its use cases with - WSO2 Identity Server, see [Mobile Connect - Authenticator](Mobile-Connect-Authenticator). -- Download the WSO2 Identity Server from [the WSO2 Identity Server - product page](http://wso2.com/products/identity-server/) and extract - the .zip file. That folder is referred to as - ` ` in this topic. + - For a high-level overview of Mobile Connect and its use cases with + WSO2 Identity Server, see [Mobile Connect + Authenticator](../../develop/mobile-connect-authenticator). + - Download the WSO2 Identity Server from [the WSO2 Identity Server + product page](http://wso2.com/products/identity-server/) and extract + the .zip file. That folder is referred to as + ` ` in this topic. -- Ensure that you have Apache Maven installed if you want to build - this authenticator from the source. -- You can also follow the [webinar conducted on this - topic](http://wso2.com/library/webinars/2016/11/securing-access-to-saas-apps-with-gsma-mobile-connect/) - . + - Ensure that you have Apache Maven installed if you want to build + this authenticator from the source. + - You can also follow the [webinar conducted on this + topic](http://wso2.com/library/webinars/2016/11/securing-access-to-saas-apps-with-gsma-mobile-connect/). The following are the various sections available in this topic. 
-- [Deploying the Mobile Connect - authenticator](#ConfiguringMobileConnectasaFederatedAuthenticator-DeployingtheMobileConnectauthenticator) -- [Configuring Mobile - Connect](#ConfiguringMobileConnectasaFederatedAuthenticator-ConfiguringMobileConnect) -- [Deploying the sample - application](#ConfiguringMobileConnectasaFederatedAuthenticator-Deployingthesampleapplication) -- [Configuring the Identity - Server](#ConfiguringMobileConnectasaFederatedAuthenticator-ConfiguringtheIdentityServer) -- [Testing the federated authentication - flow](#ConfiguringMobileConnectasaFederatedAuthenticator-Testingthefederatedauthenticationflow) -- [Configuring the Identity Server as multi-step - authenticator](#ConfiguringMobileConnectasaFederatedAuthenticator-ConfiguringtheIdentityServerasmulti-stepauthenticator) - Let's get started. ### Deploying the Mobile Connect authenticator There are two ways to deploy the Mobile Connect authenticator. -**[Download it from the store](#c9526bdfdc9e45a8b01dd92fca2f8024)** +**Download it from the store** 1. The authenticator and the artifacts associated with it can be downloaded from the [WSO2 connector and authenticator @@ -63,7 +49,7 @@ There are two ways to deploy the Mobile Connect authenticator. ` other_artifacats.zip ` archive downloaded from the store. -**[Build it from the source](#bddc5958075d4b04bb3daf15d400d58a)** +**Build it from the source** 1. Download or clone the code from github using the link: 
@@ -106,34 +92,33 @@ Mobile Connect and use it to integrate with the WSO2 Identity Server. Now that this is configured, you can log in using your mobile phone. 3. Once you log in, click **My Apps** from the left menu and click **Add Application**. - ![](attachments/72423834/72426246.png){height="250"} + ![](../../assets/img/72423834/72426246.png) 4. Fill in the required information to create an application and click **Create**. - ![](attachments/72423834/72426475.png){height="250"} + ![](../../assets/img/72423834/72426475.png) Fill in the following details. - **Name** : Travelocity (any name you prefer) - **URL** : localhost:8080/travelocity.com/index.jsp (any URL that describes your application) - - **Description** : Any description that provides information + - **Description** : Any description that provides infor mation about the application - **Redirect URI** : https://localhost:9443/commonauth 5. Click **My Operators** and click **Accept Terms and Conditions for all operators**. - ![](attachments/72423834/72427944.png) + ![](../../assets/img/72423834/72427944.png) 6. Go to **My Account** and click **My Test Numbers**. Add the test numbers and sandbox operators and click **Update**. - ![](attachments/72423834/72427946.png) + ![](../../assets/img/72423834/72427946.png) ### Deploying the sample application Checkout the travelocity code and build the app as mentioned -[here](https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On#ConfiguringSingleSign-On-ConfiguringtheSSOwebapplication){.markup--anchor -.markup--p-anchor} or download travelocity.com.war file from +[here](../../learn/configuring-single-sign-on#configuring-the-sso-web-application) or download travelocity.com.war file from [here](https://drive.google.com/file/d/0B3vvUbeVZ38wVDRQQ2V2YU05dEE/view?usp=sharing) . 
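Review bot: the `+` line for the **Description** bullet in this hunk introduces a typo, "infor mation" in place of the removed line's "information"; restore the word. In the same hunk the build link now points at the in-repo SSO page, but the alternative of downloading `travelocity.com.war` from the Google Drive link is kept as a context line; a pre-built deployable fetched from a personal file share with no checksum is not something a security product's documentation should offer, so either drop that option or point at a project-controlled location that publishes a hash. Minor: the image rewrites drop the `{height="250"}` attribute on two screenshots; confirm the new site does not rely on it.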
@@ -149,17 +134,6 @@ Use the following steps to deploy the web app in the web container: The configurations to be done in the WSO2 Identity Server involve configuring different functionality. These are listed as follows. -- [Configuring Mobile Connect authenticator - parameters](#ConfiguringMobileConnectasaFederatedAuthenticator-ConfiguringMobileConnectauthenticatorparameters) -- [Configuring the identity - provider](#ConfiguringMobileConnectasaFederatedAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringMobileConnectasaFederatedAuthenticator-Configuringtheserviceprovider) -- [Testing the on-net - flow](#ConfiguringMobileConnectasaFederatedAuthenticator-Testingtheon-netflow) -- [Testing the off-net - flow](#ConfiguringMobileConnectasaFederatedAuthenticator-Testingtheoff-netflow) - #### Configuring Mobile Connect authenticator parameters This configuration empowers the Identity Server to enable certain 
@@ -202,20 +176,17 @@ available in the Identity Server. form and click and expand the **Mobile Connect Configurations** section. This section is available to you after configuring the Mobile Connect authenticator parameters. - ![](attachments/72423834/72428054.png) + ![](../../assets/img/72423834/72428054.png) In this section, configure the following. - | Field | Configuration | Description | - |------------------------------------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | Enable | Selected | Ensure that this checkbox is selected to enable the authenticator. | + | Field | Configuration | Description | | Enable | Selected | Ensure that this checkbox is selected to enable the authenticator. | | Mobile Connect Authentication Type | on-net | There are two possible configuration values here. 
In **off-net** authentication, during the federated authentication process, the Identity Server provides a UI requesting users to provide their mobile number and carries out the authentication process. In **on-net** authentication, the Mobile Connect servers identify the internet connection being used and identifies the MNO automatically. If it fails to identify this, Mobile Connect provide one of their UIs and obtain the necessary details. | | Mobile Connect Key | xxxxxxxxxxxx | Enter the key value provided by Mobile Connect when you create the application. | | Mobile Connect Secret | xxxxxxxxxxxx | Enter the secret value provided by Mobile Connect when you create the application. | - | Mobile Connect Scope | openid | You can add multiple values with a space in between (e.g., **openid profile** ) *.* | + | Mobile Connect Scope | openid | You can add multiple values with a space in between (e.g., **openid profile** ) *.* | | Mobile Connect ACR Values | 2 | The Level of Assurance required by the client for the use case can be used here. Default value is **2**. The values accespted here are **2** and **3**. According to the OpenID Connect specification, **acr\_values** is an optional parameter. However, in the Mobile Connect specification it is a mandatory parameter. The **acr\_values** parameter in the Mobile Connect request is an indication of what authentication methods to be used by the identity provider. The authentication methods to be used are linked to the level-of-assurance (LOA) values passed in the **acr\_values ** parameter *.* The level-of-assurance, as defined by the by [ISO/IEC 29115 standard](https://www.oasis-open.org/committees/download.php/44751/285-17Attach1.pdf), describes the degree of confidence in the processes leading up to and including an authentication. It provides assurance that the entity claiming a particular identity, is the entity to which that identity was assigned. 
During a Mobile Connect authentication request, the service provider specifies the degree of confidence that is required in the returned (asserted) identity, via the **acr\_values ** parameter *.* | - 4. Click **Register** to add the identity provider. #### Configuring the service provider @@ -250,11 +221,11 @@ service provider to the Identity Server. See the following screen for a sample of how this configuration looks like. - ![](attachments/72423834/72436884.png) + ![](../../assets/img/72423834/72436884.png) 5. Navigate to the **Local and Outbound Authentication Configuration** section. Select the **Federated Authentication** radio button and select **Mobile Connect** from the dropdown list. - ![](attachments/72423834/72436900.png) + ![](../../assets/img/72423834/72436900.png) 6. Click **Update** to save your changes. ### Testing the federated authentication flow 
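Review bot: the configuration table in the `@@ -202,20 +176,17 @@` hunk loses its header separator. The three removed lines (`| Field | Configuration | Description |`, the `|----|----|----|` row, and `| Enable | Selected | ... |`) are replaced by a single `+` line that carries the header and the Enable row together with no separator row, so Markdown will not render this as a table and the remaining `| Mobile Connect ... |` rows will appear as literal pipe-delimited text. Restore the three-line form: header, then `|-------|---------------|-------------|`, then the Enable row, each on its own line. Two smaller points while the table is being touched: the hunk also drops the blank line between the last table row and `4. Click **Register**`, which can glue step 4 onto the table, and the unchanged ACR Values description still carries the typos "accespted" and "defined by the by".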
@@ -268,20 +239,20 @@ configured an on-net or off-net flow. ` http://:/ travelocity.com/index.jsp ` and click the link to log in with SAML using the WSO2 Identity Server. - ![](attachments/72423834/80723064.png) + ![](../../assets/img/72423834/80723064.png) 2. If you are on the web application you are redirected to the endpoint application and you must provide the mobile number there. If you are in the mobile application, you will not see this page and you will be redirected to the page in step 3. - ![](attachments/72423834/80723069.png) + ![](../../assets/img/72423834/80723069.png) 3. Once you click **Next** you are redirected to the Mobile Connect Authorization Page, which is one of the network operators page you are registered with. - ![](attachments/72423834/80723070.png) + ![](../../assets/img/72423834/80723070.png) 4. When the authorization page appears, you are asked to confirm your identity via your mobile phone. - ![](attachments/72423834/80723071.png) + ![](../../assets/img/72423834/80723071.png) 5. Once you confirm your identity via the mobile device, you are taken to the home page of the travelocity sample application. 
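Review bot: this hunk only rewrites the four image links from `attachments/72423834/` to `../../assets/img/72423834/`; the image files themselves are not part of the visible patch, so confirm that 80723064, 80723069, 80723070 and 80723071 actually exist under `en/assets/img/72423834/` (which is where `../../assets/img` resolves from `en/docs/develop/`), otherwise the on-net walkthrough renders with broken images. Also, the unchanged step 1 URL in this hunk reads `http://:/ travelocity.com/index.jsp` with a space after the slash, whereas the off-net steps in the next hunk use `/travelocity.com/index.jsp`; remove the space while the block is being edited.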
@@ -291,17 +262,15 @@ configured an on-net or off-net flow. ` http://:/travelocity.com/index.jsp ` and click the link to log in with SAML using the WSO2 Identity Server. - ![](attachments/72423834/80723064.png) + ![](../../assets/img/72423834/80723064.png) 2. You are redirected to the Mobile Connect authentication endpoint web application. Here you need to provide the mobile number. - ![](attachments/72423834/80723065.png) -3. Once you provide the mobile number and click on **Mobile Connect - Log-in**, you are redirected to the Authorization Page as in the + ![](../../assets/img/72423834/80723065.png) +3. Once you provide the mobile number and click on **Mobile Connect Log-in**, you are redirected to the Authorization Page as in the on-net scenario and there is a popup to confirm your identity. Once you confirm your identity via the mobile device, you are taken to the home page of the travelocity sample application. - ### Configuring the Identity Server as multi-step authenticator 
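Review bot: the rewrap of step 3 is inconsistent. `+3. Once you provide the mobile number and click on **Mobile Connect Log-in**, you are redirected to the Authorization Page as in the` joins the first two lines of the item into one long line, while the rest of the item (`on-net scenario and there is a popup ...`) keeps the original narrow wrapping; either rewrap the whole item or leave the original break, since bold text spanning a soft line break renders identically. The hunk also removes a blank line immediately before `### Configuring the Identity Server as multi-step authenticator`; make sure one blank line still separates the preceding list item from the heading.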
@@ -315,32 +284,29 @@ configuration to configure the identity server as a multi-step authenticator. 1. Configure the first 4 steps in the [Configuring the service - provider](#ConfiguringMobileConnectasaFederatedAuthenticator-Configuringtheserviceprovider) + provider](#configuring-the-service-provider) section of this document and expand the **Local & Outbound Authentication** **Configuration** section as described in step 5. Select the **Advanced Configuration** option. - ![](attachments/72423834/80723084.png) + ![](../../assets/img/72423834/80723084.png) 2. Here you can use the basic authentication and mobile authentication as authentication steps (this can vary depending on your scenario and these are used for as a demonstration). You can add two steps by clicking **Add Authentication Step**. - ![](attachments/72423834/80723096.png) + ![](../../assets/img/72423834/80723096.png) 3. In step 1, add a basic authenticator to demonstrate this scenario. Select this from the drop-down under **Local Authenticators**. Click **Add Authenticator** to add the basic authenticator. Similarly, for step 2, add Mobile Connect as the federated authenticator by selecting it from the dropdown and clicking **Add Authenticator**. - ![](attachments/72423834/80723120.png) - !!! tip + ![](../../assets/img/72423834/80723120.png) - **Tip** : You can add multiple steps and multiple authenticators. + !!! tip + You can add multiple steps and multiple authenticators. For example, if you have configured Facebook as an authenticator, you can select the basic authenticator as the first step, Mobile Connect as the second step, and Facebook as the third step. - - - 4. Click **Update**, the service provider is updated with the multi-step authentication option. diff --git a/en/docs/develop/configuring-multi-factor-authentication-using-smsotp.md b/en/docs/develop/configuring-multi-factor-authentication-using-smsotp.md deleted file mode 100644 index 233835a02c..0000000000 
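Review bot: the admonition rewrite removes three blank lines between the tip body and `4. Click **Update**`; with the MkDocs admonition extension the body ends at the first non-indented block, so if no blank line is left before step 4 it will be pulled into the tip. Keep one blank line there, and keep the new body line `You can add multiple steps and multiple authenticators.` and the sentence after it indented four spaces under `!!! tip` (dropping the redundant `**Tip** :` prefix is fine, the admonition already supplies the title). The link change to `#configuring-the-service-provider` is correct for MkDocs slugs and matches the `#### Configuring the service provider` heading in this file.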
--- a/en/docs/develop/configuring-multi-factor-authentication-using-smsotp.md +++ /dev/null 
@@ -1,584 +0,0 @@ -# Configuring Multi-factor Authentication using SMSOTP - -This topic provides instructions on how to configure the SMS OTP -connector and the WSO2 Identity Server (WSO2 IS) to integrate using a -sample app. This is configured so that SMSOTP is a second authentication -factor for the sample application. See the following sections for more -information. - -To know more about the WSO2 Identity Server versions supported by this -connector, see the [WSO2 -store](https://store.wso2.com/store/assets/isconnector/details/462ce8e9-8274-496c-a1c3-8aa40168bb1b) -. - -This connector is supported by default from WSO2 Identity Server 5.4.0 -onwards. For more information, see [Configuring SMS -OTP](https://docs.wso2.com/identity-server/Configuring+SMS+OTP). - -- [Deploying SMS OTP - artifacts](#ConfiguringMulti-factorAuthenticationusingSMSOTP-DeployingSMSOTPartifacts) -- [Deploying travelocity.com - sample](#ConfiguringMulti-factorAuthenticationusingSMSOTP-Deployingtravelocity.comsampleDeployingtravelocity.comsample) -- [Configuring the identity - provider](#ConfiguringMulti-factorAuthenticationusingSMSOTP-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringMulti-factorAuthenticationusingSMSOTP-Configuringtheserviceprovider) -- [Configuring - claims](#ConfiguringMulti-factorAuthenticationusingSMSOTP-Configuringclaims) -- [Testing the - sample](#ConfiguringMulti-factorAuthenticationusingSMSOTP-Testingthesample) - -!!! note - - **Note** : These configurations work with 2.0.9 to 2.0.12 version of the - connector. If you have a older version, upgrade the connector and - artifacts to the latest version from the [connector - store](https://store.wso2.com/store/assets/isconnector/details/ec6a18ae-4763-4958-bc61-8e12f5b441ac) - . - - The connector that is shipped OOTB with WSO2 Identity Server 5.3.0 is - connector version 2.0.6. 
Therefore, if you are using WSO2 IS 5.3.0, - upgrade the connector and artifacts to version 2.0.9 before you begin. - Also the connector that is shipped OOTB with WSO2 Identity Server 5.7.0 - is connector version 2.0.15. - - -### Deploying SMS OTP artifacts - -The artifacts can be obtained from [the store for this -authenticator](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22smsotp%22) -. - -1. P lace the ` smsotpauthenticationendpoint.war ` - file inside the - ` /repository/deployment/server/webapps ` - directory. -2. Place the - ` org.wso2.carbon.extension.identity.authenticator.smsotp.connector-2.X.X.jar ` - file inside the - ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the SMS OTP Authenticator in your existing - WSO2 IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -3. Add the following configurations in the - ` /repository/conf/identity/application-authentication.xml ` - file under the ` ` - section. - - ``` xml - - https://localhost:9443/smsotpauthenticationendpoint/smsotp.jsp - https://localhost:9443/smsotpauthenticationendpoint/smsotpError.jsp - https://localhost:9443/smsotpauthenticationendpoint/mobile.jsp - true - true - true - false - false - association - primary - true - false - - ``` - - The following table includes the definition of the parameters and - the various values you can configure. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ValueDescription
RetryEnable
This field makes it possible to retry the code if the user uses the wrong code. This value can be true or false.
ResendEnable
This parameter makes it possible to resend the code in the same page if user enters the wrong code. This value can be true or false.
SMSOTPEnableByUserClaim
This field makes it possible to disable the 'SMS OTP disabling by user' functionality. The value can be true or false . If the value is true , the user can enable and disable the SMS OTP according to what the admin selects ( SMSOTPMandatory parameter value).
BackupCode
The backup code is used instead of the actual SMS code. The value can be true or false . If you do not want backup codes, set this as false . You can skip the steps 6.a and 7 in the Configuring claims section.
SMSOTPMandatory
If the value is true , the second step is enabled by the admin. The user cannot be authenticated without the SMS OTP authentication. This parameter is used for both the super tenant and tenant in the configuration. The value can be true or false.
SendOTPDirectlyToMobile
In the SMSOTPMandatory case, if the user does not exist in user store and if the admin enables SendOTPDirectlyToMobile as true, then the user can enter the mobile number during the time of authentication and the OTP will directly send to that mobile number.
CaptureAndUpdateMobileNumber
In the SMSOTPMandatory case, if the user or admin forgets to update the mobile number in the user's profile and this property is true, then the user can update a mobile claim during the time of authentication (logging in for the first time) and ask the user to enter the mobile number to send the OTP.
- This update functionality happen when logging in for the first time only. Once the user updates the mobile number, the next time the user logs in the mobile number is taken from specific user's profile.
usecase This field can take one of the following values: local , association , userAttribute , subjectUri . If you do not specify any usecase , the default value is local .
secondaryUserstore

The user store configuration is maintained per tenant as comma separated values. For example, <Parameter name="secondaryUserstore">jdbc , abc , and xyz</Parameter> .
-

screenUserAttribute If you need to show n digits of mobile number or any other user attribute value in the User Interface (UI), This parameter is used to pick the claim URI.
order Define the order of the n numbers you provide, such as the from the first or last or vice versa. The possible values for this property is backward or forward.
noOfDigits The number of digits of claim value to show in UI. If the mobile claim selected for the property screenUserAttribute and if the noOfDigitsproperty has the value 4 then we can show the mobile number according to the property order. If the order is backward, then we can show the last 4 digits of mobile claim in the UI.
- - An admin can change the priority of the SMSOTP authenticator by - changing the ` SMSOTPMandatory ` value ( - ` true ` or ` false ` - ). - - - If the Admin specifies that SMS OTP is mandatory ( - ` true) ` - , you must enable SMS OTP in the user’s profile by adding the - claim value as true in order to authenticate the user. If this - is not done, the SMSOTP error page appears. - - If the Admin specifies that SMSOTP is optional ( - ` false) ` - and you enable SMS OTP in the user's profile, the authenticator - allows the user to login with the SMS OTP authentication as a - second step (multi-step authentication). If the Admin - specifies that the SMS OTP is optional and you do not enable SMS - OTP in the user's profile, the SMSOTP authenticator proceeds to - log the user in as the first step (basic authentication). - - The first step may be a local authenticator (basic) or a federated - authenticator (e.g., Facebook, Twitter, etc.) . In federated - authenticator support in first step, the following parameters are - used according to the scenario. - - ``` java - association - jdbc - ``` - - The usecase value can be local, association, - ` userAttribute ` or - ` subjectUri ` . - - - - - - - - - - - - - - - - - - - - -
local

This is based on the federated username. This is the default value. You must set the federated username in the localuserstore. Basically, the federated username must be the same as the local username.

association

The federated username must be associated with the local account in advance in the Dashboard. So the local username is retrieved from the association. To associate the user, log into the end user dashboard and go to Associated Account by clicking View details .

userAttribute
-

The name of the  federatedauthenticator's user attribute. That is,the local user namewhich is contained in a federated user's attribute. When using this, add the following parameter under the <AuthenticatorConfig name="SMSOTP" enabled="true"> section in the <IS_HOME>/repository/conf/identity/application-authentication.xml file and put the value (e.g., email, screen_name, id, etc.).

- -

If you use, OpenID Connect supported authenticators such as LinkedIn, Foursquare, etc., or in the case of multiple social login options as the first step and SMSOTP as secondstep, you need to add similar configuration for the specific authenticator in the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the < AuthenticatorConfigs > section as follows (the following shows the configuration forFoursquare,LinkedIn and Facebook authenticator respectively).

-

Inside the AuthenticatorConfig (i.e., Foursquare), add the specific userAttribute with a prefix of the (current step) authenticator name (i.e., SMSOTP-userAttribute).

- - - -

Likewise, you can add the AuthenticatorConfig forAmazon,Google,Twitterand Instagram with relevant values.

-
subjectUri

When configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the SMSOTP authenticator.

- - If you use the secondary userstore, enter all the userstore values - for the particular tenant as comma separated values. - - The user store configuration is maintained per tenant: - - - If you use a **super tenant,** put all the parameter values into - the - ` /repository/conf/identity/application-authentication.xml ` - file under the - ` AuthenticatorConfigs ` section. - - - - - If you use a **tenant**, upload the same XML file ( - ` application-authentication.xml ` ) - into a specific registry location ( - ` /_system/governance/SMSOTP) ` . - Create the collection named - ` SMSOTP `, add the resource and - upload the - ` application-authentication.xml ` - file into theregistry). While doing the authentication, first it - checks whether there is an XML file uploaded to the registry. If - that is so, it reads it from the registry but does not take the - local file. If there is no file in the registry, then it only - takes the property values from the local file. This is how - theuserstore configuration is maintained per tenant. You can use - the registry or local file to get the property values. - - If you need to show last n digits of mobile number or any other user - attribute value in UI,  the following parameters can be used  - according to the scenario. For example, we can use the following - parameters to get last 4 digits from mobile number. - - ``` xml - http://wso2.org/claims/mobile - 4 - backward - ``` - -The SMS provider is the entity that is used to send the SMS. The SMSOTP -connector has been configured such that it can be used with most types -of SMS APIs. Some use the GET method with the client secret and API Key -encoded in the URL (e.g., Nexmo), while some may use the POST method -when sending the values in the headers and the message and telephone -number in the payload (e.g., Clickatell). Note that this could change -significantly between different SMS providers. 
The configuration of the -connector in the identity provider would also change based on this. - -### Deploying [travelocity.com](http://travelocity.com) sample - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -O nce this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -and a [service provider](https://docs.wso2.com/display/IS510). - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and - [run it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Download the certificate of the SMS provider. Go to the link (eg:- - [https://www.nexmo.com)](https://www.nexmo.com/) in your browser, - and then click the HTTPS trust icon on the address bar (e.g., the - padlock next to the URL in Chrome) -3. Import that certificate into the IS client keystore. - ` keytool -importcert -file -keystore /repository/resources/security/client-truststore.jks -alias "Nexmo" ` - - Default client-truststore.jks password is "wso2carbon" - -4. Log into the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. - -5. In the **Identity** section under the **Main** tab of the management - console, click **Add** under **Identity Providers**. - -6. Give a suitable name (e.g., SMSOTP) as the **Identity Provider - Name**. - -7. Go to the **SMSOTP Configuration** under **Federated - Authenticators**. - -8. Select both checkboxes to **Enable SMSOTP Authenticator** and make - it the **Default**. - -9. Enter the SMS URL and the HTTP Method used (e.g., GET or POST). 
- Include the headers and payload if the API uses any. If the text - message and the phone number are passed as parameters in any field, - then include them as $ctx.num and $ctx.msg respectively. You must - also enter the HTTP Response Code the SMS service provider sends - when the API is successfully called. Nexmo API and Bulksms API send - 200 as the code, while Clickatell and Plivo send 202. If this value - is unknown, leave it blank and the connector checks if the response - is 200, 201 or 202. - - **Note** : If Nexmo is used as the SMS provider, - - 1. Go to and click free - signup and register. - 2. Under **API Settings** in **Settings**, copy and save the API - key and Secret. - 3. The Nexmo API requires the parameters to be encoded in the URL, - so the SMS URL would be as follows. - - | | | - |-------------|------------------------------------------------------------------------------------------------------------------------------------| - | SMS URL | *https://rest.nexmo.com/sms/json?api\_key=\*\*\*\*\*\*\*\*\*&api\_secret=\*\*\*\*\*\*\*\*&from=NEXMO&to= $ctx.num &text= $ctx.msg* | - | HTTP Method | GET | - - **Note** : If Clickatell is used as the SMS provider, - - 1. Go to and create - an account. - 2. The auth token is provided when you register with Clickatell. - - 3. Clickatell uses a POST method with headers and the text message - and phone number are sent as the payload. So the fields would be - as follows. - - | | | - |--------------|-------------------------------------------------------------------------------------------------------------| - | SMS URL | https://api.clickatell.com/rest/message | - | HTTP Method | POST | - | HTTP Headers | X-Version: 1,Authorization: bearer \*\*\*\*\*\*\*\*,Accept: application/json,Content-Type: application/json | - | HTTP Payload | {"text":" $ctx.msg ","to":\[" $ctx.num "\]} | - - **Note** : If Plivo is used as the SMS provider, - - 1. 
Sign up for a free [Plivo trial - account](https://manage.plivo.com/accounts/register/?utm_source=send%bulk%20sms&utm_medium=sms-docs&utm_campaign=internal) - . - 2. Phone numbers must be verified at the [Sandbox - Numbers](https://manage.plivo.com/sandbox-numbers/) page (add at - least two numbers and verify them). - - 3. The Plivo API is authenticated with Basic Auth using your - ` AUTH ID ` and - ` AUTH TOKEN `, Your Plivo - ` AUTH ID ` and - ` AUTH TOKEN ` can be found when you - log in to your [dashboard.](https://manage.plivo.com/dashboard/) - 4. Plivo uses a POST method with headers, and the text message and - phone number are sent as the payload. So the fields would be as - follows. - - - - - - - - - - - - - - - - - - - - - - - - -
SMS URL

https://api.plivo.com/v1/Account/{auth_id}/Message/

HTTP MethodPOST
HTTP HeadersAuthorization: Basic ********,Content-Type: application/json
HTTP Payload{"src":"+94*********","dst":"$ctx.num","text":"$ctx.msg"}
- - **Note** : If Bulksms is used as the SMS provider, - - 1. Go to and create an account. - 2. While registering the account, verify your mobile number and - click **Claim** to get free credits. - ![](attachments/48276901/51449676.png) - - 3. Bulksms API authentication is performed by providing username - and password request parameters. - 4. Bulksms uses a POST method and the required parameters are to be - encoded in the URL. So the fields would be as follows. - - | | | - |--------------|-----------------------------------------------------------------------------------------------------------------------------------------| - | SMS URL | https://bulksms.vsms.net/eapi/submission/send\_sms/2/2.0?username=\*\*\*\*\*\*\*&password=\*\*\*\*\*\*&message=$ctx.msg&msisdn=$ctx.num | - | HTTP Method | POST | - | HTTP Headers | Content-Type: application/x-www-form-urlencoded | - - - - **Note** : If Twilio is used as the SMS provider, - - 1. Go to and create an account. - 2. While registering the account, verify your mobile number and - click on console home to get - free credits (Account SID and Auth Token). - - 3. Twilio uses a POST method with headers and the text message and - phone number are sent as the payload. So the fields would be as - follows. - - | | | - |--------------|---------------------------------------------------------------------------| - | SMS URL | https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json | - | HTTP Method | POST | - | HTTP Headers | Authorization: Basic base64{AccountSID:AuthToken} | - | HTTP Payload | Body=$ctx.msg&To=$ctx.num&From=urlencode{FROM\_NUM} | - - - -10. Click **Update** and you have now added and configured the - Identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Identity** section under the **Main** tab, click **Add** - under **Service Providers**. - -3. 
Enter **[travelocity.com](http://travelocity.com)** in the **Service - Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - - ![](attachments/48276901/48211841.png?effects=border-simple,blur-border) - -5. Now set the configuration as follows: - - 1. **Issuer** : [travelocity.com](http://travelocity.com) - - 2. **Assertion Consumer URL** : - http://localhost:8080/travelocity.com/home.jsp - -6. Select the following check-boxes: - 1. **Enable Response Signing** - - 2. **Enable Single Logout** - - 3. **Enable Attribute Profile** - - 4. **Include Attributes in the Response Always** - -7. Click **Update** to save the changes. Now you will be sent back to - the Service Providers page. - -8. Go to **Claim configuration** and select the mobile claim. - - ![](attachments/48276901/48211842.png?effects=border-simple,blur-border) - -9. Go to **Local and Outbound Authentication Configuration** section. - -10. Select the **Advanced configuration** radio button option. - -11. Add the **basic** authentication as first step and **SMSOTP** - authentication as a second step. Adding basic authentication as a - first step ensures that the first step of authentication will be - done using the user's credentials that are configured with the WSO2 - Identity Server. SMSOTP is a second step that adds another layer of - authentication and security. - ![](attachments/48276901/49222039.png?effects=border-simple,shadow-kn) - -12. Alternatively, federated authentication as the first step and SMSOTP - authentication as the second step and click **Update** to save the - changes. - -You have now added and configured the service provider. - -### Configuring claims - -1. Select **List** under **Users** **and** **Roles** in the IS - Management Console. -2. 
Go to the **User Profile** and update the mobile number (this number - must be registered with Nexmo in order to send SMS). - ![](attachments/48276901/49222049.png?effects=border-simple,shadow-kn) - **Note:** If you wish to use the backup codes to authenticate, you - can add the following claim, otherwise you can leave it. -3. In the **Main** menu, click **Add** under **Claims**. -4. Click [Add New - Claim](https://docs.wso2.com/display/IS510/Adding+New+Claim+Mapping) - . -5. Select the **Dialect** from the dropdown provided and enter the - required information. -6. Add the following user claims under ' http://wso2.org/claims' . - 1. Add the claim Uri - - http://wso2.org/claims/identity/smsotp\_disabled . This is an - optional claim for SMSOTP. - 2. Add the claim Uri - http://wso2.org/claims/otpbackupcodes - The backup code claim is an optional. -7. Once you add the above claim, Go to Users → admin →User Profile and - update the Backup codes and user can disable SMS OTP by clicking - "Disable SMS OTP". - - ![](attachments/48276901/57749623.png) - -### Testing the sample - -1. To test the sample, go to the following URL: - [http://localhost:8080/travelocity.com - ](http://localhost:8080/travelocity.com) - - [![](attachments/48276901/48211814.png?effects=border-simple,blur-border) - ](http://localhost:8080/travelocity.com) - -2. Click the link to log in with SAML from WSO2 Identity Server. - -3. The basic authentication page will be visible. Use your WSO2 - Identity Server credentials to sign in. - ![](attachments/48276901/48211843.png?effects=border-simple,blur-border) - -4. You will get a token to your mobile phone.Type the code to - authenticate, You will be taken to the home page of the - [travelocity.com](http://travelocity.com) app - - !!! 
note - - **Note** : In case, If you forget the mobile phone number or do not - have access to it, you can use the backup codes to authenticate and - you will be taken to the home page of the - [travelocity.com](http://travelocity.com) application. - - - ![](attachments/48276901/49221144.png?effects=border-simple,shadow-kn) - - ![](attachments/48276901/49222070.png?effects=border-simple,shadow-kn){width="500" - height="222"} - - - - - - - - diff --git a/en/docs/develop/configuring-multi-factor-authentication-using-token2.md b/en/docs/develop/configuring-multi-factor-authentication-using-token2.md deleted file mode 100644 index 1066d7fe17..0000000000 --- a/en/docs/develop/configuring-multi-factor-authentication-using-token2.md +++ /dev/null 
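Review bot: this deletes the SMS OTP page outright and nothing in the visible diff adds a replacement, so confirm that a new page carrying the same material is part of this patch and that `configuring-multi-factor-authentication-using-smsotp` is removed from the nav and from every cross-link. The content being dropped is the only place the `application-authentication.xml` parameters (`RetryEnable`, `ResendEnable`, `BackupCode`, `SMSOTPMandatory`, `SendOTPDirectlyToMobile`, `CaptureAndUpdateMobileNumber`, `usecase`, `secondaryUserstore`, `screenUserAttribute`/`order`/`noOfDigits`), the per-tenant registry override under `/_system/governance/SMSOTP`, and the per-provider SMS URL, header and payload templates (Nexmo, Clickatell, Plivo, Bulksms, Twilio) are explained. If that material is carried over, two items deserve a fix rather than a copy: the Nexmo example places `api_key` and `api_secret` in a GET query string, which ends up in proxy and access logs, so the new page should send the credentials in a header or POST body where the provider supports it or at least warn about it; and the `keytool -importcert` step imports the provider certificate into `client-truststore.jks` using the default `wso2carbon` password without telling the reader to change that default.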
@@ -1,485 +0,0 @@ -# Configuring Multi-factor Authentication using Token2 - -This section provides instructions on how to configure the Token2 -authenticator and WSO2 Identity Server using a sample app. See the -following sections for more information. - -Token2 Authenticator is supported by WSO2 Identity Server versions 5.1.0 -and 5.2.0. - -- [Deploying Token2 - artifacts](#ConfiguringMulti-factorAuthenticationusingToken2-DeployingToken2artifacts) -- [Configuring the Token2 hardware - device](#ConfiguringMulti-factorAuthenticationusingToken2-ConfiguringtheToken2HWDeviceConfiguringtheToken2hardwaredevice) -- [Deploying travelocity.com - sample](#ConfiguringMulti-factorAuthenticationusingToken2-Deployingtravelocity.comsampleDeployingtravelocity.comsample) -- [Configuring the identity - provider](#ConfiguringMulti-factorAuthenticationusingToken2-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring user - claims](#ConfiguringMulti-factorAuthenticationusingToken2-ConfiguringUserClaimsConfiguringuserclaims) -- [Configuring the service - provider](#ConfiguringMulti-factorAuthenticationusingToken2-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringMulti-factorAuthenticationusingToken2-TestingthesampleTestingthesample) - -### Deploying Token2 artifacts - -The artifacts can be obtained from [the store for this -authenticator](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22token2%22) -. - -1. P lace the ` token2authenticationendpoint. ` war - file into the - ` /repository/deployment/server/webapps ` - directory. -2. Place the - ` org.wso2.carbon.extension.identity.authenticator.token2.connector-1.0.0.jar ` - file into the - ` /repository/components/dropins ` - directory. - - !!! 
note - - If you want to upgrade the Token2 Authenticator in your existing IS - pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Token2 hardware device - -1. Register a Token2 account using " ". - Ensure that you do the following. - 1. Enter the **Mobile phone number** in e164 format (+ 94 77 \*\* - \*\* \*\*\* ) - 2. Select **SMS Based** as the **User type**. - 3. Click **Register**. - ![](attachments/53120841/53284895.png) -2. Once you have registered with Token2, log in using your email, - password and the OTP that is sent to the registered mobile number - through Token2. -3. Add a new site using " " and obtain the - API Key and site\_id for the site. -4. As mentioned in the [Token2 API - page](https://token2.com/?content=api), create the user and you can - find the userid in the response . -5. You have to obtain the hardware token device and send the userid, - site\_id and token serial number to Token2 support to enable it. -6. Then logout and login again with your email, password and use the - token generated in the hardware token device . - -You have now enabled the token2 hardware device. - -### Deploying [travelocity.com](http://travelocity.com) sample - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -O nce this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -and a [service provider](https://docs.wso2.com/display/IS510). - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). - -2. 
[Run the WSO2 Identity - Server](https://docs.wso2.com/display/IS510/Running+the+Product). -3. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -4. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -5. Give a suitable name for **Identity Provider Name** (e.g., token2 ). -6. Navigate to **Token2Authenticator Configuration** under **Federated - Authenticators**. -7. Select both check boxes to **Enable** the Token2 authenticator and - make it the **Default**. - ![](attachments/53120841/53284908.png) - -8. Enter the following values: - - | Field | Description | Sample Value | - |--------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| - | ApiKey | This is the API key you obtained when [configuring the Token2 hardware device](../../develop/configuring-multi-factor-authentication-using-token2). | ` 7cf6eof73be1c38952ca81dd68a ` | - | Callback URL | This is the service provider's URL to which the code is sent. | ` https://localhost:9443/commonauth ` | - -9. Click **Register**. - You have now added the identity provider. - -### Configuring user claims - -1. In the **Main** menu, click **Add** under **Claims**. -2. Click [Add New - Claim](https://docs.wso2.com/display/IS510/Adding+Claim+Mapping). -3. Click **Add Local Claim**. The **Dialect URI** will be - automatically set to - ` http://wso2.org/claims ` - , which is the internal claim dialect . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claim detailsDescriptionSample
Claim URIThis is the URI defined under the dialect, specific to the claim. There are different URIs available in the Identity Server and these equate to user attributes displayed in the profile of users. These URIs are mapped to the attributes in the underlying user store. http://wso2.org/claims/identity/userid
Display NameThis is the name of the claim displayed on the UI. This can be viewed in the user's profile by navigating to the Main tab in the management console and clicking List in Users and Roles . In the resulting page, click Users and in the list of users that is displayed, click User Profile next to the one you wish to check. User Id
DescriptionThis gives you the option to describe the functionality of the claim. Claim to User Id
Mapped Attribute
-

This is the corresponding attribute name from the underlying user store that is mapped to the Claim URI value.
-
- When you have multiple user stores connected to the Identity Server, this maps the equivalent attribute in all of them to the Claim URI you are configuring.
- For example, if you specify the cn attribute, this is mapped to the cn attribute in all the connected user stores. If you want to specify the attribute in a specific user store, you must add the domain name in addition to the mapped claim. For example, in a scenario where you have a primary user store configured called PRIMARY and secondary user stores called AD (representing Active Directory), you can map an attribute from each of these user stores to the Claim URI value by clicking Add Attribute Mapping, selecting the respective user store from the drop-down list, and mentioning the attribute of the userstore the attribute needs to be mapped to.
- Example:
-

-
stateOrProvinceName
Regular ExpressionThis is the regular expression used to validate inputs. Example : For a claim URI like http://wso2.org/claims/email the regex should be something like ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ . This will validate the claim value and will not let other values except an email.
-
Display OrderThis enables you to specify the order in which the claim is displayed, among the other claims defined under the same dialect.
-
Supported by DefaultIf unchecked, this claim will not be prompted during user registration.
-
RequiredThis specifies whether this claim is required for user registration.
-
Read-onlyThis specifies whether the claim is read-only or not. If the claim is read-only, it can't be updated by the user.
-
Additional PropertiesThese properties are not currently used in current WSO2 Identity server. If we need to write an extension using current claims, we can use these property values.
-
- - ![](attachments/53120841/76748580.png) - -4. Next click **List** under **Main \> Identity \> Users and Roles**. -5. Click **User Profile** under **Admin** and update the - ` User Id ` . - ![](attachments/53120841/76748586.png) - -Now you have configured the claim. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Identity** section under the **Main** tab, click **Add** - under **Service Providers**. - -3. Enter **[travelocity.com](http://travelocity.com)** in the **Service - Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section . - ![](attachments/53120841/53284577.png) - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to view the field definitions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample value
IssuerSpecify the Issuer . This is the <saml:Issuer> element that contains the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider. When configuring single-sign-on across Carbon servers, ensure that this value is equal to the ServiceProviderID value mentioned in the <IS_HOME>/repository/conf/security/authenticators.xml file of the relying party Carbon server.travelocity.com
Assertion Consumer URLsSpecify the Assertion Consumer URLs . This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should have this format: https://(host-name):(port)/acs . You can add multiple assertion consumer URLs for the service provider by entering the URL and clicking the Add button.http://wso2is.local:8080/travelocity.com/home.jsp
Default Assertion Consumer URL
-

Since there can be multiple assertion consumer URLs, you must define a Default Assertion Consumer URL in case you are unable to retrieve it from the authentication request.

- !!! tip -

Tip : In a service provider initiated single sign-on setup, the following needs to be considered.

-
    -
  • If no ACS URL is given in the < AuthnRequest >, the Identity Server sends the response to the default ACS URL of the service provider (whether the request is signed or not).
  • -
  • If the ACS URL in < AuthnRequest > matches with one of the registered URLs, the Identity Server sends the response to the matched one.
  • -
  • If the ACS URL in < AuthnRequest > does not match any of the registered ACS URLs and if the request is signed, the Identity Server sends the response to the ACS URL in the request only if the signature is valid. Alternatively, the < AuthnRequest > is rejected.
  • -
-

In an identity provider initiated single sign-on setup, the following needs to be considered.

-
    -
  • If the “acs” query parameter is not present in the request, the Identity Server sends the response to default ACS URL of the service provider.
  • -
  • If the "acs” parameter is present and the value of that parameter matches with any of the registered ACS URLs of the service provider, then the Identity Server sends the response to the matched one.
  • -
-
http://wso2is.local:8080/travelocity.com/home.jsp
NameID format
-

Specify the NameID format . This defines the name identifier formats supported by the identity provider. The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID), which should be in some format so that It is easy for the other party to identify it based on the format. Name identifiers are used to provide information regarding a user.

-
-

About NameID formats

-

For SSO interactions, you can use the following types of NameID formats.

-
    -
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • -
  • urn:oasis:names: tc :SAML:2.0: nameid -format:transient
  • -
  • urn:oasis:names: tc :SAML:1.1: nameid -format:
  • -
  • emailAddressurn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • -
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • -
  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • -
  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • -
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • -
-

This specifies the name identifier format that the Identity Server wants to receive in the subject of an assertion from a particular identity provider. The following is the default format used by the identity provider.

-
    -
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • -
-
-

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Certificate Alias

Select the Certificate Alias from thedropdown. This is used to validate the signature of SAML2 requests and is used to generate encryption.Basically the service provider’s certificate must be selected here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing atenant specific configuration.

wso2carbon
Response Signing Algorithm

Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity.xml file, in the SSOService element with SAMLDefaultSigningAlgorithmURI tag. If it is not provided the default algorithm is RSA­SHA 1, at URI http:// www.w3.org/2000/09/xmldsig#rsa­sha1 ‘ ’ .

http://www.w3.org/2000/09/xmldsig#rsa­sha1
Response Digest Algorithm

Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity.xml file, in the SSOService element with SAMLDefaultDigestAlgorithmURI tag. If it is not provided the default algorithm is SHA 1, at URI ‘ http://www.w3.org/2000/09/xmldsig#sha1 ’ .

http://www.w3.org/2000/09/xmldsig#sha1
Enable Response SigningSelect Enable Response Signing to sign the SAML2 Responses returned after the authentication process.Selected
Enable SignatureValidation inAuthentication Requests and Logout RequestsSelect Enable Signature Validation in Authentication Requests and Logout Requests if you need this functionality configured. This specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request thatare sent by the service provider.Unselected
Enable Assertion EncryptionEnable Assertion Encryption, if you wish to encrypt the assertion.Unselected
Enable Single LogoutSelect Enable Single Logout so that all sessions are terminated once the user signs out from one server. If single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile. If the service provider supports a different URL for logout, you can enter a SLO Response URL and SLO Request URL for logging out. These URLs indicate where the request and response should go to. If you do not specify this URL, the identity provider uses the Assertion Consumer Service (ACS) URL.Selected
Enable Attribute ProfileSelect Enable Attribute Profile to enable this and add a claim by entering the claim link and clicking the Add Claim button. The Identity Server provides support for a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as part of the attribute statement. Once you select the checkbox to Include Attributes in the Response Always, the identity provider always includes the attribute values related to the selected claims in the SAML attribute statement.Unselected
Enable Audience RestrictionSelect Enable Audience Restriction to restrict the audience. You may add audience members using the Audience text box and clicking the Add button.Unselected
Enable Recipient ValidationSelect this if you require validation from the recipient of the response.Unselected
Enable IdP Initiated SSOSelect the Enable IdP Initiated SSO checkbox to enable this functionality. When this is enabled, the service provider is not required to send the SAML2 request.Unselected
Enable IdP Initiated SLOSelect the Enable IdP Initiated SLO checkbox to enable this functionality. You must specify the URL.Unselected
Enable Assertion Query Request ProfileSelect the Enable Assertion Query Request Profile checkboxto query assertions that are persisted to the database when you loginto the service provider application. For more information, see Querying SAML Assertions .Unselected
- -5. Now set the configuration as follows: - - 1. **Issuer** : [travelocity.com](http://travelocity.com) - - 2. **Assertion Consumer URL** : - - -6. Select the following check-boxes: - 1. **Enable Response Signing** - - 2. **Enable Single Logout** - - 3. **Enable Attribute Profile** - - 4. **Include Attributes in the Response Always** - -7. Click **Update** to save the changes. Now you will be sent back to - the Service Providers page. - -8. Go to **Claim configuration** and select the userId claim as Subject - Claim URI. - ![](attachments/53120841/53284903.png) - -9. Go to **Local and Outbound Authentication Configuration** section . - -10. Select the **Advanced configuration** radio button option . - -11. Add the **basic** authentication as a first step and **token2** - authentication as a second step . This is done to configure - multi-step authentication. What this means is that a user who logs - in would first have to enter their credentials that are configured - with the Identity Server and then get authenticated using Token2 as - the second step. This is an added security measure and a common use - of the Token2 authenticator. - ![](attachments/53120841/53284914.png) - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to view the field definitions - - - - - - - - - - - - - - - - - - - - - - - - - - -
Authentication TypeDetails
Default
-

This is the default authenticator sequence for a configured service provider in the Identity Server. This sequence can be modified by updating following section in the <IS_HOME>/repository/conf/identity/application-authentication. xml file.

- -
LocalAuthentication

In this case, Identity Server itself authenticate the user. There are three types of local authenticators OOTB in a fresh Identity Server pack.

-
    -
  • The basic authenticator is used to authenticate the user using the credentials available in the Identity Server.
  • -
  • IWA stands for Integrated Windows Authentication and involves automatically authenticating users using their Windows credentials.
  • -
  • FIDO authenticator is a local authenticator that comes with the WSO2 Identity Server. This will handle FIDO authentication requests related key validation against stored keys, the public key,keyhandler, and the counter, attestation certificate of FIDO registered users.
  • -
FederatedAuthenticationIn this case, Identity Server trust third-party Identity provider to perform the user authentication. These Identity providers use various protocols to transfer authentication/authorization related messages. Currently, the Identity Server only supports the following federated authenticators OOTB. -
    -
  • SAML2 Web SSO
  • -
  • OAuth2/OpenID Connect
  • -
  • WS-Federation (Passive)
  • -
  • Facebook
  • -
  • Microsoft (Hotmail, MSN, Live)
  • -
  • Google
  • -
  • SMS OTP
  • -
  • Email OTP
  • -
  • Twitter
  • -
  • Yahoo
  • -
  • IWA Kerberos
  • -
  • Office365
  • -
Advanced ConfigurationAdvanced configurations enable you to add multiple options or steps in authentication. When multiple authentication steps exist, the user is authenticated based on each and every one of these steps. If only one step is added then the user is only authenticated based on the local and/or federated authenticators added in a single step. However, in the case of local and/or federated authenticators, the authentication happens based on any one of the available authenticators.
- -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - - [![](attachments/53120841/76748573.png) ](http://localhost:8080/travelocity.com) -2. Click the link to log in with SAML from WSO2 Identity Server. - -3. Basic authentication page will be visible, use your IS username and - password. - ![](attachments/53120841/76748574.png) - -4. Enter the code that is generated with token2 hardware device to - authenticate. You are directed to the home page of the - [travelocity.com](http://travelocity.com) app. - - ![](attachments/53120841/53284612.png) - - ![](attachments/53120841/53284615.png) - - - - - - - - diff --git a/en/docs/develop/configuring-nuxeo-authenticator.md b/en/docs/develop/configuring-nuxeo-authenticator.md deleted file mode 100644 index 7ae3736046..0000000000 --- a/en/docs/develop/configuring-nuxeo-authenticator.md +++ /dev/null 
@@ -1,415 +0,0 @@ -# Configuring Nuxeo Authenticator - -The topics in this page provide instructions on how to configure the -Nuxeo authenticator with WSO2 Identity Server. Here, a sample -application is used to demonstrate the integration. - -Note - -- Nuxeo Authenticator is supported with WSO2 Identity Server 5.5.0. -- Configuring the Nuxeo authenticator is tested with Nuxeo Server - version 10.1. - -Follow the instructions in the topics below to configure the Nuxeo -authenticator with WSO2 Identity Server: - -- [Deploying Nuxeo - artifacts](#ConfiguringNuxeoAuthenticator-DeployingNuxeoartifactsDeployingNuxeoartifacts) -- [Configuring the Nuxeo - application](#ConfiguringNuxeoAuthenticator-ConfiguringtheNuxeoAppConfiguringtheNuxeoapplication) -- [Deploying the travelocity.com sample - app](#ConfiguringNuxeoAuthenticator-Deployingtravelocity.comsampleappDeployingthetravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringNuxeoAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringNuxeoAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Configuring - claims](#ConfiguringNuxeoAuthenticator-ConfiguringclaimsConfiguringclaims) -- [Configuring requested claims for - travelocity.com](#ConfiguringNuxeoAuthenticator-TestingthesampleConfiguringrequestedclaimsfortravelocity.com) -- [Testing the - sample](#ConfiguringNuxeoAuthenticator-TestingthesampleTestingthesample) - -### Deploying Nuxeo artifacts - -- Download the artifacts for this authenticator from [the - store](https://store.wso2.com/store/assets/isconnector/details/c7003ffb-18a1-48ed-9a99-6274796fa978) - . -- Copy the downloaded - ` org.wso2.carbon.identity.authenticator.nuxeo-x.x.x.jar ` - file to the - ` /repository/components/dropins ` - directory. - -!!! 
note - - If you want to upgrade the Nuxeo Authenticator (.jar) that is packaged - with your existing WSO2 IS distribution to the latest, see [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Nuxeo application - -1. Go to , download the server - and unzip the archive. The path to the sever will be referred to as - ` ` throughout this page. -2. Navigate to the ` /bin ` directory - and use the following command to install the JSF UI add-on: - - ``` java - ./nuxeoctl mp-install nuxeo-jsf-ui - ``` - -3. Start the Nuxeo server using the commands given below: - - ``` java - $ chmod +x ./nuxeoctl - $ ./nuxeoctl start - ``` - - !!! note - - After the first time server start, follow the consequence - instructions in the nuxeo console to setup the nuxeo server. - - -4. Once the server starts, follow the steps below to setup the nuxeo - server. - 1. Go to and sign in with - Administrator/Administrator credentials. - 2. Click **Admin**, then click **Cloud Services**, and then click - the **Consumers** tab. - 3. Click **Add** under the **OAuth2 Clients** section. - 4. Specify values for the **Name**, **Client ID**, **Client - Secret**, and **Redirect URI**. You can use - as the **Redirect URI**. - 5. Click **Create**. - ![](attachments/92526518/92534118.png) - - - -Now you have configured the Nuxeo application . - -Next let's deploy the the [travelocity.com](http://travelocity.com/) -sample app so that it can be used in this scenario. - -### Deploying the [travelocity.com](http://travelocity.com) sample app - -To download and deploy the travelocity sample application, follow the -instructions in [deploying travelocity.com sample -app](https://docs.wso2.com/display/ISCONNECTORS/Deploying+the+Sample+App) -. - -!!! note - - If you are running the Nuxeo server and apache tomcat on the same port - (eg: 8080), be sure to change the port that you run apache tomcat. 
- - Follow the steps below to change the port on which apache tomcat runs: - - 1. Navigate to the ` /conf/server.xml ` - file and change the values of - ` Connector port, Server port ` - parameters. - - ``` text - - - - - - - - ``` - - 2. Navigate to the - ` /webapps/travelocity.com/WEB-INF/classes/travelocity.properties ` - file and change the port in the URL of the SAML 2.0 assertion - consumer. - - ``` text - #The URL of the SAML 2.0 Assertion Consumer - SAML2.AssertionConsumerURL=http://localhost:8080/travelocity.com/home.jsp - ``` - - -### Configuring the identity provider - -Follow the steps below to add a new identity provider via the management -console of WSO2 Identity Server. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). -2. Run the [WSO2 Identity - Server](https://docs.wso2.com/identity-server/Running+the+Product). -3. Log in to the [management - console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) - as an administrator. -4. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add.** -5. Specify an appropriate name as the **Identity Provider Name**. - ![](attachments/92526518/112363883.png) -6. Expand the **Federated Authenticators** section, and then expand the - **Nuxeo Configuration** section. -7. Select **Enable** to enable the Nuxeo authenticator for the identity - provider. -8. Select **Default** to set Nuxeo as the default authenticator for the - identity provider. -9. Specify appropriate values for the following fields depending on - the - 1. Select both checkboxes to **Enable** the Nuxeo authenticator and - make it the **Default**. - 2. **Client Id** **:** The client Id of the Nuxeo application you - created. - - 3. **Client Secret** **:** The client secret of the Nuxeo - application you created. - - 4. **Callback URL** **:** The service provider's URL where code - needs to be sent. - - 5. 
**Nuxeo Server URL** **:** The Nuxeo server URL. - [http://localhost:8080](http://localhost:8080/) - - - - ![](images/icons/grey_arrow_down.png){.expand-control-image} - Click here to see detailed descriptions for each configuration - property - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PropertyDescriptionSample Value
EnableSelect this to enable the Nuxeo to be used as an authenticator to provision users to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that github is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
ClientIDThis is the Client Id from the Nuxeo AppclientApp
Client SecretThis is the Client Secret from the Nuxeo App. Click the Show button to view the value you enter.clientsecret
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. The URL should be specified in the following format:
- https://<HOST_NAME>:<PORT>/acs
https://localhost:9443/commonauth
Nuxeo server URLThe Nuxeo server URL.http://localhost:8080
- -10. Click **Register**. - -Now that you have added the identity provider. Next, let's configure the -service provider. - -### Configuring the service provider - -Follow the steps below to configure the service provider. - -1. On the WSO2 IS management console, click **Add** under **Service - Providers**. -2. Since you are using travelocity as the sample, enter - [travelocity.com](http://travelocity.com/) as the **Service Provider - Name**. -3. Click **Register**. -4. Expand the **Inbound Authentication Configuration** section, then - expand the **SAML2 Web SSO Configuration** section, and then click - **Configure**. -5. Specify values as follows: - 1. **Issuer** : [travelocity.com](http://travelocity.com) - 2. **Assertion Consumer URL** : - - 3. Select the following: - - **Enable Response Signing** - - **Enable Single Logout** - - **Enable Attribute Profile.** - - **Include Attributes in the Response Always** -6. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -7. Expand the **Local and Outbound Authentication Configuration** - section. - -8. From the drop-down list under **Federated Authentication**, select - the identity provider you created. - -9. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -Now you have added the service provider. Next, let's configure claims. - -### Configuring claims - -Follow the steps below to configure claims. For more information on -configuring claims, see [Adding Claim -Mapping](../../using-the-identity-server/adding-claim-mapping) in -the WSO2 IS documentation. - -1. Sign in to the [Management - Console](../../setup/getting-started-with-the-management-console) - with your username and password. -2. On the **Main** menu, click **Add** under **Claims**. - -3. Click **Add Claim Dialect** to create the Nuxeo authenticator - specific claim dialect. - -4. 
Specify the Dialect URI as - ` http://wso2.org/nuxeo/claims ` - . - -5. Click **Add** to create the claim dialect. - -6. Map the new external claim to an existing local claim dialect. Be - sure to map at least one claim under the new dialect. Here, let's - map the claim for the last name. - - 1. On the **Main** menu, click **Add** under **Claims**. - - 2. Click **Add External Claim** to add a new claim to the Nuxeo - claim dialect. - - 3. Select the Dialect URI as - ` http://wso2.org/nuxeo/claims ` - . - - 4. Enter the **External Claim URI** based on the following claim - mapping information. - - 5. Select the **Mapped Local Claim** based on the following claim - mapping information. - - Claim mapping for last name - - | | | - |------------------------|-------------------------------------------------------------------------------------------------------------| - | **Dialect URI** | ` http://wso2.org/nuxeo/claims ` | - | **External Claim URI** | ` http://wso2.org/nuxeo/claims/lastName ` | - | **Mapped Local Claim** | ` http://wso2.org/claims/lastname ` | - - 6. Click **Add** to add the new external claim. - -7. Similarly, repeat step 6 for the following claim mappings to create - claims for all the public information of the Nuxeo user. 
- - Claim mapping for the first name: - - | | | - |------------------------|----------------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | http://wso2.org/nuxeo/claims/firstName | - | **Mapped Local Claim** | http://wso2.org/claims/givenname | - - Claim mapping for the email: - - | | | - |------------------------|-------------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | http://wso2.org/nuxeo/claims/email | - | **Mapped Local Claim** | http://wso2.org/claims/emailaddress | - - Claim mapping for groups: - - | | | - |------------------------|-------------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | http://wso2.org/nuxeo/claims/groups | - | **Mapped Local Claim** | http://wso2.org/claims/role | - - Claim mapping for user id: - - | | | - |------------------------|---------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | http://wso2.org/nuxeo/claims/id | - | **Mapped Local Claim** | http://wso2.org/claims/userid | - - Claim mapping for extended group: - - | | | - |------------------------|---------------------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | http://wso2.org/nuxeo/claims/extendedGroups | - | **Mapped Local Claim** | http://wso2.org/claims/group | - - Claim mapping for user name: - - | | | - |------------------------|---------------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | http://wso2.org/nuxeo/claims/username | - | **Mapped Local Claim** | http://wso2.org/claims/username | - - Claim mapping for entity type: - - | | | - |------------------------|------------------------------------------| - | **Dialect URI** | http://wso2.org/nuxeo/claims | - | **External Claim URI** | 
http://wso2.org/nuxeo/claims/entity-type | - | **Mapped Local Claim** | http://wso2.org/claims/userType | - -8. Click **Update**. - -### Configuring requested claims for travelocity.com - -1. On the Main tab of the management console, click **List** under - **Service Providers**. - -2. Click **Edit** to edit the [travelocity.com](http://travelocity.com) - service provider. - -3. Expand the **Claim Configuration** section. - -4. Click **Add Claim URI** under **Requested Claims** and add the - requested claims as follows: - - ![](attachments/92526518/92534139.png) - -5. Select the **Subject Claim** URI as - ` http://wso2.org/claims/username ` - to define the authenticated user identifier that will return with - the authentication response to the service provider. - -6. Click **Update**. This saves the service provider changes. - -### Testing the sample - -1. To test the sample, go to - ` http://:/travelocity.com/index.jsp ` - . For example, . -2. Click the appropriate link to log in with SAML from WSO2 Identity - Server. - ![](attachments/92526518/92526852.png) -3. Enter your Nuxeo credentials in the log in prompt of Nuxeo. Once you - log in successfully you will be taken to the homepage of the t - ` ravelocity.com ` application. - -Now that you understand how to use Nuxeo as a federated authenticator -with WSO2 Identity Server, you can configure the Nuxeo authenticator as -required to authenticate Nuxeo users to log in to your organization’s -applications. - - diff --git a/en/docs/develop/configuring-password-policy-authenticator.md b/en/docs/develop/configuring-password-policy-authenticator.md deleted file mode 100644 index 734fdae5f5..0000000000 --- a/en/docs/develop/configuring-password-policy-authenticator.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# Configuring Password Policy Authenticator - -!!! note - - **If you are using Password Policy Authenticator version 1.0.8, go to - the WSO2 identity-outbound-auth-passwordPolicy** **[GitHub - repository](https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy/tree/v1.0.8/docs) - to view the latest documentation.** - - -- [Deploying Password Policy - artifacts](#ConfiguringPasswordPolicyAuthenticator-DeployingPasswordPolicyartifactsDeployingPasswordPolicyartifacts) -- [Add claim - mapping](#ConfiguringPasswordPolicyAuthenticator-Addclaimmapping) -- [Deploying travelocity.com - sample](#ConfiguringPasswordPolicyAuthenticator-Deployingtravelocity.comsampleDeployingtravelocity.comsample) -- [Configuring the Service - Provider](#ConfiguringPasswordPolicyAuthenticator-ConfiguringtheserviceproviderConfiguringtheServiceProvider) -- [Testing the - sample](#ConfiguringPasswordPolicyAuthenticator-TestingthesampleTestingthesample) - -### Deploying Password Policy artifacts - -1. Download the [Password Policy Authenticator and - artifacts](https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c) - from the WSO2 connector store. - -2. Add the following lines to the - ` identity-event.properties ` file in the - ` /repository/conf/identity/ ` - directory ` . ` - - ``` java - module.name.13=passwordExpiry - passwordExpiry.subscription.1=POST_UPDATE_CREDENTIAL - passwordExpiry.subscription.2=POST_UPDATE_CREDENTIAL_BY_ADMIN - passwordExpiry.subscription.3=POST_ADD_USER - passwordExpiry.passwordExpiryInDays=30 - passwordExpiry.enableDataPublishing=false - passwordExpiry.priorReminderTimeInDays=0 - ``` - - !!! note - - The value of xx in ` module.name.xx ` should be - decided based on the highest module number that is already available - in the ` identity-event.properties ` file . 
For - example, if the last module number mentioned in the file is - ` module.name .11 ` - , the above entry should be renamed as - ` module.name.12=passwordExpiry ` . - - -3. Place the authentication pwd-reset.jsp file  into the - ` /repository/deployment/server/webapps/authenticationendpoint ` - directory. - - !!! note - - Before pasting the pwd-reset.jsp file, the server needs to be - started at least once to ensure that the folder is available for the - web app to be deployed. - - -4. Place the authenticator .jar file ( - ` org.wso2.carbon.extension.identity.authenticator.passwordpolicy.connector-1.0.3.jar ` - ) into the directory - ` /repository/components/dropins ` . ( - To download the authenticator, go to - [https://store.wso2.com/store/assets/isconnector/passwordpolicy](https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c) - ) - - !!! note - - If you want to upgrade the Password Policy Authenticator in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -5. Edit the ` identity-mgt.properties ` found in - the ` /repository/conf/identity ` - directory and add the following property. This value must be an - integer. - - ``` java - Authentication.Policy.Password.Reset.Time.In.Days=20 - ``` - - If the property is not added to the file, by default, the password - reset time is 30 days. - -### Add claim mapping - -A claim is a piece of information about a particular subject. It can be -anything that the subject is owned by or associated with, such as name, -group, preferences, etc. In this instance, the claim in question is -` lastPasswordChangedTimestamp ` and this needs to be -linked to a claim that is local to WSO2 Identity Server. This claim is -required because the WSO2 Identity Server needs to know if the password -is expired or not for this flow to work. 
- -For more information about claim mappings, see [Adding a claim -mapping](https://docs.wso2.com/identity-server/Adding+Claim+Mapping). - -1. Navigate to the **Identity** section under the **Main** tab of the - [management - console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) - . -2. Click **Add** under **Claims** and then click **Add Local Claim**. -3. Add a new claim for - ` lastPasswordChangedTimestamp ` with - ` http://wso2.org/claims/lastPasswordChangedTimestamp ` - as the **Claim Uri.** - - Note - - When adding a new claim, use an attribute which is mapped to an - existing unused claim if the secondary user-store is an LDAP and use - any attribute name as the mapped attribute if it is a JDBC user - store. - - ** - ![](attachments/50511336/97551782.png) - ** - -### Deploying travelocity.com sample - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding a [service -provider](https://docs.wso2.com/display/IS530/Adding+and+Configuring+a+Service+Provider) -. - -### Configuring the Service Provider - -The next step is to configure the service provider. - -1. Return to the Management Console. - -2. In the **Identity** section under the **Main** tab, click **Add** - under **Service Providers**. - -3. Enter travelocity.com in the **Service Provider Name** text box and - click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Configure the sample application (travelocity) as the service - provider. - ![](attachments/50511336/50688127.png) - Do the following configurations. - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - - - Select the following check-boxes: - - !!! note - - Remember! 
- - The following check-boxes are enabled or disabled according to the - properties available in your service provider. For "travelocity.com" - the relevant properties file can be seen inside the webapp - travelocy.com/WEB-INF/classes/ called "travelocity **.properties** - ". - - - - - 1. **Enable Response Signing** - - 2. **Enable Single Logout** - - 3. **Enable Attribute Profile** - - 4. **Include Attributes in the Response Always** - -6. Click **Register** to save the changes. Now you will be sent back to - the **Service Providers** page. - -7. Go to **Local and Outbound Authentication Configuration** section. - -8. Select the **Advanced** **configuration** radio button option . - -9. Add the basic authentication as first step and - password-reset-enforcer authentication as second step. - - !!! tip - - **Tip** : The **Use attributes from this step** option is unchecked - when the second step is added and selected. - - - ![](attachments/50511336/50688128.png) - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, the password needs be expired. So select - "Supported by Default" checkbox in the - ` lastPasswordChangedTimestamp ` that has the - **http://wso2.org/claims/lastPasswordChangedTimestamp** claim. - - !!! note - - In a production setup, you need to **deselect** "Supported by - Default" checkbox in the lastPasswordChangedTimestamp claim mapping - configuration. - - - ![](attachments/50511336/51252088.png) - -2. Enter a date and time of the past for the Password Changed Time - field. Make sure to provide the value in the Epoch format. - ![](attachments/50511336/51252089.png) -3. Go to the following URL: http://localhost:8080/travelocity.com -4. Click the link to log in with SAML from WSO2 Identity Server. - ![](attachments/50511336/50688116.png) - -5. The basic authentication page appears. Use your WSO2 Identity Server - credentials. - -6. 
During the authentication flow, if the password is expired, you will - be prompted to reset the password. - ![](attachments/50511336/50688130.png) -7. Enter the current password, new password and repeat password. If the - authentication is successful, you are taken to the home page of the - travelocity.com app. diff --git a/en/docs/develop/configuring-pinterest-authenticator.md b/en/docs/develop/configuring-pinterest-authenticator.md deleted file mode 100644 index abef6f7abe..0000000000 --- a/en/docs/develop/configuring-pinterest-authenticator.md +++ /dev/null 
@@ -1,255 +0,0 @@ -# Configuring Pinterest Authenticator - -This page provides instructions on how to configure the Pinterest -authenticator and the WSO2 Identity Server using a sample app to -demonstrate authentication. You can find more information in the -following sections. - -This is tested for the Pinterest API version 1.0. Pinterest -Authenticator is supported by Identity Server version 5.3.0 upwards. - -- [Configuring the Pinterest - App](#ConfiguringPinterestAuthenticator-ConfiguringthePinterestApp) -- [Deploying travelocity.com sample - app](#ConfiguringPinterestAuthenticator-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringPinterestAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringPinterestAuthenticator-Configuringtheserviceprovider) -- [Configuring claim mappings for - Pinterest](#ConfiguringPinterestAuthenticator-ConfiguringclaimmappingsforPinterest) -- [Configuring requested claims for - travelocity.com](#ConfiguringPinterestAuthenticator-Configuringrequestedclaimsfortravelocity.com) -- [Testing the - sample](#ConfiguringPinterestAuthenticator-Testingthesample) - -### Configuring the Pinterest App - -1. Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the .jar file ( - ` org.wso2.carbon.extension.identity.authenticator.Pinterest.connector ` - ) from [the WSO2 - Store](https://store.wso2.com/store/assets/isconnector/list?q=%2522_default%2522%253A%2522Pinterest%2522) - . - - !!! note - - If you want to upgrade the Pinterest Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - - - -2. Navigate to and create a - new app as described in the [Pinterest Getting Started - documentation](https://developers.pinterest.com/docs/api/overview/) - . -3. 
Enter the **Name** and **Description** of your new app and then - click the **Create** button. - ![](attachments/60096589/60096627.png){height="400"} -4. Enter the redirect URL as in the - page that appears. - This is the WSO2 IS endpoint to which Pintrest, who is the federated - authenticator, needs to send the authentication response. - ![](attachments/60096589/60096629.png){height="400"} -5. You have now finished configuring Pinterest. Copy the **App ID** and - **App secret** from the resulting page. - ![](attachments/60096589/60096630.png){height="400"} - -### Deploying travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. - -For more information on how to do this, see [Deploying travelocity.com -sample app](Deploying-the-Sample-App). - -### Configuring the identity provider - -Now you must configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Log in to the [Management - Console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. Give a suitable name for **Identity Provider Name** and configure - Pinterest as the identity provider. Refer - [this](https://docs.wso2.com/display/IS530/Configuring+an+Identity+Provider#ConfiguringanIdentityProvider-Addinganidentityprovider) - document for more information regarding the identity provider - configurations. - ![](attachments/60096589/60096632.png) - Do the following configurations. 
- - | Field | Description | Sample Value | - |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------| - | Enable | Selecting this option enables pinterest to be used as an authenticator for users provisioned to the Identity Server. | Selected | - | Default | Selecting the **Default** checkbox signifies that Pinterest is the main/default form of authentication. This removes the selection made for any other **Default** checkboxes for other authenticators. | Selected | - | Client Id | This is the username from the Pinterest application. | 4927778446347615595 | - | Client Secret | This is the password from the Pinterest application. Click the **Show** button to view the value you enter. | 7514127b86f6a5b6a5f4625cb9ba967f10ba0cdb3fef5bf20a91b0cc7b261818 | - | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs. | https://localhost:9443/commonauth | - -5. Go to **Pinterest Authenticator Configuration** under **Federated - Authenticators**. -6. Enter the values as given in the above figure. - - **Client Id** : App ID for your app. - - **Client Secret** : App secret for your app. - - **Callback URL** : Service Provider's URL where code needs to be - sent . - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. -2. In the **Service Providers** section under the **Main** tab, click - **Add**. -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. -4. 
In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - ![](attachments/60096589/60096633.png) -5. Now set the configuration as follows: - - **Issuer** : travelocity.com - - **Assertion Consumer URL** : - -6. Select the following check-boxes: - - **Enable Response Signing**. - - **Enable Single Logout**. - - **Enable Attribute Profile**. - - **Include Attributes in the Response Always**. -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -8. Go to the **Local and Outbound Authentication Configuration** - section. -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - ![](attachments/60096589/60096634.png) -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -### Configuring claim mappings for Pinterest - -1. Sign into the [Management - Console](../../setup/getting-started-with-the-management-console) - by entering your username and password. -2. In the **Main** menu, click **Add** under **Claims**. -3. Click **Add Claim Dialect** to create the Pinterest authenticator - specific claim dialect. - -4. Specify the **Dialect URI** as http://wso2.org/pinterest/claims. - ![](attachments/60096589/60489892.png) - -5. Click [Add external - claim](https://docs.wso2.com/display/IS530/Adding+Claim+Mapping#AddingClaimMapping-Addexternalclaim) - . Use the Dialect Uri as http://wso2.org/pinterest/claims. You can - create the external claims here. - **![](attachments/60096589/60490348.png) ** - Create the claim for Pinterest user id while creating the claim - dialect. 
- - | | | - |--------------------|-------------------------------------| - | Dialect URI | http://wso2.org/pinterest/claims | - | External Claim URI | http://wso2.org/pinterest/claims/id | - | Mapped Local Claim | http://wso2.org/claims/userid | - - Create the claim for Pinterest first name while creating the claim - dialect. - - | | | - |--------------------|----------------------------------------------| - | Dialect URI | http://wso2.org/pinterest/claims | - | External Claim URI | http://wso2.org/pinterest/claims/first\_name | - | Mapped Local Claim | http://wso2.org/claims/givenname | - - Create the claim for Pinterest last name while creating the claim - dialect. - - | | | - |--------------------|---------------------------------------------| - | Dialect URI | http://wso2.org/pinterest/claims | - | External Claim URI | http://wso2.org/pinterest/claims/last\_name | - | Mapped Local Claim | http://wso2.org/claims/lastname | - - Create the claim for Pinterest URL while creating the claim dialect. - - | | | - |--------------------|---------------------------------------| - | Dialect URI | http://wso2.org/pinterest/claims | - | External Claim URI | http://wso2.org/pinterest/claims/ur l | - | Mapped Local Claim | http://wso2.org/claims/url | - - Likewise, you can create the claims for all the public information - of the Pinterest user. - -6. The next step is to configure claims in the Identity Server and map - them to Pinterest. - - !!! note - - For more details on configuring claims for a service provider, - Please refer - [this](https://docs.wso2.com/display/IS540/Configuring+Claims+for+a+Service+Provider) - . - - - - - 1. In the **Identity** section under the **Main** tab, click - **List** under **Identity Providers**. - 2. Click **Edit** to edit the pinterest identity provider you - created. - 3. Under **Claim Configuration**, go to **Basic Claim - Configuration**. - 4. Select the **Define Custom Claim Dialect** option under **Select - Claim mapping Dialect**. 
- 5. Click **Add Claim Mapping** to add custom claim mappings as - follows. - ![](attachments/60096589/61047736.png){height="400"} - 6. Select a suitable **User ID Claim URI** (e.g., - http://wso2.org/pinterest/claims/id ). - 7. Click **Update** to save changes. - -Here, we are mapping claims in the Identity Server and with the claims -of Pinterest. So that once the user is authenticated from the Printrest, -the identity server can obtain the necessary claim values of the -authenticated user from the Pinterest side. These claims can be used by -the service provider for different purposes. - -### Configuring requested claims for travelocity.com - -1. In the **Identity** section under the **Main** tab, click **List** - under **Service Providers**. -2. Click **Edit** to edit the [travelocity.com](http://travelocity.com) - service provider. -3. Go to **Claim Configuration**. -4. Click on **Add Claim URI** under **Requested Claims** to add the - requested claims as follows. Here you should add the claims you - mapped in the Identity Provider claim configuration. - ![](attachments/60096589/72437732.png) - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., - ![](attachments/60096589/60096639.png){height="400"} -2. Click the link to log in with SAML from the WSO2 Identity Server. -3. You are redirected to the Pinterest sign in page. Enter your - Pinterest credentials and click **Log in**. - ![](attachments/60096589/60096640.png){height="400"} -4. Authenticate the user by clicking **Allow access**. -5. You are taken to the home page of the travelocity.com app. - ![](attachments/60096589/60490392.png){height="400"} - - diff --git a/en/docs/develop/configuring-reddit-authenticator.md b/en/docs/develop/configuring-reddit-authenticator.md deleted file mode 100644 index c63a5560ad..0000000000 --- a/en/docs/develop/configuring-reddit-authenticator.md +++ /dev/null 
@@ -1,191 +0,0 @@ -# Configuring Reddit Authenticator - -This page provides instructions on how to configure the Reddit -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -This is tested for the Reddit API version 1.0. Reddit Authenticator is -supported by Identity Server 5.1.0 upwards. - -- [Deploying Reddit - artifacts](#ConfiguringRedditAuthenticator-DeployingRedditartifactsDeployingRedditartifacts) -- [Configuring the Reddit - App](#ConfiguringRedditAuthenticator-ConfiguringtheRedditAppConfiguringtheRedditApp) -- [Deploying travelocity.com sample - app](#ConfiguringRedditAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringRedditAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringRedditAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringRedditAuthenticator-TestingthesampleTestingthesample) - -### Deploying Reddit artifacts - -- Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). - -- Download the Reddit authenticator from - [here](https://store.wso2.com/store/assets/isconnector/details/45092602-8b7b-4f29-9d66-cc5b39990907) - and add it to the - ` /repository/components/dropins ` - directory. - - !!! note - - If you want to upgrade the Reddit Authenticator (.jar) in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Reddit App - -1. Create a reddit account using the URL - [https://www.reddit.com/](https://www.reddit.com/.) and log in. -2. Navigate to https://www.reddit.com/prefs/apps and click are you a - developer?create an app on the top left corner. Example: -3. Create a web app. 
- Use - ` https://localhost:9443/commonauth ` - as the **about url** and **redirect uri** when creating the web - app. - ![](attachments/50520620/51252148.png) -4. Now you can get the clientId and clientSecret of your created app. - ![](attachments/50520620/51252150.png) - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](#ConfiguringRedditAuthenticator-ConfiguringanIdentityProvider) -and [service -provider](#ConfiguringRedditAuthenticator-ConfiguringaServiceProvider). - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by adding a new identity -provider. For more information about the Identity Providers, see -[Configuring an Identity -Provider](http://docs.wso2.com/identity-server/Configuring+an+Identity+Provider) -. - -1. Go to in your browser, and click the HTTPS - trust icon on the address bar (e.g., the padlock next to the URL in - Chrome) to download the certificate. - Based on the  browser the steps to download the certificate changes. - Click valid under Certificate (Chrome) or click Show certificate - (Safari), expand the **Details** section and click the URL under CA - Issuer to download the certificate. - Example: On Chrome - - ![](attachments/50520620/75109985.png) - - !!! note - - This is supported on Firefox and Safari browsers by default but it - is not supported on some Chrome browsers. - - ![](images/icons/grey-arrow-down.png){.expand-control-image} Click - here to know how to enable certificate downloading on Chrome. - - 1. Navigate to . - 2. Click Enable to view the certificates. - ![](attachments/50520620/75109981.png) - 3. Relaunch Chrome. - - -2. Import that certificate into the IS client keystore. 
- ` keytool -importcert -file -keystore /repository/resources/security/client-truststore.jks -alias "Reddit" ` - - The default password of the client-truststore.jks is "wso2carbon". - -3. Run the [WSO2 Identity - Server](https://docs.wso2.com/display/IS530/Running+the+Product). -4. Log in to the [management - console](../../setup/getting-started-with-the-management-console) - as an administrator. -5. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -6. Give a suitable name for **Identity Provider Name**. - ![](attachments/50520620/51252182.png) -7. Navigate to **RedditAuthenticator Configuration** under **Federated - Authenticators**. -8. Enter the values as given in the above figure. - - - **Client Id** : Client Id for your web app. - - **Client Secret** : Client Secret for your web app. - - **Callback URL** : Service Provider's URL where code needs to be - sent . - -9. Select both checkboxes to **Enable** the Reddit authenticator and - make it the **Default**. - -10. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : travelocity.com - - 2. **Assertion Consumer URL** : - http://localhost:8080/travelocity.com/home.jsp - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - - 2. **Enable Single Logout**. - - 3. **Enable Attribute Profile**. - - 4. **Include Attributes in the Response Always**. 
- ![](https://lh6.googleusercontent.com/qsYmfJRbhzqeKB-WHare-nLYmSL3DItCUqx3627JsK8aF0AibTUNO-s4DyG5Zx-bp0wfH-10Ap6dJ2ngKNYBtlgOCHZBSoKqhNbVac0DEWZ49C4Gpej3mzFoQpP2Z6XFP6iYkUCf){width="800" - height="796"} - -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. - -8. Navigate to the **Local and Outbound Authentication Configuration** - section. - -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - ![](attachments/50520620/51252181.png) - -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com ` - . - E.g., http://localhost:8080/travelocity.com - -2. Login with SAML from the WSO2 Identity Server. - - ![](https://lh5.googleusercontent.com/q-O2Xna03g229TP1WsGtz8vzXC8zH1-LHkxdlw-FoYfYLgtvsQEFd8ABiatklW3DYP-CajueLWBVVPwIGLcP9Pvts5iGlzL8ni-S-a-bPrp--IEWJf9AnqzXzY8NSXjnZyn3qF2o) - -3. Enter your Reddit credentials in the prompted login page of Reddit. - Once you log in successfully you will be taken to the home page of - the travelocity.com app. diff --git a/en/docs/develop/configuring-rsa-securid-authenticator.md b/en/docs/develop/configuring-rsa-securid-authenticator.md deleted file mode 100644 index 85acdfdb5b..0000000000 --- a/en/docs/develop/configuring-rsa-securid-authenticator.md +++ /dev/null 
@@ -1,258 +0,0 @@ -# Configuring RSA SecurID Authenticator - -This page provides instructions on how to configure the RSA SecurID -authenticator and the WSO2 Identity Server using a sample app to -demonstrate authentication. You can find more information in the -following sections. - -- [Configuring the RSA Authentication - Manager](#ConfiguringRSASecurIDAuthenticator-ConfiguringtheRSAAuthenticationManager) -- [Configuring the NTP Server on RSA Authentication Manager - operational - console](#ConfiguringRSASecurIDAuthenticator-ConfiguringtheNTPServeronRSAAuthenticationManageroperationalconsole) -- [Adding a user to the internal database of RSA Authentication - Manager](#ConfiguringRSASecurIDAuthenticator-AddingausertotheinternaldatabaseofRSAAuthenticationManager) -- [Importing token - records](#ConfiguringRSASecurIDAuthenticator-Importingtokenrecords) -- [Assigning the token to the - user](#ConfiguringRSASecurIDAuthenticator-Assigningthetokentotheuser) -- [Self-enrollment of users and setting or resetting the - PIN](#ConfiguringRSASecurIDAuthenticator-Self-enrollmentofusersandsettingorresettingthePIN) -- [Configuring the RSA custom - agent](#ConfiguringRSASecurIDAuthenticator-ConfiguringtheRSAcustomagent) -- [Deploying RSA SecurID Authenticator - artifacts](#ConfiguringRSASecurIDAuthenticator-DeployingRSASecurIDAuthenticatorartifacts) -- [Add a claim mapping for RSA user - id](#ConfiguringRSASecurIDAuthenticator-AddaclaimmappingforRSAuserid) -- [Configuring the service - provider](#ConfiguringRSASecurIDAuthenticator-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringRSASecurIDAuthenticator-Testingthesample) - - - -### Configuring the RSA Authentication Manager - -RSA Authentication Manager 8.1 supports a VMware virtual appliance, -Hyper-V virtual appliance, and the hardware appliance. The same -functionality is provided by each type of appliance. 
See [the setup and -configuration guide for RSA Authentication Manager -8.1](https://www.emc.com/collateral/15-min-guide/h12284-am8-setup-config-guide.pdf) -for more information on setting this up. - -Once you complete all the required configurations you can access the -following consoles using the credentials that you provided in the -configuration. - -- Security Console: https://\/sc -- Operational Console: https://\/oc -- Self Service Console: https://\/ssc - -### Configuring the NTP Server on RSA Authentication Manager operational console - -The NTP server is responsible for time. Set up your NTP server for your -region and make sure the time setting is accurate. To set the time, -follow the steps below. - -1. Log in to the RSA Authentication Manager Operational Console - (https://\/oc) with your operation - console credentials. This was set when you performed the RSA - Authentication Manager configurations. -2. Navigate to the **Administration** menu and select **Date and Time** - . -3. Set up your regional NTP server as shown in the following screen, - but do this for your region. - ![](attachments/52528427/56987871.png) - - - -### Adding a user to the internal database of RSA Authentication Manager - -To enroll the user into the RSA Authentication Manager, you must log -into the security console (https://\/oc) -with your security console credentials. See the following video for more -information on how to do this. - -[Video Guide: Add user to the Internal -Database](https://youtu.be/zYG7REyAdmY?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc) - -### Importing token records - -Token records are unique records used to identify each token in RSA. To -activate a token record you must import the token record. See the -following video, which guides you through the steps on how to import the -token records to the RSA Authentication Manager Security Console. 
- -[Video Guide: Import Token -Records](https://youtu.be/zqIRMIxUwXg?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc) - -### Assigning the token to the user - -Once the token records are imported and the users are added, you are -able to assign either software tokens or hardware tokens to the users. -See the following video, which guides you through the process of -assigning a token to the registered user. - -[Video Guide: Assign Tokens to -Users](https://youtu.be/0TF5Jv5av0o?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc) - -### Self-enrollment of users and setting or resetting the PIN - -The RSA Self-service Console provides the option to create/reset the -password for users using their RSA user ID and their tokens. If the -users log in for the first time, they must log in to the RSA -Self-service Console and create a PIN for themselves. - -RSA Self-Service Console URL: -https://\/ssc - -### Configuring the RSA custom agent - -If you are want to configure an RSA Authentication custom agent, you -must generate the RSA Authentication Manager configuration file. See the -following video for instructions on how to generate the configuration -file. - -[Video Guide: Generate the Authentication Manager Configuration -File](https://youtu.be/O09jpBCMwKE?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc&t=54) - -1. Once you have generated the Authentication Manager configuration - file, create a file called rsa.properties and add the following - configurations to it. You must set the paths of each of the required - files in this configuration. 
- - ``` java - RSA_AGENT_HOST= - RSA_CONFIG_READ_INTERVAL=600 - SDCONF_TYPE=FILE - SDCONF_LOC= - SDSTATUS_TYPE=FILE - SDSTATUS_LOC= - SDOPTS_TYPE=FILE - SDOPTS_LOC= - SDNDSCRT_TYPE=FILE - SDNDSCRT_LOC= - RSA_LOG_TO_CONSOLE=NO - RSA_LOG_TO_FILE=YES - RSA_LOG_FILE= - RSA_LOG_LEVEL=INFO - RSA_ENABLE_DEBUG=NO - RSA_DEBUG_TO_CONSOLE=YES - RSA_DEBUG_TO_FILE=NO - RSA_DEBUG_FILE=rsa_api_debug.log - RSA_DEBUG_ENTRY=YES - RSA_DEBUG_EXIT=YES - RSA_DEBUG_FLOW=YES - RSA_DEBUG_NORMAL=YES - RSA_DEBUG_LOCATION=NO - ``` - -2. Set the file path of the rsa.properties file you created in the - ` /repository/conf/identity/application-authentication.xml ` - file as follows. - - ``` xml - - securidauthenticationendpoint/login.jsp - C:\securidConf\rsa.properties - - ``` - -### Deploying RSA SecurID Authenticator artifacts - -The artifacts can be obtained from the store for this authenticator . - -1. P lace the ` securidauthenticationendpoint.war ` - file into the - ` /repository/deployment/server/webapps ` - directory. -2. Place the - [` org.wso2.carbon.extension.identity.authenticator.securid.connector-1.0.1.jar `](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22rsa%22) - file into the - ` /repository/components/ ` - ` dropins ` directory. - - !!! note - - If you want to upgrade the RSA SecurID Authenticator in your - existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -3. Obtain the ` authapi.jar ` and - ` cryptoj.jar ` from RSA or RSA Support, and place - the .jar files in the - ` /repository/components/lib ` directory. - -### Add a claim mapping for RSA user id - -1. Navigate to the **Identity** section under the **Main** tab of the - [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - and click **Add** under the http://wso2.org/claims claims dialect. -2. Add a new claim for RSA user id. 
- ![](attachments/52528427/52757012.png) - -Deploying travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. - -See [deploying travelocity.com sample app](Deploying-the-Sample-App) -for instructions on how to do this. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. In the **Service Providers** - section under the **Main** tab, click **Add**. -2. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. -3. Now set the configuration as follows: - ![](attachments/52528427/57004462.png) - Do the following configurations. - - **Issuer** : travelocity.com - - **Assertion Consumer URL** : - - - - Select the following check-boxes: - - **Enable Response Signing**. - - **Enable Single Logout**. - - **Enable Attribute Profile**. - - **Include Attributes in the Response Always**. - -4. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -5. Go to the **Local and Outbound Authentication Configuration** - section. -6. Select the **Advanced** configuration radio button option. -7. Add the basic authentication as the first step and RSASecurID - authentication as the second step and click **Update** to save the - changes. - -### Testing the sample - -To test the sample you need to add the RSA user ID in the WSO2 Identity -Server claim. - -1. Go to the following URL: - ` http://:/ travelocity.com/index.jsp ` - E.g. - ![](attachments/49092381/49226489.png) -2. Click the link to log in with SAML from WSO2 Identity Server. The - basic authentication page appears. Use your WSO2 Identity Server - credentials to log in. - ![](attachments/52528427/57004469.png){height="250"} -3. If the basic authentication succeeds, you are directed to RSA - SecurID authentication page. 
- ![](attachments/52528427/57004467.png){height="250"} -4. Enter the PIN and TOKEN, where TOKEN is shown in the keyfobs or in - your mobile device RSA applications. - ![](attachments/52528427/52757625.png) -5. If the authentication is successful, you are redirected to the home - page of travelocity.com app - ![](attachments/52528427/52757626.png) - - diff --git a/en/docs/develop/configuring-scim-2.0-provisioning-connector.md b/en/docs/develop/configuring-scim-2.0-provisioning-connector.md deleted file mode 100644 index a58cadb889..0000000000 --- a/en/docs/develop/configuring-scim-2.0-provisioning-connector.md +++ /dev/null 
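Review bot: this hunk removes `configuring-rsa-securid-authenticator.md` outright (`+++ /dev/null`) although the commit subject is "add connector docs"; if the content is being carried over to the new `rsa-securid-authenticator.md` style page, the patch should be a rename with similarity detection so the move is reviewable and history is preserved, and the commit message should say where it went. Two things in the removed text should not be copied across as they are: the `application-authentication.xml` snippet shows only the bare values `securidauthenticationendpoint/login.jsp` and `C:\securidConf\rsa.properties`, so the relocated copy needs the full parameter elements and a platform-neutral placeholder path rather than a Windows-only absolute path; and the `rsa.properties` block lists `SDCONF_LOC=`, `SDNDSCRT_LOC=` and `SDSTATUS_LOC=` with no guidance that these point at agent credential files, so the relocated doc should tell the reader to keep them outside the webapp tree and readable only by the server user. Minor wording to fix on the way: "If you are want to configure" and the unmarked "Deploying travelocity.com sample app" heading that lost its `###`.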
@@ -1,1087 +0,0 @@ -# Configuring SCIM 2.0 Provisioning Connector - -This section provides instructions on how to configure the SCIM 2.0 -connector with WSO2 Identity Server for identity provisioning. - -- [About SCIM - 2.0](#ConfiguringSCIM2.0ProvisioningConnector-AboutSCIM2.0) -- [Deploy SCIM 2.0 connector with - IS](#ConfiguringSCIM2.0ProvisioningConnector-DeploySCIM2.0connectorwithIS) -- [Configure claim - dialects](#ConfiguringSCIM2.0ProvisioningConnector-Configureclaimdialects) -- [Try it out](#ConfiguringSCIM2.0ProvisioningConnector-Tryitout) - - [/Users - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/UsersEndpoint) - - [/Groups - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/GroupsEndpoint) - - [/Me - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/MeEndpoint) - - [/Bulk - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/BulkEndpoint) - - [/ServiceProviderConfig - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/ServiceProviderConfigEndpoint) - - [/ResourceType - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/ResourceTypeEndpoint) - -### About SCIM 2.0 - -The System for Cross-domain Identity Management (SCIM) is a -specification that is designed to manage user identities in cloud-based -applications and services in a standardized way to enable -interoperability, security, and scalability. It is an emerging open -standard which provides RESTful APIs for easier, cheaper, and faster way -for creating, provisioning, and maintaining identities. The latest -version SCIM 2.0 was released as IETF RFC in September 2015. - -### Deploy SCIM 2.0 connector with IS - -!!! tip - - **Note:** SCIM 2.0 is supported by default in WSO2 Identity Server - version 5.4.0. If you are using WSO2 Identity Server 5.4.0 or a later - version, see [SCIM 2.0 REST - APIs](http://docs.wso2.com/identity-server/SCIM+2.0+REST+APIs) for - instructions on how to use SCIM 2.0 OOTB. 
- - -The below instructions provide a step-by-step approach to deploy SCIM -2.0 connector with WSO2 Identity Server: - -1. Download the latest version of WSO2 Identity Server (IS) from - [here](http://wso2.com/identity-and-access-management) and extract - it to a folder. Extracted folder will hereafter be referred to as - \. -2. Download the SCIM 2.0 connector artifacts for WSO2 Identity Server - from - [here](https://store.wso2.com/store/assets/isconnector/details/d3e666a6-c26d-4cd2-ba92-d1b4d9c64a4f) - . - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Expand - to see what the SCIM 2.0 connector artifacts pack includes - - - charon-config.xml - - - claim-config-diff.txt - - - org.wso2.carbon.identity.scim2.common-1.1.1.jar - - - org.wso2.charon3.core-3.0.7.jar - - - README - - - scim2-schema-extension.config - - - scim2.war - -3. From the downloaded artifacts, place the - ` org.wso2.charon.core-3.0.7.jar ` file in the - ` /repository/components/lib ` folder. -4. Place the - ` org.wso2.carbon.identity.scim2.common-1.1.1.jar ` - file in the - ` /repository/components/dropins ` folder. -5. Place the ` scim2.war ` in the - ` /repository/deployment/server/webapps ` - folder. -6. Place the ` charon-config.xml ` in the - ` /repository/conf/identity ` folder. -7. Place the ` scim2-schema-extension.config ` file in - the ` /repository/conf ` folder. -8. Append the following entries to the - ` ` - element of the ` identity.xml ` file found in the - ` /repository/conf/identity ` folder. 
- - ``` java - - /permission/admin/manage/identity/usermgt/create - - - /permission/admin/manage/identity/usermgt/list - - - /permission/admin/manage/identity/rolemgt/create - - - /permission/admin/manage/identity/rolemgt/view - - - /permission/admin/manage/identity/usermgt/view - - - /permission/admin/manage/identity/usermgt/update - - - /permission/admin/manage/identity/usermgt/update - - - /permission/admin/manage/identity/usermgt/delete - - - /permission/admin/manage/identity/rolemgt/view - - - /permission/admin/manage/identity/rolemgt/update - - - /permission/admin/manage/identity/rolemgt/update - - - /permission/admin/manage/identity/rolemgt/delete - - - /permission/admin/login - - - /permission/admin/manage/identity/usermgt/delete - - - /permission/admin/login - - - /permission/admin/login - - - /permission/admin/manage/identity/usermgt/create - - - - - - - - - /permission/admin/manage/identity/usermgt - - - /permission/admin/manage/identity/applicationmgt - - ``` - -9. Disable the SCIM listener with the ` orderId=90 ` - parameter by setting the enable parameter to **false** in the - ` identity.xml ` file found in the - ` /repository/conf/identity ` folder. - Then, add the SCIM2 listener with the - ` orderid=93 ` parameter to the - ` identity.xml ` file and ensure that the enable - parameter is set to **true.** - - ``` java - - - - - - ``` - -10. If you will be using the tenant endpoint, add the following property - within the `   ` - tag of the ` identity.xml ` file found in the - ` /repository/conf/identity ` folder. - - ``` java - /scim2 - ``` - -11. Ensure that the following property is set to **true** to enable SCIM - for the relevant userstore in the - ` user-mgt.xml ` file found in the - ` /repository/conf/ ` folder. - - ``` java - true - ``` - -!!! 
note - - If you want to upgrade the SCIM 2.0 Connector in your existing IS pack, - please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configure claim dialects - -Finally, you need to configure the claim dialects. You can use -**either** method 1 or method 2 for this purpose. - -##### Method 1 - -If you want to configure the connector on a new WSO2 Identity Server -extract, follow the instructions given in the -` claim-config-diff.txt ` file that comes with the -connector artifacts pack. - -##### Method 2 - -If you are configuring the connector on an existing WSO2 Identity -Server, add the claim dialects manually. - -1. Start the WSO2 IS and login to the management console. -2. Navigate to **Claims\>Add** and click **Add Claim Dialect**. Add - the following claim dialects through the WSO2 IS management - console. - For more information on how to add a claim dialect, see [Adding - Claim - Dialects](https://docs.wso2.com/display/IS530/Adding+Claim+Dialects) - . - - urn:ietf:params:scim:schemas:core:2.0 - - urn:ietf:params:scim:schemas:core:2.0:User - - urn:ietf:params:scim:schemas:extension:enterprise:2.0:User -3. Navigate to **Claims\>Add** and click **Add Local Claim**. Add the - following claim: - - **Claim URI:** - - **Display Name:** Resource Type - - **Mapped Attribute(s):** ref -4. Navigate to **Claims\>Add** and click **Add External Claim**. Add - the claims listed in step ii) of the - ` claim-config-diff.txt ` file, which comes with - the connector artifacts pack, to the relevant claim dialect. - For more information on adding a claim mapping through the - management console, see [Adding Claim - Mapping](https://docs.wso2.com/display/IS530/Adding+Claim+Mapping#AddingClaimMapping-Addexternalclaim) - . -5. Ensure that the - ` urn:ietf:params:scim:schemas:core:2.0:User:emails.work ` - is mapped to the claim. - -Execute one of the following commands to start the Identity Server. 
- -- On Windows: ` /bin/wso2server.bat --run ` -- On Linux/Mac OS: ` sh ` - ` /bin/wso2server.sh ` - -After the server has started up successfully, you can query the SCIM 2.0 -REST endpoints. For simplicity, cURL commands are used here to send CRUD -requests to the SCIM 2.0 REST endpoints of WSO2 Identity Server. - -!!! note - - Extending the SCIM API - - If you want to add any custom attributes, you can use the user schema - extension in addition to core user schema. To add attributes with the - user schema extension, do the following: - - 1. Enable the user schema extension by setting the - ` ` property to - **true** in the ` charon-config.xml ` file that - you placed in the - ` /repository/conf/identity ` folder. - - ``` java - true - ``` - - 2. Define the extension by adding attributes in the following format in - the ` scim2-schema-extension.config ` file that - you placed in the ` /repository/conf/ ` - folder. - - ``` java - { - "attributeURI":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:askPassword", - "attributeName":"askPassword", - "dataType":"boolean", - "multiValued":"false", - "description":"Enable password change required notification in the user creation.", - "required":"false", - "caseExact":"false", - "mutability":"readwrite", - "returned":"default", - "uniqueness":"none", - "subAttributes":"null", - "canonicalValues":[], - "referenceTypes":[] - } - ``` - - 3. Add the attribute names of the attributes that you added to the - ` scim2-schema-extension.config ` file as - ` subAttributes ` of the - ` wso2Extension ` attribute as seen in the code - block below. 
- - ``` java - { - "attributeURI":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", - "attributeName":"EnterpriseUser", - "dataType":"complex", - "multiValued":"false", - "description":"Enterprise User", - "required":"false", - "caseExact":"false", - "mutability":"readWrite", - "returned":"default", - "uniqueness":"none", - "subAttributes":"askPassword employeeNumber costCenter organization division department manager", - "canonicalValues":[], - "referenceTypes":["external"] - } - ``` - - 4. Define a new claim dialect for the extension schema with the dialect - URI you used in defining the extension. For more information on how - to do this, see [Adding Claim - Dialects](http://docs.wso2.com/identity-server/Adding+Claim+Dialects) - . - The following code block shows an example of a claim dialect for the - custom attributes given above. - - ``` java - urn:ietf:params:scim:schemas:extension:enterprise:2.0:User - ``` - - 5. Once you add a custom attribute, add a claim mapping for the custom - attribute. - To do this, open the ` claim-config.xml ` file - found in the ` /respository/conf ` - folder, and add the claim with the relevant property values. The - code block below shows an example of a claim mapping. - - ``` java - - urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:askPassword - Ask Password - postOfficeBox - Temporary claim to invoke email ask Password feature - - 1 - - http://wso2.org/claims/identity/askPassword - - ``` - - 6. Next, add the claim mapping in the relevant tenant through the - management console. To do this, login using tenant credentails and - map the claim. - For more information on adding a claim mapping through the - management console, see [Adding Claim - Mapping](https://docs.wso2.com/display/IS530/Adding+Claim+Mapping#AddingClaimMapping-Addexternalclaim) - . 
- - It is recommended to configure through both the management console - and the ` claim-config.xml ` file because the - configuration made in the config file will ensure that this claim is - available for all tenants created in future but it needs to be - mapped in the management console in order to map the claim for - exisiting tenants. - - -### Try it out - -Once you have successfully configured the SCIM 2.0 provisioning -connector with WSO2 Identity Server, you can test any SCIM 2.0 REST call -with WSO2 Identity Server using cURL commands. - -- [/Users - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/UsersEndpoint) -- [/Groups - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/GroupsEndpoint) -- [/Me Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/MeEndpoint) -- [/Bulk - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/BulkEndpoint) -- [/ServiceProviderConfig - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/ServiceProviderConfigEndpoint) -- [/ResourceType - Endpoint](#ConfiguringSCIM2.0ProvisioningConnector-/ResourceTypeEndpoint) - -The default permissions required to access each resource in SCIM 2.0 are -given below. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EndpointHTTP MethodPermission
/scim2/Users
POST
/permission/admin/manage/identity/usermgt/create
/scim2/Users
GET
/permission/admin/manage/identity/usermgt/list
/scim2/Groups
POST
/permission/admin/manage/identity/rolemgt/create
/scim2/Groups
GET
/permission/admin/manage/identity/rolemgt/view
/scim2/Users/(.*)
GET
/permission/admin/manage/identity/usermgt/view
/scim2/Users/(.*)
PUT
/permission/admin/manage/identity/usermgt/update
/scim2/Users/(.*)
PATCH
/permission/admin/manage/identity/usermgt/update
/scim2/Users/(.*)
DELETE
/permission/admin/manage/identity/usermgt/delete
/scim2/Groups/(.*)
GET
/permission/admin/manage/identity/rolemgt/view
/scim2/Groups/(.*)
PUT
/permission/admin/manage/identity/rolemgt/update
/scim2/Groups/(.*)
PATCH
/permission/admin/manage/identity/rolemgt/update
/scim2/Groups/(.*)
DELETE
/permission/admin/manage/identity/rolemgt/delete
/scim2/Me
GET
/permission/admin/login
/scim2/Me
DELETE
/permission/admin/login
/scim2/Me
PUT
/permission/admin/login
/scim2/Me
PATCH
/permission/admin/login
/scim2/Me
POST
/permission/admin/manage/identity/usermgt/create
/scim2/ServiceProviderConfig
all-
/scim2/ResourceType
all-
/scim2/Bulk
all
/permission/admin/manage/identity/usermgt
- -!!! tip - - Tenant mode - - In order to provision resources to a different tenant, change the - authorization header and the URL of the endpoint as seen below and use - the commands given below. - - **authorization header** - - ``` java - --user kim@test.com:kimpass -``` - -**URL** - -``` java -/t/test.com/scim2 -``` - -If you are using a tenant endpoint for invoking, you can use a command -similar to the following ('adding user' as an example) : - -**Request** - -``` java -curl -v -k --user kim@test.com:admin --data '{"schemas":[],"name":{"familyName":"jayawardana","givenName":"vindula"},"userName":"pavinaa","password":"vindula","emails":[{"primary":true,"value":"vindula_home.com","type":"home"},{"value":"vindula_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/t/test.com/scim2/Users -``` - - -#### /Users Endpoint - -The following commands can be used to test the users endpoints. - -**Create** User - -Run the following command to create a user: - -**Request** - -``` java -curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","password":"kimwso2","emails":[{"primary":true,"value":"kim.jackson@gmail.com","type":"home"},{"value":"kim_j@wso2.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users -``` - -**Response** - -``` java -{"emails":[{"type":"home","value":"kim.jackson@gmail.com","primary":true},{"type":"work","value":"kim_j@wso2.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T11:32:36Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"familyName":"jackson","givenName":"kim"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -Get User -Run the following command to retrieve a 
particular user resource using -its unique ID (You will get this ID in the response to the -` create user ` request): - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02 -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T11:32:36Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -Update User - -Run the following command to update the work and home email fields of -the user “kim”: - -**Request** - -``` java -curl -v -k --user admin:admin -X PUT -d '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","emails":[{"value":"kim_j@wso2.com","type":"work"},{"value":"kim.jackson@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02 -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T11:35:29Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -Delete User - -Run the following command to delete the user with the given unique ID: - -**Request** - -``` java -curl -v -k --user admin:admin -X DELETE 
https://localhost:9443/scim2/Users/b228b59d-db19-4064-b637-d33c31209fae -H "Accept: application/json" -``` - -**Response** - -``` java -HTTP/1.1 204 No Content -``` - -** -Patch** User - -The following commands can be used to update a user using the unique ID -of the user. - -**Patch** Add - -Run the following command to add a nickname value to the user with the -given unique ID: - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"shaggy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/92dbbfb8-867f-4fbc-afbf-a2bda12c09b1 -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T12:04:14Z","resourceType":"User"},"nickName":"shaggy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -** -** - -**Patch** Remove - -Run the following command to remove all email addresses from the user: - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"emails"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee -``` - -**Response** - -``` java 
-{"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:43:02Z","resourceType":"User"},"nickName":"shaggy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - - - -Run the following command to remove email addresses where type is equal -to 'home' from the user: - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"emails[type eq home]"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"kim_j@wso2.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:45:19Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - - - -**Patch** Replace - -Run the following command to replace attribute values of the user: - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","value":{"EnterpriseUser":{"employeeNumber":"113","manager":{"value":"Alex"}}},"nickName":"Al"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee -``` - -**Response** - -``` java 
-{"emails":[{"type":"work","value":"kim_j@wso2.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:47:43Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - - - -Run the following command to replace the value of the email addresses -where type is equal to 'work': - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","path":"emails[type eq work].value","value":"kim.info@gmail.com"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -** -** - -**List** User - -Run the following command to retrieve all user resources in the user -store: - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Users -``` - -**Response** - -``` java 
-{"totalResults":2,"startIndex":1,"itemsPerPage":2,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"emails":[{"type":"home","value":"johndoe@gmail.com"}],"meta":{"created":"2017-07-17T11:39:00Z","lastModified":"2017-07-17T11:39:34Z"},"name":{"givenName":"John","familyName":"Doe"},"id":"71f3d46c-1abc-41d0-8fc5-9bf2eaa255df","userName":"John"},{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"}]} -``` - -!!! tip - - **Tip:** Proper use of ‘attributes’ and ‘excludedAttributes’ parameters - with any operation on any endpoint can highly increase the performance. - - **attributes** - - Add attributes to the endpoint as seen below to define which particular - attributes the API should return. - - ``` java - curl -v -k --user admin:admin https://localhost:9443/scim2/Users?attributes=userName,name.familyName,emails.value -``` - -**excluded attributes** - -Add excluded attributes to the endpoint as seen below to define which -particular attributes the API should exclude from the response. - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Users?excludedAttributes=emails,meta -``` - - -** -Filter** User - -Since CRUD operations have to be performed using the SCIM ID that is -unique to the service provider, the Users REST endpoint also supports -the filter operation. 
-Run the following to filter a user using an attribute value: - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Users?filter=userName+Eq+kim -``` - -**Response** - -``` java -{"totalResults":1,"startIndex":1,"itemsPerPage":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"}]} -``` - -#### /Groups Endpoint - -The following commands can be used to test the group endpoints. - -**Create** Group - -Run the following command to create a group: - -**Request** - -``` java -curl -v -k --user admin:admin --data '{"displayName": "engineer","members": [{"value":"316214c0-dd7e-4dc3-bed8-e91227d32597","display": "kim"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups -``` - -**Response** - -``` java -{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z","resourceType":"Group"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} -``` - -** -Get** Group - -Run the following command to retrieve a particular group resource using -its unique ID (You will get this ID in the response to the -` create group ` request): - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Groups/0032fd29-55a9-4fb9-be82-b1c97c073f02 -``` - -**Response** - -``` java 
-{"displayName":"engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} -``` - - -**Update** Group - -Run the following command to update the group: - -**Request** - -``` java -curl -v -k --user admin:admin -X PUT -d '{"displayName": "students","members":[{"value":"d96f4b29-1e29-4986-9ed5-ff61ab506748","display":"sam"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/0d97ab74-0b1f-4c10-80f9-457bf0e0f2aa -``` - -**Response** - -``` java -{"displayName":"PRIMARY/Students","meta":{"created":"2017-10-09T14:49:22Z","location":"https://localhost:9443/scim2/Groups/0959900d-cdba-4f3c-9020-5db5860ac86d","lastModified":"2017-10-09T14:56:32Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"sam","value":"4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}],"id":"0959900d-cdba-4f3c-9020-5db5860ac86d"} -``` - - -**Delete** Group - -Run the following command to delete the group using its unique ID: - -**Request** - -``` java -curl -v -k --user admin:admin -X DELETE https://localhost:9443/scim2/Groups/484cdc26-9136-427b-ad9e-96ea3082e1f5 -H "Accept: application/json" -``` - -**Response** - -``` java -HTTP/1.1 204 No Content -``` - - - -**Patch** Group - -The following commands can be used to update a group using the unique ID -of the group. - -**Patch** Add - -Run the following command to add a new member to the group. 
- -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"members":[{"display": "sam","$ref":"https://localhost:9443/scim2/Users/4b3e60d5-e0c3-4dd6-aaa2-3976096e029b","value": "4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}]}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc -``` - -**Response** - -``` java -{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T15:22:07Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"},{"display":"sam","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","$ref":"https://localhost:9443/scim2/Users/4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} -``` - -** -Patch** Remove - -Run the following command to remove a member of the group: - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"members[display eq kim]"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc -``` - -**Response** - -``` java -{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T22:57:57Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"sam","value":"4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} -``` - -** -Patch** Replace - -Run the following command to replace a member of the group with another -member: - -**Request** - -``` java -curl -v -k --user admin:admin -X PATCH 
-d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","path":"members[display eq sam]","value":{"value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","display":"kim"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc -``` - -**Response** - -``` java -{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T22:59:51Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} -``` - -** -List** Group - -Run the following command to retrieve a all group resources in the user -store. - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Groups -``` - -**Response** - -``` java -{"totalResults":1,"startIndex":1,"itemsPerPage":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z"},"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}]} -``` - -!!! tip - - **Tip:** Proper use of ‘attributes’ and ‘excludedAttributes’ parameters - with any operation on any endpoint can highly increase the performance. - - **attributes** - - Add attributes to the endpoint as seen below to define which particular - attributes the API should return. - - ``` java - curl -v -k --user admin:admin https://localhost:9443/scim2/Groups?attributes=displayName -``` - -**excluded attributes** - -Add excluded attributes to the endpoint as seen below to define which -particular attributes the API should exclude from the response. 
** -** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Groups?excludedAttributes=members -``` - - -** -** - -**Filter** Group - -Since CRUD operations have to be performed using the SCIM ID that is -unique to the service provider, the Groups REST endpoint also supports -the filter operation. -Run the following to filter a group using an attribute value: - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/Groups?filter=displayName+Eq+engineer -``` - -**Response** - -``` java -{"totalResults":1,"startIndex":1,"itemsPerPage":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z"},"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}]} -``` - - - -#### /Me Endpoint - -The following commands can be used to test the /Me endpoint. 
- -**Get** Me - -Run the following command to retrieve the user that is currently -authenticated: - -**Request** - -``` java -curl -v -k --user kim:kimwso2 https://localhost:9443/scim2/Me -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"groups":[{"display":"engineer","value":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}],"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -** -Create** Me - -Run the following command to register a user anonymously. - -**Request** - -``` java -curl -v -k --data '{"schemas":[],"name":{"familyName":"Johnson","givenName":"Alex"},"userName":"alex","password":"alexwso2","emails":[{"primary":true,"value":"alex.j@gmail.com","type":"home"},{"value":"alex_j@wso2.com","type":"work"}],"EnterpriseUser":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me -``` - -**Response** - -``` java -{"emails":[{"type":"home","value":"alex.j@gmail.com","primary":true},{"type":"work","value":"alex_j@wso2.com"}],"meta":{"created":"2017-10-09T23:05:35Z","location":"https://localhost:9443/scim2/Users/7f2e12fd-7e8e-466f-bde5-d6e4fd45285b","lastModified":"2017-10-09T23:05:35Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"familyName":"Johnson","givenName":"Alex"},"id":"7f2e12fd-7e8e-466f-bde5-d6e4fd45285b","userName":"alex"} -``` - -** -Update** 
Me - -Run the following command to update the user that is currently -authenticated: - -**Request** - -``` java -curl -v -k --user kim:kimwso2 -X PUT -d '{"schemas":[],"name":{"familyName":"Jackson","givenName":"Kim"},"userName":"kim","emails":[{"primary":true,"value":"jacksonk@gmail.com","type":"home"},{"value":"jackson_k@wso2.com","type":"work"}],"EnterpriseUser":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me -``` - -**Response** - -``` java -{"emails":[{"type":"work","value":"jackson_k@wso2.com"},{"type":"home","value":"jacksonk@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T23:09:06Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"givenName":"Kim","familyName":"Jackson"},"groups":[{"display":"engineer","value":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}],"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - - - -**Patch** Me -Run the following command to update the user that is currently -authenticated using a particular attribute: - -**Request** - -``` java -curl -v -k --user kim:kimwso2 -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"kimmy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me -``` - -**Response** - -``` java 
-{"emails":[{"type":"work","value":"jackson_k@wso2.com"},{"type":"home","value":"jacksonk@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T23:11:04Z","resourceType":"User"},"nickName":"kimmy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"givenName":"Kim","familyName":"Jackson"},"groups":[{"display":"engineer","value":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}],"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} -``` - -#### /Bulk Endpoint - -Run the following command to create multiple users via one SCIM request: - -**Request** - -``` java -curl -v -k --user admin:admin --data '{"failOnErrors":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],"Operations":[{"method": "POST","path": "/Users","bulkId": "qwerty","data":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName": "Kris","password":"krispass"}},{"method": "POST","path": "/Users","bulkId":"ytrewq","data":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"Jesse","password":"jessepass","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber": "11250","manager": {"value": "bulkId:qwerty"}}}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Bulk -``` - -**Response** - -``` java -{"schemas":["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],"Operations":[{"bulkId":"qwerty","method":"POST","location":"https://localhost:9443/scim2/Users/e9c0cec1-924c-47d6-82d5-82ed11ad7c68","status":{"code":201}},{"bulkId":"ytrewq","method":"POST","location":"https://localhost:9443/scim2/Users/59de8734-e56f-4e17-84b3-8d3a8c005248","status":{"code":201}}]} -``` - - - -#### /ServiceProviderConfig Endpoint 
- -**Get** Config - -Run the following command to retrieve the service provider's -configuration details: - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/ServiceProviderConfig -``` - -**Response** - -``` java -{"patch":{"supported":true},"filter":{"maxResults":200,"supported":true},"documentationUri":"http://example.com/help/scim.html","authenticationSchemes":[{"name":"OAuth Bearer Token","description":"Authentication scheme using the OAuth Bearer Token Standard","specURI":"http://www.rfc-editor.org/info/rfc6750","type":"oauthbearertoken","primary":true},{"name":"HTTP Basic","description":"Authentication scheme using the HTTP Basic Standard","specURI":"http://www.rfc-editor.org/info/rfc2617","type":"httpbasic","primary":false}],"schemas":["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],"etag":{"supported":false},"sort":{"supported":false},"bulk":{"maxPayloadSize":1048576,"maxOperations":1000,"supported":true},"changePassword":{"supported":false}} -``` - -#### /ResourceType Endpoint - -**Get** Resource Types - -Run the following command to retrieve metadata about a resource type: - -**Request** - -``` java -curl -v -k --user admin:admin https://localhost:9443/scim2/ResourceType -``` - -**Response** - -``` java -{"schemas":["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],"resourceType":[{"schema":"urn:ietf:params:scim:schemas:core:2.0:User","endpoint":"/Users","meta":{"location":"https://localhost:9443/scim2/ResourceType/User","resourceType":"ResourceType"},"name":"User","description":"User Account","schemaExtensions":{"schema":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User","required":false},"id":"User"},{"schema":"urn:ietf:params:scim:schemas:core:2.0:Group","endpoint":"/Groups","meta":{"location":"https://localhost:9443/scim2/ResourceType/Group","resourceType":"ResourceType"},"name":"Group","description":"Group","id":"Group"}]} -``` 
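Review bot: The Patch Add sample response in this deleted SCIM Groups section is internally inconsistent: the added member is shown as `{"display":"sam","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","$ref":"https://localhost:9443/scim2/Users/4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}`, which pairs kim's id with sam's `$ref`, while the request and the later Patch Remove response use `4b3e60d5-...` for sam. If this content is being moved to a new page rather than dropped, regenerate that response against a live server. In the relocated copy also fix 'retrieve a all group resources' to 'retrieve all group resources', state for the 'Create Me' example (which sends no credentials at all) whether anonymous self-registration on /Me is enabled by default and how to turn it off, and add a one-line caveat that the `-k` flag and `admin:admin` in every cURL are for the default self-signed certificate and default credentials only.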
diff --git a/en/docs/develop/configuring-symantec-vip-authenticator.md b/en/docs/develop/configuring-symantec-vip-authenticator.md deleted file mode 100644 index 8579161198..0000000000 --- a/en/docs/develop/configuring-symantec-vip-authenticator.md +++ /dev/null 
@@ -1,194 +0,0 @@ -# Configuring Symantec VIP Authenticator - -This topic provides instructions on how to configure the Symantec -VIP and the Identity Server to integrate using a sample app. See the -following sections for more information. - -- [Deploying Symantec VIP - artifacts](#ConfiguringSymantecVIPAuthenticator-DeployingVIPartifactsDeployingSymantecVIPartifacts) -- [Configuring the Symantec - VIP provider](#ConfiguringSymantecVIPAuthenticator-ConfiguringtheVIPproviderConfiguringtheSymantecVIPprovider) -- [Deploying travelocity.com - sample](#ConfiguringSymantecVIPAuthenticator-Deployingtravelocity.comsampleDeployingtravelocity.comsample) -- [Configuring the identity - provider](#ConfiguringSymantecVIPAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringSymantecVIPAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Configuring User - Claim](#ConfiguringSymantecVIPAuthenticator-ConfiguringUserClaimConfiguringUserClaim) -- [Testing the - sample](#ConfiguringSymantecVIPAuthenticator-TestingthesampleTestingthesample) - -### Deploying Symantec VIP artifacts - -1. Place the authentication endpoint war file - (semanticvipauthenticationendpoint.war) into the - ` /repository/deployment/server/webapps ` - directory. -2. Place the authenticator .jar file - (org.wso2.carbon.extension.identity.authenticator.semanticvip.connector-1.0.0.jar) - into the - ` /repository/components/dropins ` - directory. - -### Configuring the Symantec VIP provider - -This topic helps you to enable the VIP credential at VIP Manager and -setup the plaform. After enabling the credential, you can use that **VIP -Credential ID** to go with WSO2 Identity Server's Symantic VIP -Authenticator.. - -1. Navigate to - and - create a trial account (this may take few days to get approval). -2. 
Download the **VIP Access** for - [Desktop](https://idprotect.vip.symantec.com/desktop/download.v) or - [Mobile](https://m.vip.symantec.com/home.v). -3. Once the account gets approved, navigate to - and log into VIP - Manager (use the security code generated from **VIP Access** ). -4. Click on 'Credentials' tab and search the Credential by the ID (the - Credential ID appears in **VIP Access** ). Enable the credential - by selecting the option **Enable Credential** under the **Credential - Status**. - ![](attachments/50510041/50686885.png) -5. Navigate to **Accounts** tab and click on **Manage VIP - Certificates** from tabs pane in right side of the page. -6. Click on **Request a Certificate** and then hit **Continue**. -7. Enter the certificate name for the certificate and hit **Submit - Request**. -8. Select the format as **PKCS\#12** and give a valid password finally - hit **Download Certificate**. Place this certificate in a location - and use the path in the **Identity Provider** configuration. - ![](attachments/50510041/50686887.png) -9. In the properties file placed in resources folder, you can configure - the Endpoint URL, Namespace URI and API version. - - ` vipURL ` = - - - ` vipURI ` = - - - ` Version ` =2.0 - -### Deploying travelocity.com sample - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding a [identity -provider](https://docs.wso2.com/display/IS500/Working+with+the+Identity+Provider) -and [service -provider](https://docs.wso2.com/display/IS500/Working+with+the+Service+Provider) -. - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. 
Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity** section under the **Main** tab of the management - console, click **Add** under **Identity Providers**. -4. Give a suitable name as the **Identity Provider Name**. -5. Go to Symantec VIP Configuration under Federated Authenticators. - -6. Enter the P12File and P12Password. - - ![](attachments/50510041/50686886.png) - -7. Select both checkboxes to Enable Symantec VIP Authenticator and make - it Default. - -8. Click Register . - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the Identity section under the Main tab, click Add under Service - Providers . - -3. Enter travelocity.com in the Service Provider Name text box and - click Register . - -4. In the Inbound Authentication Configuration section, click Configure - under the SAML2 Web SSO Configuration section. - - ![](attachments/50510041/50686888.png) - -5. Now set the configuration as follows: - - 1. Issuer : travelocity.com - - 2. Assertion Consumer URL : - - -6. Select the following check-boxes: - 1. Enable Response Signing - - 2. Enable Single Logout - - 3. Enable Attribute Profile - - 4. Include Attributes in the Response Always - -7. Click Update to save the changes. Now you will be sent back to the - Service Providers page. - -8. Go to Local and Outbound Authentication Configuration section. - -9. Select the Advanced configuration radio button option . - -10. 
Add the basic authentication as first step and Symantec VIP - authentication as second step - ![](attachments/50510041/50686889.png) - -You have now added and configured the service provider. - -### Configuring User Claim - -1. Go to Claims under IS Management Console. -2. Select Add New Claim. -3. Add new claim VIP Credential ID (Change Claim URI as ( - ). - - ![](attachments/50510041/50686891.png) -4. Now go to **Users and Roles**. -5. Enter the **VIP Credential ID** and update the profile. - ![](attachments/50510041/50686892.png) - -### Testing the sample - -1. To  test the sample, go to the following URL: - [http://localhost:8080/travelocity.com - ](http://localhost:8080/travelocity.com) - - [![](attachments/50510041/50686890.jpeg) ](http://localhost:8080/travelocity.com) - -2. Click the link to log in with SAML from WSO2 Identity Server. - -3. Basic authentication page will be visible, use your IS username and - password. - ![](attachments/50510041/50686894.png) - -4. You will be asked to enter the **Security Code**.Type the Security - Code generated in **VIP Access**, If the authentication success, - you will be taken to the home page of the travelocity.com app. - - ![](attachments/50510041/50686895.png) - - ![](attachments/50510041/50686896.png) - - - - diff --git a/en/docs/develop/configuring-totp-authenticator.md b/en/docs/develop/configuring-totp-authenticator.md index a1e425592b..f05a98add8 100644 --- a/en/docs/develop/configuring-totp-authenticator.md +++ b/en/docs/develop/configuring-totp-authenticator.md 
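Review bot: In the deleted configuring-symantec-vip-authenticator.md above, the artifact names read `semanticvipauthenticationendpoint.war` and `org.wso2.carbon.extension.identity.authenticator.semanticvip.connector-1.0.0.jar` ('semantic' rather than 'symantec'); if the page is being relocated, confirm those names against the published artifacts before copying them. Step 9 lists `vipURL` and `vipURI` with no values visible in this hunk, and step 8 tells the reader to download a PKCS#12 with its password and 'place this certificate in a location' without saying the file must be readable only by the server process; that P12 and the `P12Password` entered in step 6 are what authenticate the Identity Server to VIP, so the new copy should say so. The 'Symantic VIP Authenticator..' spelling and double period should also go.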
@@ -1,47 +1,43 @@ # Configuring TOTP Authenticator +The TOTP authenticator allows you to authenticate a user using +Time-Based One Time Password (TOTP) through WSO2 Identity Server. It +uses the TOTP specification to calculate the access tokens based on the +time and the shared secret key between the user and the identity +provider. + +TOTP is a temporary passcode, generated by an algorithm, for use in +authenticating access to computer systems. The algorithm that generates +each password uses the current time of day as one of its factors, +ensuring that each password is unique. + +!!! note + For more information about TOTP specification, click + [here](https://tools.ietf.org/html/rfc6238). + This topic provides instructions on how to configure the TOTP authenticator and the Identity Server to integrate using a sample app. See the following sections for more information. -TOTP Authenticator is supported with WSO2 Identity Server versions -5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0 and 5.6.0. - -- [Configuring user - claims](#ConfiguringTOTPAuthenticator-ConfiguringUserClaimsConfiguringuserclaims) -- [Deploying TOTP - artifacts](#ConfiguringTOTPAuthenticator-DeployingTOTPartifactsDeployingTOTPartifacts) -- [Deploying travelocity.com sample - app](#ConfiguringTOTPAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringTOTPAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the Identity Server to send - email](#ConfiguringTOTPAuthenticator-ConfiguringIdentityServertosendemailConfiguringtheIdentityServertosendemail) -- [Configuring the service - provider](#ConfiguringTOTPAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringTOTPAuthenticator-TestingthesampleTestingthesample) -- [Refreshing the secret - key](#ConfiguringTOTPAuthenticator-RefreshingtheSecretKeyRefreshingthesecretkey) +!!! 
info + TOTP Authenticator is supported with WSO2 Identity Server versions + 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0 and 5.6.0. ### Configuring user claims 1. Download the WSO2 Identity Server from [here](http://wso2.com/products/identity-server/) and - [run it](https://docs.wso2.com/identity-server/Running+the+Product) + [run it](../../setup/running-the-product) . 2. Sign in to the [Management - Console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) + Console](../../setup/getting-started-with-the-management-console) by entering your username and password. 3. In the **Main** menu, click **Add** under **Claims**. 4. Click [Add Local - Claim](https://docs.wso2.com/identity-server/Adding+Claim+Mapping). + Claim](../../learn/adding-claim-mapping). This displays the **Add Local Claim** screen. !!! note - - Note - If you are using WSO2 Identity Server version 5.1.0 or 5.2.0, click **Add New Claim.** This displays the **Add New Claim** screen. On the **Add New Claim** screen, select @@ -59,14 +55,11 @@ TOTP Authenticator is supported with WSO2 Identity Server versions | Mapped Attribute | State or province name | | Supported by Default | selected | - ![](attachments/50502913/75106756.png) + ![](../../assets/img/50502913/75106756.png) ### Deploying TOTP artifacts !!! note - - Note - If you are using WSO2 Identity Server 5.6.0, you can skip steps 1 to 3 in the following section because ` totpauthenticationendpoint.war ` and @@ -76,11 +69,9 @@ TOTP Authenticator is supported with WSO2 Identity Server versions 1. Download the required TOTP artifacts from [WSO2 - Store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22totp%22) - . + Store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22totp%22). !!! note - If you are using WSO2 Identity Server version 5.5.0 or older, follow the steps below to manually add the ` commons-codec_1.4.0.wso2v1.jar ` file to WSO2 
@@ -107,12 +98,10 @@ TOTP Authenticator is supported with WSO2 Identity Server versions directory. !!! note - If you want to upgrade the TOTP Authenticator that is available in your existing WSO2 Identity Server distribution, see the [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) + instructions.](../../develop/upgrading-an-authenticator) - 4. Add the following configuration ` /repository/conf/identity/application-authentication.xml ` file under the \< ` AuthenticatorConfigs ` \> @@ -154,13 +143,14 @@ TOTP Authenticator is supported with WSO2 Identity Server versions usecase

This field can take one of the following values: local , association , userAttribute , subjectUri . If you do not specify any usecase , the default value is local .

- !!! tip -

If you have chosen userAttribute as the usecase, add the following parmeter to specify the user attribute.

- +
+

Tip

+

If you have chosen userAttribute as the usecase, add the following parmeter to specify the user attribute.

+ +
@@ -246,7 +236,6 @@ TOTP Authenticator is supported with WSO2 Identity Server versions Server 5.3.0. !!! note - This step must be done since the user\_profile that is shipped with the WSO2 Identity Server does not support TOTP out-of-the-box. Due to some changes in the Identity Server framework for each product @@ -256,11 +245,11 @@ TOTP Authenticator is supported with WSO2 Identity Server versions WSO2 Identity Server has corresponding user\_profile required out-of-the-box. - - Comment the ` ` - module from the - ` /repository/conf/axis2/axis2.xml ` - file. + !!! info + Comment the ` ` + module from the + ` /repository/conf/axis2/axis2.xml ` + file. 7. If you use the secondary user store, enter all the user store values for the particular tenant as comma separated values. Make this 
@@ -270,35 +259,33 @@ TOTP Authenticator is supported with WSO2 Identity Server versions . For example, ` jdbc, abc, xyz ` . +!!! info + The user store configuration is maintained per tenant: -The user store configuration is maintained per tenant: - -- If you use a **super tenant,** put all the above parameter values - (mentioned in step 4) into the - ` /repository/conf/identity/application-authentication.xml ` - file under the ` AuthenticatorConfigs ` - section. + - If you use a **super tenant,** put all the above parameter values + (mentioned in step 4) into the + ` /repository/conf/identity/application-authentication.xml ` + file under the ` AuthenticatorConfigs ` + section. - - -- If you use a **tenant**, upload the same XML file ( - ` application-authentication.xml ` ) into a - specific registry location ( - ` /_system/governance/totp) ` . Create the - collection named ` totp `, add the resource - and upload the - ` application-authentication.xml ` file into - the registry). While doing the authentication, first it checks - whether there is an XML file uploaded to the registry. If that is - so, it reads it from the registry but does not take the local file. - If there is no file in the registry, then it only takes the property - values from the local file. This is how the user store configuration - is maintained per tenant. You can use the registry or local file to - get the property values. + - If you use a **tenant**, upload the same XML file ( + ` application-authentication.xml ` ) into a + specific registry location ( + ` /_system/governance/totp) ` . Create the + collection named ` totp `, add the resource + and upload the + ` application-authentication.xml ` file into + the registry). While doing the authentication, first it checks + whether there is an XML file uploaded to the registry. If that is + so, it reads it from the registry but does not take the local file. 
+ If there is no file in the registry, then it only takes the property + values from the local file. This is how the user store configuration + is maintained per tenant. You can use the registry or local file to + get the property values. ### Deploying travelocity.com sample app -The next step is to [deploy the sample app](Deploying-the-Sample-App) +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) in order to use it in this scenario. Once this is done, the next step is to configure the WSO2 Identity 
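Review bot: In the `@@ -1,47 +1,43 @@` hunk of configuring-totp-authenticator.md, the added intro says TOTP is used 'to calculate the access tokens'; TOTP (RFC 6238) produces short-lived one-time passwords, not access tokens, so write 'one-time passwords (codes)' to avoid confusion with the OAuth tokens described elsewhere in the product docs. The next added paragraph's 'ensuring that each password is unique' overstates it as well: the code changes with each time step and depends on the shared secret, it is not guaranteed unique. In the `@@ -270,35 +259,33 @@` hunk, the text moved into the info box still carries the stray parenthesis in `/_system/governance/totp)` and says the registry copy of application-authentication.xml takes precedence over the local file without stating which role may write to that registry path; whoever can write there controls the authenticator parameters for the tenant, so name the required permission.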
@@ -308,69 +295,68 @@ Server by configuring resident identity provider and service provider. Now you have to configure WSO2 Identity Server. -1. [Restart](https://docs.wso2.com/identity-server/Running+the+Product) +1. [Restart](../../setup/running-the-product) WSO2 Identity Server. 2. Log in to the [management - console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) + console](../../setup/getting-started-with-the-management-console) as an administrator. 3. Login to the [end user - dashboard](https://docs.wso2.com/identity-server/Using+the+End+User+Dashboard) + dashboard](../../learn/using-the-end-user-dashboard) and go to **My Profile** by clicking **View details**. - ![](attachments/50502913/50680097.png) + ![](../../assets/img/50502913/50680097.png) 4. Update your email address (this email address is used to send the token). 5. To enable TOTP, select the **Enable TOTP** checkbox. - ![](attachments/50502913/68687830.png) + ![](../../assets/img/50502913/68687830.png) 6. If you want to use the Google Authenticator Application to generate the one-time passwords (tokens), click on **Scan QR Code** to scan the QR-Code using the Google Authenticator mobile app. You have now configured TOTP. -Obtaining the QR code without using the end user dashboard +!!! info "Obtaining the QR code without using the end user dashboard" + If you need to obtain the QR code without using the end user dashboard, + you can call an Admin Service that does this. The following is the Admin + Service used to obtain the QR code. -If you need to obtain the QR code without using the end user dashboard, -you can call an Admin Service that does this. The following is the Admin -Service used to obtain the QR code. - -``` java -https://localhost:9443/services/TOTPAdminService?wsdl -``` + ``` java + https://localhost:9443/services/TOTPAdminService?wsdl + ``` -The QR code URL can be retrieved using the -` initTOTP ` method in the -` TOTPAdminService ` . 
+ The QR code URL can be retrieved using the + ` initTOTP ` method in the + ` TOTPAdminService ` . -The following is a sample cURL command that invokes the -TOTPAdminService. + The following is a sample cURL command that invokes the + TOTPAdminService. -``` java -curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/initTOTP -k -d 'username=testuser@carbon.super' -``` + ``` java + curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/initTOTP -k -d 'username=testuser@carbon.super' + ``` -The following is a sample response that is obtained. + The following is a sample response that is obtained. -``` java -b3RwYXV0aDovL3RvdHAvY2FyYm9uLnN1cGVyOmR1c2hhbmk/c2VjcmV0PUJGR0RFUllPU1ZSR0s3 -TE0maXNzdWVyPWNhcmJvbi5zdXBlcg== - -``` + ``` java + b3RwYXV0aDovL3RvdHAvY2FyYm9uLnN1cGVyOmR1c2hhbmk/c2VjcmV0PUJGR0RFUllPU1ZSR0s3 + TE0maXNzdWVyPWNhcmJvbi5zdXBlcg== + + ``` -The Secret Key can be retrieved using the retrieveSecretKeymethod in the -` TOTPAdminService ` . + The Secret Key can be retrieved using the retrieveSecretKeymethod in the + ` TOTPAdminService ` . -The following is a sample cURL command that invokes the -TOTPAdminService. + The following is a sample cURL command that invokes the + TOTPAdminService. -``` java -curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/retrieveSecretKey -k -d 'username=testuser@carbon.super' -``` + ``` java + curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/retrieveSecretKey -k -d 'username=testuser@carbon.super' + ``` -The following is a sample response that is obtained. 
+ The following is a sample response that is obtained. -``` java -4AAC2HEG7COGHQYI -``` + ``` java + 4AAC2HEG7COGHQYI + ``` ### Configuring the Identity Server to send email @@ -455,7 +441,7 @@ The next step is to configure the service provider. 3. **Enable Attribute Profile**. 4. **Include Attributes in the Response Always**. - ![](attachments/50502913/50680092.png) + ![](../../assets/img/50502913/50680092.png) 8. Click **Update** to save the changes. Now you are sent back to the **Service Providers** page. @@ -508,7 +494,7 @@ The next step is to configure the service provider. association -

Federated username must be associated with the local account in advance in the Dashboard. So local username is retrieved from the association.To associate the user, Login to the end user dashboard and go to Associated Account by clicking View details .

+

Federated username must be associated with the local account in advance in the Dashboard. So local username is retrieved from the association.To associate the user, Login to the end user dashboard and go to Associated Account by clicking View details .

userAttribute @@ -576,10 +562,9 @@ The next step is to configure the service provider. ``` !!! tip - - **Tip** : This is done to configure multi-factor authentication. See + This is done to configure multi-factor authentication. See [Multi-factor - Authentication](https://docs.wso2.com/identity-server/Multi-factor+Authentication+using+FIDO) + Authentication](../../learn/multi-factor-authentication-using-fido) for more information. 
@@ -594,28 +579,29 @@ You have now added and configured the service provider. ](http://localhost:8080/travelocity.com) 2. Click the link to log in with SAML from the WSO2 Identity Server. - ![](attachments/50502913/50680094.png) + ![](../../assets/img/50502913/50680094.png) 3. The basic authentication page is visible. Use your username and password to log in. - ![](attachments/50502913/57737748.png) + ![](../../assets/img/50502913/57737748.png) 4. If the TOTP is not enabled toin the user's profile and the user is allowed to enable the TOTP in the authentication flow, this page will appear. You can scan either continue or cancel. - ![](attachments/50502913/68688464.png) + ![](../../assets/img/50502913/68688464.png) 5. If you want to enrolthe user, click on the link to show the QR code. Scan the displayed QR code using the mobile application and - continue. ![](attachments/50502913/68688462.png) + continue. + ![](../../assets/img/50502913/68688462.png) 6. You are redirected to the TOTP authentication page. Enter the verification code from your Google Authenticator Mobile Application to authenticate. Alternatively, you can generate the verification code by clicking on **Get a Verification Code** " and use the code that is sent to your email address. - ![](attachments/50502913/68687856.png) + ![](../../assets/img/50502913/68687856.png) 7. If your verification is successful, you are taken to the home page of the travelocity.com app. - ![](attachments/50502913/50680172.png) + ![](../../assets/img/50502913/50680172.png) ### Refreshing the secret key @@ -623,4 +609,4 @@ You can refresh the secret key by selecting the **Refresh Secret Key** checkbox in the dashboard. However, you must re-scan the QR code to sync the new secret key with your Google Authenticator mobile app. -![](attachments/50502913/57737750.png) +![](../../assets/img/50502913/57737750.png) \ No newline at end of file 
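Review bot: In the `@@ -308,69 +295,68 @@` hunk, the sample `initTOTP` response re-indented into the info box does not match its request: the base64 decodes to `otpauth://totp/carbon.super:dushani?secret=BFGDERYOSVRGK7LM&issuer=carbon.super`, while the cURL asks for `username=testuser@carbon.super`; regenerate both samples for one user. The same box keeps 'retrieveSecretKeymethod' (missing space before 'method'), and since `retrieveSecretKey` returns the raw TOTP seed (`4AAC2HEG7COGHQYI`) and `Authorization:Basic YWRtaW46YWRtaW4=` is just admin:admin, the box should say that this admin service exposes the user's shared secret and must stay restricted to administrators rather than be exposed as a general API. In the `@@ -594,28 +579,29 @@` hunk, the touched context lines still read 'not enabled toin the user's profile', 'You can scan either continue or cancel' and 'enrolthe user'; fix them to 'not enabled in', 'You can either continue or cancel' and 'enrol the user' while these lines are being changed.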
diff --git a/en/docs/develop/configuring-twitter-authenticator.md b/en/docs/develop/configuring-twitter-authenticator.md deleted file mode 100644 index 126a9ba7de..0000000000 --- a/en/docs/develop/configuring-twitter-authenticator.md +++ /dev/null 
@@ -1,205 +0,0 @@ -# Configuring Twitter Authenticator - -This page provides instructions on how to configure the Twitter -authenticator and Identity Server using a sample app. You can find more -information in the following sections. - -This is tested with the Twitter API version 1.1 which uses OAuth 1.0a. -Twitter Authenticator is supported by Identity Server 5.1.0 upwards. - -- [Deploying Twitter - artifacts](#ConfiguringTwitterAuthenticator-DeployingTwitterartifactsDeployingTwitterartifacts) -- [Configuring the Twitter - App](#ConfiguringTwitterAuthenticator-ConfiguringtheTwitterAppConfiguringtheTwitterApp) -- [Deploying travelocity.com sample - app](#ConfiguringTwitterAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringTwitterAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringTwitterAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringTwitterAuthenticator-TestingthesampleTestingthesample) - -### Deploying Twitter artifacts - -- Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/). - -- Place the Twitter authenticator .jar file ( - ` org.wso2.carbon.extension.identity.authenticator.twitter.connector-X.X.X.jar ` - ) into the - ` /repository/components/dropins ` - directory. This can be downloaded from [the WSO2 - Store](https://store.wso2.com/store/assets/isconnector/details/51bc4245-9c97-4839-9e3c-c177b20145ee) - . - - !!! note - - If you want to upgrade the Twitter Authenticator in your existing IS - pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Twitter App - -1. Create an account at and log in. -2. Navigate to https://apps.twitter.com/ and click **Create New App**. 
- - - Provide an application name and description. - - For this tutorial, enter ` https:// ` - ` 127.0.0.1 ` as the website URL. It is - used as a placeholder since application used for the tutorial is - not publicly available. - - Give the **Callback URL** as - ` https://:9443/commonauth ` - . For example: - ` https://apps.customhost.com:9443/commonauth ` - . - - Note - - If the Identity Server is running on your local machine, add an - entry as mentioned below and use this host name (here - ` apps.customhost.com ` - ) in your twitter callback url. - - ` 127.0.0.1       apps.customhost.com ` - - - Click **Create your Twitter application**. - - ![](attachments/50515587/75109897.png) - - !!! note - - **Callback URL** is the URL to which the browser should be - redirected after the authentication is successful. It should have - this format: - ` https://(host-name):(port)/acs ` - . Here ACS URL (Assertion Consumer URL) is the endpoint in WSO2 - Identity Server which accepts the response sent by Google. - - -3. After creating the app, go to the **Keys and Access Tokens** tab to - get the **API Key** and **API Secret**. These are the **Consumer - Key** and **Consumer Secret** values shown. - Example: - ![](attachments/50515587/75109896.png) - -### Deploying travelocity.com sample app - -The next step is to [deploy the sample app](Deploying-the-Sample-App) -in order to use it in this scenario. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](#ConfiguringTwitterAuthenticator-Configuringtheidentityprovider) -and [service -provider](#ConfiguringTwitterAuthenticator-Configuringtheserviceprovider) -. - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by adding a new identity -provider. For more information about the Identity Providers, see -[Configuring an Identity -Provider](http://docs.wso2.com/identity-server/Configuring+an+Identity+Provider) -. - -1. 
[Run the WSO2 Identity - Server](https://docs.wso2.com/display/IS510/Running+the+Product). - -2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. -4. Give a suitable name for **Identity Provider Name**. Expand - **Federated Authenticators** and expand ****TwitterAuthenticator - Configuration****. - ![](attachments/50515587/51249933.png) - Enter the values as given when you [created the twitter - application](#ConfiguringTwitterAuthenticator-twitter-app). - - - Select both checkboxes to ****Enable** the Twitter - authenticator** and make it the Default. ** - ** - - **API Key** : Consumer Key for your app. - - **API Secret** : Consumer Secret for your app. - - **Callback URL** : Service Provider's URL where code needs to be - sent (e.g., https://apps.customhost.com:9443/commonauth ) - -5. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - -5. Now set the configuration as follows: - - 1. **Issuer** : ` travelocity.com ` - - 2. **Assertion Consumer URL** : - ` http://localhost:8080/travelocity.com/home.jsp ` - Click A **dd** to add the assertion consumer URL. - - 3. Select the following check-boxes: - - - - 1. - **Enable Response Signing**. - - - **Enable Single Logout**. - - - **Enable Attribute Profile**. - - - **Include Attributes in the Response Always**. - -6. 
Click **Register** to save the changes. Now you will be sent back to - the **Service Providers** page. - -7. Navigate to the **Local and Outbound Authentication Configuration** - section. - -8. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - - ![](attachments/50515587/51249934.png) - -9. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., http://localhost:8080/travelocity.com - -2. Click the option available to log in with SAML from the WSO2 - Identity Server. - - ![](attachments/50515587/80723423.png) - - You are navigated to the Twitter application. Enter the username and - password of your Twitter account to log in. - Example: - ![](attachments/50515587/75109949.png) - -3. Once the authentication is complete, you will be taken to the home - page of the travelocity.com app. - Example: - ![](attachments/50515587/75109950.png) diff --git a/en/docs/develop/configuring-wordpress-authenticator.md b/en/docs/develop/configuring-wordpress-authenticator.md deleted file mode 100644 index 2bb96149be..0000000000 --- a/en/docs/develop/configuring-wordpress-authenticator.md +++ /dev/null 
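Review bot: this hunk deletes configuring-twitter-authenticator.md outright; confirm the content has been carried into the corresponding twitter-authenticator.md (the header of this patch shows the same merge for the other configuring-* pages) and that the removed page's known mistakes are not copied over verbatim: the callback note says the URL should have the format `https://(host-name):(port)/acs` and that the endpoint "accepts the response sent by Google", while both the Twitter app step and the identity provider step use `https://apps.customhost.com:9443/commonauth`, so the `/acs` format and the Google reference read as copy-paste remnants from another authenticator page. If anything links to the old path, a redirect or updated inbound links will avoid dead links.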
@@ -1,197 +0,0 @@ -# Configuring Wordpress Authenticator - -The Wordpress authenticator allows you to authenticate users using -Wordpress through the WSO2 Identity Server. This page provides -instructions on how to configure the Wordpress authenticator and the -WSO2 Identity Server for logging into a sample app. - -You can find more information in the following sections. - -This is tested for the Wordpress API version 1.0. Wordpress -Authenticator is supported by Identity Server 5.1.0 upwards. - -- [Configuring the Wordpress - App](#ConfiguringWordpressAuthenticator-ConfiguringtheWordpressApp) -- [Deploying travelocity.com sample - app](#ConfiguringWordpressAuthenticator-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringWordpressAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringWordpressAuthenticator-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringWordpressAuthenticator-Testingthesample) - -### Configuring the Wordpress App - -1. Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the - .jar(org.wso2.carbon.identity.authenticator.wordpress) file from the - [wso2 - store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Wordpress%22) - . - - !!! note - - If you want to upgrade the Wordpress Authenticator in your existing - IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -2. Navigate to and log in. - - !!! note - - **Note** : You can either use your Wordpress developer account - credentials or your own Google account credentials to log in. - - -3. Click **Create New Application**. - - ![](attachments/49092145/76747300.png) - -4. Enter the following details in the window that appears. 
- - **Name** - TestApp - - **Description** - Application for testing purposes - - **Website URL** - https://localhost:9443/commonauth - - **Redirect URLs** - https://localhost:9443/commonauth - - **Javascript Origins** - - - **Type** - web client - - !!! tip - - Make sure to answer the mathematical question that is asked - (e.g., What is 5+2 ?). - - -5. Click **Create**. - Now you have finished configuring Wordpress so copy the **Client - ID** and **Client Secret** for use in the Identity Server. - ![](attachments/49092145/49226414.png) - -### Deploying travelocity.com sample app - -The next step is to deploy the travelocity.com sample app in order to -use it in this scenario. - -To configure this, see [deploying travelocity.com sample -app](Deploying-the-Sample-App). - -### Configuring the identity provider - -Now you must configure the WSO2 Identity Server by [adding a new -identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. - ![](attachments/49092145/76747356.png) -4. Enter the following details for the Identity Provider. - - - **Identity Provider Name** - WordpressIdP - - **Alias** - - - ![](attachments/49092145/76747375.png) - -5. Go to **Wordpress Configuration** under **Federated Authenticators** - and enter the required details. - - !!! tip - - Make sure to enter the client Id, client secret, and callback URL - based on the [wordpress application that you - created](#ConfiguringWordpressAuthenticator-clientsecret). 
- - - | Field | Description | Sample value | - |---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------| - | Enable | Selecting this option enables Wordpress to be used as an authenticator for users provisioned to the Identity Server. | Selected | - | Default | Selecting the Default checkbox signifies that Wordpress is the main/default form of authentication. This removes the selection made for any other default check-boxes for other authenticators. | Selected | - | Client Id | This is the username from the Wordpress application. | 56002 | - | Client Secret | This is the password from the Wordpress application. Click the **Show** button to view the value you enter. | LxLvRoWplkvva4WMdOWAxrcghOVlxrH8RHJ96XWlXVaZi6pZDgXsvPhLHhzGqeCF | - | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have the following format: ` https://(host-name):(port)/acs ` | | - -6. Click **Register**. - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. -2. In the **Service Providers** section under the **Main** tab, click - **Add**. -3. Since you are using travelocity as the sample, enter travelocity.com - in the **Service Provider Name** text box and click **Register**. -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - - ![](https://lh6.googleusercontent.com/qsYmfJRbhzqeKB_WHare-nLYmSL3DItCUqx3627JsK8aF0AibTUNO-s4DyG5Zx_bp0wfH_10Ap6dJ2ngKNYBtlgOCHZBSoKqhNbVac0DEWZ49C4Gpej3mzFoQpP2Z6XFP6iYkUCf) -5. Now set the configuration as follows: - 1. **Issuer** : travelocity.com - 2. 
**Assertion Consumer URL** : - -6. Select the following check-boxes: - 1. **Enable Response Signing**. - 2. **Enable Single Logout**. - 3. **Enable Attribute Profile**. - 4. **Include Attributes in the Response Always**. -7. Click **Update** to save the changes. Now you will be sent back to - the **Service Providers** page. -8. Go to the **Local and Outbound Authentication Configuration** - section. -9. Select the identity provider you created from the dropdown list - under **Federated Authentication**. - - ![](attachments/49092145/49226418.png) -10. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/travelocity.com/index.jsp ` - . E.g., [http://localhost:8080/travelocity.com - - ](http://localhost:8080/travelocity.com) - ![](attachments/49092145/49226416.png) -2. Click the link to log in with SAML from WSO2 Identity Server. -3. You are redirected to the Wordpress login page. Enter your Wordpress - credentials. - - ![](attachments/49092145/49226419.png) -4. Click **Log In** to authenticate the user. - - ![](attachments/49092145/49226420.png) -5. You will be taken to the home page of the travelocity.com app. - ![](attachments/49092145/49226421.png) - - - -3847 - -3877 - -1251 - -514 - -515 - -964 - -1574 - -1785 - -1788 diff --git a/en/docs/develop/configuring-yammer-authenticator.md b/en/docs/develop/configuring-yammer-authenticator.md deleted file mode 100644 index eeca4f5a3f..0000000000 --- a/en/docs/develop/configuring-yammer-authenticator.md +++ /dev/null 
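Review bot: if the deleted Wordpress page is being merged into wordpress-authenticator.md, the identity provider table needs correcting before it moves: `Client Id` is described as "the username from the Wordpress application" and `Client Secret` as "the password", which misdescribes OAuth client credentials, and the `Callback URL` row gives the format `https://(host-name):(port)/acs` while the app registration step above uses `https://localhost:9443/commonauth`. The sample `Client Secret` value in that table also reads as a real secret rather than a placeholder; a value such as `<client-secret>` is safer in published docs. The trailing run of bare numbers (3847, 3877, 1251, and so on) at the end of the deleted file is leftover debris and should not be carried over.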
@@ -1,177 +0,0 @@ -# Configuring Yammer Authenticator - -This page provides instructions on how to configure the Yammer -authenticator and WSO2 Identity Server using a sample app. You can find -more information in the following sections. - -This is tested for the Yammer API version 1.0. Yammer Authenticator is -supported by Identity Server 5.1.0 upwards . - -- [Deploying Yammer - artifacts](#ConfiguringYammerAuthenticator-DeployingYammerartifactsDeployingYammerartifacts) -- [Configuring the Yammer - App](#ConfiguringYammerAuthenticator-ConfiguringtheYammerAppConfiguringtheYammerApp) -- [Deploying travelocity.com sample - app](#ConfiguringYammerAuthenticator-Deployingtravelocity.comsampleappDeployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringYammerAuthenticator-ConfiguringtheidentityproviderConfiguringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringYammerAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -- [Testing the - sample](#ConfiguringYammerAuthenticator-TestingthesampleTestingthesample) - -### Deploying Yammer artifacts - -1. Place the authenticator .jar file into the - ` /repository/components/dropins ` - directory. You can download the - .jar(org.wso2.carbon.identity.authenticator.yammer) file from the - [WSO2 - Store](https://store.wso2.com/store/assets/isconnector/details/0e1f0ba7-c4dc-4826-afa7-ba3adef00e7b) - . - - !!! note - - If you want to upgrade the Yammer Authenticator in your existing - WSO2 Identity Server pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) - - -### Configuring the Yammer App - -1. Log in to [Yammer](https://www.yammer.com/wso2.com/?show_login=true) - using your account credentials. -2. Register a new application in - . - ![](attachments/48290733/48220784.png) -3. Fill in the form provided to add your application. 
- ![](attachments/48290733/48220783.png) - Fill in the following required fields and click **Continue** : - - **Application name** : The name of your application - - **Organization** : The organization that the app represents. - - **Support e-mail** : The email address used to communicate with - the app. - - **Website** : The website represented by the app. - - **Redirect URI** : Use - ` https://localhost:9443/commonauth ` - as the **Redirect URI** when you register the app. This is an - important step. -4. Obtain the ` Client ID ` and the - ` Client Secret ` that were generated for your - application via the App Dashboard. - ![](attachments/48290733/76747751.png) - - -### Deploying [travelocity.com](http://travelocity.com) sample app - -Next, [deploy the sample app](Deploying-the-Sample-App) in order to -use it in this scenario. - -Once this is done, configure the WSO2 Identity Server by adding an -[identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -and [service -provider](https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider) -. - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. - -1. Download the WSO2 Identity Server from - [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). -2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. -3. In the **Identity Providers** section under the **Main** tab of the - management console, click **Add**. - 1. Give a suitable name for **Identity Provider Name**. - ![](attachments/48290733/76747696.png) -4. Next, navigate to the **Federated Authenticators \> Yammer - Configuration**. - - 1. Select the **Enable** and **Default** checkboxes. 
This will - enable the Yammer authenticator and make it the default Identity - provider. - - 2. Enter the following values and click **Register**. - -| Field | Description | Sample Value | -|-------------------|-------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| -| **Client ID** | This is the ` client ID ` that wasgenerated for the application you registered via Yammer. | ` sGdyjvdPadOTAvYc7SZOg ` | -| **Client Secret** | This is the ` client secret ` that wasgenerated for the application you registered via Yammer. | ` AV0acZHX1fPhJdk5VhTdCW6utt0hP7FHxOb72Gznqo ` | -| **Callback URL** | This is the service provider's URL to which the code is sent to. | ` https://localhost:9443/commonauth ` | - -![](attachments/48290733/76747701.png) - -You have now added the identity provider. - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the management console. - -2. In the **Service Providers** section, click **Add** under the - **Main** tab. - -3. Since you are using travelocity as the sample, enter - ` travelocity.com ` - in the **Service Provider Name** text box and click **Register**. - - 1. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - - 2. Now set the configurations as follows: - - - **Issuer** : [travelocity.com](http://travelocity.com) - - - **Assertion Consumer URL** : - - - 3. Select the following check-boxes: - - - Enable Response Signing - - - Enable Single Logout - - - Enable Attribute Profile - - - Include Attributes in the Response Always - - 4. Click **Register** to save the changes. - - ![](attachments/48290733/103332432.png){height="250"} - - 5. Now you will be sent back to the **Service Providers** page. - - 1. 
Navigate to the **Local and Outbound Authentication - Configuration** section. - - 2. Select the identity provider you created from the dropdown - list under **Federated Authentication**. - - 3. Ensure that the **Federated Authentication** radio button is - selected and click **Update** to save the changes. - -You have now added and configured the service provider. - -### Testing the sample - -1. To test the sample, go to the following URL: - ` http://:/ travelocity.com/index.jsp ` - E.g., - -2. Click “Login with SAML” to log in with SAML from the WSO2 Identity - Server. - - ![](attachments/48290733/76747730.png){height="250"} - -3. Enter your Yammer credentials in the prompted login page to login. - Once you log in successfully you will be taken to the home page of - the [travelocity.com](http://travelocity.com) app. - - ![](attachments/48290733/76747748.png) diff --git a/en/docs/develop/creating-a-third-party-authenticator-or-connector-and-publishing-in-wso2-store.md b/en/docs/develop/creating-a-third-party-authenticator-or-connector-and-publishing-in-wso2-store.md index bc808e46f1..1c81e8900d 100644 --- a/en/docs/develop/creating-a-third-party-authenticator-or-connector-and-publishing-in-wso2-store.md +++ b/en/docs/develop/creating-a-third-party-authenticator-or-connector-and-publishing-in-wso2-store.md 
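Review bot: same concern as for the Wordpress page: if this Yammer content is being moved into a yammer-authenticator.md, replace the sample `Client ID` and `Client Secret` values in the Federated Authenticators table (`sGdyjvdPadOTAvYc7SZOg` and `AV0acZHX1fPhJdk5VhTdCW6utt0hP7FHxOb72Gznqo`) with obvious placeholders, since they read as real credentials, and fix "wasgenerated" in both description cells. The login link `https://www.yammer.com/wso2.com/?show_login=true` is specific to the wso2.com Yammer network and should be the generic login URL, and step 2 ("Register a new application in .") and the test URL in the Testing section ("E.g., ") are missing their link targets.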
@@ -27,20 +27,20 @@ connectors in [WSO2 Store](https://store.wso2.com/store). ``` - !!! note - If maven version is 2.x.x, use the following command in the directory - where you want to create the connector on your local machine: - ``` - mvn - archetype:generate -DarchetypeGroupId=org.wso2.carbon.extension.archetype - -DarchetypeArtifactId= - [org.wso2.carbon.extension.is](http://org.wso2.carbon.extension.is/) - .authenticator-archetype -DarchetypeVersion=2.0.4 - -DgroupId=org.wso2.carbon.extension.identity.authenticator - -DartifactId=org.wso2.carbon.extension.identity.authenticator.\ - -Dversion=1.0.0 -DarchetypeRepository= - ``` - When prompted, enter a name for the connector. Specify the name in upper camel case, such as `HelloWorld`. Type `y` to confirm. + !!! note + If maven version is 2.x.x, use the following command in the directory + where you want to create the connector on your local machine: + ``` + mvn + archetype:generate -DarchetypeGroupId=org.wso2.carbon.extension.archetype + -DarchetypeArtifactId= + [org.wso2.carbon.extension.is](http://org.wso2.carbon.extension.is/) + .authenticator-archetype -DarchetypeVersion=2.0.4 + -DgroupId=org.wso2.carbon.extension.identity.authenticator + -DartifactId=org.wso2.carbon.extension.identity.authenticator.\ + -Dversion=1.0.0 -DarchetypeRepository= + ``` + When prompted, enter a name for the connector. Specify the name in upper camel case, such as `HelloWorld`. Type `y` to confirm. - @@ -56,7 +56,6 @@ connectors in [WSO2 Store](https://store.wso2.com/store). ``` !!! note - If maven version is 2.x.x, use the following command in the directory where you want to create the connector on your local machine: ``` 
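Review bot: the first hunk here (@@ -27,20 +27,20) only re-indents the Maven 2.x note, but the command inside the fence is still not usable as shown: `-DarchetypeArtifactId=` is split across lines with a Markdown link `[org.wso2.carbon.extension.is](http://org.wso2.carbon.extension.is/)` in the middle of a code block (it renders literally there), the `-DartifactId` value ends in a stray `\` where the connector name presumably goes, and `-DarchetypeRepository=` has no value. Suggest writing the artifact id as one token, `-DarchetypeArtifactId=org.wso2.carbon.extension.is.authenticator-archetype`, and either filling in the repository URL or dropping the empty parameter.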
@@ -86,15 +85,13 @@ can be used in the connector store. - 580x300 - 220x200 -### **Publishing the connector** +### Publishing the connector When the connector development is complete, create a -[JIRA](https://wso2.org/jira/browse/ISCONNECT) under the **IS -Connectors** project with the following information: +[JIRA](https://wso2.org/jira/browse/ISCONNECT) under the **IS Connectors** project with the following information: - Source code can be directly attached to the JIRA or do the development in your own git repo. -- Once we review the code we will create a repo under [https://github.com/wso2-extensions](https://github.com/ wso2-extensions), and ask you to send the - pull request. +- Once we review the code we will create a repo under [https://github.com/wso2-extensions](https://github.com/wso2-extensions), and ask you to send the pull request. - If GPL or LGPL licensed connectors are used, specify reasons for the use of such libraries. \ No newline at end of file diff --git a/en/docs/develop/dropbox-authenticator.md b/en/docs/develop/dropbox-authenticator.md index acd8e338ac..d846fcef06 100644 --- a/en/docs/develop/dropbox-authenticator.md +++ b/en/docs/develop/dropbox-authenticator.md 
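Review bot: in the Publishing hunk (@@ -86,15 +85,13) the file still ends with `\ No newline at end of file`, and the reflowed list item "Source code can be directly attached to the JIRA or do the development in your own git repo" is ungrammatical; since the list is being reflowed anyway, suggest "Attach the source code to the JIRA or develop it in your own git repository." Removing the space from `https://github.com/ wso2-extensions` is a good fix.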
@@ -4,22 +4,137 @@ The Dropbox authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Dropbox users to log in to your organization’s applications. -![](attachments/49091438/76746194.png) +![](../../assets/img/49091438/76746194.png) -### Getting started +!!! info + To download the authenticator, go to + [https://store.wso2.com/store/assets/isconnector/Dropbox](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22dropbox%22). -To get started with the authenticator, see [Configuring Dropbox -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Dropbox+Authenticator) -for information and configuration steps. Once you have completed your -configurations, you can authenticate users using the Dropbox -authenticator. To download the authenticator, go to -[https://store.wso2.com/store/assets/isconnector/Dropbox](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22dropbox%22) +# Configuring Dropbox Authenticator + +This page provides instructions on how to configure the Dropbox +authenticator and the WSO2 Identity Server to log in to a sample app. +You can find more information in the following sections. + +!!! info + This is tested for the Dropbox API version 1.0. Dropbox Authenticator is + supported by WSO2 Identity Server versions 5.1.0, 5.2.0 and 5.3.0. + +### Configuring the Dropbox App + +1. Place the authenticator .jar file into the + ` /repository/components/dropins ` + directory. You can download the + .jar(org.wso2.carbon.identity.authenticator.dropbox) file from the + [wso2 + store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22dropbox%22). + + !!! note + If you want to upgrade the Dropbox Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +2. Navigate to and create a + new app. You must create or have a Dropbox account for this. 
+ + ![](../../assets/img/49091441/75106368.png) + +3. Enter the name of your new app and click **Create App**. +4. Specify the redirect URI as in + the window that appears. +5. Now you have finished configuring Dropbox. Copy the **App key** and + **App Secret** from the above page. + +### Deploying travelocity.com sample app + +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +To configure this, see [deploying travelocity.com sample +app](../../develop/deploying-the-sample-app). + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) . - +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +4. Give a suitable name for **Identity Provider Name**. + ![](../../assets/img/49091441/75106398.png) +5. Go to **Dropbox Configuration** under **Federated Authenticators**. +6. Enter the values as given in the above figure. + + | Field | Description | Sample Value | + |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| + | Enable | Selecting this option enables Dropbox to be used as an authenticator for users provisioned to WSO2 Identity Server. | Selected | + | Default | Selecting the **Default** checkbox specifies Dropbox as the main/default form of authentication. If selected, any other authenticators that have been selected as **Default** will be unselected by WSO2 IS. 
| Selected | + | Cliend Id | The app key from the Dropbox application. | owqfgrlhowmgypa | + | Client Secret | The app secret from the Dropbox application. Click the **Show** button to see the value. | lmcbrqwb14algwy\| | + | Callback URL | The URL to which the browser should be redirected to after the authentication is successful. Follow this format: https://(host-name):(port)/acs . | | + +7. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. +2. In the **Service Providers** section under the **Main** tab, click + **Add**. +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + + ![](../../assets/img/49091441/49224550.png) + +5. Now set the configuration as follows: + 1. Issuer: travelocity.com + 2. Assertion Consumer URL: + +6. Select the following check-boxes: + 1. Enable Response Signing. + 2. Enable Single Logout. + 3. Enable Attribute Profile. + 4. Include Attributes in the Response Always. +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +8. Go to the **Local and Outbound Authentication Configuration** + section. +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + + ![](../../assets/img/49091441/49224551.png) + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, navigate to the following URL: + ` http://:/travelocity.com/index.jsp `. E.g., -3505 + ![](../../assets/img/49091441/49224552.png) -3846 +2. 
Click the link to log in with SAML from the WSO2 Identity Server. +3. You are redirected to the Dropbox login page. Enter your Dropbox + credentials. + + ![](../../assets/img/49091441/49224553.png) + +4. You are then taken to the home page of the travelocity.com app. + ![](../../assets/img/49091441/49224554.png) -1256 diff --git a/en/docs/develop/configuring-duo-security-authenticator.md b/en/docs/develop/duo-security-authenticator.md similarity index 71% rename from en/docs/develop/configuring-duo-security-authenticator.md rename to en/docs/develop/duo-security-authenticator.md index c3d1d66b0f..b8410f0339 100644 --- a/en/docs/develop/configuring-duo-security-authenticator.md +++ b/en/docs/develop/duo-security-authenticator.md 
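Review bot: several of the added lines in this Dropbox hunk (@@ -4,22 +4,137) ship defects: the table row `Cliend Id` is a typo for `Client Id`; the sample `Client Secret` cell `lmcbrqwb14algwy\|` carries an escaped pipe that will render as part of the value; the `Callback URL` row gives the format `https://(host-name):(port)/acs` whereas the other authenticator pages in this patch register `https://localhost:9443/commonauth`; and step 2 ("Navigate to and create a new app") and step 4 ("Specify the redirect URI as in the window that appears") are missing their link target and value. The added `# Configuring Dropbox Authenticator` also introduces a second top-level heading partway down a page that already opens with its own title, so a `##` would fit the merged layout better. Dropping the stray `-3505`, `-3846` and `-1256` lines is a good cleanup.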
@@ -1,71 +1,73 @@ # Configuring Duo Security Authenticator +The Duo Security authenticator allows you to authenticate a user using +Duo Security through WSO2 Identity Server . The Duo Security +provisioning connector enables you to provision users using Duo +Security. Duo Security provides security beyond passwords. + This topic provides instructions on how to configure the Duo Security app and the Identity Server. A sample app is used to demonstrate this integration. See the following sections for more information. -This is tested for the Duo Security API version V2. +!!! info + You must have the [Duo Security + Android](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en) + or [iOS + application](https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8) + installed on your mobile device to use this authenticator and + connector. + Download the  provisioning connector, authenticator and artifacts from + [the + store](https://store.wso2.com/store/assets/isconnector/details/ef24e15b-8a53-4b8d-898e-108a04dc8f73). -See the following sections for more information. +!!! info + This is tested for the Duo Security API version V2. -- [Configuring the Duo Security - app](#ConfiguringDuoSecurityAuthenticator-ConfiguringtheDuoSecurityapp) -- [Deploying Duo Security - artifacts](#ConfiguringDuoSecurityAuthenticator-DeployingDuoSecurityartifacts) -- [Deploying travelocity.com sample - app](#ConfiguringDuoSecurityAuthenticator-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringDuoSecurityAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringDuoSecurityAuthenticator-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringDuoSecurityAuthenticator-Testingthesample) +See the following sections for more information. ### Configuring the Duo Security app 1. Go to and click free signup and register. 2. Log in to Duo Security. 
Click **Applications** from the left panel and then click the **Protect an Application** button. - ![](attachments/51486739/51451210.png) + ![](../../assets/img/51486739/51451210.png) 3. In the **Protect an Application** page, select **Auth API** from the list. **Auth API** credentials are **mandatory .** - ![](attachments/51486739/51451211.png) + ![](../../assets/img/51486739/51451211.png) + 4. Once the integration is created, you are given a **Secret key** and an **Integration key** for your integration. You can use these along with your Duo host when accessing Duo Security APIs. - ![](attachments/51486739/53284889.png) + ![](../../assets/img/51486739/53284889.png) 5. You can also configure the **Admin API** credentials if you need to validate the mobile numbers. When you verify the mobile number, use only these credentials. Navigate back to the **Protect an Application** page and select **Admin API** from the list. Once the Integration is created, you are given a **Secret key** and an **Integration key** for your integration. - ![](attachments/51486739/51451212.png) + ![](../../assets/img/51486739/51451212.png) - !!! warning - - **Important** : If you can not see the type “Admin API” in the + !!! warning "Important" + If you can not see the type “Admin API” in the dropdown, contact the Duo team through and ask for Admin API permission. - When configuring the Admin API, select the **Grant read resource** permission. - ![](attachments/51486739/66617570.png) + ![](../../assets/img/51486739/66617570.png) !!! tip - - **Tip** : This step is mandatory if you need to verify the user's + This step is mandatory if you need to verify the user's mobile number in the user store with the mobile number in Duo Security. This is configured in step 4 of [Deploying Duo Security - artifacts](#ConfiguringDuoSecurityAuthenticator-DeployingDuoSecurityartifacts) + artifacts](#duo-security-artifacts) . 
### Deploying Duo Security artifacts To download the authenticator and artifacts, go to [the WSO2 -store](https://store.wso2.com/store/assets/isconnector/list?q=%22-default%22%3A%22duo%22) +store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22duo%22) . 1. Place the ` duoauthenticationendpoint.war ` @@ -79,26 +81,22 @@ store](https://store.wso2.com/store/assets/isconnector/list?q=%22-default%22%3A% directory. !!! note - If you want to upgrade the Duo Authenticator in your existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) + instructions.](../../develop/upgrading-an-authenticator) -3. Place the - ` okio-1.9.0.jar ` - into the +3. Place the [okio-1.9.0.jar](https://github.com/square/okio/tree/okio-parent-1.9.0#download) into the ` /repository/components/lib ` directory. !!! tip - You may have done this step already if you configured the [Duo Security Provisioning - Connector](../../develop/duo-security-provisioning-connector). If + Connector](../../develop/configuring-duo-security-provisioning-connector). If so, you can skip this step. - + 4. Optionally, to verify the user store user's mobile number with the same user's mobile number in Duo Security, add the following to the ` /repository/conf/identity/application-authentication.xml ` 
@@ -112,17 +110,12 @@ store](https://store.wso2.com/store/assets/isconnector/list?q=%22-default%22%3A% ``` !!! tip + Duo Security mainly uses Mobile Phone two-factor authentication to ensure secure login. - **Tip** : Duo Security mainly uses Mobile Phone two-factor - authentication to ensure secure login. - - - **Important** : When you update the mobile claim in user profile, use +!!! warning "Important" + When you update the mobile claim in user profile, use the same format of mobile number with country code as you registered in - the DUO site. (i.e +9477\*\*\*\*\*\*\*) - - - + the DUO site. (i.e +9477\*\*\*\*\*\*\*) ### Deploying travelocity.com sample app 
@@ -130,25 +123,25 @@ The next step is to deploy the travelocity.com sample app in order to use it in this scenario. To do this, see the topic on [deploying the travelocity.com sample -app](Deploying-the-Sample-App). +app](../../develop/deploying-the-sample-app). ### Configuring the identity provider Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) +provider](../../learn/adding-and-configuring-an-identity-provider) . 1. Download the WSO2 Identity Server from [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). + it](../../setup/running-the-product). 2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) + console](../../setup/getting-started-with-the-management-console) as an administrator. 3. In the **Identity** section under the **Main** tab of the management console, click **Add** under **Identity Providers**. 4. Give a suitable name as the **Identity Provider Name**. 5. Go to **Duo Configuration** under **Federated Authenticators**. - ![](attachments/51486739/51451222.png) + ![](../../assets/img/51486739/51451222.png) 6. Enter the values for **Integration Key**, **Secret Key**, **Admin Integration Key**, **Admin Secret Key** ( Admin Integration Key and Admin Secret Key are optional) and **Host**, as indicated in @@ -173,7 +166,7 @@ The next step is to configure the service provider. 4. In the **Inbound Authentication Configuration** section, click **Configure** under the **SAML2 Web SSO Configuration** section. - ![](attachments/48283197/48220892.png) + ![](../../assets/img/48283197/48220892.png) 5. Now do the following configurations. 
@@ -190,17 +183,17 @@ The next step is to configure the service provider. 3. **Enable Attribute Profile**. 4. **Include Attributes in the Response Always**. - ![](attachments/51486739/51451223.png) + ![](../../assets/img/51486739/51451223.png) 7. Click **Update** to save the changes. Now you will be sent back to the **Service Providers** page. 8. Go to **Local and Outbound Authentication Configuration** section. 9. Select the **Advanced Configuration** radio button option. - ![](attachments/51486739/51451225.png) + ![](../../assets/img/51486739/51451225.png) 10. Add the basic authentication as the first step and Duo authentication as the second step and click **Update** to save the changes. - ![](attachments/51486739/51451226.png) + ![](../../assets/img/51486739/51451226.png) You have now added and configured the service provider. @@ -211,13 +204,13 @@ You have now added and configured the service provider. E.g: 2. Click the link to log in with SAML from WSO2 Identity Server. - ![](attachments/48283197/48220894.png) + ![](../../assets/img/48283197/48220894.png) 3. The basic authentication page appears. Log in using your username and password. - ![](attachments/51486739/51451227.png) + ![](../../assets/img/51486739/51451227.png) 4. You are directed to the Duo Security authentication page. - ![](attachments/51486739/53284890.png) + ![](../../assets/img/51486739/53284890.png) 5. If your verification is successful, you are taken to the home page of the travelocity.com app. - ![](attachments/51486739/53284894.png) + ![](../../assets/img/51486739/53284894.png) diff --git a/en/docs/develop/configuring-duo-security-provisioning-connector.md b/en/docs/develop/duo-security-provisioning-connector.md similarity index 68% rename from en/docs/develop/configuring-duo-security-provisioning-connector.md rename to en/docs/develop/duo-security-provisioning-connector.md index 97180cb8f2..974fa3dc20 100644 --- a/en/docs/develop/configuring-duo-security-provisioning-connector.md 
+++ b/en/docs/develop/duo-security-provisioning-connector.md @@ -1,23 +1,28 @@ # Configuring Duo Security Provisioning Connector +The Duo security provisioning connector and the authenticator work +together as a pair. First, create the user using the Duo Security +provisioning connector and then authenticate the user you created, using +the Duo Security authenticator. + This topic provides instructions on how to configure the Duo app and how to provision the users from WSO2 Identity Server. See the following sections for more information. -This is tested for the Duo Security API version V2. - -- [Configuring the Duo Security - app](#ConfiguringDuoSecurityProvisioningConnector-ConfiguringtheDuoSecurityapp) -- [Configuring user - claim](#ConfiguringDuoSecurityProvisioningConnector-Configuringuserclaim) -- [Deploying - Duo artifacts](#ConfiguringDuoSecurityProvisioningConnector-DeployingDuoartifacts) -- [Configuring the identity - provider](#ConfiguringDuoSecurityProvisioningConnector-Configuringtheidentityprovider) -- [Configuring the resident service - provider](#ConfiguringDuoSecurityProvisioningConnector-Configuringtheresidentserviceprovider) -- [Testing the provisioning - connector](#ConfiguringDuoSecurityProvisioningConnector-Testingtheprovisioningconnector) +!!! info + You must have the [Duo Security + Android](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en) + or [iOS + application](https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8) + installed on your mobile device to use this authenticator and + connector. + Download the  provisioning connector, authenticator and artifacts from + [the + store](https://store.wso2.com/store/assets/isconnector/details/ef24e15b-8a53-4b8d-898e-108a04dc8f73) + . + +!!! info + This is tested for the Duo Security API version V2. ### Configuring the Duo Security app 
@@ -25,14 +30,13 @@ This is tested for the Duo Security API version V2. register. 2. Log in to Duo Security. Click **Applications** from the left panel and click the **Protect an Application** button. - ![](attachments/51486739/51451210.png) + ![](../../assets/img/51486739/51451210.png) 3. In the **Protect an Application** page, select **Admin API** from the list. - ![](attachments/51486739/51451211.png) + ![](../../assets/img/51486739/51451211.png) - !!! warning - - **Important** : If you can not see the type “Admin API” in the + !!! warning "Important" + If you can not see the type “Admin API” in the dropdown, contact the Duo team through and ask for Admin API permission. @@ -40,7 +44,7 @@ This is tested for the Duo Security API version V2. 4. Once the Integration is created, you are given a **Secret key** and an **Integration key** for your integration. You can use these along with your Duo host when accessing duo security APIs. - ![](attachments/51486739/51451212.png) + ![](../../assets/img/51486739/51451212.png) 5. Make sure to enable " **Grant Write Resource** " permission to provisioning the users. Check the **Admin API** application settings in the Duo Admin Panel ( **Applications \> Admin API,** scroll down 
@@ -49,18 +53,18 @@ This is tested for the Duo Security API version V2. ### Configuring user claim 1. Log into the WSO2 Identity Server [Management - Console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) + Console](../../setup/getting-started-with-the-management-console) by entering your username and password. 2. In the **Main** menu, click **Add** under **Claims**. 3. Click [Add New - Claim](https://docs.wso2.com/identity-server/Adding+Claim+Mapping). + Claim](../../learn/adding-claim-mapping). 4. Select the **Dialect** from the dropdown provided and enter the required information. 5. Add the following user claims under ' http://wso2.org/claims' . -![](attachments/51486808/51451229.png) +![](../../assets/img/51486808/51451229.png) -![](attachments/51486808/51451230.png) +![](../../assets/img/51486808/51451230.png) ### Deploying Duo artifacts 
@@ -75,35 +79,32 @@ store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A% directory. !!! note - If you want to upgrade the Duo Provisioning Authenticator in your existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) + instructions.](../../develop/upgrading-an-authenticator) - -- Place the - ` okio-1.9.0.jar ` into +- Place the [okio-1.9.0.jar](https://github.com/square/okio/tree/okio-parent-1.9.0#download) into the ` /repository/components/lib ` directory. ### Configuring the identity provider Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/identity-server/Configuring+an+Identity+Provider) +provider](../../learn/adding-and-configuring-an-identity-provider) . 1. Log in to the [management - console](https://docs.wso2.com/identity-server/Getting+Started+with+the+Management+Console) + console](../../setup/getting-started-with-the-management-console) as an administrator. 2. In the **Main** menu, click **Add** under **Identity Providers**. 3. Expand the **Claim Configuration** section and select **Define Custom Claim Dialect** under **Basic Claim Configuration** section. 4. Click **Add Claim Mapping** and add the following claims. - ![](attachments/51486808/51451231.png) + ![](../../assets/img/51486808/51451231.png) 5. Go to **Duo Provisioning Configuration** under **Outbound Provisioning Connectors**. Give a suitable name as the **Identity Provider Name** and fill out the fields. - ![](attachments/51486808/53284965.png) + ![](../../assets/img/51486808/53284965.png) 6. Enter the values for the required fields. You should use Integration key, Secret key and Host values of the Duo app that you created. 
@@ -121,7 +122,8 @@ The next step is to configure the service provider. 3. Select **Resident Service Provider** in the Service Providers page and add the created Duo identity provider in the **Outbound Provisioning Configuration** as indicated in the figure below. - ![](attachments/51486808/51451232.png) + + ![](../../assets/img/51486808/51451232.png) 4. Click **Update** to save the changes. @@ -134,8 +136,8 @@ You have now added and configured the service provider. 2. Enter the **User Name** and **Password** for the new user and click **Finish**. - ![](attachments/51486808/51451233.png) + ![](../../assets/img/51486808/51451233.png) 3. Go to and check the newly created user. - ![](attachments/51486808/57008458.png) + ![](../../assets/img/51486808/57008458.png) diff --git a/en/docs/develop/emailotp-authenticator.md b/en/docs/develop/emailotp-authenticator.md index 0433cfbc25..0a5dd3ef18 100644 --- a/en/docs/develop/emailotp-authenticator.md +++ b/en/docs/develop/emailotp-authenticator.md 
@@ -1,16 +1,841 @@ -# EmailOTP Authenticator +# Configuring Multi-factor Authentication using EmailOTP The Email OTP authenticator allows you to authenticate users via email services using Email APIs through WSO2 IS. -### Getting started +This section provides the instructions to configure [multi-factor +authentication +(MFA)](../../learn/multi-factor-authentication-for-wso2-is) +using Email One Time Password (Email OTP) in WSO2 Identity Server (WSO2 +IS). The Email OTP enables a one-time password (OTP) to be used at the +second step of MFA. For more information on the WSO2 Identity Server +Versions supported by the connector, see the [IS Connector +store](https://store.wso2.com/store/assets/isconnector/details/9edc37f6-873c-408c-a532-bbb386d71e08) +. -- To download the authenticator and other artifacts, go to - [https://store.wso2.com/store/assets/isconnector/emailotp](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22emailotp%22) - . -- To get started with the authenticator, go to [Configuring - Multi-factor Authentication using - EmailOTP](../../develop/configuring-multi-factor-authentication-using-emailotp) +Let's take a look at the tasks you need to follow to configure MFA using +Email OTP: + +!!! tip "Before you begin!" + - To ensure you get the full understanding of configuring Email OTP + with WSO2 IS, the sample travelocity application is used in this use + case. The samples run on the Apache Tomcat server and are written + based on Servlet 3.0. Therefore, download Tomcat 7.x from + [here](https://tomcat.apache.org/download-70.cgi). + - Install Apache Maven to build the samples. For more information, see + [Installation + Prerequisites](../../setup/installation-prerequisites) + . + +### Enabling email configuration on WSO2 IS + +Follow the steps below to configure WSO2 IS to send emails once the +Email OTP is enabled. + +1. Shut down the server if it is running. +2. 
Open the + ` /repository/conf/axis2/axis2.xml ` + file, uncomment the + ` transportSender name = ` + "mailto" configurations, and update the following properties: + + | | | + |---------------------------------------------------|------------------------------------------------| + | ` mail.smtp.from ` | Provide the email address of the SMTP account. | + | ` mail.smtp.user ` | Provide the username of the SMTP account. | + | ` mail.smtp.password ` | Provide the password of the SMTP account. | + + ``` java + + {SENDER'S_EMAIL_ID} + {USERNAME} + {PASSWORD} + smtp.gmail.com + 587 + true + true + + ``` + +3. Comment out the ` ` + property to avoid syntax errors. + + ``` java + + ``` + +4. Add the following email template to the + ` /repository/conf/email/email-admin-config.xml. ` + + ``` xml + + + WSO2 IS Email OTP + + Hi, + Please use this one time password {OTPCode} to sign in to your application. + +
+ Best Regards, + WSO2 Identity Server Team + http://www.wso2.com +
+ +
+ ``` + +5. Configure the following properties in the + ` /repository/conf/identity/identity-mgt.properties ` + file to ` true ` . + + ``` xml + Authentication.Policy.Enable=true + Authentication.Policy.Check.OneTime.Password=true + ``` + +6. Add the following configuration to the + ` /repository/conf/identity/application-authentication.xml ` + file under the ` ` + section. + + ``` java + + https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp + https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp + https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp + association + primary + false + false + email + true + true + true + + ``` + + ??? note "To view the parameter definitions, click here" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterDescriptionSample Values
usecase
+

This parameter defines how the email ID will be retrieved. The default value is local .

+
+
+ Click here to view the value definitions +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDefinition
localThis is the default value and is based on the federated username. You must set the federated username in the local userstore . The federated username must be the same as the local username.
associationThe federated username must be associated with the local account in advance in the end user dashboard. The local username is retrieved from the association. To associate the user, log into the end user dashboard and go to Associated Account by clicking View details .
subjectUriWhen configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the EmailOTP authenticator.
userAttribute
+

The name of the  federatedauthenticator'suserattribute. That is the local username that is contained in a federated user's attribute. When using this, add the following parameter under the <AuthenticatorConfig name=" EmailOTP " enabled="true"> section in the <IS_HOME>/repository/conf/identity/application-authentication.xml file and put the value, e.g., email and screen_name, id.

+ +

If you use OpenID Connect supported authenticators such as LinkedIn and Foursquare or in the case of multiple social login options as the first step and EmailOTP assecondstep, you need to add similar configuration for the specific authenticator in the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the < AuthenticatorConfigs > section.

+

Examples:

+

Fourquare

+ +

LinkedIn

+ +

Facebook

+ +

Likewise, you can add the Authenticator Config for Amazon, Google, Twitter, and Instagram with the relevant values.

+
+
+
+
+
    +
  • local
  • +
  • association
  • +
  • userAttribute
  • +
  • subjectUri
  • +
secondaryUserstore
+

You can define multiple user stores per tenant as comma separated values.

+

Example:

+ +
+

The user store configurations are maintained per tenant:

+
    +
  • If you use a super tenant, set all the parameter values into the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the AuthenticatorConfigs section.
  • +
+
    +
  • If you use a tenant, +
      +
    • Upload the same XML file ( application-authentication.xml ) into a specific registry location ( /_system/governance/EmailOTP ).
    • +
    • Create the collection named EmailOTP , add the resource and upload the application-authentication. xml file into the registry.
    • +
    • While doing the authentication,thesysetmfirstcheckswhetherthereisanXML file uploaded to the registry. If that is so, it reads it from the registry but does not take the local file. If there is no file in the registry, then it only takes the property values from the local file.
    • +
    • You can use the registry or local file to get the property values.
    • +
  • +
+
+


+

EMAILOTPMandatory
Thisparmeterdefineswhtherthe EmailOTP is enforced as the second step of the 2FA/MFA or not. +
    +
    • +
    • If the user is not found in the active directory where the parameter is set to true , the OTP is directly sent to the email address defined in the claims set.

    • +
    • If the user is not found in the active directory where the parameter is set to false , the authentication flow terminates at the first step of the 2FA/MFA.

    • +
  • +
    +
  • true
  • +
  • false
  • +
sendOTPToFederatedEmailAttribute

When the EMAILOTPMandatory and this parameter are set to true and the user is not found in the active directory, the OTPissetn to the mail defined in the federated authenticator claim.

+

When the EMAILOTPMandatory is set to false , an error page gets displayed.

+

When the EMAILOTPMandatory is set to false and the user is not found in the active directory, the authentication mechanism terminates at the first step of the 2FA/MFA. This parameter is not required in such a scenario.

    +
  • true
  • +
  • false
  • +
federatedEmailAttributeKey
This parameter identifies the email attribute of the federated authenticator, e.g. Foursquare. Set this parameter if the sendOTPToFederatedEmailAttribute is set to true . Example: http://wso2.org/foursquare/claims/email
+
EmailOTPEnableByUserClaim
This parameter enables the user to overidethefunctionalitydefinedatthe EMAILOTPMandatory parameter. +
    +
    • +
    • If this parameter and the EMAILOTPMandatory parameters are set to true , the user can either enable or disable the EmailOTP functionality.
    • +
    • If this parameter is set to false where the EMAILOTPMandatory parameter is set to true , the user gets redirected to an error page.
    • +
    • If this parameter and the EMAILOTPMandatory parameters are set to false , the authentication flow terminates at the first step of the 2FA/MFA.
    • +
    • If the user is not available in the active directory
    • +
  • +
    +
  • true
  • +
  • false
  • +
CaptureAndUpdateEmailAddress

This parameter enables the user to update the email address that is used to send the OTP, at the first login where the email address is not previously set.

    +
  • true
  • +
  • false
  • +
EmailAddressRequestPage
+

This parameter enables to display a page that requests for an email address where

+
    +
    • +
    • The user has not registered an email address.
    • +
    • Sending OTP is defined as the second step of 2FA/MFA.
    • +
    • The CaptureAndUpdateEmailAddress parameter is set to true .
    • +
  • +
+

Example: https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp

+
                        
+        
showEmailAddressInUI
+

This parameter enables to display the email address to which the OTP is sent to on the UI.

+
    +
  • true
  • +
  • false
  • +
+ +7. [Start WSO2IS](../../setup/running-the-product). + +### Configure the Email OTP provider + +You can send the One Time Password (OTP) using Gmail APIs or using +SendGrid. Follow the steps given below to configure Gmail APIs as the +mechanisam to send the OTP. + +1. Create a Google account at [https://gmail.com](https://gmail.com/). +2. Got to + [https://console.developers.google.com](https://console.developers.google.com/) + and click **ENABLE APIS AND SERVICES**. +3. Search for Gmail API and click on it. +4. Click **Enable** to enable the Gmail APIs. + + !!! info "Why is this needed?" + If you do not enable the Gmail APIs, you run in to a 401 error when + trying out + [step13](#emailotp-step13) + . + +5. Click **Credentials** a nd click **Create** to create a new project. +6. Click **Credentials** and click the **Create credentials** + drop-down. + +7. Select **OAuth client ID** option. + + ![](../../assets/img/50504065/76749378.png) + +8. Click **Configure consent screen**. + ![](../../assets/img/50504065/80728982.png) +9. Enter the Product name that needs to be shown to users, enter values + to any other fields you prefer to update, and click **Save**. +10. Select the **Web application** option. + Enter ` https://localhost:9443/commonauth ` as + the **Authorize redirect URIs** text-box, and click **Create**. + ![](../../assets/img/50504065/80728977.png) + + The ` client ID ` and the + ` client secret ` are displayed. + Copy the client ID and secret and keep it in a safe place as you + require it for the next step. + ![](../../assets/img/50504065/76749399.png) + +11. Copy the URL below and replace the + ` ` tag with the generated + ` Client ID ` . This is required to generate the + authorization code. 
+ + Format: + + ``` java + https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&response_type=code&client_id=&scope=http%3A%2F%2Fmail.google.com&approval_prompt=force&access_type=offline + ``` + + Example: + + ``` java + https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&response_type=code&client_id=854665841399-l13g81ri4q98elpen1i1uhsdjulhp7ha.apps.googleusercontent.com&scope=http%3A%2F%2Fmail.google.com&approval_prompt=force&access_type=offline + ``` + +12. Paste the updated URL into your browser. + + 1. Select the preferred Gmail account with which you wish to + proceed. + + 2. Click **Allow**. + 3. Obtain the ` authorization code ` using a + SAML tracer on your browser. + + ![](../../assets/img/50504065/76749411.png) + + + +13. To generate the access token, copy the following cURL command and + replace the following place holders : + + 1. ` ` : + Replace this with the ` client ID ` + obtained in [Step + 10](#ConfiguringMulti-factorAuthenticationusingEmailOTP-client-ID) + above. + 2. ` ` + : Replace this with the ` client secret ` + obtained in [Step + 10](#ConfiguringMulti-factorAuthenticationusingEmailOTP-client-ID) + above. + 3. ` ` + : Replace this with the authorization code obtained in [Step + 12](#ConfiguringMulti-factorAuthenticationusingEmailOTP-Auth-code) + above. 
+ + Format: + + ``` java + curl -v -X POST --basic -u : -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=&redirect_uri=https://localhost:9443/commonauth" https://www.googleapis.com/oauth2/v3/token + ``` + + Example: + + ``` java + curl -v -X POST --basic -u 854665841399-l13g81ri4q98elpen1i1uhsdjulhp7ha.apps.googleusercontent.com:MK3h4fhSUT-aCTtSquMB3Vll -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=4/KEDlA2KjGtib4KlyzaKzVNuDfvAmFZ10T82usT-6llY#&redirect_uri=https://localhost:9443/commonauth" https://www.googleapis.com/oauth2/v3/token + ``` + Sample Response: + + ``` java + > POST /oauth2/v3/token HTTP/1.1 + > Host: www.googleapis.com + > Authorization: Basic OTk3NDE2ODczOTUwLWY4Y2N1YnJobW1ramdkYXNkNnZkZ2tzOGxoaWExcnRhLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOkJkNlBoY3ZVWXFrM1BhdnA4ZjBZcUQtMw== + > User-Agent: curl/7.54.0 + > Accept: */* + > Content-Type: application/x-www-form-urlencoded;charset=UTF-8 + > Content-Length: 127 + > + < HTTP/1.1 200 OK + < Cache-Control: no-cache, no-store, max-age=0, must-revalidate + < Pragma: no-cache + < Expires: Mon, 01 Jan 1990 00:00:00 GMT + < Date: Wed, 10 Jan 2018 08:29:57 GMT + < Vary: X-Origin + < Content-Type: application/json; charset=UTF-8 + < X-Content-Type-Options: nosniff + < X-Frame-Options: SAMEORIGIN + < X-XSS-Protection: 1; mode=block + < Server: GSE + < Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35" + < Accept-Ranges: none + < Vary: Origin,Accept-Encoding + < Transfer-Encoding: chunked + < + { + "access_token": "ya29.Gls-BbTUseE2f-Lrc9q0QtdlvIoYFTg2zkYPsXHwgob4pHAFlE66GMgJjwTHT9eHfivhVcATROzU8FaUgt0wVL1sz-7IsC2Slfpdm6i3uFcurNTFbTlABk3jKJ--", + "token_type": "Bearer", + "expires_in": 3600, + "refresh_token": "1/8pMBx_lrUyitknmGzzH-yOcvoPIZ1OqhPeWvcYJOd0U" + } + ``` + + Paste the updated cURL 
command in your terminal to generate the + OAuth2 access token, token validity period, and the refresh token. + ![](../../assets/img/50504065/76749415.png) + +14. Update the following configurations under the + ` ` section in the + ` /repository/conf/identity/application-authentication.xml ` + file. + + !!! note + - If you need to send the content in a payload, you can introduce + a property in a format \ Payload and define the value. + Similarly, you can define the Form + Data.FormdataforSendgridAPIisgivenasan example. + - You can use \ URLParams, \AuthTokenType, + \Failure and \TokenEndpoint property formats to + specify the URL parameters, Authorization token type, Message to + identify failure and Endpoint to get access token from refresh + token respectively. + - Value of \ URLParams should be like; + api\_user=\&api\_key=\&data=\&list\ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescription
GmailClientId Enter the Client ID you got in step 10 .
+ Example: 501390351749-ftjrp3ld9da4ohd1rulogejscpln646s.apps.googleusercontent.com
GmailClientSecret Enter the client secret you got in step 10 .
+ Example: dj4st7_m3AclenZR1weFNo1V
SendgridAPIKey This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
GmailRefreshToken Enter the refresh token that you got as the response in step 12 . Example: 1/YgNiepY107SyzJdgpynmf-eMYP4qYTPNG_L73MXfcbv
GmailEmailEndpoint Enter your username of your Gmail account in place of the [userId] place holder . Example: https://www.googleapis.com/gmail/v1/users/alex@gmail.com/messages/send
SendgridEmailEndpoint This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
accessTokenRequiredAPIs

Use the default value.

apiKeyHeaderRequiredAPIs

This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.

SendgridFormData=to This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
SendgridURLParams This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
GmailAuthTokenType Use the default value.
GmailTokenEndpoint Use the the deafult value.
SendgridAuthTokenType This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
+ + ??? note "Click here to see a sample configuration" + + ``` java + + 501390351749-ftjrp3ld9da4ohd1rulogejscpln646s.apps.googleusercontent.com + dj4st7_m3AclenZR1weFNo1V + sendgridAPIKeyValue + 1/YgNiepY107SyzJdgpynmf-eMYP4qYTPNG_L73MXfcbv + https://www.googleapis.com/gmail/v1/users/alex@gmail.com/messages/send + https://api.sendgrid.com/api/mail.send.json + Gmail + Sendgrid + sendgridFormDataValue + sendgridURLParamsValue + Bearer + https://www.googleapis.com/oauth2/v3/token + Bearer + false + + ``` + +------------------------------------------------------------------------ + +### Deploy the travelocity.com sample + +Follow the steps below to deploy the travelocity.com sample application: + +#### Download the samples + +To be able to deploy a sample of Identity Server, you need to download +it onto your machine first. + +Follow the instructions below to download a sample from GitHub. + +1. Create a folder in your local machine and navigate to it using your + command line. +2. Run the following commands. + + ``` bash + mkdir is-samples + cd is-samples/ + git init + git remote add -f origin https://github.com/wso2/product-is.git + ``` + + ``` bash + git config core.sparseCheckout true + ``` + +3. Navigate into the . ` git/info/ ` directory and + list out the folders/files you want to check out using the + ` echo ` command below. + + ``` bash + cd .git + cd info + echo "modules/samples/" >> sparse-checkout + ``` + +4. Navigate out of ` .git/info ` directory and + checkout the ` v5.4.0 ` tag to update the empty + repository with the remote one. + + ``` bash + cd .. + cd .. + git checkout -b v5.4.0 v5.4.0 + ``` + + Access the samples by navigating to the + ` is-samples/modules/samples ` directory. + +#### Deploy the sample web app + +Deploy this sample web app on a web container. + +1. Use the Apache Tomcat server to do this. If you have not downloaded + Apache Tomcat already, download it from + [here](https://tomcat.apache.org/download-70.cgi). +2. 
Copy the .war file into the ` webapps ` + folder. For example, + ` /apache-tomcat-/webapps ` . -- Once you have completed your configurations, you can authenticate - users via the EmailOTP authenticator. +3. Start the Tomcat server. + +To check the sample application, navigate to +` http://:/travelocity.com/index.jsp ` +on your browser. + +For example, +` http://localhost:8080/travelocity.com/index.jsp . ` + +!!! note + It is recommended that you use a hostname that is not + ` localhost ` to avoid browser errors. Modify the + ` /etc/hosts ` entry in your machine to reflect this. + Note that ` localhost ` is used throughout + thisdocumentation as an example, but you must modify this when + configuring these authenticators or connectors with this sample + application. + +------------------------------------------------------------------------ + +### Configure the Identity Provider + +Follow the steps below to add an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +: + +1. Click **Add** under **Main \> Identity \> Identity Providers**. + ![](../../assets/img/50504065/76749441.png) +2. Provide a suitable name for the identity provider. + ![](../../assets/img/50504065/76749432.png) +3. Expand the **EmailOTPAuthenticator Configuration** under **Federated + Authenticators**. + + 1. Select the **Enable** and **Default** check boxes . + + 2. Click **Register**. + + ![](../../assets/img/50504065/76749434.png) + + You have now added the identity provider. +------------------------------------------------------------------------ + +### Configure the Service Provider + +Follow the steps below add a service provider: + +1. Return to the Management Console home screen. + +2. Click **Add** under **Add** under **Main \> Identity \> Service + Providers**. + ![](../../assets/img/50504065/76749440.png) + +3. Enter ` travelocity.com ` as the **Service + Provider Name**. + ![](../../assets/img/50504065/76749442.png) + +4. Click **Register**. + +5. 
Expand **SAML2 Web SSO Configuration** under **Inbound + Authentication Configuration**. + +6. Click **Configure**. + + ![](../../assets/img/50504065/50684302.png) + +7. Now set the configuration as follows: + + 1. **Issuer** : ` travelocity.com ` + + 2. **Assertion Consumer URL** : + ` http://localhost:8080/travelocity.com/home.jsp ` + + 3. Select the following check-boxes: **Enable Response Signing**, + **Enable Single Logout**, **Enable Attribute Profile**, and + **Include Attributes in the Response Always**. + +8. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +9. Go to **Claim Configuration** and select the + **http://wso2.org/claims/emailaddress** claim. + + ![](../../assets/img/50504065/76749444.png) + +10. Go to **Local and Outbound Authentication Configuration** section. + + 1. Select the **Advanced configuration** radio button option. + + 2. Creating the first authentication step: + + 1. Click **Add Authentication Step**. + + 2. Click **Add Authenticator** that is under Local + Authenticators of Step 1 to add the basic authentication as + the first step. + Adding basic authentication as a first step ensures that the + first step of authentication will be done using the user's + credentials that are configured with the WSO2 Identity + Server + + 3. Creating the second authentication step: + + 1. Click **Add Authentication Step**. + + 2. Click **Add Authenticator** that is under Federated + Authenticators of Step 2 to add the SMSOTP identity provider + you created as the second step. + SMSOTP is a second step that adds another layer of + authentication and security. + + ![](../../assets/img/50504065/50684304.png) + +11. Click **Update**. + + You have now added and configured the service provider. + + !!! note + For more information on service provider configuration, see + [Configuring Single + Sign-On](../../learn/configuring-single-sign-on) + . 
+ +------------------------------------------------------------------------ + +### Update the email address of the user + +Follow the steps given below to update the user's email address. + +1. Return to the WSO2 Identity Server Management Console home screen. +2. Click **List** under **Add** under **Main \> Identity \> Users and + Roles**. + ![](../../assets/img/50504065/76749451.png) + 1. Click **Users**. + ![](../../assets/img/50504065/76749454.png) + 2. Click **User Profile** under **Admin**. + ![](../../assets/img/50504065/76749456.png) + 3. Update the **email address**. + ![](../../assets/img/50504065/50684305.png) + 4. Click **Update**. + + + +------------------------------------------------------------------------ + +### Configure the user claims + +Follow the steps below to map the user claims: + +!!! note + + For more information about claims, see [Adding Claim + Mapping](../../learn/adding-claim-mapping). + + +1. Click **Add** under **Main \> Identity \> Claims**. + ![](../../assets/img/50504065/76749457.png) + 1. Click **Add Local Claim**. + ![](../../assets/img/50504065/76749458.png) + 2. Select the **Dialect** from the drop down provided and enter the + required information. + 3. Add the following: + + 1. **Claim URI:** + ` http://wso2.org/claims/identity/emailotp_disabled ` + 2. **Display Name** : + ` DisableEmailOTP ` + 3. **Description:** + ` DisableEmailOTP ` + 4. **Mapped Attribute (s):** ` title ` + 5. **Supported by Default:** checked + + ![](../../assets/img/50504065/75107402.png) + + 4. Click **Add**. + + To disable this claim for the admin user, navigate to **Users + and Roles \> List** and click **Users.** Click on the **User + Profile** link corresponding to admin account and then click + **Disable EmailOTP.** This will disable the second factor + authentication for the admin user. + + + +------------------------------------------------------------------------ + +### Test the sample + +1. 
To test the sample, go to the following URL: + + + [![](../../assets/img/50504065/50684306.jpeg) ](http://localhost:8080/travelocity.com) + +2. Click the link to log in with SAML from WSO2 Identity Server. + +3. The basic authentication page appears. Use your WSO2 Identity Server + credentials. + ![](../../assets/img/50504065/50684387.png) + +4. You receive a token to your email account. Enter the code to + authenticate. If the authentication is successful, you are taken to + the home page of the travelocity.com app. + + ![](../../assets/img/50504065/50684386.png) + + ![](../../assets/img/50504065/50684388.png) \ No newline at end of file diff --git a/en/docs/develop/facebook-authenticator.md b/en/docs/develop/facebook-authenticator.md index 748d285472..2e9c546225 100644 --- a/en/docs/develop/facebook-authenticator.md +++ b/en/docs/develop/facebook-authenticator.md 
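Review bot: the "Click here to see a sample configuration" block in this hunk ships what look like live credentials (a `.apps.googleusercontent.com` client ID, a client secret, a `1/...` refresh token, and a real-looking Gmail address in the send URL); replace them with obvious placeholders such as `<CLIENT_ID>` and `<REFRESH_TOKEN>` and, if they were ever valid, rotate them, since anything committed to a public docs repository has to be treated as disclosed. Two smaller points in the same hunk: step 10 of the service provider section still says "add the SMSOTP identity provider you created" and "SMSOTP is a second step" although this is the EmailOTP page, so both should read EmailOTP; and the sparse-checkout step renders as "Navigate into the . ` git/info/ ` directory", where the code span should cover `.git/info/` as a whole ("thisdocumentation" in the hostname note also needs a space).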
@@ -1,20 +1,336 @@ -# Facebook Authenticator +# Configuring Facebook Authenticator The Facebook authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Facebook users to log in to your organization’s applications. -![](attachments/68686695/76746162.png) +![](../../assets/img/68686695/76746162.png) -### Getting started +Current trends require usage of services from hundreds of websites in a +connected world. Most of these websites need the user to create an +account with them by providing a valid email address and password. +Remembering all the different user IDs and passwords that you use can be +difficult and cumbersome. To make the life easier most websites now +provide the user with an option to log in using their Facebook account, +Twitter account or Google account. Since most of the internet users have +one of these accounts, it makes creating a new account an instant +action. -To get started with the authenticator, go to [Configuring Facebook -Authenticator](../../develop/facebook-authenticator). Once you have -completed your configurations, you can perform authentication with the -Facebook authenticator. +WSO2 Identity Server enables users to log in to the Identity Server +using their Facebook account. To do that, first you have to create a +Facebook app after registering as a Facebook developer. -### Additional information +!!! info + To download the authenticator and other artifacts, go to + + . -To download the authenticator and other artifacts, go to - +!!! note + This is relevant for WSO2 Identity Server versions 5.2.0 and + 5.3.0. For older product versions, you have to configure this + differently. Refer to [WSO2 IS 5.1.0 + documentation](https://docs.wso2.com/display/IS510/How+To%253A+Login+to+the+Identity+Server+using+Facebook+Credentials) + on doing this. + +This topic provides instructions on how to configure the Facebook app +and the Identity Server to integrate using a sample app. 
See the +following sections for more information. + +### Deploying the required artifacts + +1. Download the .jar file associated with this authenticator from [the + connector + store](https://store.wso2.com/store/assets/isconnector/details/9edb106b-05ee-4810-8d47-81d0639f8c2b) + . +2. Copy the .jar file you downloaded into the + ` /repository/components/dropins ` + folder. + + !!! note + If you want to upgrade the Facebook Authenticator in your existing + IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +3. Restart the WSO2 Identity Server if it is already running. + +### Configuring the Facebook app + +1. Go to and log in using your + Facebook credentials. +2. Click on **My Apps** and then click **Create a New App**. + ![](../../assets/img/68686690/68686671.png) +3. Choose the platform you wish to use. Select **Website** here when + working with this sample. + ![](../../assets/img/68686690/68686672.png) +4. Enter the name of your new app in the window that appears and click + **Create New Facebook App ID**. + ![](../../assets/img/68686690/68686673.png) +5. Enter a Display Name, Contact Email and select an appropriate + category from the dropdown. Click **Create App ID**. + ![](../../assets/img/68686690/68686674.png) +6. This will lead you to the quick start guide. You can view the + configuration there and skip the quick start guide to access the + developer dashboard. + ![](../../assets/img/68686690/68686675.png) +7. This will take you to the app **Dashboard** where you can find the + **App ID** and **App Secret** as shown in the image below. Click + **Show** to view the **App Secret**. + + **App ID** is the Client ID and the **App Secret** is the Client + Secret in OAuth terminology. The API Version is Facebook’s API that + is used to create the application. + + ![](../../assets/img/68686690/68686676.png) + +8. Click **Settings** on the left menu and navigate to the **Basic** + tab. 
Add the **App Domains** (since WSO2 IS is running on localhost, + you can add localhost as the App Domain) and click **Add Platform** + . + ![](../../assets/img/68686690/68686677.png) + +9. Select **Website** as the platform for the application and enter the + following as the site URL: + [https://localhost:9443](https://localhost:9443/). Click **Save + Changes**. + ![](../../assets/img/68686690/68686678.png) + ![](../../assets/img/68686690/68686679.png) +10. On the left panel, click **Add Product** and click **Get Started** + for a **Facebook Login** product. + ![](../../assets/img/68686690/68686680.png) + +11. You can configure the **Client OAuth Settings** on the window that + appears. + ![](../../assets/img/68686690/68686681.png) + + 1. **Client OAuth Login** should be set to **Yes**. + 2. **Web OAuth Login** should be set to **Yes**. + 3. **Valid OAuth redirect URIs** should be set to + . + +12. Scroll down and click the **Save Changes** button to save the + changes. + +Now you have finished configuring Facebook as an Identity Provider. + +!!! info "About accessing the app" + + The app is not available to general public yet. To make to app available + to every Facebook user, you have to submit the app for review. After a + review, Facebook makes the app available to every Facebook user. You can + find more information on the review process by clicking on **App + Review** in the left navigation menu of your app's dashboard. + + The review process may take some time, so for the purposes of this + sample, you can specify some Facebook users as Developers or Testers. + Only the users specified here can use this app to log in with Facebook + until the app goes public. To do this, click on **Roles** in the left + navigation menu of the dashboard and specify the required Facebook users + as Developers or Testers. 
+ + ![](../../assets/img/68686690/68686682.png) + +### Deploying travelocity.com sample app + +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +1. You can download the travelocity.com.war file from + [here](https://drive.google.com/file/d/0B6TqW_IScmilVzdsSUNVWEQ0UWs/edit?usp=sharing) + . +2. Deploy this sample web app on a web container. + 1. Use the Apache Tomcat server to do this. + 2. Since this sample is written based on Servlet 3.0, it needs to + be deployed on Tomcat 7.x. + 3. Copy the .war file into the webapps folder. For example, + ` /apache-tomcat-7.0.50/webapps ` + . + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding a service provider and identity provider. + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) . + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. Log in to the [Management + Console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity** section under the **Main** tab of the Management + Console, click **Add** under **Identity Providers**. +4. Give a suitable name as the **Identity Provider Name**. + ![](../../assets/img/68686690/68686683.png) +5. Go to **Facebook Configuration** under **Federated Authenticators** + . + +6. Enter the following values in the form that appears: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionSample Value
App IDThis refers to the Client Id you received from the Facebook app you created.<Application ID of the Facebook App>
App SecretThis refers to the Client Secret you received from the Facebook app you created.<App Secret of the Facebook App>
ScopeDefines the permission to access particular information from a Facebook profile. See the Permissions Reference for a list of the different permission groups in Facebook APIs.email
+
+
User Information FieldsThese are the claims related to the user account on Facebook. WSO2 Identity Server requests these fields from Facebook when a user is authenticated with Facebook through the IS. See public_profile permission for more information about these fields.id,name,gender,email,first_name,last_name,age_range,link
+ + ![](../../assets/img/68686690/68686684.png) + +7. Select both checkboxes to **Enable Facebook Authenticator** and make + it the **Default**. + +8. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the Management Console. +2. In the **Identity** section under the **Main** tab, click **Add** + under **Service Providers**. +3. Enter [travelocity.com](http://travelocity.com/) in the **Service + Provider Name** text box and click **Register**. +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + ![](../../assets/img/68686690/68686685.png) + + Now set the configuration as follows: + 1. Enter the following values: + + **Issuer** : [travelocity.com](http://travelocity.com/) + + **Assertion Consumer URL** : + + + 2. Select the following check-boxes: + + Enable Response Signing + + Enable Single Logout + + Enable Attribute Profile + + Include Attributes in the Response Always + +5. Click **Register**. Now you will be sent back to the **Service + Providers** page. + +6. Go to the **Local and Outbound Authentication Configuration** + section. + +7. Select the **Federated Authentication** radio button and select the + Identity Provider you created from the dropdown list under + **Federated Authentication**. + ![](../../assets/img/68686690/68686686.png) + +8. Click **Update** to save the changes. + +You have now added and configured the service provider. + +!!! note + The default client-truststore.jks found in the + ` /repository/resources/security/ ` directory + contains the Facebook certificate by default. + + +### Configuring claim mappings for Facebook + +The next step is to configure claims in the Identity Server and map them +with Facebook. + +1. In the **Identity** section under the **Main** tab, click **List** + under **Identity Providers**. +2. 
Click **Edit** to edit the facebook identity provider you created. +3. Under **Claim Configuration**, go to **Basic Claim Configuration** + . +4. Select the **Define Custom Claim Dialect** option under **Select + Claim mapping Dialect**. +5. Click **Add Claim Mapping** to add custom claim mappings as + follows. + ![](../../assets/img/68686690/68686687.png) +6. You can retrieve all the public information of the user and the + email address. The following are some common attribute names. + + id + email + name + first\_name + last\_name + link + gender + locale + age\_range + + More information is available from the following link: + + + You can map these attributes to any **Local Claim URI** that is + suitable. + +7. Select a suitable **User ID Claim URI** (e.g., email). +8. Click **Update** to save changes. + +### Configuring requested claims for [travelocity.com](http://travelocity.com/) + +1. In the **Identity** section under the **Main** tab, click **List** + under **Service Providers**. +2. Click **Edit** to edit the + [travelocity.com](http://travelocity.com/) service provider. +3. Go to **Claim Configuration**. +4. Click on **Add Claim URI** under **Requested Claims** to add the + requested claims as follows. Here you should add the claims you + mapped in the Identity Provider claim configuration. + ![](../../assets/img/68686690/68686688.png) +5. Select a suitable claim for the **Subject Claim URI**. + + !!! note + To use email address as the **Subject Claim URI**, you + have to allow the usage of email addresses as usernames in the + ` /repository/conf/carbon.xml ` file. + To allow using email address as usernames, uncomment the following + in the **carbon.xml** file. + ` ` + + +Now you have configured the Identity Server. + +### Testing the sample + +1. To test the sample, go to the following URL: + . + ![](../../assets/img/68686690/68686689.png) +2. Click the link to log in with SAML from WSO2 Identity Server. +3. 
You are redirected to the Facebook Login page. Enter your Facebook + credentials and you will be taken to the home page of the + [travelocity.com](http://travelocity.com/) app. diff --git a/en/docs/develop/foursquare-authenticator.md b/en/docs/develop/foursquare-authenticator.md index 203a3d7676..06b9484497 100644 --- a/en/docs/develop/foursquare-authenticator.md +++ b/en/docs/develop/foursquare-authenticator.md 
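Review bot: the travelocity.com.war download under "Deploying travelocity.com sample app" points at a personal Google Drive share rather than the in-repo deployment page that the other authenticator docs in this patch link (`../../develop/deploying-the-sample-app`); a binary served from an unversioned share cannot be checked against the product release, so link the documented sample instead. Also in this hunk: the value for **Valid OAuth redirect URIs** in step 11.3 is missing ("should be set to ."), and the carbon.xml element the reader is told to uncomment under "Configuring requested claims" is an empty code span, so both need their actual values before merge; the "This is relevant for WSO2 Identity Server versions 5.2.0 and 5.3.0" note should also be checked against the version this docs site covers.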
@@ -1,17 +1,580 @@ -# Foursquare Authenticator +# Configuring Foursquare Authenticator The Foursquare authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Foursquare users to log in to your organization’s applications. -![](attachments/49088036/76746198.png) +![](../../assets/img/49088036/76746198.png) -### Getting started +This page provides instructions on how to configure Foursquare +authenticator and Identity Server for using a sample app. You can find +more information in following sections. -To get started with the authenticator, go to [Configuring Foursquare -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Foursquare+Authenticator) -Operations. Once you have completed your configurations, you can perform -authentication with Foursquare authenticator. To download the -authenticator, go to -[https://store.wso2.com/store/assets/isconnector/foursquare](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22foursquare%22) -[.](https://store.wso2.com/store/assets/isconnector/72c58847-0588-44f1-b356-58f9c19e9ce9) +!!! info + To download the + authenticator, go to + [https://store.wso2.com/store/assets/isconnector/foursquare](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22foursquare%22) + [.](https://store.wso2.com/store/assets/isconnector/72c58847-0588-44f1-b356-58f9c19e9ce9) + +!!! info + This is tested with the Foursquare API version 2. Foursquare Authenticator is supported by Identity Server 5.1.0 upwards. + +### Configuring the Foursquare App + +1. Place the authenticator .jar file ( + ` org.wso2.carbon.extension.identity.authenticator.foursquare.connector-1.x.x.jar ` + ) into the + ` /repository/components/dropins ` + directory. You can download the .jar file from the [WSO2 + Store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22foursquare%22) + . + + !!! 
note + If you want to upgrade the Foursquare Authenticator in your existing + IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +2. Go to and login with your Foursquare + account. + + !!! tip + If you do not have a Foursquare account, create an account by + clicking **Sign Up** or sign in with your Facebook credentials. + + +3. Go to and click **Log-in**. You + can create a new app in the **My Apps** section by clicking **Create + a New App**. + ![](../../assets/img/49088044/76747590.png) + +4. Enter the following in the window that appears: + + - **App name** - TravelocityApp + + - **Application Url** - http://localhost:8080/travelocity.com + + - **Redirect URL** as  https://localhost:9443/commonauth + ![](../../assets/img/49088044/76744023.png) + +5. You can select **Create App without Verifying** link at the end in + order to try out the authenticator. + ![](../../assets/img/49088044/76744027.png) + +6. Save your changes. + This takes you to the app Dashboard where you can find the Client Id + and Client Secret as shown in the image below. + ![](../../assets/img/49088044/76744028.png) + +Now you have finished configuring Foursquare as an identity provider. + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample +app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding a [service +provider](../../learn/adding-and-configuring-a-service-provider) +and [identity +provider.](../../learn/adding-and-configuring-an-identity-provider) + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. 
Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +4. Give a suitable name for **Identity Provider Name** (e.g., + foursquare). + Refer [Adding and Configuring an Identity + Provider](../../learn/adding-and-configuring-an-identity-provider) + for more information related to the identity provider configuration. +5. Go to **Foursquare Configuration** under **Federated + Authenticators**. + ![](../../assets/img/49088044/49221977.png) + +6. Enter the IdP related details. + + - **Client Id** : [Client + Id](#ConfiguringFoursquareAuthenticator-clientID) for the app + that you created in Foursquare. + - **Client Secret** : [Client + Secret](#ConfiguringFoursquareAuthenticator-clientID) for for + the app that you created in Foursquare. + - **Callback URL** : Service Provider's URL where code needs to be + sent. Example: https://localhost:9443/commonauth + - **Profile Version** : The appropriate pass date can be added for + versioning field + OR the + version of your foursquare account can be added from the API + explorer + + . + Example: 20171114 from + https://api.foursquare.com/v2/users/self?oauth\_token=xxx&v=20171114 + +7. Select both checkboxes **Enable** and **Default** to enable the + Foursquare Authenticator and make it the default. + +8. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider based on the WSO2 +Identity Server version that you are working on. + +#### Configuring a service provider with IS 5.3.0 upwards + +1. Return to the management console. + +2. In the **Service Providers** section under the **Main** tab, click + **Add**. + +3. As you are using travelocity as the sample, enter travelocity.com in + the **Service Provider Name** text box. + +4. 
Configure the SAML2 Web SSO Configuration details. + For more information on theSAML2 Web Single-Sign-On Configuration + methods, see [Configuring SAML2 Web + Single-Sign-On](../../learn/configuring-saml2-web-single-sign-on) + . + 1. In the **Inbound Authentication Configuration** section, click + **SAML2 Web SSO Configuration**, and then click + ****Configure****. + + ![](../../assets/img/49088044/76747573.png) + + 2. Now set the configuration as follows: + + 1. **Select Mode** : Manual Configuration + + 2. **Issuer** : travelocity.com + + 3. **Assertion Consumer URL** : Enter the Assertion Consumer + URL as and + click **Add**. + + 3. Select the following check-boxes: + 1. **Enable Response Signing** + + 2. **Enable Single Logout** + + 3. **Enable Attribute Profile** + + 4. **Include Attributes in the Response Always** + +5. Click **Register** to save the changes. Now you will be sent back to + the **Service Providers** page. + +6. Click **Edit** to edit the travelocity.com service provider. + +7. Configure the Local and Outbound Authentication for Foursquare. + For more information, see [Configuring Local and Outbound + Authentication for a Service + Provider](../../using-wso2-identity-server/configuring-local-and-outbound-authentication-for-a-service-provider) + in the WSO2 IS 5.3.0 guide. + + 1. Go to the **Local and Outbound Authentication Configuration** + section. + + 2. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + ![](../../assets/img/49088044/76747587.png) + + 3. Ensure that the **Federated Authentication** radio button is + selected. + +8. Click **Update** to save the changes. + +#### Configuring a service provider with IS 5.1.0 or IS 5.2.0 + +1. Return to the management console. + +2. In the **Service Providers** section under the **Main** tab, click + **Add**. + +3. 
As you are using travelocity as the sample, enter travelocity.com in + the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **SAML2 Web SSO Configuration**, and then click ****Configure****. + + ![](../../assets/img/49088044/49221980.png) + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + http://localhost:8080/travelocity.com/home.jsp + +6. Select the following check-boxes: + 1. **Enable Response Signing** + + 2. **Enable Single Logout** + + 3. **Enable Attribute Profile** + + 4. **Include Attributes in the Response Always** + +7. Click **Register** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. Go to the **Local and Outbound Authentication Configuration** + section. + +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Configuring claims + +[Add a new claim +mapping](../../learn/adding-claim-mapping) for +various user attributes related to Foursquare based on the WSO2 Identity +Server version that you are working on. + +#### Configuring claims with IS 5.3.0 upwards + +1. Sign in to the [Management + Console](../../setup/getting-started-with-the-management-console) + by entering your username and password. +2. In the **Main** menu, click **Add** under **Claims**. +3. Click **Add Claim Dialect** to create the Foursquare authenticator + specific claim dialect. + +4. Specify the Dialect URI as and + click **Add** to create the claim dialect. + +5. Map a new external claim to an existing local claim dialect. + You need to map at least one claim under this new claim dialect. + Therefore, let's map the claim for the Foursquare user ID. + 1. 
In the **Main** menu, click **Add** under **Claims**. + 2. Click **Add External Claim** to add a new claim to the + Foursquare claim dialect. + + 3. Select the **Dialect URI** as - + + 4. Enter the **External Claim URI** based on the following claim + mapping information. + 5. Select the **Mapped Local Claim** based on the following claim + mapping information. + + Claim mapping for ID + + | | | + |--------------------|--------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/id | + | Mapped Local Claim | http://wso2.org/claims/username | + + 6. Click **Add** to add the new external claim. + +6. Similarly, you can create claims for all the public information of + the Foursquare user by repeating step 5 with the following claim + mapping information. + + - Claim mapping for email + + | | | + |--------------------|-----------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/email | + | Mapped Local Claim | http://wso2.org/claims/emailaddress | + + - Claim mapping for first name + + | | | + |--------------------|---------------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/firstName | + | Mapped Local Claim | http://wso2.org/claims/givenname | + + - Claim mapping for last name + + | | | + |--------------------|--------------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/lastName | + | Mapped Local Claim | http://wso2.org/claims/lastname | + + - Claim mapping for gender + + | | | + |--------------------|------------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/gender | + | Mapped Local Claim | 
http://wso2.org/claims/gender | + + - Claim mapping for home city + + | | | + |--------------------|--------------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/homeCity | + | Mapped Local Claim | http://wso2.org/claims/location | + + - Claim mapping for canonical URL + + | | | + |--------------------|------------------------------------------------| + | Dialect URI | http://wso2.org/foursquare/claims | + | External Claim URI | http://wso2.org/foursquare/claims/canonicalUrl | + | Mapped Local Claim | http://wso2.org/claims/url | + +7. The next step is to configure claims in the Identity Server and map + them with Foursquare. + + 1. In the **Identity** section under the **Main** tab, click + **List** under **Identity Providers**. + 2. Click **Edit** to edit the Foursquare identity provider you + created. + 3. Under **Claim Configuration**, go to **Basic Claim + Configuration**. + ![](../../assets/img/49088044/76747747.png) + 4. Select the **Define Custom Claim Dialect** option under **Select + Claim mapping Dialect**. + 5. Click **Add Claim Mapping** to add custom claim mappings as + follows. + + | Identity Provider URI | Local Claim URI | + |------------------------------------------------|-------------------------------------| + | http://wso2.org/foursquare/claims/id | http://wso2.org/claims/username | + | http://wso2.org/foursquare/claims/email | http://wso2.org/claims/emailaddress | + | http://wso2.org/foursquare/claims/firstName | http://wso2.org/claims/givenname | + | http://wso2.org/foursquare/claims/lastName | http://wso2.org/claims/lastname | + | http://wso2.org/foursquare/claims/gender | http://wso2.org/claims/gender | + | http://wso2.org/foursquare/claims/homeCity | http://wso2.org/claims/location | + | http://wso2.org/foursquare/claims/canonicalUrl | http://wso2.org/claims/url | + + 6. 
Select the User ID Claim URI as + - http://wso2.org/foursquare/claims/id + + 7. Click **Update**. + +#### Configuring claims with IS 5.1.0 or IS 5.2.0 + +1. Sign into the [Management + Console](../../setup/getting-started-with-the-management-console) + by entering your username and password. +2. In the **Main** menu, click **Add** under **Claims**. +3. Click **Add New Claim Dialect** to create the Foursquare + authenticator specific claim dialect. + ![](../../assets/img/49088044/57749020.png) + Specify the Dialect Uri as and + create claims. It is required to create at least one claim under + this new dialect. Therefore, create the claim for the Foursquare + user ID while creating the claim dialect. Enter the following values + the form. + + | | | + |----------------------|--------------------------------------| + | Display Name | User ID | + | Description | Claim to user ID | + | Mapped Attribute | uid | + | Claim URL | http://wso2.org/foursquare/claims/id | + | Supported by Default | selected | + +4. Click **Add** to add the new claim. +5. Similarly, you can create claims for all the public information of + the Foursquare user. 
Add the following claims under the dialect + **http://wso2.org/foursquare/claims** + + | | | + |:---------------------|:----------------------------------------| + | Display Name | Email Address | + | Description | Claim to email address | + | Mapped Attribute | mail | + | Claim URL | http://wso2.org/foursquare/claims/email | + | Supported by Default | selected | + + | | | + |:---------------------|:--------------------------------------------| + | Display Name | First Name | + | Description | Claimtofirstname | + | Mapped Attribute | givenName | + | Claim URL | http://wso2.org/foursquare/claims/firstName | + | Supported by Default | selected | + + | | | + |:---------------------|:-------------------------------------------| + | Display Name | LastName | + | Description | Claim to last name | + | Mapped Attribute | sn | + | Claim URL | http://wso2.org/foursquare/claims/lastName | + | Supported by Default | selected | + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Display NameGender
DescriptionClaim to the gender of the user
Mapped Attribute

gender

Claim URLhttp://wso2.org/foursquare/claims/gender
Supported by Defaultselected
+ + | | | + |----------------------|--------------------------------------------| + | Display Name | Home City | + | Description | Claim to Home city | + | Mapped Attribute | locality | + | Claim URL | http://wso2.org/foursquare/claims/homeCity | + | Supported by Default | selected | + + | | | + |----------------------|------------------------------------------------| + | Display Name | Canonical Url | + | Description | Claim to the canonical Url | + | Mapped Attribute | url | + | Claim URL | http://wso2.org/foursquare/claims/canonicalUrl | + | Supported by Default | selected | + + ![](../../assets/img/49088044/57749023.png) + +6. The next step is to configure claims in the Identity Server and map + them with Foursquare. + + 1. In the **Identity** section under the **Main** tab, click + **List** under **Identity Providers**. + 2. Click **Edit** to edit the foursquare identity provider you + created. + 3. Under **Claim Configuration**, go to **Basic Claim + Configuration**. + 4. Select the **Define Custom Claim Dialect** option under **Select + Claim mapping Dialect**. + 5. Click **Add Claim Mapping** to add custom claim mappings as + follows. + 6. Select the User ID Claim URI as - + + + 7. Click **Update**. + ![](../../assets/img/49088044/61669807.png) + +#### Local claim mapping + +Navigate to the **Main** menu, and click **Add** under **Claims** in the +Management Console. The list of claims appear. Click the + claim, and thereafter click **email**. This +shows you that by default, the local claim +**http://wso2.org/claims/emailaddress** is created with the map +attribute **mail.** + +- **IS 5.3.0** + ![](../../assets/img/49088044/76747781.png) + +- **IS 5.1.0/IS 5.2.0** + ![](../../assets/img/49088044/57749027.png) + +In the configuration, **http://wso2.org/foursquare/claims/email** is +mapped to the **mail** attribute in the Foursquare claim, and +**http://wso2.org/claims/emailAddress** is mapped to the **mail** +attribute in WSO2 local claim. 
+ +Creating a new local claim to map it with the Foursquare claim** +You can create the local claim **http://wso2.org/claims/id** with the +map attribute **uid** as follows: + +- **IS 5.3.0** + + 1. In the **Main** menu, click **Add** under **Claims**. + 2. Click **Add Local Claim** to create a new local claim. + + 3. Specify the following: + + - **Claim URI** - + + - **Display Name** - ID + + - **Description** - Identifier + - **Mapped Attribute (s)** - uid + - **Supported by Default** - Select this option. + ![](../../assets/img/49088044/76747798.png) + + 4. Click **Add**. + +- **IS 5.1.0/IS 5.2.0** + + 1. In the **Main** menu, click **Add** under **Claims**. + 2. Click **Add New Claim Dialect** to create the wso2.org specific + claim dialect. + + ![](../../assets/img/49088044/57749026.png) + + 3. Click **Add**. + +### Configuring requested claims for travelocity.com + +1. In the **Identity** section under the **Main** tab, click **List** + under **Service Providers**. +2. Click **Edit** to edit the travelocity.com service provider. +3. Expand the **Claim Configuration** section. +4. Click on **Add Claim URI** under **Requested Claims** to add the + requested claims as indicated in the image below. Here you must add + the claims you mapped in the Identity Provider claim configuration. + + Select the Mandatory Claim checkbox for all the claim URIs that you + added. + + - [**IS 5.3.0**](#60f10e1b28fc4aa6b1c6003302c0c34b) + + ![](../../assets/img/49088044/112364021.png) + + - [**IS 5.1.0/IS 5.2.0**](#a0cfc3dd8fae4fc3ad1c3c46a1b710a3) + + ![](../../assets/img/49088044/57749029.png) + +5. Select the Subject Claim URI as http://wso2.org/claims/emailaddress + to define the authenticated user identifier that will return with + the authentication response to the service provider. + +6. Click **Update** to save your service provider changes. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + E.g., + +2. 
Click the link to log in with SAML from WSO2 Identity Server. You + can use either the redirect binding or the post binding option. + ![](../../assets/img/49088044/76748625.png) +3. You are redirected to the Foursquare Login page. Enter your + Foursquare credentials and you will be taken to the home page of the + travelocity.com app. + ![](../../assets/img/49088044/76747861.png) diff --git a/en/docs/develop/getting-support.md b/en/docs/develop/getting-support.md index 6a95de646c..ca19378581 100644 --- a/en/docs/develop/getting-support.md +++ b/en/docs/develop/getting-support.md 
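Review bot: several values in the foursquare-authenticator.md hunk are blank where the text clearly intends a URI or placeholder, so the rendered steps cannot be followed. Step 3 of the IS 5.3.0 claim procedure reads "Select the **Dialect URI** as -" with nothing after it, "Specify the Dialect Uri as and create claims" and both "Select the User ID Claim URI as -" steps have lost their URIs, the new-local-claim step has "**Claim URI** -" with no value, the "Local claim mapping" paragraph says "Click the claim, and thereafter click **email**" with the dialect name dropped, and the test URL is "` http://:/travelocity.com/index.jsp `" followed by "E.g.," and nothing. The intended values already appear elsewhere in the hunk (http://wso2.org/foursquare/claims, http://wso2.org/foursquare/claims/id, http://wso2.org/claims/id, http://wso2.org/claims), so write them out as plain text or code spans rather than bare angle-bracket autolinks, which is the likeliest cause of the dropouts, and restore the host and port placeholders in the test URL. Also in this hunk: the closing paragraph of "Local claim mapping" writes the local claim as **http://wso2.org/claims/emailAddress** while every table and the Subject Claim URI step use http://wso2.org/claims/emailaddress; claim URIs are compared as strings, so the casing must match, and the lowercase form is the one the tables use. The gender claim table in the IS 5.1.0/5.2.0 section is raw HTML while the six tables around it are Markdown pipe tables; convert it for consistency. Minor: "Claimtofirstname" needs spaces, "Enter the following values the form" is missing "in", the line "Creating a new local claim to map it with the Foursquare claim**" has an unmatched bold marker, and the IS 5.1.0/5.2.0 local-claim procedure says "Click **Add New Claim Dialect**" although the goal stated just above is a new claim under the existing http://wso2.org/claims dialect, not a new dialect.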
@@ -3,9 +3,7 @@ In addition to this documentation, there are several ways to get help as you work on WSO2 products. -| | | -|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ![Explore learning resources thumbnail](assets/img/connectors/explore-learning-resources-thumbnail.png) | **Explore learning resources**: For tutorials, articles, whitepapers, webinars, and other learning resources, look in the **Resources** menu on the [WSO2 website](http://www.wso2.com). For training materials, click [WSO2 Training](http://wso2.com/training/) on the **Support & Training** menu. In products that have a visual user interface, click the Help link in the top right-hand corner to get help with your current task. | -| ![Try our support options thumbnail](assets/img/connectors/try-our-support-options-thumbmail.png) | **Try our support options** : WSO2 offers a variety of development and production support programs, ranging from web-based support during normal business hours to premium 24x7 phone support. For support information, see [http://wso2.com/support/](http://wso2.com/support). | +| ![Try our support options thumbnail](assets/img/connectors/try-our-support-options-thumbmail.png) | **Try our support options** : WSO2 offers a variety of development and production support programs, ranging from web-based support during normal business hours to premium 24x7 phone support. For support information, see [http://wso2.com/support/](http://wso2.com/support). 
| | ![Ask questions in the user forms thumbmail](assets/img/connectors/ask-questions-in-the-user-forums.png) | **Ask questions in the user forums** at [http://stackoverflow.com](http://stackoverflow.com/questions/tagged/wso2). Ensure that you tag your question with appropriate keywords such as *WSO2* and the product name so that our team can easily find your questions and provide answers. If you can't find an answer on the user forum, you can email the WSO2 development team directly using the relevant mailing lists described at . | | ![Report issues thumbnail](assets/img/connectors/report-issues-thumbnail.png) | **Report issues**, submit enhancement requests, track and comment on issues using our [public bug-tracking system](https://wso2.org/jira/secure/Dashboard.jspa), and contribute samples, patches, and tips & tricks (see the [WSO2 Contributor License Agreement](http://wso2.com/files/wso2-cla.pdf). | diff --git a/en/docs/develop/github-authenticator.md b/en/docs/develop/github-authenticator.md index 683eb3f33d..ce075d0d2e 100644 --- a/en/docs/develop/github-authenticator.md +++ b/en/docs/develop/github-authenticator.md @@ -1,13 +1,10 @@ -# Github Authenticator +# Configuring Github Authenticator !!! warning + For latest instructions on how to configuring the Github authenticator, + see Github Authenticator [Github + repository](https://github.com/wso2-extensions/identity-outbound-auth-github/tree/master/docs). - For latest documentation on the Github authenticator, see Github - Authenticator [Github - repository](https://github.com/wso2-extensions/identity-outbound-auth-github/tree/master/docs) - . - - The Github authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Github users to log in to your organization’s applications. Github is a web-based hosting service for 
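Review bot: the getting-support.md hunk removes the table's header row and separator ("-| | |" and the "-|-----...-----|" line) without replacing them, so the remaining "| ![...thumbnail](...) | **...** |" rows are no longer a Markdown table and will render as literal pipe-delimited text; keep a (blank) header row plus separator, or turn the four rows into a list. The removed and re-added "Try our support options" row are identical apart from line wrapping, so that part of the change is noise in the diff. Unrelated to this change but visible in the context: "mailing lists described at ." has lost its link target, and the image file names spell "thumbmail".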
@@ -15,19 +12,211 @@ software development projects that facilitates powerful collaboration, code review, and code management for open source and private software development projects. -![](attachments/49774662/76746205.png) +![](../../assets/img/49774662/76746205.png) + +This page provides instructions on how to configure the Github +authenticator and Identity Server using a sample app. You can find more +information in the following sections. + +!!! info + To download the authenticator and other artifacts, go to [IS Connector + Store](https://store.wso2.com/store/assets/isconnector/details/bfed96a9-0d79-4770-9c55-22378d3a2812). + +!!! info + Github Authenticator  is supported by Identity Server 5.1.0 upwards. + +### Deploying Github artifacts + +- Download the artifacts for this authenticator from [the + store](https://store.wso2.com/store/assets/isconnector/details/bfed96a9-0d79-4770-9c55-22378d3a2812) + . + +- Place the org.wso2.carbon.identity.authenticator.github-1.0.0.jar + file into the + ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the Github Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Github App -### Getting started +1. Go to , and create a github account. +2. Register your app at + . + ![](../../assets/img/49774670/49971235.png) -To get started with the authenticator, go to [Configuring Github -Authenticator](https://github.com/wso2-extensions/identity-outbound-auth-github/tree/master/docs) -. Once you have completed your configurations, you can perform -authentication with the Github authenticator. +3. Use ` https://localhost:9443/commonauth ` as the + authorization callback URL when you register the client. -### Additional information +4. Now you can get the clientId and clientSecret of your created app. 
+ ![](../../assets/img/49774670/49971238.png) -To download the authenticator and other artifacts, go to [IS Connector -Store](https://store.wso2.com/store/assets/isconnector/details/bfed96a9-0d79-4770-9c55-22378d3a2812) +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and [service +provider](../../learn/adding-and-configuring-a-service-provider) +. + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) . - +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). + +2. Run the [WSO2 Identity + Server](../../setup/running-the-product). +3. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +4. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +5. Give a suitable name for **Identity Provider Name**. + ![](../../assets/img/49774670/49971239.png) +6. Navigate to **Github Configuration** under **Federated + Authenticators**. + +7. Enter the values as given in the above figure. + + - **Client Id** : Client Id for your app. + - **Client Secret** : Client Secret for your app. + - **Scope** : Scope of the authorize token. For information on + available scopes, see + [Scopes](https://developer.github.com/apps/building-oauth-apps/scopes-for-oauth-apps/) + . + - **Callback URL** : Service Provider's URL where code needs to be + sent . + +8. Select both checkboxes to **Enable** the Github authenticator and + make it the **Default**. + + ??? 
note "Click here to see descriptions about configuration property values" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionSample Value
EnableSelecting this option enables github to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that github is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
ClientIDThis is the username from the github application8437ce9b8cfdf282c92b
Client SecretThis is the password from the github application. Click the Show button to view the value you enter.7219bb5e92f4287cb5134b73760e039e55d235d
ScopeScope of the authorize token. For information on available scopes, see Scopes .
+
Callback URL
+

This is the URL to which the browser should be redirected after the authentication is successful. The URL should be specified in the following format:
+ https://<HOST_NAME>:<PORT>/acs

+
https://localhost:9443/commonauth
+ +9. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + ` http://localhost:8080/travelocity.com/home.jsp ` + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + + ![](../../assets/img/49774670/85361222.png) + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. Navigate to the **Local and Outbound Authentication Configuration** + section. + +9. Select the identity provider you created from the drop-down list + under **Federated Authentication**. + + ![](../../assets/img/49774670/49971240.png) + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., ` http://localhost:8080/travelocity.com ` + +2. Login with SAML from the WSO2 Identity Server. + + ![](../../assets/img/49774670/85361224.jpeg) + +3. Enter your Github credentials in the prompted login page of Github. + Once you log in successfully you will be taken to the home page of + the travelocity.com app. \ No newline at end of file 
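Review bot: in the github-authenticator.md hunk the Callback URL row of the property table says the URL "should be specified in the following format: https://<HOST_NAME>:<PORT>/acs" while the sample value in the same row and step 3 of "Configuring the Github App" use https://localhost:9443/commonauth; the paths disagree, and /commonauth is the endpoint the rest of the page relies on, so the format line should say /commonauth. The same table gives a concrete-looking ClientID (8437ce9b8cfdf282c92b) and Client Secret (7219bb5e92f4287cb5134b73760e039e55d235d); use obvious placeholders such as <CLIENT_ID> and <CLIENT_SECRET> so that no real app credential is published in the docs and nobody pastes the sample into a live configuration. Several values are empty: "Go to , and create a github account." and "Register your app at ." have no URL, the dropins path "` /repository/components/dropins `" is missing its <IS_HOME> prefix (the keytool command in instagram-authenticator.md in this same patch writes it as "< IS_HOME >"), and the test URL "` http://:/travelocity.com/index.jsp `" has lost its host and port placeholders. The warning in the first hunk of this file reads "how to configuring the Github authenticator"; make it "how to configure". Minor: "Github Authenticator  is supported" has a doubled space, step 7 says "Enter the values as given in the above figure" but the figure sits under step 5, the property table is raw HTML inside a "??? note" while the Instagram page in this patch uses a Markdown table for the same content, and the file now ends without a trailing newline.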
diff --git a/en/docs/develop/instagram-authenticator.md b/en/docs/develop/instagram-authenticator.md index cee91c5687..9bde0d3bc8 100644 --- a/en/docs/develop/instagram-authenticator.md +++ b/en/docs/develop/instagram-authenticator.md @@ -1,4 +1,4 @@ -# Instagram Authenticator +# Configuring Instagram Authenticator The Instagram authenticator allows users to log in to your organization's applications using 
@@ -7,28 +7,233 @@ photo-sharing, video-sharing, and social networking service. The Instagram authenticator is configured as a federated authenticator in WSO2 Identity Server. -### Getting started +![](../../assets/img/49091418/76746190.png) -To get started with the authenticator, go to [Configuring Instagram -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Instagram+Authenticator) +This page provides instructions on how to configure the Instagram +authenticator and Identity Server using a sample app. You can find more +information in the following sections. + +!!! info + To download the authenticator and other artifacts, go to + [https://store.wso2.com/store/assets/isconnector/instagram](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Instagram%22) + . + +!!! info + This is tested with the Instagram API version 1.0 (v1). Instagram + authenticator is supported by Identity Server 5.1.0 upwards. + +### Deploying Instagram artifacts + +- Place the Instagram authenticator .jar file ( + ` org.wso2.carbon.extension.identity.authenticator.instagram.connector-X.X.X.jar ` + ) into the + ` /repository/components/dropins ` + directory. You can download this from [the + store](https://store.wso2.com/store/assets/isconnector/details/175db9b2-1aae-4402-adee-94c4acd751d2) + . + + !!! note + If you want to upgrade the Instagram Authenticator (.jar) in your existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + +### Configuring the Instagram App + +1. Download the **Instagram** app for iOS from the App Store, Android + from Google Play Store or Windows Phone from the Windows Phone + Store. +2. Once the app is installed, tap to open it. +3. Sign up and create an account using your email ID. +4. Navigate to and log in using the + credentials that you used to create the account. +5. Navigate to and click the ' + **Register Your Application** ' button and register a new client. +6. 
Use as the redirect URL when you + register the client. + ![](../../assets/img/49091422/49224545.png) + + !!! note + If you are getting an error while registering you may have to + "Disable Content Security Policy". It is recommended to enable + content security policy, once you registered into the app. + + +7. From the app dashboard you can get the **clientId** and + **clientSecret** for your created app. + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and [service +provider](../../learn/adding-and-configuring-a-service-provider) . -Once you have completed your configurations, you can authenticate users -using the Instagram authenticator. +### Configuring the identity provider - +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. -The diagram below illustrates the flow of the Instagram federated -authenticator +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). +2. Go to in your browser, and then click + the HTTPS trust icon on the address bar (e.g., the padlock next to + the URL) to download the certificate. If you are using google chrome + please follow the steps of [inspecting certificates in + chrome](https://textslashplain.com/2017/05/02/inspecting-certificates-in-chrome/) + to export the certificate. - +3. Import that certificate into the IS client keystore by running the + following command on your command line. + ` keytool -importcert -file -keystore < IS_HOME >/repository/resources/security/client-truststore.jks -alias "Instagram" ` + + !!! 
note + Note that 'wso2carbon' is the keystore password of the default + client-truststore.jks file. We need the certificate in order to + validate the signature. Otherwise, it is unable to prove that the + response is sent by the relevant identity provider we configured. + +4. [Run the WSO2 Identity + Server](../../setup/running-the-product). +5. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +6. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +7. Give a suitable name for **Identity Provider Name** and configure + the authenticator. To do this, navigate to **Instagram + Configuration** under **Federated Authenticators** and fill the + form. + ![](../../assets/img/49091422/51251951.png) + Do the following configurations. + + | Field | Description | Sample value | + |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------| + | Enable | Selecting this option enables Instagram to be used as an authenticator for users provisioned to the Identity Server. | Selected | + | Default | Selecting the **Default** checkbox signifies that Instagram is the main/default form of authentication. This removes the selection made for any other **Default** checkboxes for other authenticators. | Selected | + | Client Id | This is the username from the Instagram application. | aa6f12fd086e4b58a6707d5b61377a71 | + | Client Secret | This is the password from the Instagram application. Click the **Show** button to view the value you enter. | fffc3f4808f34e01b0bc529ce78f5980 | + | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs. 
| https://localhost:9443/commonauth | + +8. Select both checkboxes to **Enable** the Instagram authenticator and + make it the **Default**. + +9. Click Register. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using Travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click Register. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. -![](attachments/49091418/76746190.png?effects=border-simple,blur-border) +5. Now set the configuration as follows: -### Additional information + 1. **Issuer** : travelocity.com -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/instagram](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Instagram%22) + 2. **Assertion Consumer URL** : + + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. Navigate to the **Local and Outbound Authentication Configuration** + section. + +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + + ![](../../assets/img/49091422/49227071.png) + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. 
+ +**Related Topics** + +For more information on service provider configuration, see [Configuring +Single +Sign-On](../../learn/configuring-single-sign-on) . +### Configuring claims + +This involves [adding a new claim +mapping](../../learn/adding-claim-mapping) for +various user attributes related to Instagram. + +- In the **Main** menu, click **Add** under **Claims**. +- Click **Add New Claim Dialect** to create the Instagram + authenticator specific claim dialect. + ![](../../assets/img/49091422/58473586.png) +- Specify the Dialect Uri as and + create claims. It is required to create at least one claim under + this new dialect. Therefore, create the claim for the Instagram user + ID while creating the claim dialect. Enter the following values the + form. +- Click **Add** to add the new claim. +- Similarly, you can create claims for all the public information of + the Instagram user. Add the following claims under the dialect + + ![](../../assets/img/49091422/58473593.png) + +![](../../assets/img/49091422/58473594.png) + + +- You can create the local claim to map it with the Instagram claim. + Create the local claim **http://wso2.org/claims/profilepicture** + with the map attribute **profile picture**. + +![](../../assets/img/49091422/58473595.png) + +### Configuring requested claims for travelocity.com + +1. In the **Identity** section under the **Main** tab, click **List** + under **Service Providers**. +2. Click **Edit** to edit the travelocity.com service provider. +3. Expand the **Claim Configuration** section. +4. Click on **Add Claim URI** under **Requested Claims** to add the + requested claims as indicated in the image below. Here you must add + the claims you mapped in the Identity Provider claim configuration. + +![](../../assets/img/49091422/58473599.png) + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., + +2. 
Click the option available to login with SAML from the WSO2 Identity + Server. + +3. Enter your Instagram credentials in the prompted login page of + Instagram. Once you login successfully you will be taken to the home + page of the [travelocity.com](http://travelocity.com) app. + +![](../../assets/img/49091422/58473600.png) \ No newline at end of file diff --git a/en/docs/develop/configuring-inwebo-authenticator.md b/en/docs/develop/inwebo-authenticator.md similarity index 71% rename from en/docs/develop/configuring-inwebo-authenticator.md rename to en/docs/develop/inwebo-authenticator.md index d510f30da9..aa74540624 100644 --- a/en/docs/develop/configuring-inwebo-authenticator.md +++ b/en/docs/develop/inwebo-authenticator.md 
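Review bot: the note under step 6 of "Configuring the Instagram App" in instagram-authenticator.md tells the reader to "Disable Content Security Policy" to get past a registration error without saying where; as written it reads as switching off browser CSP, so state which tool or setting is meant, that it is a temporary workaround for the registration form only, and keep the sentence that says to re-enable it afterwards. The keytool command in step 3 of "Configuring the identity provider", "` keytool -importcert -file -keystore < IS_HOME >/repository/resources/security/client-truststore.jks -alias "Instagram" `", has no argument after -file, so it fails as written; add a <CERT_FILE> placeholder. The note that follows explains the import as needed "to validate the signature", but the step downloads the site's HTTPS certificate and puts it in client-truststore.jks, which is what lets the server's outbound TLS calls to Instagram be trusted; reword the rationale accordingly. As in the Github hunk, the Callback URL row says "https://(host-name):(port)/acs" while the sample is https://localhost:9443/commonauth, and the Client Id and Client Secret sample values (aa6f12fd086e4b58a6707d5b61377a71 and fffc3f4808f34e01b0bc529ce78f5980) look like real credentials; use /commonauth and obvious placeholders. Empty values in this hunk: "Navigate to and log in", "Navigate to and click", "Use as the redirect URL", "Go to in your browser", "**Assertion Consumer URL** :" with nothing after it, "Specify the Dialect Uri as", and the test URL "` http://:/travelocity.com/index.jsp `" followed by "E.g.," and nothing. The claims section says "Enter the following values the form" and "Add the following claims under the dialect" but the only content that follows is screenshots; list the dialect URI, claim URIs and mapped attributes as text, as the Foursquare page in this patch does with tables, and confirm that the mapped attribute for http://wso2.org/claims/profilepicture, written as "profile picture" with a space, is really the attribute name in the target user store.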
@@ -1,38 +1,40 @@ # Configuring Inwebo Authenticator +The Inwebo connector allows you to authenticate a user using Inwebo +through WSO2 Identity Server . Inwebo provides security beyond +passwords. The diagram below illustrates the flow of the Inwebo +federated authenticator + +![](../../assets/img/48276415/76746223.png) + +This is tested with the Inwebo API version 3.1 + This topic provides instructions on how to configure the Inwebo app and the Identity Server to integrate using a sample app. See the following sections for more information. -Inwebo Authenticator is supported by Identity Server version 5.1.0 - -- [Configuring the Inwebo - app](#ConfiguringInweboAuthenticator-ConfiguringtheInweboapp) -- [Deploying Inwebo - artifacts](#ConfiguringInweboAuthenticator-DeployingInweboartifacts) -- [Deploying travelocity.com sample - app](#ConfiguringInweboAuthenticator-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringInweboAuthenticator-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringInweboAuthenticator-Configuringtheserviceprovider) -- [Configuring user - claim](#ConfiguringInweboAuthenticator-ConfiguringUserClaim) -- [Testing the - sample](#ConfiguringInweboAuthenticator-Testingthesample) +!!! info + Inwebo Authenticator is supported by Identity Server version 5.1.0 + +!!! info + You have to have Inwebo android or IOS application on your mobile device + to go with this authenticator. To download the authenticator and + artifacts, go to + [https://store.wso2.com/store/assets/isconnector/inweboauthenticator](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Inwebo%22). + ### Configuring the Inwebo app 1. Go to and click free signup and register. 2. Activate your email notification and go to - . + . 3. Go to Administration console and get the Service Id of admin user. - ![](attachments/48276420/51252020.png) + ![](../../assets/img/48276420/51252020.png) 4. 
Navigate to Secure Sites and download the certificate for API access (.p12 format). 5. Go to MyInweboAccount and navigate to My Devices, click add a Device button. The following window appears. - ![](attachments/48276420/48206313.png) + ![](../../assets/img/48276420/48206313.png) 6. Download Inwebo app in your mobile or any other devices. Add the above secure site ID or scan the QR code to activate the account 
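Review bot: the first inwebo-authenticator.md hunk adds "through WSO2 Identity Server ." with a space before the period, and the lines "This is tested with the Inwebo API version 3.1" and "Inwebo Authenticator is supported by Identity Server version 5.1.0" end without punctuation; the second info box should read "Android or iOS application", not "android or IOS". Step 1 "Go to and click free signup and register." and step 2 "go to ." have no URL, and the changed line in step 2 ("-    ." replaced by "+    .") is identical on both sides, so the diff fixes nothing there; write the addresses out as text or code spans. Step 4, "download the certificate for API access (.p12 format)": a PKCS#12 file carries the private key of the API client, so the page should say where that file is later used and that it must be stored and handled like a credential rather than left in a download folder.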
@@ -49,43 +51,37 @@ Inwebo Authenticator is supported by Identity Server version 5.1.0 directory. !!! note - If you want to upgrade the Inwebo Authenticator in your existing IS - pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) + pack, please refer [upgrade instructions.](../../develop/upgrading-an-authenticator) -To download the authenticator and artifacts, go to -[https://store.wso2.com/store/assets/isconnector/inwebo](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Inwebo%22) -. - ### Deploying travelocity.com sample app The next step is to deploy the travelocity.com sample app in order to use it in this scenario. To configure this, see [Deploying the Sample -App](Deploying-the-Sample-App). +App](../../develop/deploying-the-sample-app). ### Configuring the identity provider Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -. +provider](../../learn/adding-and-configuring-an-identity-provider). 1. Download the WSO2 Identity Server from [here](http://wso2.com/products/identity-server/) and [run - it](https://docs.wso2.com/display/IS510/Running+the+Product). + it](../../setup/running-the-product). 2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) + console](../../setup/getting-started-with-the-management-console) as an administrator. 3. In the **Identity** section under the **Main** tab of the management console, click **Add** under **Identity Providers**. 4. Give a suitable name as the **Identity Provider Name** and fill out the form to configure Inwebo by expanding **Inwebo Configuration** under **Federated Authenticators**. - ![](attachments/48276420/48214226.png) Fill in the following. - + ![](../../assets/img/48276420/48214226.png) + + Fill in the following. 
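Review bot: this hunk drops the first line of the upgrade note and does not re-add it: the three "-" lines remove "If you want to upgrade the Inwebo Authenticator in your existing IS", "pack, please refer [upgrade" and "instructions.](https://docs.wso2.com/...)", but the only "+" line is "pack, please refer [upgrade instructions.](../../develop/upgrading-an-authenticator)", so the rendered admonition now begins mid-sentence with "pack, please refer". Restore the opening line (the Github and Instagram pages in this patch carry the full sentence). While touching it, "please refer [upgrade instructions.]" should be "please refer to the [upgrade instructions](...)" with the period outside the link text. The rest of the hunk (link retargeting and splitting the screenshot from "Fill in the following.") is fine.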
@@ -142,7 +138,7 @@ The next step is to configure the service provider. 4. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section. - ![](attachments/48276420/49222042.png) + ![](../../assets/img/48276420/49222042.png) 5. Now set the configuration as follows: @@ -171,7 +167,7 @@ The next step is to configure the service provider. 10. Add the basic authentication as first step and Inwebo authentication as the second step - ![](attachments/48276420/48211344.png) + ![](../../assets/img/48276420/48211344.png) You have now added and configured the service provider. 
@@ -181,45 +177,46 @@ You have now added and configured the service provider. 2. Select Add New Claim 3. Add new claim UserId (Change Claim Uri as ( ) - ![](attachments/48276420/49221143.png) + ![](../../assets/img/48276420/49221143.png) 4. Go to Service provider, select travalocity.com→Edit → Claim configuration 5. Update the claim UserId - ![](attachments/48276420/48214228.png) + ![](../../assets/img/48276420/48214228.png) + 6. Now go to Users and Roles + 7. Add the details and update the profile. - ![](attachments/48276420/48211847.png) + ![](../../assets/img/48276420/48211847.png) ### Testing the sample 1. To test the sample, go to the following URL: [http://localhost:8080/travelocity.com - ![](attachments/48276420/48206317.png){width="780" - height="502"}](http://localhost:8080/travelocity.com) + ![](../../assets/img/48276420/48206317.png)](http://localhost:8080/travelocity.com) 2. Click the link to log in with SAML from WSO2 Identity Server. 3. Basic authentication page will be visible, use your IS username and password. - ![](attachments/48276420/48214229.png) + ![](../../assets/img/48276420/48214229.png) 4. Hit Click! Button to authenticate Inwebo . - ![](attachments/48276420/49221869.png) + ![](../../assets/img/48276420/49221869.png) 5. You will get a notification in your external device(mobile). - ![](attachments/48276420/49222015.jpg) + ![](../../assets/img/48276420/49222015.jpg) 6. Enter your Inwebo PIN - ![](attachments/48276420/49222016.jpg) + ![](../../assets/img/48276420/49222016.jpg) 7. Click accept - ![](attachments/48276420/49222017.jpg) + ![](../../assets/img/48276420/49222017.jpg) 8. Click ok and taken to the home page of the travelocity.com app - ![](attachments/48276420/48211848.png) + ![](../../assets/img/48276420/48211848.png) 
diff --git a/en/docs/develop/configuring-inwebo-provisioning.md b/en/docs/develop/inwebo-provisioning.md similarity index 77% rename from en/docs/develop/configuring-inwebo-provisioning.md rename to en/docs/develop/inwebo-provisioning.md index 3023d0a5fc..e6cb47bc87 100644 --- a/en/docs/develop/configuring-inwebo-provisioning.md +++ b/en/docs/develop/inwebo-provisioning.md @@ -1,21 +1,18 @@ # Configuring Inwebo Provisioning +The Inwebo connector allows you to authenticate a user using Inwebo +through WSO2 Identity Server . Inwebo provides security beyond +passwords. The diagram below illustrates the flow of the Inwebo +federated authenticator + +![](../../assets/img/48276415/76746223.png) + +This is tested with the Inwebo API version 3.1 + This topic provides instructions on how to configure the Inwebo app and how to provision the users from WSO2 Identity Server. See the following sections for more information. -- [Configuring the Inwebo - app](#ConfiguringInweboProvisioning-ConfiguringtheInweboapp) -- [Deploying Inwebo - artifacts](#ConfiguringInweboProvisioning-DeployingInweboartifacts) -- [Deploying travelocity.com sample - app](#ConfiguringInweboProvisioning-Deployingtravelocity.comsampleapp) -- [Configuring the identity - provider](#ConfiguringInweboProvisioning-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringInweboProvisioning-Configuringtheserviceprovider) -- [Testing the - sample](#ConfiguringInweboProvisioning-Testingtheprovisioningconnector) ### Configuring the Inwebo app 
@@ -26,13 +23,13 @@ sections for more information. 4. Go to Administration console from the right side toggle menu and get the Service Id of admin user. - ![](attachments/50505066/51251911.png) + ![](../../assets/img/50505066/51251911.png) 5. Navigate to Secure Sites and download the certificate for API access (.p12 format). 6. Go to MyInweboAccount and navigate to My Devices, click add a Device button. The following window appears. - ![](attachments/50505066/50683079.png) + ![](../../assets/img/50505066/50683079.png) 7. Download Inwebo app in your mobile or any other devices. Add the above secure site ID or scan the QR code to activate the account. @@ -48,7 +45,7 @@ sections for more information. If you want to upgrade the Inwebo Provisioning Connector (.jar) in your existing IS pack, please refer [upgrade - instructions.](https://docs.wso2.com/display/ISCONNECTORS/Authenticator+Upgrade+Instructions) + instructions.](../../develop/upgrading-an-authenticator) 2. To download the authenticator and artifacts, go to @@ -61,12 +58,12 @@ The next step is to deploy the travelocity.com sample app in order to use it in this scenario. To configure this, see [Deploying the Sample -App](Deploying-the-Sample-App). +App](../../develop/deploying-the-sample-app). ### Configuring the identity provider Now you have to configure WSO2 Identity Server by [adding a new identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) +provider](../../learn/adding-and-configuring-an-identity-provider) . 1. Download the WSO2 Identity Server from 
@@ -74,33 +71,32 @@ provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) [axis2\_inwebo.xml](https://github.com/wso2-extensions/identity-outbound-provisioning-inwebo/blob/master/component/provisioning-connector/resources/axis2_inwebo.xml) into the ` /repository/conf/axis2 ` directory and [start  up the Identity - Server](https://docs.wso2.com/display/IS510/Running+the+Product). + Server](../../setup/running-the-product). 2. Log in to the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) + console](../../setup/getting-started-with-the-management-console) as an administrator. 3. In the **Identity** section under the **Main** tab of the management console, click **Add** under **Claims**. 4. Add a new claim for **Language.** - ** - ** ****![](attachments/50505066/50685963.png) **** + ![](../../assets/img/50505066/50685963.png) + 5. Click **Add** under **Identity Providers**. 6. Expand the **Claim Configuration** section and select **Define Custom Claim Dialect** under **Basic Claim Configuration** section. - ** - ** + 7. Click **Add Claim Mapping** and add the following claims. - ![](attachments/50505066/50685960.png) + ![](../../assets/img/50505066/50685960.png) 8. Expand the **Advanced Claim Configuration** section. 9. Select the Claim URI you added from the **Provisioning Claim Filter** dropdown and click **Add Claim**. Enter a default value for each **Claim URI** as shown in the following image. - ![](attachments/50505066/50685961.png) + ![](../../assets/img/50505066/50685961.png) The default value for **language** should be either "fr" or "en". 10. Give a suitable name as the **Identity Provider Name** and fill out the fields. - ![](attachments/50505066/50685962.png) + ![](../../assets/img/50505066/50685962.png) Properties 
@@ -145,8 +141,7 @@ provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) - 2: An activation link, valid for 3 weeks, is generated. LoginSendByMail must be used immediately after -11. Go to **Inwebo Provisioning Configuration** under **Outbound - Provisioning Connectors**. +11. Go to **Inwebo Provisioning Configuration** under **Outbound Provisioning Connectors**. 12. Enter the values for the required fields. You should use Service Id, P12Password and P12FILE path values of the Inwebo app which you @@ -164,9 +159,8 @@ The next step is to configure the service provider. 2. Select 'Resident Service Provider' under the 'Service Providers' and add the created Inwebo identity provider in 'Outbound Provisioning - Configuration' . - - ![](attachments/50505066/50683359.png) + Configuration'. + ![](../../assets/img/50505066/50683359.png) 3. Click ' Update' to save the changes. @@ -178,10 +172,10 @@ You have now added and configured the service provider. 2. Enter the User Name and Password for the new user and hit 'Finish'. - [![](attachments/50505066/50683376.png) ](http://localhost:8080/travelocity.com) + [![](../../assets/img/50505066/50683376.png) ](http://localhost:8080/travelocity.com) 3. Go to and check the newly created user. - ![](attachments/50505066/50683385.png) + ![](../../assets/img/50505066/50683385.png) diff --git a/en/docs/develop/jwt-grant-type-for-oauth2.md b/en/docs/develop/jwt-grant-type-for-oauth2.md index 260a091077..1fc0faa339 100644 --- a/en/docs/develop/jwt-grant-type-for-oauth2.md +++ b/en/docs/develop/jwt-grant-type-for-oauth2.md @@ -1,4 +1,4 @@ -# JWT Grant Type for OAuth2 +# Configuring JWT Grant Type The JSON Web Token bearer grant is simply a JSON string containing claim values that will be evaluated and validated by the JWT Grant Handlers at 
@@ -10,11 +10,258 @@ resource owner authentication and authorization. Additionally, it can exchange it with OAuth 2.0 access tokens in order to access protected resources on behalf of the resource owner. -### Getting started +!!! info + To download the grant type, go + to [https://store.wso2.com/store/assets/isconnector/jwtgrant](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22jwt%22) -To get started with the grant type, see [Configuring JWT Grant -Type](https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type) -for information and configuration steps. To download the grant type, go -to -[https://store.wso2.com/store/assets/isconnector/jwtgrant](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22jwt%22) -. +This topic provides instructions on how to configure the JWT grant type. +See the following sections for more information. + +### Deploying artifacts + +1. Place the + ` org.wso2.carbon.identity.oauth2.grant.jwt-1.0.5.jar ` + downloaded from + [store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22jwt%22) + in the + ` /repository/components/dropins ` + directory. + + !!! note + + If you want to upgrade the JWT Grant Type (.jar) that is available + in your existing WSO2 Identity Server distribution, see [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +2. To register the JWT grant type, configure the + ` /repository/conf/identity/identity.xml ` + file by adding a new entry under the + ` ` element. Add a + unique identifier between the ` ` + tags as seen in the code block below. + + ``` xml + + urn:ietf:params:oauth:grant-type:jwt-bearer + org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler + org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator + + ``` + +3. 
To store ` AUTHZ_USER ` and + ` USER_DOMAIN ` values separately, add the + ` SplitAuthzUser3Way ` property to the OAuth + section of the + ` /repository/conf/identity/identity.xml ` + file as follows: + ` true ` + +4. Add the audience values to the JWT token (ID token) in the + ` /repository/conf/identity/identity.xml ` + file as follows + + ``` xml + + https://localhost:9443/oauth2/token + + ``` + +5. Restart the server. + +### Configure the JWT grant type + +1. Sign in to the WSO2 Identity Server. Enter your username and + password to log on to the [Management + Console](../../setup/getting-started-with-the-management-console) + . +2. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +3. Provide the following values to configure the IDP: + - **Identity Provider Name:** Enter a issuer name (this is used to + generate the JWT assertion) as the identity provider name. + - **Identity Provider Public Certificate :** The certificate used + to sign the JWT assertion. You can find more information about + adding certificate in [Configuring an Identity + Provider](../../learn/adding-and-configuring-an-identity-provider) + . + + - **Alias** : Give the name of the alias if the Identity Provider + identifies this token endpoint by an alias (e.g., + ` https://localhost:9443/oauth2/token) ` + + See [Adding a new identity + provider](../../learn/adding-and-configuring-an-identity-provider) + for more information. + + ![](../../assets/img/50507537/50685934.png) +4. Navigate to the **Main** menu to access the **Identity** menu. Click + **Add** under **Service Providers**. +5. Fill in the **Service Provider Name** and provide a brief + **Description** of the service provider. See [Adding a Service + Provider](../../learn/adding-and-configuring-a-service-provider) + for more information. +6. Expand the **OAuth/OpenID Connect Configuration** and click + **Configure**. +7. Enter a **Callback URL**. 
For example, use + ` http://localhost:8080/playground2/oauth2client ` + and click **Add**. +8. The **OAuth Client Key** and **OAuth Client Secret** will now be + visible. + ![](../../assets/img/50507537/50685935.png) + +!!! note + While configuring the JWT grant type, the IAT validating time + period can also be configured in the **identity.xml** file. + + IAT validity period is configured as 30 minutes by default. This can be + modified by changing the value in the **identity.xml** file in + **\/repository/conf** as shown below. + + ``` xml + + + true + + 30 + + ``` + + +### The flow + +The CURL commands below can be used to retrieve the access token and +refresh the token using a JWT. + +**Request** + +``` java +curl -i -X POST -u : -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token +``` + +The **-u** flag should specify the “ +` : ` ” value. The assertion +parameter value is the signed base64 encoded JWT. The value of the +assertion parameter **MUST** contain a **single JWT**. You can refer +[JWT Bearer Grant](#jwt-bearer-grant) for more +information about assertion. + +!!! info + If you have configured the service provider and identity provider in a + tenant, you have to add the tenant domain as a query parameter to the + access token endpoint. + + If the tenant domain is *wso2.com*, the access token endpoint will be + as follows. 
+ + Access Token Endpoint: + https://localhost:9443/oauth2/token?tenantDomain=wso2.com + +**Sample request** + +``` java +curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -u bBhEoE2wIpU1zB8HA3GfvZz8xxAa:RKgXUC3pTRQg9xPpNwyuTPGtnSQa -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0NTgxNjY5ODUsInN1YiI6ImFkbWluIiwibmJmIjoxNDU4MTA2OTg1LCJhdWQiOlsiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwid3NvMi1JUyJdLCJpc3MiOiJqd3RJRFAiLCJqdGkiOiJUb2tlbjU2NzU2IiwiaWF0IjoxNDU4MTA2OTg1fQ.ZcxdoTVEsWoil80ne42QzmsfelMWyjRZJEjUK1c2vMZJjjtrZnsWExyCA5tN6iXYFAXC_7rkFuuNSgOlBi51MNLPZw3WcgGI52j6apGEW92V2tib9zRRWOeLQLAdo8ae8KzLp7kuKZ2XunfQ2WYU9TvvLDm_vp5ruuYz3ZZrJOc' https://localhost:9443/oauth2/token +``` + +You would have now received the response from the token endpoint. The +response would contain the access token, refresh token, expiry time and +token type . + +**Sample response** + +``` java +{"token_type":"Bearer","expires_in":3600,"refresh_token":"b1b4b78e2b0ef4956acb90f2e38a8833","access_token":"615ebcc943be052cf6dc27c6ec578816"}  +``` + + + +### JWT Bearer Grant + +JWT contains three parts that are separated by dots ".": header, +payload, and a signature. The header identifies which algorithm is used +to generate the signature. + +For example, see the following code block. + +**Sample header** + +``` groovy +{ + "alg":"RS256" +} +``` + +The payload contains the claims mentioned below: + +- ` iss ` (issuer) - The JWT must contain an + ` iss ` (issuer) claim that contains a unique + identifier that identifies the identity provider that issued the + JWT. +- ` sub ` (subject) - The JWT must contain a + ` sub ` (subject) claim that identifies the entity + that the identity provider or the entity that issued the JWT vouches + for. +- ` aud ` (audience) - The JWT must contain an + ` aud ` (audience) claim which containing a value + that identifies the authorization server as an intended audience. 
+ This value should be registered as token endpoint alias in the + Identity Provider. +- ` exp ` (expiration time) - The JWT must contain an + ` exp ` (expiration) claim that limits the time + window during which the JWT can be used. +- ` nbf ` (not before) - The JWT may contain a + ` nbf ` (not before time) claim that forces a JWT + to be used only after a specified time. +- ` iat ` (issued at) - The JWT may contain an + ` iat ` (issued at) claim that identifies the time + at which the JWT was issued. +- ` jti ` (json web token Id) - The JWT may contain + ` jti ` (JWT ID) claim that provides a unique + identifier for the token. +- Other custom claims - JWT may contain claims other than the above + mentioned ones. This is the extension point of the JWT + specification. + +For example, see the following code block. + +**Sample payload** + +``` groovy +{ + "sub":"admin", + "aud":[ + "https://localhost:9443/oauth2/token" + ], + "nbf":1507546100, + "iss":"jwtIDP", + "exp":1507606100, + "iat":1507546100, + "jti":"Token56756" +} +``` + +The signature is calculated by base64 URL encoding the header and +payload and concatenating them with a period as a separator and signing +it: + +` Signature = sign(encodeBase64(header) + '.' + encodeBase64(payload)) ` + +The signature must then be base64 URL encoded. JWT assertion can be +generated by concatenating these three encoded values with a separator +dot ".". + +***assertion*** = ***encodeBase64(header) + '.' + encodeBase64(payload) ++ '.' 
+ ***encodeBase64(s****** ***ignature)*** + +The result is as follows: + +**Sample assertion** + +``` java + eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iXSwibmJmIjoxNTA3NTQ2MTAwLCJpc3MiOiJqd3RJRFAiLCJleHAiOjE1MDc2MDYxMDAsImlhdCI6MTUwNzU0NjEwMCwianRpIjoiVG9rZW41Njc1NiJ9.iGMhjibB0W2QFQlM27gnHp6z47Eybv8cAHk2o2i-xqo2S4uJ_1VppFI4CCJXTj4qzV9vmkJ5HKNAayiTa6wOMXGL4XnwYwpOAoKXvboznlEDNRpw3htW34nLvyUu6PjHbdvAPVjh8kPRwf7esRr2p-luecGvC21mjWdhyGzM4hE +``` diff --git a/en/docs/develop/linkedin-authenticator.md b/en/docs/develop/linkedin-authenticator.md index 77461c6b04..f404082447 100644 --- a/en/docs/develop/linkedin-authenticator.md +++ b/en/docs/develop/linkedin-authenticator.md 
@@ -1,31 +1,415 @@ -# LinkedIn Authenticator +# Configuring LinkedIn Authenticator The LinkedIn authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate LinkedIn users to log in to your organization’s applications. LinkedIn is one of the popular social media networks which helps to build up a professional relationship with the people all around the world. The diagram below illustrates the flow of -the LinkedIn federated authenticator +the LinkedIn federated authenticator. - +![](../../assets/img/50507096/76746227.png) -![](attachments/50507096/76746227.png?effects=border-simple,blur-border) -### Getting started +This page provides instructions on how to configure the LinkedIn +authenticator and the WSO2 Identity Server using a sample app to +demonstrate authentication.You can find more information in the +following sections. -To get started with the authenticator, see [Configuring LinkedIn -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+LinkedIn+Authenticator) -for information and configuration steps. +!!! info + This is tested for the LinkedIn API version 1.0. LinkedIn Authenticator is supported by Identity Server 5.1.0 upwards. -Once you have completed your configurations, you can authenticate users -using the LinkedIn authenticator. +!!! info + To download the authenticator, go to + [https://store.wso2.com/store/assets/isconnector/LinkedIn](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22LinkedIn%22) - -To download the authenticator, go to -[https://store.wso2.com/store/assets/isconnector/LinkedIn](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22LinkedIn%22) -. +### Step 1 - Configure the LinkedIn App -12 +1. Place the authenticator .jar file into the + ` /repository/components/dropins ` + directory. 
You can download the .jar file ( + ` org.wso2.carbon.extension.identity.authenticator.linkedin.connector-1.x.x ` + ) from the [WSO2 + Store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22LinkedIn%22) + . Next restart the WSO2 IS server. -852 + !!! note + If you want to upgrade the LinkedIn (.jar) in your existing IS pack, + please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +2. Create a new app as described in the [LinkedIn Services + documentation](https://developer.linkedin.com/docs/oauth2). + 1. Navigate to the following URL: + + 2. Enter the required details. + - Enter your company details. + - Upload an image that you wish to use at the company logo. + - Select the checkbox to agree to the LinkedIn terms and + conditions. + 3. Click **Submit**. You will redirect to a page with **Client + ID** and **Client Secret** as shown in point 5. + ![](../../assets/img/50507126/76748920.png) +3. Enter the Authorized Redirect URL in the following format and click + **Add**. + ` https://{hostname}:{port}/commonauth ` + The default redirect URL in WSO2 Identity Server is - + +4. Click **Update**. + You have now finished configuring LinkedIn. Copy the **Client ID** + and **Client Secret** from the resulting page. + ![](../../assets/img/50507126/50685689.png) + +### Step 2 - Deploy the travelocity.com sample app + +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +To configure this, see [deploying travelocity.com sample +app](../../develop/deploying-the-sample-app). + +### Step 3 - Configure the identity provider (IdP) + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider). + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. 
Log in to the [Management + Console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +4. Enter a suitable name as the **Identity Provider Name** (e.g., + LinkedIn). + As our resident Identity Provider is WSO2 IS, the Alias will appear + as follows - https://(host-name):(port)/oauth2/token +5. **Optionally**, you can add the LinkedIn public certificate by + uploading it. + ** You can do this by clicking the **Browse** button next to the + **Identity Provider Public Certificate** field, and uploading the + file from your local directory. Some browsers let us download the + public certificate. If not you can skip this step. + + !!! note + In cryptography, a **public** **key** **certificate**, also known + as a **digital** **certificate** or **identity** **certificate**, + is an electronic document used to prove the ownership of a + **public** **key**. + +6. Navigate to the **LinkedIn Authenticator** **Configurations** under + **Federated Authenticators**. + + - **IS 5.3.0** + ![](../../assets/img/50507126/76748968.png) + + - **IS 5.1.0/IS 5.2.0** + ![](../../assets/img/50507126/57737954.png) + +7. Enter the IdP related details as follows: +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionSample Value
EnableSelecting this option enables LinkedIn to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that LinkedIn is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Client IdThis is a unique public identifier for apps which is usually given as a 32-character hex string. Enter the client ID of the app that you created in LinkedIn.81b05d91toz66e
Client SecretThis is a secret known only to the application and the authorization server. Enter the client ID of the app that you created in LinkedIn.otYR21HMW1PchfwZ
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format:
+ https://(host-name):(port)/commonauth
https://localhost:9443/commonauth
+ +8. Click **Register**. + +You have now added the identity provider. + +### Step 4 - Configure the service provider + +The next step is to configure the service provider based on the WSO2 +Identity Server version that you are working on. + +#### Configuring a service provider with IS 5.3.0 upwards + +1. Return to the management console. + +2. In the **Service Providers** section under the **Main** tab, click **Add**. + +3. As you are using travelocity as the sample, enter [travelocity.com](http://travelocity.com) in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click **SAML2 Web SSO** **Configuration**, and then click **Configure**. + +5. Add the service provider details as follows: + + 1. **Select Mode** : Manual Configuration + For more information on the SAML2 Web Single-Sign-On Configuration + methods, see [Configuring SAML2 Web + Single-Sign-On](https://docs.wso2.com/display/IS530/Configuring+SAML2+Web+Single-Sign-On) + in the WSO2 IS 5.3.0 guide. + + 2. **Issuer** : [travelocity.com](http://travelocity.com) + + 3. **Assertion Consumer URL** : Enter and click **Add**. + + 4. Select the following check-boxes: + - **Enable Response Signing**. + - **Enable Single Logout**. + - **Enable Attribute Profile**. + - **Include Attributes in the Response Always**. + + ![](../../assets/img/50507126/76748957.png) + +6. Click **Register** to save the changes. Now you will be sent back to the **Service Providers** page. + +7. Go to the **Local and Outbound Authentication Configuration** section. + +8. Configure the Local and Outbound Authentication for LinkedIn. For more information, see [Configuring Local and Outbound Authentication +for a Service Provider](https://docs.wso2.com/display/IS530/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider) +in the WSO2 IS 5.3.0 guide. + 1. Click on the **Federated Authentication** radio button. + 2. 
Select the identity provider you created from the drop-down list + under **Federated Authentication**. + 3. Select the following options: + - Use tenant domain in local subject identifier. + - Use user store domain in local subject identifier. + +9. Click **Update** to save the changes. + ![](../../assets/img/50507126/76748972.png) + +#### Configuring a service provider with IS 5.1.0 or IS 5.2.0 + +1. Return to the management console. +2. In the **Service Providers** section under the **Main** tab, click + **Add**. +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. +5. Now set the configuration as follows: + - **Issuer** : travelocity.com + - **Assertion Consumer URL** : http://localhost:8080/travelocity.com/home.jsp +6. Select the following check-boxes: + - **Enable Response Signing**. + - **Enable Single Logout**. + - **Enable Attribute Profile**. + - **Include Attributes in the Response Always**. +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +8. Go to the **Local and Outbound Authentication Configuration** + section. +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + ![](../../assets/img/50507126/50685694.png) +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +### Step 5 - Configure claims + +Add a new claim mapping for various user attributes related to LinkedIn +based on the WSO2 Identity Server version that you are working on. + +#### Configuring claims with IS 5.3.0 upwards + +For more information, see [Adding Claim Mapping](../../learn/adding-claim-mapping) in +WSO2 IS guide. + +1. 
Sign in to the [Management + Console](../../setup/getting-started-with-the-management-console) + by entering your username and password. +2. In the **Main** menu, click **Add** under **Claims**. +3. Click **Add Claim Dialect** to create the LinkedIn authenticator + specific claim dialect. +4. Specify the Dialect URI as follows: + ` http://wso2.org/linkedin/claims ` +5. Click **Add** to create the claim dialect. + ![](../../assets/img/50507126/76748975.png) +6. Map a new external claim to an existing local claim dialect. + You need to map at least one claim under this new dialect. + Therefore, let's map the claim for last name. + 1. In the **Main** menu, click **Add** under **Claims**. + 2. Click **Add External Claim** to add a new claim to the LinkedIn + claim dialect. + 3. Select the Dialect URI as - http://wso2.org/linkedin/claims + 4. Enter the External Claim URI based on the following claim + mapping information. + 5. Select the Mapped Local Claim based on the following claim + mapping information. + Claim mapping for last name + + | | | + |--------------------|------------------------------------------| + | Dialect URI | http://wso2.org/linkedin/claims | + | External Claim URI | http://wso2.org/linkedin/claims/lastName | + | Mapped Local Claim | http://wso2.org/claims/lastname | + + 6. Click **Add** to add the new external claim. + ![](../../assets/img/50507126/76748979.png) + +7. Similarly, you can create claims for all the public information of + the LinkedIn user by repeating step 6 with the following claim + mapping information. 
+ + - Claim mapping for first name + + | | | + |--------------------|-------------------------------------------| + | Dialect URI | http://wso2.org/linkedin/claims | + | External Claim URI | http://wso2.org/linkedin/claims/firstName | + | Mapped Local Claim | http://wso2.org/claims/givenname | + + - Claim mapping for email + + | | | + |--------------------|----------------------------------------------| + | Dialect URI | http://wso2.org/linkedin/claims | + | External Claim URI | http://wso2.org/linkedin/claims/emailAddress | + | Mapped Local Claim | http://wso2.org/claims/emailaddress | + + - Claim mapping for industry + + | | | + |--------------------|------------------------------------------| + | Dialect URI | http://wso2.org/linkedin/claims | + | External Claim URI | http://wso2.org/linkedin/claims/industry | + | Mapped Local Claim | http://wso2.org/claims/organization | + + - Claim mapping for headline + + | | | + |--------------------|------------------------------------------| + | Dialect URI | http://wso2.org/linkedin/claims | + | External Claim URI | http://wso2.org/linkedin/claims/headline | + | Mapped Local Claim | http://wso2.org/claims/title | + +8. Click **Update**. + +#### Configuring claims with IS 5.1.0 or IS 5.2.0 + +1. Sign into the [Management + Console](../../setup/getting-started-with-the-management-console) + by entering your username and password. +2. In the **Main** menu, click **Add** under **Claims**. +3. Click **Add New Claim Dialect** to create the Linkedin authenticator + specific claim dialect. + + Use the Dialect Uri as follows: + ` http://wso2.org/linkedin/claims ` + ![](../../assets/img/50507126/76748975.png) + +4. Click [Add New + Claim](../../learn/adding-claim-mapping). +5. Select the **Dialect** from the dropdown provided and enter the + required information. 
You must add the following claims under the + dialect + + | | | + |:---------------------|:-----------------------------------------| + | Display Name | LastName | + | Description | Claim to the last name | + | Mapped Attribute | sn | + | Claim URL | http://wso2.org/linkedin/claims/lastName | + | Supported by Default | selected | + + | | | + |:---------------------|:------------------------------------------| + | Display Name | First Name | + | Description | Claim to the first name | + | Mapped Attribute | givenName | + | Claim URL | http://wso2.org/linkedin/claims/firstName | + | Supported by Default | selected | + + | | | + |:---------------------|:---------------------------------------------| + | Display Name | Email Address | + | Description | Claim to email address | + | Mapped Attribute | mail | + | Claim URL | http://wso2.org/linkedin/claims/emailAddress | + | Supported by Default | selected | + + | | | + |:---------------------|:-----------------------------------------| + | Display Name | Industry | + | Description | Claim to industry | + | Mapped Attribute | organizationName | + | Claim URL | http://wso2.org/linkedin/claims/industry | + | Supported by Default | selected | + + | | | + |:---------------------|:-----------------------------------------| + | Display Name | Headline | + | Description | Claim to the headline of the user | + | Mapped Attribute | title | + | Claim URL | http://wso2.org/linkedin/claims/headline | + | Supported by Default | selected | + + Likewise, you can create the claims for all the public information + of the LinkedIn user. + + ![](../../assets/img/50507126/57749001.png) + +### Step 6 - Configure requested claims for travelocity.com + +1. In the **Identity** section under the **Main** tab, click **List** + under **Service Providers**. +2. Click **Edit** to edit the travelocity.com service provider. +3. Go to **Claim Configuration**. +4. 
Click on **Add Claim URI** under **Requested Claims** to add the + requested claims as follows. + + Select the Mandatory Claim checkbox for all the claim URIs that you + added. + + - **IS 5.3.0** + ![](../../assets/img/50507126/76748980.png) + + - **IS 5.1.0/IS 5.2.0** + ![](../../assets/img/50507126/57749003.png) + +5. Select the Subject Claim URI as + to define the authenticated + user identifier that will return with the authentication response to + the service provider. + +6. Click **Update** to save your service provider changes. + +### Step 7 - Test the sample + +1. To test the sample, go to the following URL: + ` http://:/ travelocity.com/index.jsp ` + E.g., +2. Click the link to log in with SAML from WSO2 Identity Server. You + can use either the Rediect Biniding or the Post Binding option. + ![](../../assets/img/50507126/76748991.png) +3. You are redirected to the LinkedIn sign in page. Enter your LinkedIn + credentials. + ![](../../assets/img/50507126/57749004.png) +4. Authenticate the user by clicking **Allow access**. + You are taken to the home page of the travelocity.com app + ![](../../assets/img/50507126/57749005.png) \ No newline at end of file diff --git a/en/docs/develop/mailchimp-authenticator.md b/en/docs/develop/mailchimp-authenticator.md index 861168b027..13502922c1 100644 --- a/en/docs/develop/mailchimp-authenticator.md +++ b/en/docs/develop/mailchimp-authenticator.md @@ -1,4 +1,4 @@ -# MailChimp Authenticator +# Configuring MailChimp Authenticator The MailChimp authenticator allows you to authenticate a user using MailChimp through the WSO2 Identity Server. MailChimp is an email 
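Review bot: In "Step 6 - Configure requested claims for travelocity.com", step 5 has lost its value ("Select the Subject Claim URI as to define the authenticated user identifier"); the claim URI that should follow "as" is gone, most likely an unescaped angle-bracket placeholder that the markdown swallowed, so restore it in backticks. The same loss hits "Step 7 - Test the sample": the URL reads `http://:/ travelocity.com/index.jsp` with the host and port placeholders missing and a stray space, and the "E.g.," after it has no example URL. Minor: "Rediect Biniding" should be "Redirect Binding", and the IS 5.1.0/5.2.0 claims section opens with "Sign into" where the 5.3.0 section says "Sign in to".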
@@ -7,16 +7,232 @@ MailChimp features and integrations allow you to send marketing emails, automated messages, and targeted campaigns. Their detailed reports help you keep improving over time. -![](attachments/49092742/76746257.png) +![](../../assets/img/49092742/76746257.png) -### Getting started +This page provides instructions on how to configure the MailChimp +authenticator and Identity Server using a sample app. You can find more +information in the following sections. -To get started with the authenticator, go to [Configuring MailChimp -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+MailChimp+Authenticator) -. Once you have completed your configurations, you can authenticate -users using the MailChimp authenticator. +!!! info + This is tested with the mailChimp API version 2.0. MailChimp + Authenticator is supported by Identity Server 5.1.0 upwards. -### Additional information +!!! info + To download the authenticator and other artifacts, go to + [https://store.wso2.com/store/assets/isconnector/MailChimp](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22MailChimp%22) -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/MailChimp](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22MailChimp%22) +### Deploying MailChimp artifacts + +- Place the authenticator .jar file into the + ` /repository/components/dropins ` + directory. You can download the mailchimpAuthenticator jar file from + [wso2 + store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22MailChimp%22) + . + + !!! note + If you want to upgrade the MailChimp Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + + !!! 
info "Need to do this configuration" + + If you are using WSO2 Identity Server 5.5.0, be sure to disable + consent management for single-sign-on (SSO) authentication. To + disable consent management for SSO authentication, go to the + ` /repository/conf/identity/identity.xml ` + file, and set the + ` EnableSSOConsentManagement ` parameter to + ` false ` . + + ``` java + + + false + + ``` + + If you do not disable consent management for SSO authentication, you + will get an error when you try to configure the authenticator with + WSO2 Identity Server 5.5.0. + +### Configuring the MailChimp App + +1. Navigate to to create account + for MailChimp. You receive an email to confirm your account and you + must provide your details before you get started. +2. Navigate to and log in using the + credentials you used to create the account. +3. Once you have logged in, navigate to your profile and click the + **Extras** tab. +4. Click the **Registered Apps** tab next. This is done so that you can + register an App. +5. Use  ` https://localhost:9443/commonauth ` + as redirect URL when you register the client. Here you can use + 127.0.0.1 instead of localhost. + ![](../../assets/img/49092781/49226960.png) +6. From the app dashboard you can get clientId and clientSecret for + your created app. + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) and [service +provider](../../learn/adding-and-configuring-a-service-provider). + +!!! 
info "Need to do this configuration" + Change the **SAML2.IdPURL** to + ` https://127.0.0.1:9443/samlsso ` + instead of ` https://localhost:9443/samlsso ` in + ` /webapps/travelocity.com/WEB-INF/classes/travelocity.properties ` + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider). + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). +2. Run the [WSO2 Identity + Server](../../setup/running-the-product). +3. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +4. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +5. Give a suitable name for **Identity Provider Name**. + ![](../../assets/img/49092781/56994052.png) +6. Navigate to **MailChimp Configuration** under **Federated + Authenticators**. + +7. Enter the values as given in the above figure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionValue
EnableSelecting this option enables MailChimp to be used as an authenticator for users provisioned to WSO2 Identity Server.Selected
DefaultSelecting the Default checkbox signifies that MailChimp is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Client IdClient Id of your app.
+
Client SecretClient Secret of your app.
+
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs.
+
userInfoEndpoint
+

The endpoint to get the user information for MailChimp It should have this format: https://.api.mailchimp.com/2.0/users/profile.

+
+

How to get mailChimpInstanceValue

+

The URL after sign up will be similiar to the following URL: https://us12.admin.mailchimp.com/account/.

+

In the example URL, us12 is the mailChimpInstanceValue . Replace the <mailChimpInstanceValue> tag with the instance value you receive. The userInfoEndpoint for the example URL is https://us12.api.mailchimp.com/2.0/users/profile.

+ +
+

+
+ +8. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + http://localhost:8080/travelocity.com/home.jsp + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + ![](../../assets/img/49092781/103332418.png) + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. Navigate to the **Local and Outbound Authentication Configuration** + section. + +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., + +2. Click “Login with SAML” to log in with SAML from the WSO2 Identity + Server. + ![](../../assets/img/49092781/51251955.png) + +3. Enter your MailChimp credentials in the prompted login page of + MailChimp. + ![](../../assets/img/49092781/49226963.png) + +4. Once you login successfully you will be taken to the home page of + the travelocity.com app. 
+ ![](../../assets/img/49092781/51251954.png) \ No newline at end of file diff --git a/en/docs/develop/mepin-authenticator.md b/en/docs/develop/mepin-authenticator.md index 33abdde299..1b7483dfc6 100644 --- a/en/docs/develop/mepin-authenticator.md +++ b/en/docs/develop/mepin-authenticator.md 
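Review bot: The Callback URL row of the identity-provider table says the value "should have this format: https://(host-name):(port)/acs", but step 5 of "Configuring the MailChimp App" tells the reader to register `https://localhost:9443/commonauth` as the redirect URL; the registered redirect URI and the callback configured on the identity provider have to agree, so please reconcile the two (the rest of the page uses `/commonauth`). The "Need to do this configuration" snippet is fenced as ` ``` java ` but contains only `false` with no enclosing element, so the reader cannot see which setting carries the value; restore the `EnableSSOConsentManagement` element named in the prose just above it and tag the fence as xml. Several placeholders were also dropped: the paths `/repository/components/dropins`, `/repository/conf/identity/identity.xml` and `/webapps/travelocity.com/WEB-INF/classes/travelocity.properties` lost their leading `<IS_HOME>`-style prefix, the userInfoEndpoint format `https://.api.mailchimp.com/2.0/users/profile` lost the `<mailChimpInstanceValue>` placeholder that the table's own "How to get mailChimpInstanceValue" cell refers to, and "Navigate to to create account for MailChimp" has no URL. Wrapping these in backticks will keep them from being parsed as HTML.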
@@ -1,34 +1,400 @@ -# MePIN Authenticator - +# Configuring MePIN Authenticator The MePIN authenticator allows you to authenticate a user using MePIN through WSO2 Identity Server. MePIN is a user authentication and transaction authorization solution. The diagram below illustrates the -flow of the mePIN federated authenticator +flow of the mePIN federated authenticator. - +![](../../assets/img/48283193/76746236.png) -![](attachments/48283193/76746236.png?effects=border-simple,blur-border) +This topic provides instructions on how to configure the MePIN app and +the Identity Server to integrate using a sample app. - +!!! info + This is tested for the MePIN API version 3.0. -### Getting started +!!! info + You have to have MePIN android or IOS application on your mobile device + to go with this authenticator. To download the authenticator and other + artifacts, go to + [https://store.wso2.com/store/assets/isconnector/mepin](https://store.wso2.com/store/assets/isconnector/details/00902cc7-5efc-4b8f-aae7-930e999f8058). -To get started with the authenticator, go to [Configuring -MePIN Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+MePIN+Authenticator) -. Once you have completed your configurations, you can perform -authentication with the MePIN authenticator. + To watch a webinar on securing SaaS apps with multi-factor + authentication with MePIN and WSO2 Identity Server, click + [here](http://wso2.com/library/webinars/2016/09/securing-saas-apps-with-multi-factor-authentication-with-mepin-and-wso2-identity-server/). -### Additional information +See the following sections for more information. -You have to have MePIN android or IOS application on your mobile device -to go with this authenticator. To download the authenticator and other -artifacts, go to -[https://store.wso2.com/store/assets/isconnector/mepin](https://store.wso2.com/store/assets/isconnector/details/00902cc7-5efc-4b8f-aae7-930e999f8058) -. +### Configuring the MePIN app + +1. 
Install + [Android](https://play.google.com/store/apps/details?id=com.mepin.android3) + or [IOS](https://itunes.apple.com/app/id1062845220) application on + your mobile device. +2. Log in to [MePIN developer + portal](https://developer.mepin.com/welcome) using your app. +3. Get your application identifier and credentials. + 1. Edit your organization. + 2. Create an application by providing the app name and domain name + and get the appId / clientId. + 3. Create credentials (username and password). + +4. Contact MePin support to activate the application identifier. + +### Deploying MePIN artifacts + +1. Place the mepinauthenticationendpoint.war file into the + ` /repository/deployment/server/webapps ` + directory. +2. Place the org.wso2.carbon.identity.authenticator.mepin-2.0.0.jar + file into the + ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the MePIN Authenticator in your existing IS + pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + +3. Add the following configurations in the + ` /repository/conf/identity/application-authentication.xml ` + file under the ` ` + section. + + ``` xml + + https://localhost:9443/mepinauthenticationendpoint/mepin.jsp + https://localhost:9443/mepinauthenticationendpoint/mepinError.jsp + false + true + association + primary + + ``` + + The following table includes the definition of the parameters and + the various values you can configure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription
MepinAuthenticationEndpointURL
The mepin page which shows in the flows such as link with mepin and login with mepin.
MepinAuthenticationEndpointErrorPage
The mepin error page will be shown if there is issue in the authentication flow.
MepinEnableByUserClaim
This field makes it possible to disable the 'Mepin disabling by user' functionality. The value can be true or false . If the value is true , user can enable and disable the Mepin according to admin selection ( MepinMandatory parameter value).
MepinMandatory
If the value is true , the second step will be enabled by the admin. The user cannot be authenticated without Mepin authentication. This parameter is used for both super tenant and tenant in the configuration. The value can be true or false.
usecase This field can take one of the following values: local , association , userAttribute , subjectUri . If you do not specify any usecase , the default value is local . See below for more details.
secondaryUserstore

The user store configuration is maintained per tenant as comma separated values. For example, <Parameter name="secondaryUserstore">jdbc, abc, xyz</Parameter>.
+

+ + An admin can change the priority of the Mepin authenticator by + changing the ` MepinMandatory ` value ( + ` true ` or ` false ` ). + + - If Admin specify that Mepin is mandatory ( + ` true ` + , then you must enable Mepin in the user’s profile by adding + claim value true in order to authenticate the user. If this is + not done, the Mepin error page appears. + - If Admin specify that Mepin is optional ( + ` false ` + and you enable Mepin in the user's profile, then the + authenticator will allow the user to login with Mepin + authentication as a second step (multi-step authentication). If + Admin specify that Mepin is optional and you do not enable Mepin + in the user's profile, the Mepin authenticator will proceed to + log the user in as the first step (basic authentication). + + The first step may be local authenticator (basic) or a federated + authenticator (e.g., Facebook, Twitter, etc.). In federated + authenticator support in first step, the following parameters are + used according to the scenario. + + association + jdbc + + usecase value can be local, association, userAttribute or subjectUri. -To watch a webinar on securing SaaS apps with multi-factor -authentication with MePIN and WSO2 Identity Server, click -[here](http://wso2.com/library/webinars/2016/09/securing-saas-apps-with-multi-factor-authentication-with-mepin-and-wso2-identity-server/) + + + + + + + + + + + + + + + + + + + +
local

This is based on the federated username. This is the default. You must set the federated username in the local userstore. Basically, the federated username must be the same as the local username.

association

The federated username must be associated with the local account in advance in the Dashboard. So the local username is retrieved from the association. To associate the user, log into the end user dashboard and go to Associated Account by clicking View details .

userAttribute
+

The name of the  federated authenticator's user attribute. That is, the local user name which is contained in a federated user's attribute. When using this, add the following parameter under the <AuthenticatorConfig name="MePINAuthenticator" enabled="true"> section in the <IS_HOME>/repository/conf/identity/application-authentication.xml file and put the value (e.g., email, screen_name, id, etc.).

+ +

If you use, OpenID Connect supported authenticators such as LinkedIn, Foursquare, etc., or in the case of multiple social login options as the first step and Mepin as second step, you need to add similar configuration for the specific authenticator in the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the < AuthenticatorConfigs > section as follows (the following shows the configuration for Foursquare,LinkedIn and Facebook authenticator respectively).

+

Inside the AuthenticatorConfig (i.e., Foursquare), add the specific userAttribute with a prefix of the (current step) authenticator name (i.e., MePINAuthenticator-userAttribute).

+ + + +

Likewise, you can add the AuthenticatorConfig for Amazon,Google,Twitter and Instagram with relevant values.

+
subjectUri

When configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the Mepin authenticator.

+ + If you use the secondary userstore, enter all the userstore values + for the particular tenant as comma separated values. + + !!! info + The user store configuration is maintained per tenant: + + - If you use a **super tenant,** put all the parameter values into + the + ` /repository/conf/identity/application-authentication.xml ` + file under the ` AuthenticatorConfigs ` + section. + + - If you use a **tenant**, upload the same XML file ( + ` application-authentication.xml ` ) + into a specific registry location ( + ` /_system/governance/MePINAuthenticator) ` + . Create the collection named ` Mepin ` + , add the resource and upload the + ` application-authentication.xml ` file + into the registry). While doing the authentication, first it + checks whether there is an XML file uploaded to the registry. If + that is so, it reads it from the registry but does not take the + local file. If there is no file in the registry, then it only + takes the property values from the local file. This is how the + userstore configuration is maintained per tenant. You can use + the registry or local file to get the property values. + +4. Add the user claim [http://wso2.org/claims/identity/mepin](http://wso2.org/claims/identity/mepinid) + [id](http://wso2.org/claims/identity/mepinid) [. This is a mandatory + claim in Mepin authentication. The claim configuration shows under + **Configuring User Claim** section.](http://wso2.org/claims/identity/mepinid) + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and [service +provider](../../learn/adding-and-configuring-a-service-provider) . 
- +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider). + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product) + . +2. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +4. Give a suitable name as the **Identity Provider Name**. + + ![](../../assets/img/48283197/49222048.png) + +5. Go to MePIN Configuration under Federated Authenticators . + +6. Enter the values as given in the above figure. + + - **Username** : The username that you have generated from MePIN + Developer Portal. + - **Password** : The password that you have generated from MePIN + Developer Portal. + - **Application Id** : The application id that you have received + from MePIN Developer Portal. + - **Callback URL** : Service Provider's URL where the transaction + status callback is sent when the user has reacted to the push + notification. + - **Client Id** : The Service Provider's pre-configured + application-specific identifier. + - **Confirmation Policy** : The method required from the end user + to confirm the transaction (e.g., tap, pin, swipe, fp). + - **Expiry Time** : Expiry time in seconds. + - **Header** : Header message to be displayed by the MePIN Device + App. + - **Message** : Message to be displayed once the App is launched. + - **Short Message** : Short message to display for push + notifications. + +7. Select both checkboxes to **Enable** MePIN Authenticator and make it + the **Default**. + +8. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. 
+ +2. In the Service Providers section under the Main tab, click Add. + +3. Since you are using travelocity as the sample, enter travelocity.com + in the Service Provider Name text box and click Register . + +4. In the Inbound Authentication Configuration section, click Configure + under the SAML2 Web SSO Configuration section. + ![](../../assets/img/48283197/48220892.png) + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + + ![](../../assets/img/48283197/49222047.png) + +7. Click **Update** to save the changes. Now you will be sent back to + the Service Providers page. + +8. Go to **Local and Outbound Authentication Configuration** section. + +9. Select the **Advanced** configuration radio button option. + +10. Using the available drop-down list, add the **basic** authentication + as the first step and MePIN authentication as the second step and + click **Update** to save the changes. + ![](../../assets/img/48283197/48221108.png) + +You have now added and configured the service provider. + +### Configuring User Claim + +1. On the **Main** tab in the Management Console, click **List** under + **Users and Roles**. +2. Click **Users**. This link is only visible to users with the Admin + role. +3. From the list of users that appear in the resulting page, identify + the user whose attributes you want to modify and click **User + Profile**. +4. In the **Main** menu, click **Add** under **Claims**. +5. Click [Add New + Claim](../../learn/adding-claim-mapping). +6. Select the **Dialect** from the drop down provided and enter the + required information. +7. Add the user claim as + following under ' http://wso2.org/claims' . This claim is mandatory + for mepin authentication. 
+ ![](../../assets/img/48283197/61053762.png) +8. Add the user claim + [http://wso2.org/claims/identity/mepin\_disabled](http://wso2.org/claims/identity/emailotp_disabled) + as following under ' http://wso2.org/claims'. + + ![](../../assets/img/48283197/61053763.png) + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/ travelocity.com/index.jsp ` + E.g: [http://localhost:8080/travelocity.com + ](http://localhost:8080/travelocity.com) + +2. Click the link to log in with SAML from WSO2 Identity Server. + + ![](../../assets/img/48283197/48220894.png) + +3. The basic authentication page appears. Use your username and + password to log in. + ![](../../assets/img/48283197/57007838.png) +4. I f you are enrolling for the first time, then you are directed to + MePIN authentication page as shown below. + ![](../../assets/img/48283197/57007836.png) +5. Once you hit the Link MePIN button, you will be shown a MePIN login + dialogue. Enter there your app’s nickname and get a random access + code. Enter or scan the given access code to your app and finally + confirm the linking. + ![](../../assets/img/48283197/57007837.png) +6. If the linking succeeds, you will be taken to the home page of the + travelocity.com app. After that, your MePIN app has been linked to + the service and can be used for secure login. + ![](../../assets/img/48283197/57007839.png) +7. If you are already linked, you will be directed to MePIN + authentication page like below. You need to click "Login with + MePIN". + ![](../../assets/img/48283197/57007840.png) +8. Once you confirmed the login through your app, you will be taken to + the home page of the travelocity.com app. 
+ - For the confirmation policy - swipe you will be prompted to + confirm as follows + ![](../../assets/img/48283197/48220946.png) + - For the confirmation policy - tap you will be prompted to + confirm as follows + ![](../../assets/img/48283197/51252037.png) + +- - For the confirmation policy - pin you will be prompted to + confirm as follows + ![](../../assets/img/48283197/51252038.png) + - For the confirmation policy - fingerprint you will be prompted + to confirm as follows + ![](../../assets/img/48283197/51252039.png) \ No newline at end of file diff --git a/en/docs/develop/microsoft-azure-ad-authenticator.md b/en/docs/develop/microsoft-azure-ad-authenticator.md index 3b28864c8e..178df76396 100644 --- a/en/docs/develop/microsoft-azure-ad-authenticator.md +++ b/en/docs/develop/microsoft-azure-ad-authenticator.md @@ -1,4 +1,4 @@ -# Microsoft Azure AD Authenticator +# Configuring Microsoft Azure AD Authenticator !!! note @@ -13,10 +13,9 @@ [v1.0.4 tag](https://github.com/wso2-extensions/identity-outbound-auth-office365/tree/v1.0.4/docs) of the identity-outbound-auth-office365 GitHub repository to view - the documentation.** ** - ** + the documentation. -authenticator in WSO2 Identity Server to authenticate Office365 users to +The Microsoft Azure AD authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Office365 users to log in to your organization’s applications using OpenID Connect. Office365 refers to subscription plans that include access to Office applications plus other productivity services that are enabled over the 
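Review bot: Step 8 of "Configuring User Claim" links the claim `http://wso2.org/claims/identity/mepin_disabled` to `http://wso2.org/claims/identity/emailotp_disabled`, which looks copied from the Email OTP page; the target should match the MePIN claim, or the URI should be plain text since it is not a navigable link. In the same section, step 7 says "Add the user claim as following under ' http://wso2.org/claims'" without giving the claim URI, and step 4 of "Deploying MePIN artifacts" splits the mepinid claim across three link fragments ("[...mepin](...mepinid) [id](...) [. This is a mandatory claim ... section.](...)") so the whole sentence renders as a link; please make it one URI. The application-authentication.xml block is tagged xml but only the values survive ("https://localhost:9443/mepinauthenticationendpoint/mepin.jsp ... false true association primary") with no `<Parameter name="...">` elements (the form the secondaryUserstore table cell shows), so the reader cannot tell which value belongs to MepinAuthenticationEndpointURL, MepinAuthenticationEndpointErrorPage, MepinEnableByUserClaim, MepinMandatory, usecase and secondaryUserstore; likewise the userAttribute row says "add the following parameter ... and put the value" but names no parameter, and the service provider's "Assertion Consumer URL" in step 5 is empty. On the MepinMandatory paragraph, "If Admin specify that Mepin is mandatory ( `true` , then" has an unclosed parenthesis, and it would help operators to state plainly that with `false` the second factor is skipped for any user whose profile does not enable the claim, which the text currently conveys only indirectly as "proceed to log the user in as the first step". Minor: "I f you are enrolling", "Once you confirmed", "dialogue", and the stray "- -" bullet that starts the pin/fingerprint items.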
@@ -25,18 +24,260 @@ Internet (cloud services). The diagram below illustrates the flow of the Office365 federated authenticator. -![](attachments/50520526/76746216.png) +![](../../assets/img/50520526/76746216.png) + +This page provides instructions on how to configure the Microsoft Azure +AD authenticator and Identity Server using a sample app. This +authenticator is based on OpenID Connect. Follow the instructions in the +sections given below to configure this authenticator. + +!!! info + This is tested for the Office365 API version 2.0. The Microsoft Azure AD + Authenticator is supported by WSO2 Identity Server versions 5.1.0, 5.2.0 + and 5.3.0. + +### Deploying Office365 artifacts + +1. Place the + ` org.wso2.carbon.extension.identity.authenticator.office365.connector-x.x.x. ` + ` jar ` file into the + ` /repository/components/dropins ` + directory. You can obtain this from the [WSO2 + store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22office365%22) + . + + !!! note + If you want to upgrade the Microsoft Azure AD Authenticator (.jar) + in your existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Office365 App + +1. Navigate to + + to create an account for Office365. + +2. Associate an Azure subscription with Office 365 account (Azure AD). + + 1. If you have an existing Microsoft Azure subscription: + 1. Log on to the [Microsoft Azure Management + portal](https://manage.windowsazure.com/) with your existing + Azure credentials. + 2. Select the **Active Directory** node, then select the + **Directory** tab and, at the bottom of the screen, select + **New**. + ![](../../assets/img/50520581/51252169.png) + 3. On the **New** menu, select **Active Directory** \> + **Directory** \> **Custom Create**. + ![](../../assets/img/50520581/51252170.png) + 4. In **Add directory**, in the **Directory** drop-down box, + select **Use existing directory**. 
Select **I am ready to + be signed out**, and then select the check mark in the + lower-right corner. + ![](../../assets/img/50520581/51252171.png) + + This takes you back to the Azure Management Portal. + 5. Log in with your Office 365 account information. You will be + prompted whether to use your directory with **Azure.** + + !!! warning "Important" + To associate your Office 365 account with + Azure AD, you will need an Office 365 business account with + global administrator privileges. + + 6. Select **Continue**, and then **Sign out** now. + 7. Close the browser and reopen the + [portal](https://manage.windowsazure.com/). Otherwise, you + will get an access denied error. + 8. Log in again with your existing Azure credentials. + 9. Navigate to the **Active Directory** node and, under + **Directory**, you should now see your Office 365 account + listed. + + 2. Alternatively , you will need to create a new Azure subscription + and associate it with your Office 365 account in order to + register and manage apps. + 1. Log on to Office 365. From the **Home** page, select the + **Admin** icon to open the Office 365 admin center. + ![](../../assets/img/50520581/51252172.png) + 2. In the **menu** page on the left side of the page, scroll + down to **Admin** and select **Azure **AD**. + ![](../../assets/img/50520581/51252173.png) + + !!! warning "Important" + To open the Office 365 admin center and + access Azure AD, you will need an Office 365 business + account with global administrator privileges. + + + 3. Create a new subscription. If you are using a trial version + of Office 365, you will see a message informing you that + Azure AD is limited to customers with paid services. You can + still create a free trial 30-day Azure subscription, but you + will need to perform a few extra steps: + ![](../../assets/img/50520581/51252174.png) + 1. Select your country or region, and then choose + **Azure subscription**. + 2. Enter your personal information. 
For verification + purposes, enter a telephone number at which you can be + reached, and specify whether you want to be sent a text + message or called. + 3. Once you have received your verification code, enter it + and choose **Verify code**. + 4. Enter the payment information, check the agreement, and + select **Sign up**. Your credit card will not be + charged. + 5. Once your Azure subscription is created, choose + **Portal .** + 6. The Azure Tour appears. You can view it, or click **X** + to close it. + +3. Register a new application in the Azure classic portal. + + 1. Sign into the [Azure Management + Portal](https://manage.windowsazure.com/) using your Azure + credentials. + 2. Click **Active Directory** on the left menu, then click on the + **Directory** for your Office 365 developer site. + ![](../../assets/img/50520581/51252175.png) + 3. On the top menu, click **Applications .** + ** + 4. Click **Add** from the bottom menu. + ![](../../assets/img/50520581/51252176.png) + 5. Click **Add an application my organization is developing**. + ![](../../assets/img/50520581/51252177.png) + 6. Specify the application name and select **WEB APPLICATION AND/OR WEB API** for **Type**. + 7. Click the arrow icon on the bottom-right corner of the page. + ![](../../assets/img/50520581/51252178.png) + 8. Specify a sign-on URL. You can specify + ` https://localhost:9443/commonauth ` + . + 9. Click the **checkbox** in the bottom right corner of the page. + ![](../../assets/img/50520581/51252179.png) + 10. Once the application has been successfully added, you will be + taken to the Quick Start page for the application. From here, + click **Configure** in the top menu. + + !!! note + On this page, note the client ID and client secret (key) as you + will need it later when configuring Office365 as a federated + authenticator. 
-### Getting started + ![](../../assets/img/50520581/76746011.png) + ![](../../assets/img/50520581/76746012.png) -To get started with the authenticator, go to [Configuring Microsoft -Azure AD Authenticator](Configuring-Microsoft-Azure-AD-Authenticator) -. Once you have completed your configurations, you can authenticate -users using the Microsoft Azure AD authenticator. + 11. In **permissions to other applications**, click **Add** + application. + 12. Click **Office 365 Exchange Online**, and then click the check + mark icon. + ![](../../assets/img/50520581/51252184.png) + 13. Under **permissions to other applications**, click the + **Delegated Permissions** column for Office 365 + Exchange Online. + 14. Click **Save** in the bottom menu. + ![](../../assets/img/50520581/51252185.png) -### Additional information +### Deploying [travelocity.com](http://travelocity.com) sample app -Download the authenticator and other artifacts from [the -store](https://store.wso2.com/store/assets/isconnector/list). +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding a [service +provider](../../learn/adding-and-configuring-a-service-provider) +and an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). +2. Run the [WSO2 Identity + Server](../../setup/running-the-product). +3. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +4. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +5. 
Give a suitable name for **Identity Provider Name**. Refer + [this](../../learn/adding-and-configuring-an-identity-provider#adding-an-identity-provider) + document for more information regarding the identity provider + configurations. + ![](../../assets/img/50520581/51252816.png) +6. Navigate to **Office365 Configuration** under **Federated + Authenticators**. +7. Enter the values as given in the above figure. + - **Client Id** : Client Id for your app. + - **Client Secret** : Client Secret for your app. + - **Callback Url** : Service Provider's URL where code needs to be + sent ( + ` https://localhost:9443/commonauth ` + ). +8. Select both checkboxes to **Enable** the Microsoft Azure AD + authenticator and make it the **Default**. +9. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +1. Return to the management console. +2. In the **Service Providers** section, click **Add** under the + **Main** tab. +3. Since you are using travelocity as the sample, enter + [travelocity.com](http://travelocity.com) in the **Service Provider Name** text box and click **Register**. +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. +5. Now set the configuration as follows: + 1. **Issuer** : [travelocity.com](http://travelocity.com) + + 2. **Assertion Consumer URL** : + http://localhost:8080/travelocity.com/home.jsp + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + ![](../../assets/img/50520581/51252142.png) + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +8. Navigate to the **Local and Outbound Authentication Configuration** + section. +9. 
Select the identity provider you created from the dropdown list + under **Federated Authentication**. + ![](../../assets/img/50520581/51252143.png) +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/ travelocity.com/index.jsp ` + . E.g., +2. Login with SAML from the WSO2 Identity Server. + ![](../../assets/img/50520581/51252144.png) +3. Enter your Office365 credentials in the prompted login page of + Microsoft. + ![](../../assets/img/50520581/51252145.png) +4. Once you login successfully  you will be taken to the home page of + the [travelocity.com](http://travelocity.com) app. + ![](../../assets/img/50520581/51252146.png) + + + + diff --git a/en/docs/develop/microsoft-azure-ad-outbound-provisioning-connector.md b/en/docs/develop/microsoft-azure-ad-outbound-provisioning-connector.md new file mode 100644 index 0000000000..68fb2248f5 --- /dev/null +++ b/en/docs/develop/microsoft-azure-ad-outbound-provisioning-connector.md 
@@ -0,0 +1,377 @@ +# Configuring Microsoft Azure AD Outbound Provisioning Connector + +The Microsoft Azure AD authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Office365 users to +log in to your organization’s applications using OpenID Connect. +Office365 refers to subscription plans that include access to Office +applications plus other productivity services that are enabled over the +Internet (cloud services). + +The diagram below illustrates the flow of the Office365 federated +authenticator. + +![](../../assets/img/50520526/76746216.png) + +This document provides instructions on how to provision users to a Azure +Active Directory (Azure AD) from the WSO2 Identity Server (WSO2 IS). +Follow the instructions given in the sections below to set this up. + +This connector allows the users to be: + +- provisioned to the Azure AD + +- deprovisioned from the Azure AD + +- assigned to groups in the Azure AD + +### Prerequisites + +Before you begin: + +- Register a new application using the [Microsoft App Registration + Portal](https://apps.dev.microsoft.com/). For instructions on how + to do this, see [Registering an + application](https://developer.microsoft.com/en-us/graph/docs/concepts/auth_register_app_v2) + in the Microsoft documentation. + + !!! note + ??? note "Click to view vital information about registering the application" + + When registering the application, note the following mandatory + configurations. + + 1. Under the **Platforms** section, select **Allow Implicit flow** + and configure the redirect and logout URLs. + + 2. Under the **Microsoft Graph Permissions** section, add the + following permissions. + + 1. Delegated permissions: + - User.Read + + - User.ReadBasic.All + + - User.ReadWrite + + - User.Invite.All (Admin Only) + + - User.Read.All (Admin Only) + + - User.ReadWrite.All (Admin Only) + + 2. Application permissions: + 1. 
Directory.Read.All (Admin Only) + + - Domain.ReadWrite.All (Admin Only) + + - User.Read.All (Admin Only) + + - User.ReadWrite.All (Admin Only) + + 3. Application permissions needs to be [consented by an + administrator](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#requesting-consent-for-an-entire-tenant) + . Construct and access the following URL on a browser window to + provide consent for the application permissions. + + **Request URL Format** + + ``` java + https://login.microsoftonline.com/{tenant}/adminconsent?client_id={application-is}&state=12345&redirect_uri={application-redirect-url} + ``` + + **Sample URL** + + ``` java + https://login.microsoftonline.com/wso2sl.onmicrosoft.com/adminconsent?client_id=1b0c61c1-3af9-41f6-a7a7-e5f1e4ac1023&state=12345&redirect_uri=https://localhost/myapp + ``` + + +- Add a new domain to Office 365 using the [Office 365 Admin + Portal](https://portal.office.com/adminportal/home). For + instructions on how to do this, see [Add A Domain to Office + 365](https://support.office.com/en-us/article/add-a-domain-to-office-365-6383f56d-3d09-4dcb-9b41-b5f5a5efd611) + in the Microsoft documentation. + +### Installing the connector + +1. Download the [Office365 connector from the WSO2 Connectors + Store](https://store.wso2.com/store/assets/isconnector/list?q=%2522_default%2522%253A%2522Office365%2520Provisioning%2520Connector%2522) + . + +2. Copy the + ` org.wso2.carbon.identity.outbound.provisioning.connector.office365-x.x.x.jar ` + file to the + ` /repository/components/dropins ` + folder. + +3. Restart the server. + +### Configuring the identity provider + +First you must configure an identity provider to accept the provisioning +request from WSO2 Identity Server. Follow the instructions given below +to create a new identity provider for Office365 provisioning in WSO2 IS. + +1. Log in to the management console using your username and password or + admin/admin credentials. + +2. 
Click **Add** under **Identity Providers** on the **Main** menu. + +3. Enter a name for the identity provider. + +4. Expand **Outbound Provisioning Connectors** and then expand + **Office365 Provisioning Configuration.** +5. Configure the following fields. + + ![](../../assets/img/97567237/97568327.png) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionSample Value
EnableSelect the checkbox to enable Office365 identity provisioning. Unselect the checkbox to disable it.Selected
Client IDThe application ID used to register the app in the Microsoft App Registration Portal
+
(see the prerequisites for more information).
7d7d8f46-7184-4dc7-a198-4554dadc1197
Client SecretThe application secret used to register the app in the Microsoft App Registration Portal
+ (see the prerequisites for more information).

+
Office365 Tenant NameThe organization name used to signup for Office 365.wso2office.onmicrosoft.com
Office365 Domain NameThe domain name registered in Office365 (see the prerequisites for more information).wso2.ml
Immutable ID
+

A valid claim which acts as the unique identifier of the user in the Azure AD.

+ !!! note +

Note: The claim URI for the Immutable ID should match the Subject Claim URI given under the Claim Configuration section when creating a service provider.

+
http://wso2.org/claims/objectguid

User Principal Name

A valid claim which will be the Internet-style login name for the user.

http://wso2.org/claims/username

Append Domain Name to UPN

If this is set to true, the domain name is appended to the UPN if it is not already there.

true

+
+ +

(E.g., if the username is "john" and the domain name is "foo.com",
+ the UPN will be " john@foo.com ")

Display Name

A valid claim which is the name displayed for the user in the address book of the Azure AD.

http://wso2.org/claims/displayName

Email Nickname

A valid claim as the mail alias for the user in the Azure AD.

http://wso2.org/claims/username

Dynamic Membership Rule Attribute
+

The Azure AD user attribute considered during the execution of the dynamic membership query
+ (see prerequisites for more information).

+
+

Note

+

Note: This is an optional configuration and can be used when dynamically assigning users into groups
+ for provisioning in the Azure AD. The attribute must be equal to the attribute name given to the dynamic membership rule.

+
department

Dynamic Membership Rule Value

+

The claim mapped to the attribute (see prerequisites for more information).

+
+

Note

+

Note: This is an optional configuration and can be used when dynamically assigning users into groups
+ for provisioning in the Azure AD.
+ However, if the attribute has been set and this value has not been set, http://wso2.org/claims/role is considered as the default value.

+
+

http://wso2.org/claims/role

+


+

+
+ + !!! tip + All the fields that are marked as mandatory \* must have a + value in order to succesfully provision the users. For more + information about user attributes in the Azure AD, see the [user + properties](https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user#properties) + in the Microsoft documentation. + +6. **Optional step** - you can provision users based on the roles they + are assigned to. To do this, configure the following. + For more information, see [Role Based + Provisioning](../../learn/role-based-provisioning) + . + + 1. Expand **Role Configuration** section. + + 2. Enter the provisioning roles. + ![](../../assets/img/97567237/97567306.png) + +7. Click **Register** to save the changes. + +### Configuring the resident service provider + +In this scenario, WSO2 Identity Server is the provisioning party. WSO2 +IS initiates the request to Office365 and acts as the identity provider. +Therefore the outbound provisioning identity provider must be configured +against the resident service provider in order to the provision the user +to the Azure AD. + +1. Log in to the management console using the username and password + (admin/admin). + +2. Click **Resident** under **Service Providers** on the **Main** menu. + +3. In the resulting screen, expand the **Outbound Provisioning + Configuration** section. + +4. Select the identity provider you created for Office365 outbound + provisioning from the drop down menu. Click **\[+\]** to add it as a + service provider. + ![](../../assets/img/97567237/97567324.png) + +5. Click **Update** to save changes. + +### Try it out + +The sample scenario in this tutorial demonstrates the use of the +outbound provisioning connector for: + +- Provisioning users based on the user role. Users are not provisioned + to the Azure AD until they are assigned to the + ` office365Role ` role. +- Assigning users into groups using dynamic membership allocation + rules. 
+- Permanently de-provisioning users from the Azure AD by un-assigning + the role from the user. + +Follow the instructions below to try out this scenario. + +#### Enable Claims + +1. Log in to the management console and click **List** under **Claims** + . +2. Click on the **http://wso2.org/claims** claim dialect. +3. Click **Edit** on the **Display Name** claim and select **Supported By Default** to enable the claim. + ![](../../assets/img/97567237/97568356.png) +4. Click **Update** to save. +5. Similarly, enable all the claims that you configured in the outbound + provisioning configuration of the office365 identity provider. + For this scenario, enable the **User ID** and **Username** claims. + +#### Create User + +1. Click **Add** under **Users and Roles** on the **Main** tab of the + management console. + +2. Click **Add New User** and create a user with the username 'john’. + + ![](../../assets/img/97567237/97568307.png) + +3. Click **Finish**. You will see the user you just created listed on + the screen. +4. Click **User Profile** to edit John's user profile and add claim + values for the claims you configured in the Office365 connector IdP + configurations. + + !!! info + In this scenario, + ` Username `, + ` Display Name `, and + ` User ID ` + ` ` are mandatory attributes for + user provisioning and group assigning. + + ![](../../assets/img/97567237/97569993.png) + +5. Click **Update** to save the changes. + +#### Create a user group in the Azure AD + +1. Create a group in the Azure AD. For more information, see [Create a + dynamic group and check + status](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule) + in the Microsoft documentation. + + !!! info + When creating groups in the Azure AD, rules can be applied to + determine the membership based on user properties. All the dynamic + group rules are evaluated in all additions/removals to the group. 
+ Dynamic group membership reduces the administrative overhead of + adding and removing users. + +2. Select **Dynamic Use** r as the **Membership type** when creating + the group. + + !!! note + You need to have a Azure AD Premium P1 license to add + dynamic membership rules in Azure AD. + + +3. Add a **Dynamic Membership Rule** as shown below. This rule + specifies that any users that belong to the ' + ` Engineering ` ' should be provisioned directly to + the ` Engineering ` user group. + ![](../../assets/img/97567237/97569994.png) + +#### Assign the role + +1. Login to the WSO2 IS management console. +2. Click **Add** under **Users and Roles** and then click **Create New + Role**. +3. Create two new roles named ' ` office365role ` ' + and ' ` Engineering ` '. + ![](../../assets/img/97567237/97568332.png) +4. Assign login permissions to the roles. +5. Assign the user 'john' to the roles ' + ` office365role ` ' and ' + ` Engineering ` . + ![](../../assets/img/97567237/97569996.png) + +When the role is assigned to the user, the user is provisioned to the +AzureAD. This may take a few seconds. + +Access the Azure AD portal. You will see that the user John has been +succesfully provisioned to the Azure AD. Since John is assigned to the ' +` office365role ` ' and ' ` Engineering' ` +roles, the dynamic membership rule is satisfied. Therefore, John is +directly added to the ' ` Engineering ` ' group at the +point of provisioning. + +![](../../assets/img/97567237/97569998.png) diff --git a/en/docs/develop/mobile-connect-authenticator.md b/en/docs/develop/mobile-connect-authenticator.md index 3a37d9fd9f..990be7967c 100644 --- a/en/docs/develop/mobile-connect-authenticator.md +++ b/en/docs/develop/mobile-connect-authenticator.md 
@@ -18,17 +18,6 @@ an identity and access management system can help achieve this. ------------------------------------------------------------------------ -- [What is Mobile - Connect?](#MobileConnectAuthenticator-WhatisMobileConnect?) -- [How does Mobile Connect - work?](#MobileConnectAuthenticator-HowdoesMobileConnectwork?) -- [Why would you use Mobile - Connect?](#MobileConnectAuthenticator-WhywouldyouuseMobileConnect?) -- [How WSO2 Identity Server can be used with Mobile - Connect](#MobileConnectAuthenticator-HowWSO2IdentityServercanbeusedwithMobileConnect) - ------------------------------------------------------------------------- - #### What is Mobile Connect? Mobile Connect is a mobile operator facilitated authentication solution @@ -50,7 +39,7 @@ the perspective of a consumer. ##### Technical perspective -![](attachments/57740505/72427914.png) +![](../../assets/img/57740505/72427914.png) The sequence above depicts the flow of actions from a technical perspective, or the perspective of someone who is setting this up. @@ -65,7 +54,7 @@ perspective, or the perspective of someone who is setting this up. ##### Consumer perspective -![](attachments/57740505/72423055.png) +![](../../assets/img/57740505/72423055.png) The given sequence above depicts the Mobile Connect flow, from sign up/login to the complete authentication in just 4 steps. The 
@@ -124,18 +113,17 @@ Connect does the authentication and sends the response back to the Identity Server, which in turn sends the response back to the application and authenticates the user. The following diagram illustrates this scenario. -![](attachments/57740505/72426717.png) +![](../../assets/img/57740505/72426717.png) -Configurations to be done +!!! info "Configurations to be done" + To make this scenario work, you must do the following. -To make this scenario work, you must do the following. - -- Configure your application in Mobile Connect. -- Configure your application as a service provider in the WSO2 - Identity Server. -- Mobile Connect is configured as an Identity Provider in the WSO2 - Identity Server. -- Federated authentication is enabled in the Identity Server. + - Configure your application in Mobile Connect. + - Configure your application as a service provider in the WSO2 + Identity Server. + - Mobile Connect is configured as an Identity Provider in the WSO2 + Identity Server. + - Federated authentication is enabled in the Identity Server. ##### Scenario 2: Multi-factor authentication 
@@ -148,24 +136,17 @@ sends the response back to the Identity Server, which in turn sends the response back to the application and authenticates the user. The following diagram illustrates this scenario. -![](attachments/57740505/72426724.png) - -Configurations to be done - -To make this scenario work, you must do the following. +![](../../assets/img/57740505/72426724.png) -- Configure your application in Mobile Connect. -- Configure your application as a service provider in the WSO2 - Identity Server. -- Mobile Connect is configured as an Identity Provider in the WSO2 - Identity Server. -- Multi-step authentication is configured in the Identity Server. +!!! info "Configurations to be done" + To make this scenario work, you must do the following. -To get started with the authenticator, see [Mobile Connect Federated -Authenticator for WSO2 Identity -Server](Configuring-Mobile-Connect-as-a-Federated-Authenticator). -Once you have completed your configurations, you can perform -authentication with the Mobile Connect authenticator. + - Configure your application in Mobile Connect. + - Configure your application as a service provider in the WSO2 + Identity Server. + - Mobile Connect is configured as an Identity Provider in the WSO2 + Identity Server. + - Multi-step authentication is configured in the Identity Server. ------------------------------------------------------------------------ diff --git a/en/docs/develop/nuxeo-authenticator.md b/en/docs/develop/nuxeo-authenticator.md index 4dafee74f0..dd60eb76f8 100644 --- a/en/docs/develop/nuxeo-authenticator.md +++ b/en/docs/develop/nuxeo-authenticator.md 
@@ -1,24 +1,394 @@ -# Nuxeo Authenticator +# Configuring Nuxeo Authenticator The Nuxeo authenticator is a federated authenticator that WSO2 Identity Server supports to authenticate Nuxeo users to log in to your -organization’s applications. [Nuxeo](https://www.nuxeo.com/) is an [open -source](https://en.wikipedia.org/wiki/Open_source) content -management platform that allows architects and developers to build, +organization’s applications. [Nuxeo](https://www.nuxeo.com/) is an open +source content management platform that allows architects and developers to build, deploy, and run content-centric business applications. -## Getting started +The topics in this page provide instructions on how to configure the +Nuxeo authenticator with WSO2 Identity Server. Here, a sample +application is used to demonstrate the integration. -To get started with the authenticator, go to [Configuring Nuxeo -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Nuxeo+Authenticator) -. Once you have completed your configurations, you can perform -authentication with the Nuxeo authenticator. +!!! info "Note" + - Nuxeo Authenticator is supported with WSO2 Identity Server 5.5.0. + - Configuring the Nuxeo authenticator is tested with Nuxeo Server + version 10.1. -## Additional information +Follow the instructions in the topics below to configure the Nuxeo +authenticator with WSO2 Identity Server: -To download the authenticator and other required artifacts, go to [IS -Connector -Store](https://store.wso2.com/store/assets/isconnector/details/c7003ffb-18a1-48ed-9a99-6274796fa978) -. +### Deploying Nuxeo artifacts + +- Download the artifacts for this authenticator from [the + store](https://store.wso2.com/store/assets/isconnector/details/c7003ffb-18a1-48ed-9a99-6274796fa978) + . +- Copy the downloaded + ` org.wso2.carbon.identity.authenticator.nuxeo-x.x.x.jar ` + file to the + ` /repository/components/dropins ` + directory. + +!!! 
note + If you want to upgrade the Nuxeo Authenticator (.jar) that is packaged + with your existing WSO2 IS distribution to the latest, see [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Nuxeo application + +1. Go to , download the server + and unzip the archive. The path to the sever will be referred to as + ` ` throughout this page. +2. Navigate to the ` /bin ` directory + and use the following command to install the JSF UI add-on: + + ``` java + ./nuxeoctl mp-install nuxeo-jsf-ui + ``` + +3. Start the Nuxeo server using the commands given below: + + ``` java + $ chmod +x ./nuxeoctl + $ ./nuxeoctl start + ``` + + !!! note + After the first time server start, follow the consequence + instructions in the nuxeo console to setup the nuxeo server. + + +4. Once the server starts, follow the steps below to setup the nuxeo + server. + 1. Go to and sign in with + Administrator/Administrator credentials. + 2. Click **Admin**, then click **Cloud Services**, and then click + the **Consumers** tab. + 3. Click **Add** under the **OAuth2 Clients** section. + 4. Specify values for the **Name**, **Client ID**, **Client + Secret**, and **Redirect URI**. You can use + as the **Redirect URI**. + 5. Click **Create**. + ![](../../assets/img/92526518/92534118.png) +Now you have configured the Nuxeo application . + +Next let's deploy the the [travelocity.com](http://travelocity.com/) +sample app so that it can be used in this scenario. + +### Deploying the [travelocity.com](http://travelocity.com) sample app + +To download and deploy the travelocity sample application, follow the +instructions in [deploying travelocity.com sample +app](../../develop/deploying-the-sample-app) +. + +!!! note + If you are running the Nuxeo server and apache tomcat on the same port + (eg: 8080), be sure to change the port that you run apache tomcat. + + Follow the steps below to change the port on which apache tomcat runs: + + 1. 
Navigate to the ` /conf/server.xml ` + file and change the values of + ` Connector port, Server port ` + parameters. + + ``` text + + + + + + + + ``` + + 2. Navigate to the + ` /webapps/travelocity.com/WEB-INF/classes/travelocity.properties ` + file and change the port in the URL of the SAML 2.0 assertion + consumer. + + ``` text + #The URL of the SAML 2.0 Assertion Consumer + SAML2.AssertionConsumerURL=http://localhost:8080/travelocity.com/home.jsp + ``` + + +### Configuring the identity provider + +Follow the steps below to add a new identity provider via the management +console of WSO2 Identity Server. + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). +2. Run the [WSO2 Identity + Server](../../setup/running-the-product). +3. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +4. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add.** +5. Specify an appropriate name as the **Identity Provider Name**. + ![](../../assets/img/92526518/112363883.png) +6. Expand the **Federated Authenticators** section, and then expand the + **Nuxeo Configuration** section. +7. Select **Enable** to enable the Nuxeo authenticator for the identity + provider. +8. Select **Default** to set Nuxeo as the default authenticator for the + identity provider. +9. Specify appropriate values for the following fields depending on + the + 1. Select both checkboxes to **Enable** the Nuxeo authenticator and + make it the **Default**. + 2. **Client Id** : The client Id of the Nuxeo application you + created. + + 3. **Client Secret** **:** The client secret of the Nuxeo + application you created. + + 4. **Callback URL** **:** The service provider's URL where code + needs to be sent. + + 5. **Nuxeo Server URL** **:** The Nuxeo server URL. + [http://localhost:8080](http://localhost:8080/) + + + + ??? 
note "Click here to see detailed descriptions for each configuration property" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionSample Value
EnableSelect this to enable the Nuxeo to be used as an authenticator to provision users to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that github is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
ClientIDThis is the Client Id from the Nuxeo AppclientApp
Client SecretThis is the Client Secret from the Nuxeo App. Click the Show button to view the value you enter.clientsecret
Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. The URL should be specified in the following format:
+ https://<HOST_NAME>:<PORT>/acs
https://localhost:9443/commonauth
Nuxeo server URLThe Nuxeo server URL.http://localhost:8080
+ +10. Click **Register**. + +Now that you have added the identity provider. Next, let's configure the +service provider. + +### Configuring the service provider + +Follow the steps below to configure the service provider. + +1. On the WSO2 IS management console, click **Add** under **Service + Providers**. +2. Since you are using travelocity as the sample, enter + [travelocity.com](http://travelocity.com/) as the **Service Provider + Name**. +3. Click **Register**. +4. Expand the **Inbound Authentication Configuration** section, then + expand the **SAML2 Web SSO Configuration** section, and then click + **Configure**. +5. Specify values as follows: + 1. **Issuer** : [travelocity.com](http://travelocity.com) + 2. **Assertion Consumer URL** : + + 3. Select the following: + - **Enable Response Signing** + - **Enable Single Logout** + - **Enable Attribute Profile.** + - **Include Attributes in the Response Always** +6. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +7. Expand the **Local and Outbound Authentication Configuration** + section. + +8. From the drop-down list under **Federated Authentication**, select + the identity provider you created. + +9. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +Now you have added the service provider. Next, let's configure claims. + +### Configuring claims + +Follow the steps below to configure claims. For more information on +configuring claims, see [Adding Claim +Mapping](../../learn/adding-claim-mapping) in +the WSO2 IS documentation. + +1. Sign in to the [Management + Console](../../setup/getting-started-with-the-management-console) + with your username and password. +2. On the **Main** menu, click **Add** under **Claims**. + +3. Click **Add Claim Dialect** to create the Nuxeo authenticator + specific claim dialect. + +4. Specify the Dialect URI as + ` http://wso2.org/nuxeo/claims ` + . + +5. 
Click **Add** to create the claim dialect. + +6. Map the new external claim to an existing local claim dialect. Be + sure to map at least one claim under the new dialect. Here, let's + map the claim for the last name. + + 1. On the **Main** menu, click **Add** under **Claims**. + + 2. Click **Add External Claim** to add a new claim to the Nuxeo + claim dialect. + + 3. Select the Dialect URI as + ` http://wso2.org/nuxeo/claims ` + . + + 4. Enter the **External Claim URI** based on the following claim + mapping information. + + 5. Select the **Mapped Local Claim** based on the following claim + mapping information. + + Claim mapping for last name + + | | | + |------------------------|-------------------------------------------------------------------------------------------------------------| + | **Dialect URI** | ` http://wso2.org/nuxeo/claims ` | + | **External Claim URI** | ` http://wso2.org/nuxeo/claims/lastName ` | + | **Mapped Local Claim** | ` http://wso2.org/claims/lastname ` | + + 6. Click **Add** to add the new external claim. + +7. Similarly, repeat step 6 for the following claim mappings to create + claims for all the public information of the Nuxeo user. 
+ + Claim mapping for the first name: + + | | | + |------------------------|----------------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | http://wso2.org/nuxeo/claims/firstName | + | **Mapped Local Claim** | http://wso2.org/claims/givenname | + + Claim mapping for the email: + + | | | + |------------------------|-------------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | http://wso2.org/nuxeo/claims/email | + | **Mapped Local Claim** | http://wso2.org/claims/emailaddress | + + Claim mapping for groups: + + | | | + |------------------------|-------------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | http://wso2.org/nuxeo/claims/groups | + | **Mapped Local Claim** | http://wso2.org/claims/role | + + Claim mapping for user id: + + | | | + |------------------------|---------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | http://wso2.org/nuxeo/claims/id | + | **Mapped Local Claim** | http://wso2.org/claims/userid | + + Claim mapping for extended group: + + | | | + |------------------------|---------------------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | http://wso2.org/nuxeo/claims/extendedGroups | + | **Mapped Local Claim** | http://wso2.org/claims/group | + + Claim mapping for user name: + + | | | + |------------------------|---------------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | http://wso2.org/nuxeo/claims/username | + | **Mapped Local Claim** | http://wso2.org/claims/username | + + Claim mapping for entity type: + + | | | + |------------------------|------------------------------------------| + | **Dialect URI** | http://wso2.org/nuxeo/claims | + | **External Claim URI** | 
http://wso2.org/nuxeo/claims/entity-type | + | **Mapped Local Claim** | http://wso2.org/claims/userType | + +8. Click **Update**. + +### Configuring requested claims for travelocity.com + +1. On the Main tab of the management console, click **List** under + **Service Providers**. + +2. Click **Edit** to edit the [travelocity.com](http://travelocity.com) + service provider. + +3. Expand the **Claim Configuration** section. + +4. Click **Add Claim URI** under **Requested Claims** and add the + requested claims as follows: + + ![](../../assets/img/92526518/92534139.png) + +5. Select the **Subject Claim** URI as + ` http://wso2.org/claims/username ` + to define the authenticated user identifier that will return with + the authentication response to the service provider. + +6. Click **Update**. This saves the service provider changes. + +### Testing the sample + +1. To test the sample, go to + ` http://:/travelocity.com/index.jsp ` + . For example, . +2. Click the appropriate link to log in with SAML from WSO2 Identity + Server. + ![](../../assets/img/92526518/92526852.png) +3. Enter your Nuxeo credentials in the log in prompt of Nuxeo. Once you + log in successfully you will be taken to the homepage of the t + ` ravelocity.com ` application. + +Now that you understand how to use Nuxeo as a federated authenticator +with WSO2 Identity Server, you can configure the Nuxeo authenticator as +required to authenticate Nuxeo users to log in to your organization’s +applications. \ No newline at end of file diff --git a/en/docs/develop/password-policy-authenticator.md b/en/docs/develop/password-policy-authenticator.md index 93faad6e63..3f3423ff0a 100644 --- a/en/docs/develop/password-policy-authenticator.md +++ b/en/docs/develop/password-policy-authenticator.md 
@@ -1,17 +1,214 @@ -# Password Policy Authenticator +# Configuring Password Policy Authenticator The Password Policy authenticator allows you to reset the password during the authentication flow, if the password is expired, user will be prompted to reset the password. -### Getting started +!!! note + If you are using Password Policy Authenticator version 1.0.8, go to + the WSO2 identity-outbound-auth-passwordPolicy [GitHub + repository](https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy/tree/v1.0.8/docs) + to view the latest documentation. -To get started with the authenticator, go to [Configuring Password -Policy -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Password+Policy+Authenticator) -Operations. Once you have completed your configurations, you can perform -with the Password Policy authenticator. -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/passwordpolicy](https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c) +### Deploying Password Policy artifacts + +1. Download the [Password Policy Authenticator and + artifacts](https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c) + from the WSO2 connector store. + +2. Add the following lines to the + ` identity-event.properties ` file in the + ` /repository/conf/identity/ ` + directory ` . ` + + ``` java + module.name.13=passwordExpiry + passwordExpiry.subscription.1=POST_UPDATE_CREDENTIAL + passwordExpiry.subscription.2=POST_UPDATE_CREDENTIAL_BY_ADMIN + passwordExpiry.subscription.3=POST_ADD_USER + passwordExpiry.passwordExpiryInDays=30 + passwordExpiry.enableDataPublishing=false + passwordExpiry.priorReminderTimeInDays=0 + ``` + + !!! note + The value of xx in ` module.name.xx ` should be + decided based on the highest module number that is already available + in the ` identity-event.properties ` file . 
For + example, if the last module number mentioned in the file is + ` module.name .11 ` + , the above entry should be renamed as + ` module.name.12=passwordExpiry ` . + + +3. Place the authentication pwd-reset.jsp file  into the + ` /repository/deployment/server/webapps/authenticationendpoint ` + directory. + + !!! note + Before pasting the pwd-reset.jsp file, the server needs to be + started at least once to ensure that the folder is available for the + web app to be deployed. + + +4. Place the authenticator .jar file ( + ` org.wso2.carbon.extension.identity.authenticator.passwordpolicy.connector-1.0.3.jar ` + ) into the directory + ` /repository/components/dropins ` . ( + To download the authenticator, go to + [https://store.wso2.com/store/assets/isconnector/passwordpolicy](https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c) + ) + + !!! note + If you want to upgrade the Password Policy Authenticator in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +5. Edit the ` identity-mgt.properties ` found in + the ` /repository/conf/identity ` + directory and add the following property. This value must be an + integer. + + ``` java + Authentication.Policy.Password.Reset.Time.In.Days=20 + ``` + + !!! info + If the property is not added to the file, by default, the password + reset time is 30 days. + +### Add claim mapping + +A claim is a piece of information about a particular subject. It can be +anything that the subject is owned by or associated with, such as name, +group, preferences, etc. In this instance, the claim in question is +` lastPasswordChangedTimestamp ` and this needs to be +linked to a claim that is local to WSO2 Identity Server. This claim is +required because the WSO2 Identity Server needs to know if the password +is expired or not for this flow to work. + +!!! 
info + For more information about claim mappings, see [Adding a claim + mapping](../../learn/adding-claim-mapping). + +1. Navigate to the **Identity** section under the **Main** tab of the + [management + console](../../setup/getting-started-with-the-management-console) + . +2. Click **Add** under **Claims** and then click **Add Local Claim**. +3. Add a new claim for + ` lastPasswordChangedTimestamp ` with + ` http://wso2.org/claims/lastPasswordChangedTimestamp ` + as the **Claim Uri.** + + !!! info + When adding a new claim, use an attribute which is mapped to an + existing unused claim if the secondary user-store is an LDAP and use + any attribute name as the mapped attribute if it is a JDBC user + store. + + ![](../../assets/img/50511336/97551782.png) + +### Deploying travelocity.com sample + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding a [service +provider](../../learn/adding-and-configuring-a-service-provider) . + +### Configuring the Service Provider + +The next step is to configure the service provider. + +1. Return to the Management Console. + +2. In the **Identity** section under the **Main** tab, click **Add** + under **Service Providers**. + +3. Enter travelocity.com in the **Service Provider Name** text box and + click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Configure the sample application (travelocity) as the service + provider. + ![](../../assets/img/50511336/50688127.png) + Do the following configurations. + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : + + + Select the following check-boxes: + + !!! note "Remember!" + The following check-boxes are enabled or disabled according to the + properties available in your service provider. 
For "travelocity.com" + the relevant properties file can be seen inside the webapp + travelocy.com/WEB-INF/classes/ called "travelocity **.properties** + ". + + 1. **Enable Response Signing** + + 2. **Enable Single Logout** + + 3. **Enable Attribute Profile** + + 4. **Include Attributes in the Response Always** + +6. Click **Register** to save the changes. Now you will be sent back to + the **Service Providers** page. + +7. Go to **Local and Outbound Authentication Configuration** section. + +8. Select the **Advanced** **configuration** radio button option . + +9. Add the basic authentication as first step and + password-reset-enforcer authentication as second step. + + !!! tip + The **Use attributes from this step** option is unchecked + when the second step is added and selected. + + ![](../../assets/img/50511336/50688128.png) + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, the password needs be expired. So select + "Supported by Default" checkbox in the + ` lastPasswordChangedTimestamp ` that has the + **http://wso2.org/claims/lastPasswordChangedTimestamp** claim. + + !!! note + In a production setup, you need to **deselect** "Supported by + Default" checkbox in the lastPasswordChangedTimestamp claim mapping + configuration. + + + ![](../../assets/img/50511336/51252088.png) + +2. Enter a date and time of the past for the Password Changed Time + field. Make sure to provide the value in the Epoch format. + ![](../../assets/img/50511336/51252089.png) +3. Go to the following URL: http://localhost:8080/travelocity.com +4. Click the link to log in with SAML from WSO2 Identity Server. + ![](../../assets/img/50511336/50688116.png) + +5. The basic authentication page appears. Use your WSO2 Identity Server + credentials. + +6. During the authentication flow, if the password is expired, you will + be prompted to reset the password. + ![](../../assets/img/50511336/50688130.png) +7. 
Enter the current password, new password and repeat password. If the + authentication is successful, you are taken to the home page of the + travelocity.com app. \ No newline at end of file diff --git a/en/docs/develop/pinterest-authenticator.md b/en/docs/develop/pinterest-authenticator.md index 6ec0b25e67..7339b51658 100644 --- a/en/docs/develop/pinterest-authenticator.md +++ b/en/docs/develop/pinterest-authenticator.md @@ -1,4 +1,4 @@ -# Pinterest Authenticator +# Configuring Pinterest Authenticator The Pinterest authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Pinterest users to log in to 
@@ -8,25 +8,234 @@ images or videos to their own or others' boards and browsing what other users have pinned. The diagram below illustrates the flow of the Printrest federated authenticator. - +![](../../assets/img/60096519/76746244.png) -![](attachments/60096519/76746244.png?effects=border-simple,blur-border) +This page provides instructions on how to configure the Pinterest +authenticator and the WSO2 Identity Server using a sample app to +demonstrate authentication. You can find more information in the +following sections. - +!!! info + This is tested for the Pinterest API version 1.0. Pinterest + Authenticator is supported by Identity Server version 5.3.0 upwards. - +### Configuring the Pinterest App -### Getting started +1. Place the authenticator .jar file into the + ` /repository/components/dropins ` + directory. You can download the .jar file ( + ` org.wso2.carbon.extension.identity.authenticator.Pinterest.connector ` + ) from [the WSO2 + Store](https://store.wso2.com/store/assets/isconnector/list?q=%2522_default%2522%253A%2522Pinterest%2522) + . -To get started with the authenticator, see [Configuring Pinterest -Authenticator](Configuring-Pinterest_Authenticator) for information -and configuration steps. + !!! note + If you want to upgrade the Pinterest Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) -Once you have completed your configurations, you can authenticate users -using the Pinterest authenticator. +2. Navigate to and create a + new app as described in the [Pinterest Getting Started + documentation](https://developers.pinterest.com/docs/api/overview/) + . +3. Enter the **Name** and **Description** of your new app and then + click the **Create** button. + ![](../../assets/img/60096589/60096627.png) +4. Enter the redirect URL as in the + page that appears. 
+ This is the WSO2 IS endpoint to which Pintrest, who is the federated + authenticator, needs to send the authentication response. + ![](../../assets/img/60096589/60096629.png) +5. You have now finished configuring Pinterest. Copy the **App ID** and + **App secret** from the resulting page. + ![](../../assets/img/60096589/60096630.png) - +### Deploying travelocity.com sample app -To download the authenticator, go to -[https://store.wso2.com/store/assets/isconnector/Pinterest](https://store.wso2.com/store/assets/isconnector/details/5cc54dd5-8a4b-4da2-8522-4d7d582b6610) +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +For more information on how to do this, see [Deploying travelocity.com +sample app](../../develop/deploying-the-sample-app). + +### Configuring the identity provider + +Now you must configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) . + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. Log in to the [Management + Console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +4. Give a suitable name for **Identity Provider Name** and configure + Pinterest as the identity provider. Refer + [this](../../learn/adding-and-configuring-an-identity-provider#adding-an-identity-provider) + document for more information regarding the identity provider + configurations. + ![](../../assets/img/60096589/60096632.png) + Do the following configurations. 
+ + | Field | Description | Sample Value | + |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------| + | Enable | Selecting this option enables pinterest to be used as an authenticator for users provisioned to the Identity Server. | Selected | + | Default | Selecting the **Default** checkbox signifies that Pinterest is the main/default form of authentication. This removes the selection made for any other **Default** checkboxes for other authenticators. | Selected | + | Client Id | This is the username from the Pinterest application. | 4927778446347615595 | + | Client Secret | This is the password from the Pinterest application. Click the **Show** button to view the value you enter. | 7514127b86f6a5b6a5f4625cb9ba967f10ba0cdb3fef5bf20a91b0cc7b261818 | + | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs. | https://localhost:9443/commonauth | + +5. Go to **Pinterest Authenticator Configuration** under **Federated + Authenticators**. +6. Enter the values as given in the above figure. + - **Client Id** : App ID for your app. + - **Client Secret** : App secret for your app. + - **Callback URL** : Service Provider's URL where code needs to be + sent . + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. +2. In the **Service Providers** section under the **Main** tab, click + **Add**. +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. +4. 
In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + ![](../../assets/img/60096589/60096633.png) +5. Now set the configuration as follows: + - **Issuer** : travelocity.com + - **Assertion Consumer URL** : + +6. Select the following check-boxes: + - **Enable Response Signing**. + - **Enable Single Logout**. + - **Enable Attribute Profile**. + - **Include Attributes in the Response Always**. +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +8. Go to the **Local and Outbound Authentication Configuration** + section. +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + ![](../../assets/img/60096589/60096634.png) +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +### Configuring claim mappings for Pinterest + +1. Sign into the [Management + Console](../../setup/getting-started-with-the-management-console) + by entering your username and password. +2. In the **Main** menu, click **Add** under **Claims**. +3. Click **Add Claim Dialect** to create the Pinterest authenticator + specific claim dialect. + +4. Specify the **Dialect URI** as http://wso2.org/pinterest/claims. + ![](../../assets/img/60096589/60489892.png) + +5. Click [Add external + claim](../../learn/adding-claim-mapping#add-external-claim) + . Use the Dialect Uri as http://wso2.org/pinterest/claims. You can + create the external claims here. + ![](../../assets/img/60096589/60490348.png) + Create the claim for Pinterest user id while creating the claim + dialect. 
+ + | | | + |--------------------|-------------------------------------| + | Dialect URI | http://wso2.org/pinterest/claims | + | External Claim URI | http://wso2.org/pinterest/claims/id | + | Mapped Local Claim | http://wso2.org/claims/userid | + + Create the claim for Pinterest first name while creating the claim + dialect. + + | | | + |--------------------|----------------------------------------------| + | Dialect URI | http://wso2.org/pinterest/claims | + | External Claim URI | http://wso2.org/pinterest/claims/first\_name | + | Mapped Local Claim | http://wso2.org/claims/givenname | + + Create the claim for Pinterest last name while creating the claim + dialect. + + | | | + |--------------------|---------------------------------------------| + | Dialect URI | http://wso2.org/pinterest/claims | + | External Claim URI | http://wso2.org/pinterest/claims/last\_name | + | Mapped Local Claim | http://wso2.org/claims/lastname | + + Create the claim for Pinterest URL while creating the claim dialect. + + | | | + |--------------------|---------------------------------------| + | Dialect URI | http://wso2.org/pinterest/claims | + | External Claim URI | http://wso2.org/pinterest/claims/ur l | + | Mapped Local Claim | http://wso2.org/claims/url | + + Likewise, you can create the claims for all the public information + of the Pinterest user. + +6. The next step is to configure claims in the Identity Server and map + them to Pinterest. + + !!! note + For more details on configuring claims for a service provider, + Please refer + [this](../../learn/configuring-claims-for-a-service-provider) + . + + 1. In the **Identity** section under the **Main** tab, click + **List** under **Identity Providers**. + 2. Click **Edit** to edit the pinterest identity provider you + created. + 3. Under **Claim Configuration**, go to **Basic Claim + Configuration**. + 4. Select the **Define Custom Claim Dialect** option under **Select + Claim mapping Dialect**. + 5. 
Click **Add Claim Mapping** to add custom claim mappings as + follows. + ![](../../assets/img/60096589/61047736.png) + 6. Select a suitable **User ID Claim URI** (e.g., + http://wso2.org/pinterest/claims/id ). + 7. Click **Update** to save changes. + +Here, we are mapping claims in the Identity Server and with the claims +of Pinterest. So that once the user is authenticated from the Printrest, +the identity server can obtain the necessary claim values of the +authenticated user from the Pinterest side. These claims can be used by +the service provider for different purposes. + +### Configuring requested claims for travelocity.com + +1. In the **Identity** section under the **Main** tab, click **List** + under **Service Providers**. +2. Click **Edit** to edit the [travelocity.com](http://travelocity.com) + service provider. +3. Go to **Claim Configuration**. +4. Click on **Add Claim URI** under **Requested Claims** to add the + requested claims as follows. Here you should add the claims you + mapped in the Identity Provider claim configuration. + ![](../../assets/img/60096589/72437732.png) + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., + ![](../../assets/img/60096589/60096639.png) +2. Click the link to log in with SAML from the WSO2 Identity Server. +3. You are redirected to the Pinterest sign in page. Enter your + Pinterest credentials and click **Log in**. + ![](../../assets/img/60096589/60096640.png) +4. Authenticate the user by clicking **Allow access**. +5. You are taken to the home page of the travelocity.com app. + ![](../../assets/img/60096589/60490392.png) \ No newline at end of file diff --git a/en/docs/develop/reddit-authenticator.md b/en/docs/develop/reddit-authenticator.md index e3dfce1bb8..8c6cea925b 100644 --- a/en/docs/develop/reddit-authenticator.md +++ b/en/docs/develop/reddit-authenticator.md 
@@ -1,4 +1,4 @@ -# Reddit Authenticator +# Configuring Reddit Authenticator The Reddit authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Reddit users to log in to your 
@@ -8,31 +8,171 @@ communities and is made up of thousands of active communities (known as are created and maintained by regular users. The diagram below illustrates the flow of the Reddit federated authenticator. - +![](../../assets/img/50520527/76746184(../../learn/adding-claim-mapping)=border-simple,blur-border) -![](attachments/50520527/76746184.png?effects=border-simple,blur-border) +This page provides instructions on how to configure the Reddit +authenticator and Identity Server using a sample app. You can find more +information in the following sections. - +!!! info + This is tested for the Reddit API version 1.0. Reddit Authenticator is + supported by Identity Server 5.1.0 upwards. - - +### Deploying Reddit artifacts -### Getting started +- Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). -To get started with the authenticator, go to [Configuring Reddit -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Reddit+Authenticator) -. +- Download the Reddit authenticator from + [here](https://store.wso2.com/store/assets/isconnector/details/45092602-8b7b-4f29-9d66-cc5b39990907) + and add it to the + ` /repository/components/dropins ` + directory. -Once you have completed your configurations, you can perform -authentication with the Reddit authenticator. + !!! note + If you want to upgrade the Reddit Authenticator (.jar) in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + - +### Configuring the Reddit App - +1. Create a reddit account using the URL + [https://www.reddit.com/](https://www.reddit.com/.) and log in. +2. Navigate to https://www.reddit.com/prefs/apps and click are you a + developer?create an app on the top left corner. Example: +3. Create a web app. + Use + ` https://localhost:9443/commonauth ` + as the **about url** and **redirect uri** when creating the web + app. + ![](../../assets/img/50520620/51252148.png) +4. 
Now you can get the clientId and clientSecret of your created app. + ![](../../assets/img/50520620/51252150.png) -### Additional information +### Deploying travelocity.com sample app -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/reddit](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22reddit%22) -. +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity provider](#configuring-the-identity-provider) and [service provider](#configuring-the-service-provider). + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by adding a new identity +provider. For more information about the Identity Providers, see +[Configuring an Identity +Provider](../../learn/adding-and-configuring-an-identity-provider). + +1. Go to in your browser, and click the HTTPS + trust icon on the address bar (e.g., the padlock next to the URL in + Chrome) to download the certificate. + Based on the  browser the steps to download the certificate changes. + Click valid under Certificate (Chrome) or click Show certificate + (Safari), expand the **Details** section and click the URL under CA + Issuer to download the certificate. + Example: On Chrome + + ![](../../assets/img/50520620/75109985.png) + + !!! note + This is supported on Firefox and Safari browsers by default but it + is not supported on some Chrome browsers. + + ??? note "Click here to know how to enable certificate downloading on Chrome." + 1. Navigate to . + 2. Click Enable to view the certificates. + ![](../../assets/img/50520620/75109981.png) + 3. Relaunch Chrome. + + +2. Import that certificate into the IS client keystore. + ` keytool -importcert -file -keystore /repository/resources/security/client-truststore.jks -alias "Reddit" ` + + !!! 
info + The default password of the client-truststore.jks is "wso2carbon". + +3. Run the [WSO2 Identity + Server](../../setup/running-the-product). +4. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +5. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +6. Give a suitable name for **Identity Provider Name**. + ![](../../assets/img/50520620/51252182.png) +7. Navigate to **RedditAuthenticator Configuration** under **Federated + Authenticators**. +8. Enter the values as given in the above figure. + + - **Client Id** : Client Id for your web app. + - **Client Secret** : Client Secret for your web app. + - **Callback URL** : Service Provider's URL where code needs to be + sent . + +9. Select both checkboxes to **Enable** the Reddit authenticator and + make it the **Default**. + +10. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + + 1. **Issuer** : travelocity.com + + 2. **Assertion Consumer URL** : http://localhost:8080/travelocity.com/home.jsp + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + + 2. **Enable Single Logout**. + + 3. **Enable Attribute Profile**. + + 4. **Include Attributes in the Response Always**. + +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. + +8. 
Navigate to the **Local and Outbound Authentication Configuration** + section. + +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + ![](../../assets/img/50520620/51252181.png) + +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com ` + . + E.g., http://localhost:8080/travelocity.com + +2. Login with SAML from the WSO2 Identity Server. + +3. Enter your Reddit credentials in the prompted login page of Reddit. + Once you log in successfully you will be taken to the home page of + the travelocity.com app. \ No newline at end of file diff --git a/en/docs/develop/rsa-securid-authenticator.md b/en/docs/develop/rsa-securid-authenticator.md index 0faea0f7c7..51c619f388 100644 --- a/en/docs/develop/rsa-securid-authenticator.md +++ b/en/docs/develop/rsa-securid-authenticator.md @@ -1,4 +1,4 @@ -# RSA SecurID Authenticator +# Configuring RSA SecurID Authenticator The RSA SecurID authenticator allows you to authenticate users using RSA SecurID through WSO2 Identity Server. RSA SecurID is a two-factor 
@@ -7,10 +7,231 @@ This allows the user to log into a system with software tokens and hardware tokens like keyfobs. The authentication codes at fixed interval using a built-in clock and the card’s factory-encoded random key. -### Getting started +This page provides instructions on how to configure the RSA SecurID +authenticator and the WSO2 Identity Server using a sample app to +demonstrate authentication. You can find more information in the +following sections. -To get started with the authenticator, see [Configuring RSA SecurID -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+RSA+SecurID+Authenticator) -for information and configuration steps. Once you have completed your -configurations, you can authenticate users using the RSA SecurID -authenticator. +### Configuring the RSA Authentication Manager + +RSA Authentication Manager 8.1 supports a VMware virtual appliance, +Hyper-V virtual appliance, and the hardware appliance. The same +functionality is provided by each type of appliance. See [the setup and +configuration guide for RSA Authentication Manager +8.1](https://www.emc.com/collateral/15-min-guide/h12284-am8-setup-config-guide.pdf) +for more information on setting this up. + +Once you complete all the required configurations you can access the +following consoles using the credentials that you provided in the +configuration. + +- Security Console: https://\/sc +- Operational Console: https://\/oc +- Self Service Console: https://\/ssc + +### Configuring the NTP Server on RSA Authentication Manager operational console + +The NTP server is responsible for time. Set up your NTP server for your +region and make sure the time setting is accurate. To set the time, +follow the steps below. + +1. Log in to the RSA Authentication Manager Operational Console + (https://\/oc) with your operation + console credentials. This was set when you performed the RSA + Authentication Manager configurations. +2. 
Navigate to the **Administration** menu and select **Date and Time** + . +3. Set up your regional NTP server as shown in the following screen, + but do this for your region. + ![](../../assets/img/52528427/56987871.png) + + + +### Adding a user to the internal database of RSA Authentication Manager + +To enroll the user into the RSA Authentication Manager, you must log +into the security console (https://\/oc) +with your security console credentials. See the following video for more +information on how to do this. + +[Video Guide: Add user to the Internal +Database](https://youtu.be/zYG7REyAdmY?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc) + +### Importing token records + +Token records are unique records used to identify each token in RSA. To +activate a token record you must import the token record. See the +following video, which guides you through the steps on how to import the +token records to the RSA Authentication Manager Security Console. + +[Video Guide: Import Token +Records](https://youtu.be/zqIRMIxUwXg?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc) + +### Assigning the token to the user + +Once the token records are imported and the users are added, you are +able to assign either software tokens or hardware tokens to the users. +See the following video, which guides you through the process of +assigning a token to the registered user. + +[Video Guide: Assign Tokens to +Users](https://youtu.be/0TF5Jv5av0o?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc) + +### Self-enrollment of users and setting or resetting the PIN + +The RSA Self-service Console provides the option to create/reset the +password for users using their RSA user ID and their tokens. If the +users log in for the first time, they must log in to the RSA +Self-service Console and create a PIN for themselves. 
+ +RSA Self-Service Console URL: +https://\/ssc + +### Configuring the RSA custom agent + +If you are want to configure an RSA Authentication custom agent, you +must generate the RSA Authentication Manager configuration file. See the +following video for instructions on how to generate the configuration +file. + +[Video Guide: Generate the Authentication Manager Configuration +File](https://youtu.be/O09jpBCMwKE?list=PL69kuTXA1IasAousLJVVK1qItFJVALlJc&t=54) + +1. Once you have generated the Authentication Manager configuration + file, create a file called rsa.properties and add the following + configurations to it. You must set the paths of each of the required + files in this configuration. + ``` java + RSA_AGENT_HOST= + RSA_CONFIG_READ_INTERVAL=600 + SDCONF_TYPE=FILE + SDCONF_LOC= + SDSTATUS_TYPE=FILE + SDSTATUS_LOC= + SDOPTS_TYPE=FILE + SDOPTS_LOC= + SDNDSCRT_TYPE=FILE + SDNDSCRT_LOC= + RSA_LOG_TO_CONSOLE=NO + RSA_LOG_TO_FILE=YES + RSA_LOG_FILE= + RSA_LOG_LEVEL=INFO + RSA_ENABLE_DEBUG=NO + RSA_DEBUG_TO_CONSOLE=YES + RSA_DEBUG_TO_FILE=NO + RSA_DEBUG_FILE=rsa_api_debug.log + RSA_DEBUG_ENTRY=YES + RSA_DEBUG_EXIT=YES + RSA_DEBUG_FLOW=YES + RSA_DEBUG_NORMAL=YES + RSA_DEBUG_LOCATION=NO + ``` + +2. Set the file path of the rsa.properties file you created in the + ` /repository/conf/identity/application-authentication.xml ` + file as follows. + + ``` xml + + securidauthenticationendpoint/login.jsp + C:\securidConf\rsa.properties + + ``` + +### Deploying RSA SecurID Authenticator artifacts + +The artifacts can be obtained from the store for this authenticator . + +1. P lace the ` securidauthenticationendpoint.war ` + file into the + ` /repository/deployment/server/webapps ` + directory. +2. Place the + [` org.wso2.carbon.extension.identity.authenticator.securid.connector-1.0.1.jar `] + (https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22rsa%22) + file into the + ` /repository/components/ ` + ` dropins ` directory. + + !!! 
note + If you want to upgrade the RSA SecurID Authenticator in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +3. Obtain the ` authapi.jar ` and + ` cryptoj.jar ` from RSA or RSA Support, and place + the .jar files in the + ` /repository/components/lib ` directory. + +### Add a claim mapping for RSA user id + +1. Navigate to the **Identity** section under the **Main** tab of the + [management + console](../../setup/getting-started-with-the-management-console) + and click **Add** under the http://wso2.org/claims claims dialect. +2. Add a new claim for RSA user id. + ![](../../assets/img/52528427/52757012.png) + + +### Deploying travelocity.com sample app + +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +See [deploying travelocity.com sample app](../../develop/deploying-the-sample-app) +for instructions on how to do this. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. In the **Service Providers** + section under the **Main** tab, click **Add**. +2. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. +3. Now set the configuration as follows: + ![](../../assets/img/52528427/57004462.png) + Do the following configurations. + - **Issuer** : travelocity.com + - **Assertion Consumer URL** : + + + + Select the following check-boxes: + - **Enable Response Signing**. + - **Enable Single Logout**. + - **Enable Attribute Profile**. + - **Include Attributes in the Response Always**. + +4. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +5. Go to the **Local and Outbound Authentication Configuration** + section. +6. Select the **Advanced** configuration radio button option. +7. 
Add the basic authentication as the first step and RSASecurID + authentication as the second step and click **Update** to save the + changes. + +### Testing the sample + +To test the sample you need to add the RSA user ID in the WSO2 Identity +Server claim. + +1. Go to the following URL: + ` http://:/ travelocity.com/index.jsp ` + E.g. + ![](../../assets/img/49092381/49226489.png) +2. Click the link to log in with SAML from WSO2 Identity Server. The + basic authentication page appears. Use your WSO2 Identity Server + credentials to log in. + ![](../../assets/img/52528427/57004469.png) +3. If the basic authentication succeeds, you are directed to RSA + SecurID authentication page. + ![](../../assets/img/52528427/57004467.png) +4. Enter the PIN and TOKEN, where TOKEN is shown in the keyfobs or in + your mobile device RSA applications. + ![](../../assets/img/52528427/52757625.png) +5. If the authentication is successful, you are redirected to the home + page of travelocity.com app + ![](../../assets/img/52528427/52757626.png) \ No newline at end of file diff --git a/en/docs/develop/scim-2.0-provisioning-connector.md b/en/docs/develop/scim-2.0-provisioning-connector.md index 84b994a382..07017619e0 100644 --- a/en/docs/develop/scim-2.0-provisioning-connector.md +++ b/en/docs/develop/scim-2.0-provisioning-connector.md 
@@ -1,17 +1,1015 @@ -# SCIM 2.0 Provisioning Connector +# Configuring SCIM 2.0 Provisioning Connector The SCIM (System for Cross-domain Identity Management) 2.0 provisioning connector enables you to provision users using SCIM REST calls to the WSO2 Identity Server. -### Getting started +This section provides instructions on how to configure the SCIM 2.0 +connector with WSO2 Identity Server for identity provisioning. -To get started with the provisioning connector, go to [Configuring SCIM -2.0 Provisioning -Connector](Configuring-SCIM-2.0-Provisioning-Connector). -### Additional information +### About SCIM 2.0 -To download the provisioning connector and artifacts, go to [SCIM -Connector](https://store.wso2.com/store/assets/isconnector/details/d3e666a6-c26d-4cd2-ba92-d1b4d9c64a4f) -. +The System for Cross-domain Identity Management (SCIM) is a +specification that is designed to manage user identities in cloud-based +applications and services in a standardized way to enable +interoperability, security, and scalability. It is an emerging open +standard which provides RESTful APIs for easier, cheaper, and faster way +for creating, provisioning, and maintaining identities. The latest +version SCIM 2.0 was released as IETF RFC in September 2015. + +### Deploy SCIM 2.0 connector with IS + +!!! tip + SCIM 2.0 is supported by default in WSO2 Identity Server + version 5.4.0. If you are using WSO2 Identity Server 5.4.0 or a later + version, see [SCIM 2.0 REST + APIs](../../develop/using-the-scim-2.0-rest-apis) for + instructions on how to use SCIM 2.0 OOTB. + + +The below instructions provide a step-by-step approach to deploy SCIM +2.0 connector with WSO2 Identity Server: + +1. Download the latest version of WSO2 Identity Server (IS) from + [here](http://wso2.com/identity-and-access-management) and extract + it to a folder. Extracted folder will hereafter be referred to as + \. +2. 
Download the SCIM 2.0 connector artifacts for WSO2 Identity Server + from + [here](https://store.wso2.com/store/assets/isconnector/details/d3e666a6-c26d-4cd2-ba92-d1b4d9c64a4f). + + ??? note "Expand to see what the SCIM 2.0 connector artifacts pack includes" + - charon-config.xml + + - claim-config-diff.txt + + - org.wso2.carbon.identity.scim2.common-1.1.1.jar + + - org.wso2.charon3.core-3.0.7.jar + + - README + + - scim2-schema-extension.config + + - scim2.war + +3. From the downloaded artifacts, place the + ` org.wso2.charon.core-3.0.7.jar ` file in the + ` /repository/components/lib ` folder. +4. Place the + ` org.wso2.carbon.identity.scim2.common-1.1.1.jar ` + file in the + ` /repository/components/dropins ` folder. +5. Place the ` scim2.war ` in the + ` /repository/deployment/server/webapps ` + folder. +6. Place the ` charon-config.xml ` in the + ` /repository/conf/identity ` folder. +7. Place the ` scim2-schema-extension.config ` file in + the ` /repository/conf ` folder. +8. Append the following entries to the + ` ` + element of the ` identity.xml ` file found in the + ` /repository/conf/identity ` folder. 
+ + ``` java + + /permission/admin/manage/identity/usermgt/create + + + /permission/admin/manage/identity/usermgt/list + + + /permission/admin/manage/identity/rolemgt/create + + + /permission/admin/manage/identity/rolemgt/view + + + /permission/admin/manage/identity/usermgt/view + + + /permission/admin/manage/identity/usermgt/update + + + /permission/admin/manage/identity/usermgt/update + + + /permission/admin/manage/identity/usermgt/delete + + + /permission/admin/manage/identity/rolemgt/view + + + /permission/admin/manage/identity/rolemgt/update + + + /permission/admin/manage/identity/rolemgt/update + + + /permission/admin/manage/identity/rolemgt/delete + + + /permission/admin/login + + + /permission/admin/manage/identity/usermgt/delete + + + /permission/admin/login + + + /permission/admin/login + + + /permission/admin/manage/identity/usermgt/create + + + + + + + + + /permission/admin/manage/identity/usermgt + + + /permission/admin/manage/identity/applicationmgt + + ``` + +9. Disable the SCIM listener with the ` orderId=90 ` + parameter by setting the enable parameter to **false** in the + ` identity.xml ` file found in the + ` /repository/conf/identity ` folder. + Then, add the SCIM2 listener with the + ` orderid=93 ` parameter to the + ` identity.xml ` file and ensure that the enable + parameter is set to **true.** + + ``` java + + + + + + ``` + +10. If you will be using the tenant endpoint, add the following property + within the `   ` + tag of the ` identity.xml ` file found in the + ` /repository/conf/identity ` folder. + + ``` java + /scim2 + ``` + +11. Ensure that the following property is set to **true** to enable SCIM + for the relevant userstore in the + ` user-mgt.xml ` file found in the + ` /repository/conf/ ` folder. + + ``` java + true + ``` + +!!! 
note + If you want to upgrade the SCIM 2.0 Connector in your existing IS pack, + please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configure claim dialects + +Finally, you need to configure the claim dialects. You can use +**either** method 1 or method 2 for this purpose. + +##### Method 1 + +If you want to configure the connector on a new WSO2 Identity Server +extract, follow the instructions given in the +` claim-config-diff.txt ` file that comes with the +connector artifacts pack. + +##### Method 2 + +If you are configuring the connector on an existing WSO2 Identity +Server, add the claim dialects manually. + +1. Start the WSO2 IS and login to the management console. +2. Navigate to **Claims\>Add** and click **Add Claim Dialect**. Add + the following claim dialects through the WSO2 IS management + console. + For more information on how to add a claim dialect, see [Adding + Claim + Dialects](../../learn/adding-claim-dialects) + . + - urn:ietf:params:scim:schemas:core:2.0 + - urn:ietf:params:scim:schemas:core:2.0:User + - urn:ietf:params:scim:schemas:extension:enterprise:2.0:User +3. Navigate to **Claims\>Add** and click **Add Local Claim**. Add the + following claim: + - **Claim URI:** + - **Display Name:** Resource Type + - **Mapped Attribute(s):** ref +4. Navigate to **Claims\>Add** and click **Add External Claim**. Add + the claims listed in step ii) of the + ` claim-config-diff.txt ` file, which comes with + the connector artifacts pack, to the relevant claim dialect. + For more information on adding a claim mapping through the + management console, see [Adding Claim + Mapping](../../learn/adding-claim-mapping#add-external-claim) + . +5. Ensure that the + ` urn:ietf:params:scim:schemas:core:2.0:User:emails.work ` + is mapped to the claim. + +Execute one of the following commands to start the Identity Server. 
+ +- On Windows: ` /bin/wso2server.bat --run ` +- On Linux/Mac OS: ` sh ` + ` /bin/wso2server.sh ` + +After the server has started up successfully, you can query the SCIM 2.0 +REST endpoints. For simplicity, cURL commands are used here to send CRUD +requests to the SCIM 2.0 REST endpoints of WSO2 Identity Server. + +!!! note "Extending the SCIM API" + If you want to add any custom attributes, you can use the user schema + extension in addition to core user schema. To add attributes with the + user schema extension, do the following: + + 1. Enable the user schema extension by setting the + ` ` property to + **true** in the ` charon-config.xml ` file that + you placed in the + ` /repository/conf/identity ` folder. + + ``` java + true + ``` + + 2. Define the extension by adding attributes in the following format in + the ` scim2-schema-extension.config ` file that + you placed in the ` /repository/conf/ ` + folder. + + ``` java + { + "attributeURI":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:askPassword", + "attributeName":"askPassword", + "dataType":"boolean", + "multiValued":"false", + "description":"Enable password change required notification in the user creation.", + "required":"false", + "caseExact":"false", + "mutability":"readwrite", + "returned":"default", + "uniqueness":"none", + "subAttributes":"null", + "canonicalValues":[], + "referenceTypes":[] + } + ``` + + 3. Add the attribute names of the attributes that you added to the + ` scim2-schema-extension.config ` file as + ` subAttributes ` of the + ` wso2Extension ` attribute as seen in the code + block below. 
+ + ``` java + { + "attributeURI":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", + "attributeName":"EnterpriseUser", + "dataType":"complex", + "multiValued":"false", + "description":"Enterprise User", + "required":"false", + "caseExact":"false", + "mutability":"readWrite", + "returned":"default", + "uniqueness":"none", + "subAttributes":"askPassword employeeNumber costCenter organization division department manager", + "canonicalValues":[], + "referenceTypes":["external"] + } + ``` + + 4. Define a new claim dialect for the extension schema with the dialect + URI you used in defining the extension. For more information on how + to do this, see [Adding Claim + Dialects](../../learn/adding-claim-dialects) + . + The following code block shows an example of a claim dialect for the + custom attributes given above. + + ``` java + urn:ietf:params:scim:schemas:extension:enterprise:2.0:User + ``` + + 5. Once you add a custom attribute, add a claim mapping for the custom + attribute. + To do this, open the ` claim-config.xml ` file + found in the ` /respository/conf ` + folder, and add the claim with the relevant property values. The + code block below shows an example of a claim mapping. + + ``` java + + urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:askPassword + Ask Password + postOfficeBox + Temporary claim to invoke email ask Password feature + + 1 + + http://wso2.org/claims/identity/askPassword + + ``` + + 6. Next, add the claim mapping in the relevant tenant through the + management console. To do this, login using tenant credentails and + map the claim. + For more information on adding a claim mapping through the + management console, see [Adding Claim + Mapping](../../learn/adding-claim-mapping#add-external-claim) + . + + !!! 
info + It is recommended to configure through both the management console + and the ` claim-config.xml ` file because the + configuration made in the config file will ensure that this claim is + available for all tenants created in future but it needs to be + mapped in the management console in order to map the claim for + exisiting tenants. + +### Try it out + +Once you have successfully configured the SCIM 2.0 provisioning +connector with WSO2 Identity Server, you can test any SCIM 2.0 REST call +with WSO2 Identity Server using cURL commands. + +The default permissions required to access each resource in SCIM 2.0 are +given below. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EndpointHTTP MethodPermission
/scim2/Users
POST
/permission/admin/manage/identity/usermgt/create
/scim2/Users
GET
/permission/admin/manage/identity/usermgt/list
/scim2/Groups
POST
/permission/admin/manage/identity/rolemgt/create
/scim2/Groups
GET
/permission/admin/manage/identity/rolemgt/view
/scim2/Users/(.*)
GET
/permission/admin/manage/identity/usermgt/view
/scim2/Users/(.*)
PUT
/permission/admin/manage/identity/usermgt/update
/scim2/Users/(.*)
PATCH
/permission/admin/manage/identity/usermgt/update
/scim2/Users/(.*)
DELETE
/permission/admin/manage/identity/usermgt/delete
/scim2/Groups/(.*)
GET
/permission/admin/manage/identity/rolemgt/view
/scim2/Groups/(.*)
PUT
/permission/admin/manage/identity/rolemgt/update
/scim2/Groups/(.*)
PATCH
/permission/admin/manage/identity/rolemgt/update
/scim2/Groups/(.*)
DELETE
/permission/admin/manage/identity/rolemgt/delete
/scim2/Me
GET
/permission/admin/login
/scim2/Me
DELETE
/permission/admin/login
/scim2/Me
PUT
/permission/admin/login
/scim2/Me
PATCH
/permission/admin/login
/scim2/Me
POST
/permission/admin/manage/identity/usermgt/create
/scim2/ServiceProviderConfig
all-
/scim2/ResourceType
all-
/scim2/Bulk
all
/permission/admin/manage/identity/usermgt
+ +!!! tip "Tenant mode" + In order to provision resources to a different tenant, change the + authorization header and the URL of the endpoint as seen below and use + the commands given below. + + **authorization header** + + ``` java + --user kim@test.com:kimpass + ``` + + **URL** + + ``` java + /t/test.com/scim2 + ``` + + If you are using a tenant endpoint for invoking, you can use a command + similar to the following ('adding user' as an example) : + + **Request** + + ``` java + curl -v -k --user kim@test.com:admin --data '{"schemas":[],"name":{"familyName":"jayawardana","givenName":"vindula"},"userName":"pavinaa","password":"vindula","emails":[{"primary":true,"value":"vindula_home.com","type":"home"},{"value":"vindula_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/t/test.com/scim2/Users + ``` + + +#### /Users Endpoint + +The following commands can be used to test the users endpoints. + +**Create** User + +Run the following command to create a user: + +**Request** + +``` java +curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","password":"kimwso2","emails":[{"primary":true,"value":"kim.jackson@gmail.com","type":"home"},{"value":"kim_j@wso2.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users +``` + +**Response** + +``` java +{"emails":[{"type":"home","value":"kim.jackson@gmail.com","primary":true},{"type":"work","value":"kim_j@wso2.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T11:32:36Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"familyName":"jackson","givenName":"kim"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Get** User +Run the following command to 
retrieve a particular user resource using +its unique ID (You will get this ID in the response to the +` create user ` request): + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02 +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T11:32:36Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Update** User + +Run the following command to update the work and home email fields of +the user “kim”: + +**Request** + +``` java +curl -v -k --user admin:admin -X PUT -d '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","emails":[{"value":"kim_j@wso2.com","type":"work"},{"value":"kim.jackson@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02 +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T11:35:29Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Delete** User + +Run the following command to delete the user with the given unique ID: + +**Request** + +``` java +curl -v -k --user admin:admin 
-X DELETE https://localhost:9443/scim2/Users/b228b59d-db19-4064-b637-d33c31209fae -H "Accept: application/json" +``` + +**Response** + +``` java +HTTP/1.1 204 No Content +``` + +**Patch** User + +The following commands can be used to update a user using the unique ID +of the user. + +**Patch** Add + +Run the following command to add a nickname value to the user with the +given unique ID: + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"shaggy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/92dbbfb8-867f-4fbc-afbf-a2bda12c09b1 +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T12:04:14Z","resourceType":"User"},"nickName":"shaggy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Patch** Remove + +Run the following command to remove all email addresses from the user: + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"emails"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee +``` + +**Response** + +``` java 
+{"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:43:02Z","resourceType":"User"},"nickName":"shaggy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +Run the following command to remove email addresses where type is equal +to 'home' from the user: + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"emails[type eq home]"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"kim_j@wso2.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:45:19Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Patch** Replace + +Run the following command to replace attribute values of the user: + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","value":{"EnterpriseUser":{"employeeNumber":"113","manager":{"value":"Alex"}}},"nickName":"Al"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee +``` + +**Response** + +``` java 
+{"emails":[{"type":"work","value":"kim_j@wso2.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:47:43Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +Run the following command to replace the value of the email addresses +where type is equal to 'work': + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","path":"emails[type eq work].value","value":"kim.info@gmail.com"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1819c1b4-e30e-41ca-b40c-48140fffffee +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**List** User + +Run the following command to retrieve all user resources in the user +store: + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Users +``` + +**Response** + +``` java 
+{"totalResults":2,"startIndex":1,"itemsPerPage":2,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"emails":[{"type":"home","value":"johndoe@gmail.com"}],"meta":{"created":"2017-07-17T11:39:00Z","lastModified":"2017-07-17T11:39:34Z"},"name":{"givenName":"John","familyName":"Doe"},"id":"71f3d46c-1abc-41d0-8fc5-9bf2eaa255df","userName":"John"},{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"}]} +``` + +!!! tip + + Proper use of ‘attributes’ and ‘excludedAttributes’ parameters + with any operation on any endpoint can highly increase the performance. + + **attributes** + + Add attributes to the endpoint as seen below to define which particular + attributes the API should return. + + ``` java + curl -v -k --user admin:admin https://localhost:9443/scim2/Users?attributes=userName,name.familyName,emails.value + ``` + + **excluded attributes** + + Add excluded attributes to the endpoint as seen below to define which + particular attributes the API should exclude from the response. + + ``` java + curl -v -k --user admin:admin https://localhost:9443/scim2/Users?excludedAttributes=emails,meta + ``` + + +**Filter** User + +Since CRUD operations have to be performed using the SCIM ID that is +unique to the service provider, the Users REST endpoint also supports +the filter operation. 
+Run the following to filter a user using an attribute value: + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Users?filter=userName+Eq+kim +``` + +**Response** + +``` java +{"totalResults":1,"startIndex":1,"itemsPerPage":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"}]} +``` + +#### /Groups Endpoint + +The following commands can be used to test the group endpoints. + +**Create** Group + +Run the following command to create a group: + +**Request** + +``` java +curl -v -k --user admin:admin --data '{"displayName": "engineer","members": [{"value":"316214c0-dd7e-4dc3-bed8-e91227d32597","display": "kim"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups +``` + +**Response** + +``` java +{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z","resourceType":"Group"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} +``` + +**Get** Group + +Run the following command to retrieve a particular group resource using +its unique ID (You will get this ID in the response to the +` create group ` request): + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Groups/0032fd29-55a9-4fb9-be82-b1c97c073f02 +``` + +**Response** + +``` java 
+{"displayName":"engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} +``` + +**Update** Group + +Run the following command to update the group: + +**Request** + +``` java +curl -v -k --user admin:admin -X PUT -d '{"displayName": "students","members":[{"value":"d96f4b29-1e29-4986-9ed5-ff61ab506748","display":"sam"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/0d97ab74-0b1f-4c10-80f9-457bf0e0f2aa +``` + +**Response** + +``` java +{"displayName":"PRIMARY/Students","meta":{"created":"2017-10-09T14:49:22Z","location":"https://localhost:9443/scim2/Groups/0959900d-cdba-4f3c-9020-5db5860ac86d","lastModified":"2017-10-09T14:56:32Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"sam","value":"4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}],"id":"0959900d-cdba-4f3c-9020-5db5860ac86d"} +``` + + +**Delete** Group + +Run the following command to delete the group using its unique ID: + +**Request** + +``` java +curl -v -k --user admin:admin -X DELETE https://localhost:9443/scim2/Groups/484cdc26-9136-427b-ad9e-96ea3082e1f5 -H "Accept: application/json" +``` + +**Response** + +``` java +HTTP/1.1 204 No Content +``` + +**Patch** Group + +The following commands can be used to update a group using the unique ID +of the group. + +**Patch** Add + +Run the following command to add a new member to the group. 
+ +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"members":[{"display": "sam","$ref":"https://localhost:9443/scim2/Users/4b3e60d5-e0c3-4dd6-aaa2-3976096e029b","value": "4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}]}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc +``` + +**Response** + +``` java +{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T15:22:07Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"},{"display":"sam","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","$ref":"https://localhost:9443/scim2/Users/4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} +``` + +**Patch** Remove + +Run the following command to remove a member of the group: + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"members[display eq kim]"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc +``` + +**Response** + +``` java +{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T22:57:57Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"sam","value":"4b3e60d5-e0c3-4dd6-aaa2-3976096e029b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} +``` + +**Patch** Replace + +Run the following command to replace a member of the group with another +member: + +**Request** + +``` java +curl -v -k --user admin:admin -X PATCH -d 
'{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","path":"members[display eq sam]","value":{"value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","display":"kim"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc +``` + +**Response** + +``` java +{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T22:59:51Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"} +``` + +**List** Group + +Run the following command to retrieve a all group resources in the user +store. + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Groups +``` + +**Response** + +``` java +{"totalResults":1,"startIndex":1,"itemsPerPage":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z"},"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}]} +``` + +!!! tip + Proper use of ‘attributes’ and ‘excludedAttributes’ parameters + with any operation on any endpoint can highly increase the performance. + + **attributes** + + Add attributes to the endpoint as seen below to define which particular + attributes the API should return. + + ``` java + curl -v -k --user admin:admin https://localhost:9443/scim2/Groups?attributes=displayName + ``` + +**excluded attributes** + +Add excluded attributes to the endpoint as seen below to define which +particular attributes the API should exclude from the response. 
+ + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Groups?excludedAttributes=members +``` + +**Filter** Group + +Since CRUD operations have to be performed using the SCIM ID that is +unique to the service provider, the Groups REST endpoint also supports +the filter operation. +Run the following to filter a group using an attribute value: + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/Groups?filter=displayName+Eq+engineer +``` + +**Response** + +``` java +{"totalResults":1,"startIndex":1,"itemsPerPage":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"displayName":"PRIMARY/engineer","meta":{"created":"2017-10-09T14:42:27Z","location":"https://localhost:9443/scim2/Groups/56d163ba-b6b6-426e-88f4-498a7183f6dc","lastModified":"2017-10-09T14:42:27Z"},"members":[{"display":"kim","value":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b"}],"id":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}]} +``` + +#### /Me Endpoint + +The following commands can be used to test the /Me endpoint. + +**Get** Me + +Run the following command to retrieve the user that is currently +authenticated: + +**Request** + +``` java +curl -v -k --user kim:kimwso2 https://localhost:9443/scim2/Me +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"kim.info@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T13:51:28Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Alex"},"employeeNumber":"113"},"name":{"givenName":"kim","familyName":"jackson"},"groups":[{"display":"engineer","value":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}],"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Create** Me + +Run the following command to register a user anonymously. 
+ +**Request** + +``` java +curl -v -k --data '{"schemas":[],"name":{"familyName":"Johnson","givenName":"Alex"},"userName":"alex","password":"alexwso2","emails":[{"primary":true,"value":"alex.j@gmail.com","type":"home"},{"value":"alex_j@wso2.com","type":"work"}],"EnterpriseUser":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me +``` + +**Response** + +``` java +{"emails":[{"type":"home","value":"alex.j@gmail.com","primary":true},{"type":"work","value":"alex_j@wso2.com"}],"meta":{"created":"2017-10-09T23:05:35Z","location":"https://localhost:9443/scim2/Users/7f2e12fd-7e8e-466f-bde5-d6e4fd45285b","lastModified":"2017-10-09T23:05:35Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"familyName":"Johnson","givenName":"Alex"},"id":"7f2e12fd-7e8e-466f-bde5-d6e4fd45285b","userName":"alex"} +``` + +**Update** Me + +Run the following command to update the user that is currently +authenticated: + +**Request** + +``` java +curl -v -k --user kim:kimwso2 -X PUT -d '{"schemas":[],"name":{"familyName":"Jackson","givenName":"Kim"},"userName":"kim","emails":[{"primary":true,"value":"jacksonk@gmail.com","type":"home"},{"value":"jackson_k@wso2.com","type":"work"}],"EnterpriseUser":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me +``` + +**Response** + +``` java 
+{"emails":[{"type":"work","value":"jackson_k@wso2.com"},{"type":"home","value":"jacksonk@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T23:09:06Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"givenName":"Kim","familyName":"Jackson"},"groups":[{"display":"engineer","value":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}],"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +**Patch** Me +Run the following command to update the user that is currently +authenticated using a particular attribute: + +**Request** + +``` java +curl -v -k --user kim:kimwso2 -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"kimmy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me +``` + +**Response** + +``` java +{"emails":[{"type":"work","value":"jackson_k@wso2.com"},{"type":"home","value":"jacksonk@gmail.com"}],"meta":{"created":"2017-10-09T11:32:36Z","location":"https://localhost:9443/scim2/Users/8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","lastModified":"2017-10-09T23:11:04Z","resourceType":"User"},"nickName":"kimmy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"givenName":"Kim","familyName":"Jackson"},"groups":[{"display":"engineer","value":"56d163ba-b6b6-426e-88f4-498a7183f6dc"}],"id":"8ce382ae-2a56-4c3e-bb57-75b29cd4d30b","userName":"kim"} +``` + +#### /Bulk Endpoint + +Run the following command to create multiple users via one SCIM request: + +**Request** + +``` java +curl -v -k --user admin:admin --data 
'{"failOnErrors":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],"Operations":[{"method": "POST","path": "/Users","bulkId": "qwerty","data":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName": "Kris","password":"krispass"}},{"method": "POST","path": "/Users","bulkId":"ytrewq","data":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"Jesse","password":"jessepass","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber": "11250","manager": {"value": "bulkId:qwerty"}}}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Bulk +``` + +**Response** + +``` java +{"schemas":["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],"Operations":[{"bulkId":"qwerty","method":"POST","location":"https://localhost:9443/scim2/Users/e9c0cec1-924c-47d6-82d5-82ed11ad7c68","status":{"code":201}},{"bulkId":"ytrewq","method":"POST","location":"https://localhost:9443/scim2/Users/59de8734-e56f-4e17-84b3-8d3a8c005248","status":{"code":201}}]} +``` + +#### /ServiceProviderConfig Endpoint + +**Get** Config + +Run the following command to retrieve the service provider's +configuration details: + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/ServiceProviderConfig +``` + +**Response** + +``` java +{"patch":{"supported":true},"filter":{"maxResults":200,"supported":true},"documentationUri":"http://example.com/help/scim.html","authenticationSchemes":[{"name":"OAuth Bearer Token","description":"Authentication scheme using the OAuth Bearer Token Standard","specURI":"http://www.rfc-editor.org/info/rfc6750","type":"oauthbearertoken","primary":true},{"name":"HTTP Basic","description":"Authentication scheme using the HTTP Basic 
Standard","specURI":"http://www.rfc-editor.org/info/rfc2617","type":"httpbasic","primary":false}],"schemas":["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],"etag":{"supported":false},"sort":{"supported":false},"bulk":{"maxPayloadSize":1048576,"maxOperations":1000,"supported":true},"changePassword":{"supported":false}} +``` + +#### /ResourceType Endpoint + +**Get** Resource Types + +Run the following command to retrieve metadata about a resource type: + +**Request** + +``` java +curl -v -k --user admin:admin https://localhost:9443/scim2/ResourceType +``` + +**Response** + +``` java +{"schemas":["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],"resourceType":[{"schema":"urn:ietf:params:scim:schemas:core:2.0:User","endpoint":"/Users","meta":{"location":"https://localhost:9443/scim2/ResourceType/User","resourceType":"ResourceType"},"name":"User","description":"User Account","schemaExtensions":{"schema":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User","required":false},"id":"User"},{"schema":"urn:ietf:params:scim:schemas:core:2.0:Group","endpoint":"/Groups","meta":{"location":"https://localhost:9443/scim2/ResourceType/Group","resourceType":"ResourceType"},"name":"Group","description":"Group","id":"Group"}]} +``` \ No newline at end of file diff --git a/en/docs/develop/smsotp-authenticator.md b/en/docs/develop/smsotp-authenticator.md index 1d1a63807b..7534fed464 100644 --- a/en/docs/develop/smsotp-authenticator.md +++ b/en/docs/develop/smsotp-authenticator.md 
@@ -1,15 +1,556 @@ -# SMSOTP Authenticator +# Configuring Multi-factor Authentication using SMSOTP The SMSOTP authenticator allows you to authenticate user via short messages through WSO2 IS. -### Getting started +This topic provides instructions on how to configure the SMS OTP +connector and the WSO2 Identity Server (WSO2 IS) to integrate using a +sample app. This is configured so that SMSOTP is a second authentication +factor for the sample application. See the following sections for more +information. -To get started with the authenticator, go to [Configuring SMSOTP -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+SMSOTP+Authenticator) -Operations. Once you have completed your configurations, you can perform -authentication with the SMSOTP authenticator +To know more about the WSO2 Identity Server versions supported by this +connector, see the [WSO2 +store](https://store.wso2.com/store/assets/isconnector/details/462ce8e9-8274-496c-a1c3-8aa40168bb1b). -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/smsotp](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22smsotp%22) +This connector is supported by default from WSO2 Identity Server 5.4.0 +onwards. + +!!! note + These configurations work with 2.0.9 to 2.0.12 version of the + connector. If you have a older version, upgrade the connector and + artifacts to the latest version from the [connector + store](https://store.wso2.com/store/assets/isconnector/details/ec6a18ae-4763-4958-bc61-8e12f5b441ac). + + The connector that is shipped OOTB with WSO2 Identity Server 5.3.0 is + connector version 2.0.6. Therefore, if you are using WSO2 IS 5.3.0, + upgrade the connector and artifacts to version 2.0.9 before you begin. + Also the connector that is shipped OOTB with WSO2 Identity Server 5.7.0 + is connector version 2.0.15. 
+ + +### Deploying SMS OTP artifacts + +The artifacts can be obtained from [the store for this +authenticator](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22smsotp%22) . + +1. Place the ` smsotpauthenticationendpoint.war ` + file inside the + ` /repository/deployment/server/webapps ` + directory. +2. Place the + ` org.wso2.carbon.extension.identity.authenticator.smsotp.connector-2.X.X.jar ` + file inside the + ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the SMS OTP Authenticator in your existing + WSO2 IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +3. Add the following configurations in the + ` /repository/conf/identity/application-authentication.xml ` + file under the ` ` + section. + + ``` xml + + https://localhost:9443/smsotpauthenticationendpoint/smsotp.jsp + https://localhost:9443/smsotpauthenticationendpoint/smsotpError.jsp + https://localhost:9443/smsotpauthenticationendpoint/mobile.jsp + true + true + true + false + false + association + primary + true + false + + ``` + + The following table includes the definition of the parameters and + the various values you can configure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription
RetryEnable
This field makes it possible to retry the code if the user uses the wrong code. This value can be true or false.
ResendEnable
This parameter makes it possible to resend the code in the same page if user enters the wrong code. This value can be true or false.
SMSOTPEnableByUserClaim
This field makes it possible to disable the 'SMS OTP disabling by user' functionality. The value can be true or false . If the value is true , the user can enable and disable the SMS OTP according to what the admin selects ( SMSOTPMandatory parameter value).
BackupCode
The backup code is used instead of the actual SMS code. The value can be true or false . If you do not want backup codes, set this as false . You can skip the steps 6.a and 7 in the Configuring claims section. +
SMSOTPMandatory
If the value is true , the second step is enabled by the admin. The user cannot be authenticated without the SMS OTP authentication. This parameter is used for both the super tenant and tenant in the configuration. The value can be true or false.
SendOTPDirectlyToMobile
In the SMSOTPMandatory case, if the user does not exist in user store and if the admin enables SendOTPDirectlyToMobile as true, then the user can enter the mobile number during the time of authentication and the OTP will directly send to that mobile number.
CaptureAndUpdateMobileNumber
In the SMSOTPMandatory case, if the user or admin forgets to update the mobile number in the user's profile and this property is true, then the user can update a mobile claim during the time of authentication (logging in for the first time) and ask the user to enter the mobile number to send the OTP.
+ This update functionality happen when logging in for the first time only. Once the user updates the mobile number, the next time the user logs in the mobile number is taken from specific user's profile.
usecase This field can take one of the following values: local , association , userAttribute , subjectUri . If you do not specify any usecase , the default value is local .
secondaryUserstore

The user store configuration is maintained per tenant as comma separated values. For example, <Parameter name="secondaryUserstore">jdbc , abc , and xyz</Parameter> .
+

screenUserAttribute If you need to show n digits of mobile number or any other user attribute value in the User Interface (UI), This parameter is used to pick the claim URI.
order Define the order of the n numbers you provide, such as the from the first or last or vice versa. The possible values for this property is backward or forward.
noOfDigits The number of digits of claim value to show in UI. If the mobile claim selected for the property screenUserAttribute and if the noOfDigitsproperty has the value 4 then we can show the mobile number according to the property order. If the order is backward, then we can show the last 4 digits of mobile claim in the UI.
+ + An admin can change the priority of the SMSOTP authenticator by + changing the ` SMSOTPMandatory ` value ( + ` true ` or ` false ` + ). + + - If the Admin specifies that SMS OTP is mandatory ( + ` true) ` + , you must enable SMS OTP in the user’s profile by adding the + claim value as true in order to authenticate the user. If this + is not done, the SMSOTP error page appears. + - If the Admin specifies that SMSOTP is optional ( + ` false) ` + and you enable SMS OTP in the user's profile, the authenticator + allows the user to login with the SMS OTP authentication as a + second step (multi-step authentication). If the Admin + specifies that the SMS OTP is optional and you do not enable SMS + OTP in the user's profile, the SMSOTP authenticator proceeds to + log the user in as the first step (basic authentication). + + The first step may be a local authenticator (basic) or a federated + authenticator (e.g., Facebook, Twitter, etc.) . In federated + authenticator support in first step, the following parameters are + used according to the scenario. + + ``` java + association + jdbc + ``` + + The usecase value can be local, association, + ` userAttribute ` or + ` subjectUri ` . + + + + + + + + + + + + + + + + + + + + +
local

This is based on the federated username. This is the default value. You must set the federated username in the localuserstore. Basically, the federated username must be the same as the local username.

association

The federated username must be associated with the local account in advance in the Dashboard. So the local username is retrieved from the association. To associate the user, log into the end user dashboard and go to Associated Account by clicking View details .

userAttribute
+

The name of the  federatedauthenticator's user attribute. That is,the local user namewhich is contained in a federated user's attribute. When using this, add the following parameter under the <AuthenticatorConfig name="SMSOTP" enabled="true"> section in the <IS_HOME>/repository/conf/identity/application-authentication.xml file and put the value (e.g., email, screen_name, id, etc.).

+ +

If you use, OpenID Connect supported authenticators such as LinkedIn, Foursquare, etc., or in the case of multiple social login options as the first step and SMSOTP as secondstep, you need to add similar configuration for the specific authenticator in the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the < AuthenticatorConfigs > section as follows (the following shows the configuration forFoursquare,LinkedIn and Facebook authenticator respectively).

+

Inside the AuthenticatorConfig (i.e., Foursquare), add the specific userAttribute with a prefix of the (current step) authenticator name (i.e., SMSOTP-userAttribute).

+ + + +

Likewise, you can add the AuthenticatorConfig forAmazon,Google,Twitterand Instagram with relevant values.

+
subjectUri

When configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the SMSOTP authenticator.

+ + If you use the secondary userstore, enter all the userstore values + for the particular tenant as comma separated values. + + !!! info + The user store configuration is maintained per tenant: + + - If you use a **super tenant,** put all the parameter values into + the + ` /repository/conf/identity/application-authentication.xml ` + file under the + ` AuthenticatorConfigs ` section. + + + + - If you use a **tenant**, upload the same XML file ( + ` application-authentication.xml ` ) + into a specific registry location ( + ` /_system/governance/SMSOTP) ` . + Create the collection named + ` SMSOTP `, add the resource and + upload the + ` application-authentication.xml ` + file into theregistry). While doing the authentication, first it + checks whether there is an XML file uploaded to the registry. If + that is so, it reads it from the registry but does not take the + local file. If there is no file in the registry, then it only + takes the property values from the local file. This is how + theuserstore configuration is maintained per tenant. You can use + the registry or local file to get the property values. + + If you need to show last n digits of mobile number or any other user + attribute value in UI,  the following parameters can be used  + according to the scenario. For example, we can use the following + parameters to get last 4 digits from mobile number. + + ``` xml + http://wso2.org/claims/mobile + 4 + backward + ``` + +The SMS provider is the entity that is used to send the SMS. The SMSOTP +connector has been configured such that it can be used with most types +of SMS APIs. Some use the GET method with the client secret and API Key +encoded in the URL (e.g., Nexmo), while some may use the POST method +when sending the values in the headers and the message and telephone +number in the payload (e.g., Clickatell). Note that this could change +significantly between different SMS providers. 
The configuration of the +connector in the identity provider would also change based on this. + +### Deploying [travelocity.com](http://travelocity.com) sample + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and a [service provider](../../learn/adding-and-configuring-a-service-provider). + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and + [run it](../../setup/running-the-product). +2. Download the certificate of the SMS provider. Go to the link (eg:- + [https://www.nexmo.com)](https://www.nexmo.com/) in your browser, + and then click the HTTPS trust icon on the address bar (e.g., the + padlock next to the URL in Chrome) +3. Import that certificate into the IS client keystore. + ` keytool -importcert -file -keystore /repository/resources/security/client-truststore.jks -alias "Nexmo" ` + + Default client-truststore.jks password is "wso2carbon" + +4. Log into the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. + +5. In the **Identity** section under the **Main** tab of the management + console, click **Add** under **Identity Providers**. + +6. Give a suitable name (e.g., SMSOTP) as the **Identity Provider + Name**. + +7. Go to the **SMSOTP Configuration** under **Federated + Authenticators**. + +8. Select both checkboxes to **Enable SMSOTP Authenticator** and make + it the **Default**. + +9. Enter the SMS URL and the HTTP Method used (e.g., GET or POST). + Include the headers and payload if the API uses any. 
If the text + message and the phone number are passed as parameters in any field, + then include them as $ctx.num and $ctx.msg respectively. You must + also enter the HTTP Response Code the SMS service provider sends + when the API is successfully called. Nexmo API and Bulksms API send + 200 as the code, while Clickatell and Plivo send 202. If this value + is unknown, leave it blank and the connector checks if the response + is 200, 201 or 202. + + **Note** : If Nexmo is used as the SMS provider, + + 1. Go to and click free + signup and register. + 2. Under **API Settings** in **Settings**, copy and save the API + key and Secret. + 3. The Nexmo API requires the parameters to be encoded in the URL, + so the SMS URL would be as follows. + + | | | + |-------------|------------------------------------------------------------------------------------------------------------------------------------| + | SMS URL | *https://rest.nexmo.com/sms/json?api\_key=\*\*\*\*\*\*\*\*\*&api\_secret=\*\*\*\*\*\*\*\*&from=NEXMO&to= $ctx.num &text= $ctx.msg* | + | HTTP Method | GET | + + **Note** : If Clickatell is used as the SMS provider, + + 1. Go to and create + an account. + 2. The auth token is provided when you register with Clickatell. + + 3. Clickatell uses a POST method with headers and the text message + and phone number are sent as the payload. So the fields would be + as follows. + + | | | + |--------------|-------------------------------------------------------------------------------------------------------------| + | SMS URL | https://api.clickatell.com/rest/message | + | HTTP Method | POST | + | HTTP Headers | X-Version: 1,Authorization: bearer \*\*\*\*\*\*\*\*,Accept: application/json,Content-Type: application/json | + | HTTP Payload | {"text":" $ctx.msg ","to":\[" $ctx.num "\]} | + + **Note** : If Plivo is used as the SMS provider, + + 1. 
Sign up for a free [Plivo trial + account](https://manage.plivo.com/accounts/register/?utm_source=send%bulk%20sms&utm_medium=sms-docs&utm_campaign=internal) + . + 2. Phone numbers must be verified at the [Sandbox + Numbers](https://manage.plivo.com/sandbox-numbers/) page (add at + least two numbers and verify them). + + 3. The Plivo API is authenticated with Basic Auth using your + ` AUTH ID ` and + ` AUTH TOKEN `, Your Plivo + ` AUTH ID ` and + ` AUTH TOKEN ` can be found when you + log in to your [dashboard.](https://manage.plivo.com/dashboard/) + 4. Plivo uses a POST method with headers, and the text message and + phone number are sent as the payload. So the fields would be as + follows. + + + + + + + + + + + + + + + + + + + + + + + + +
SMS URL

https://api.plivo.com/v1/Account/{auth_id}/Message/

HTTP MethodPOST
HTTP HeadersAuthorization: Basic ********,Content-Type: application/json
HTTP Payload{"src":"+94*********","dst":"$ctx.num","text":"$ctx.msg"}
+ + **Note** : If Bulksms is used as the SMS provider, + + 1. Go to and create an account. + 2. While registering the account, verify your mobile number and + click **Claim** to get free credits. + ![](../../assets/img/48276901/51449676.png) + + 3. Bulksms API authentication is performed by providing username + and password request parameters. + 4. Bulksms uses a POST method and the required parameters are to be + encoded in the URL. So the fields would be as follows. + + | | | + |--------------|-----------------------------------------------------------------------------------------------------------------------------------------| + | SMS URL | https://bulksms.vsms.net/eapi/submission/send\_sms/2/2.0?username=\*\*\*\*\*\*\*&password=\*\*\*\*\*\*&message=$ctx.msg&msisdn=$ctx.num | + | HTTP Method | POST | + | HTTP Headers | Content-Type: application/x-www-form-urlencoded | + + + + **Note** : If Twilio is used as the SMS provider, + + 1. Go to and create an account. + 2. While registering the account, verify your mobile number and + click on console home to get + free credits (Account SID and Auth Token). + + 3. Twilio uses a POST method with headers and the text message and + phone number are sent as the payload. So the fields would be as + follows. + + | | | + |--------------|---------------------------------------------------------------------------| + | SMS URL | https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json | + | HTTP Method | POST | + | HTTP Headers | Authorization: Basic base64{AccountSID:AuthToken} | + | HTTP Payload | Body=$ctx.msg&To=$ctx.num&From=urlencode{FROM\_NUM} | + + + +10. Click **Update** and you have now added and configured the + Identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Identity** section under the **Main** tab, click **Add** + under **Service Providers**. + +3. 
Enter **[travelocity.com](http://travelocity.com)** in the **Service + Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + + ![](../../assets/img/48276901/48211841.png) + +5. Now set the configuration as follows: + + 1. **Issuer** : [travelocity.com](http://travelocity.com) + + 2. **Assertion Consumer URL** : + http://localhost:8080/travelocity.com/home.jsp + +6. Select the following check-boxes: + 1. **Enable Response Signing** + + 2. **Enable Single Logout** + + 3. **Enable Attribute Profile** + + 4. **Include Attributes in the Response Always** + +7. Click **Update** to save the changes. Now you will be sent back to + the Service Providers page. + +8. Go to **Claim configuration** and select the mobile claim. + + ![](../../assets/img/48276901/48211842.png) + +9. Go to **Local and Outbound Authentication Configuration** section. + +10. Select the **Advanced configuration** radio button option. + +11. Add the **basic** authentication as first step and **SMSOTP** + authentication as a second step. Adding basic authentication as a + first step ensures that the first step of authentication will be + done using the user's credentials that are configured with the WSO2 + Identity Server. SMSOTP is a second step that adds another layer of + authentication and security. + ![](../../assets/img/48276901/49222039.png) + +12. Alternatively, federated authentication as the first step and SMSOTP + authentication as the second step and click **Update** to save the + changes. + +You have now added and configured the service provider. + +### Configuring claims + +1. Select **List** under **Users** **and** **Roles** in the IS + Management Console. +2. Go to the **User Profile** and update the mobile number (this number + must be registered with Nexmo in order to send SMS). 
+ ![](../../assets/img/48276901/49222049.png) + **Note:** If you wish to use the backup codes to authenticate, you + can add the following claim, otherwise you can leave it. +3. In the **Main** menu, click **Add** under **Claims**. +4. Click [Add New + Claim](../../learn/adding-claim-mapping) + . +5. Select the **Dialect** from the dropdown provided and enter the + required information. +6. Add the following user claims under ' http://wso2.org/claims' . + 1. Add the claim Uri - + http://wso2.org/claims/identity/smsotp\_disabled . This is an + optional claim for SMSOTP. + 2. Add the claim Uri - http://wso2.org/claims/otpbackupcodes + The backup code claim is an optional. +7. Once you add the above claim, Go to Users → admin →User Profile and + update the Backup codes and user can disable SMS OTP by clicking + "Disable SMS OTP". + + ![](../../assets/img/48276901/57749623.png) + +### Testing the sample + +1. To test the sample, go to the following URL: + [http://localhost:8080/travelocity.com](http://localhost:8080/travelocity.com) + + ![](../../assets/img/48276901/48211814.png) +2. Click the link to log in with SAML from WSO2 Identity Server. + +3. The basic authentication page will be visible. Use your WSO2 + Identity Server credentials to sign in. + ![](../../assets/img/48276901/48211843.png) + +4. You will get a token to your mobile phone.Type the code to + authenticate, You will be taken to the home page of the + [travelocity.com](http://travelocity.com) app. + + !!! note + In case, If you forget the mobile phone number or do not + have access to it, you can use the backup codes to authenticate and + you will be taken to the home page of the + [travelocity.com](http://travelocity.com) application. + + ![](../../assets/img/48276901/49221144.png) + + ![](../../assets/img/48276901/49222070.png) \ No newline at end of file diff --git a/en/docs/develop/token2-authenticator.md b/en/docs/develop/token2-authenticator.md index 9b047a6ffa..e6ceb89ef4 100644 
--- a/en/docs/develop/token2-authenticator.md +++ b/en/docs/develop/token2-authenticator.md 
@@ -1,22 +1,467 @@ -# Token2 Authenticator +# Configuring Multi-factor Authentication using Token2 The Token2 authenticator is configured as a federated authenticator in WSO2 Identity Server to provide multifactor authentication for your organization’s applications. It can be used with a time-based hardware token device that complies with OAuth specifications. -### Getting started +This section provides instructions on how to configure the Token2 +authenticator and WSO2 Identity Server using a sample app. See the +following sections for more information. -To get started with the authenticator, go to [Configuring Multi-factor -Authentication using -Token2](../../develop/configuring-multi-factor-authentication-using-token2). Once -you have completed your configurations, you can perform authentication -with the Token2 authenticator. +!!! info + Token2 Authenticator is supported by WSO2 Identity Server versions 5.1.0 + and 5.2.0. -### Additional information +### Deploying Token2 artifacts -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/token2](https://store.wso2.com/store/assets/isconnector/details/265c3cea-a82f-4241-9262-30747456f33d) +The artifacts can be obtained from [the store for this +authenticator](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22token2%22) . - +1. Place the ` token2authenticationendpoint. ` war + file into the + ` /repository/deployment/server/webapps ` + directory. +2. Place the + ` org.wso2.carbon.extension.identity.authenticator.token2.connector-1.0.0.jar ` + file into the + ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the Token2 Authenticator in your existing IS + pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Token2 hardware device + +1. Register a Token2 account using " ". + Ensure that you do the following. + 1. 
Enter the **Mobile phone number** in e164 format (+ 94 77 \*\* + \*\* \*\*\* ) + 2. Select **SMS Based** as the **User type**. + 3. Click **Register**. + ![](../../assets/img/53120841/53284895.png) +2. Once you have registered with Token2, log in using your email, + password and the OTP that is sent to the registered mobile number + through Token2. +3. Add a new site using " " and obtain the + API Key and site\_id for the site. +4. As mentioned in the [Token2 API + page](https://token2.com/?content=api), create the user and you can + find the userid in the response . +5. You have to obtain the hardware token device and send the userid, + site\_id and token serial number to Token2 support to enable it. +6. Then logout and login again with your email, password and use the + token generated in the hardware token device . + +You have now enabled the token2 hardware device. + +### Deploying [travelocity.com](http://travelocity.com) sample + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +O nce this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and a [service provider](../../learn/adding-and-configuring-a-service-provider). + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) +. + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). + +2. [Run the WSO2 Identity + Server](../../setup/running-the-product). +3. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +4. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +5. Give a suitable name for **Identity Provider Name** (e.g., token2 ). +6. 
Navigate to **Token2Authenticator Configuration** under **Federated + Authenticators**. +7. Select both check boxes to **Enable** the Token2 authenticator and + make it the **Default**. + ![](../../assets/img/53120841/53284908.png) + +8. Enter the following values: + + | Field | Description | Sample Value | + |--------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| + | ApiKey | This is the API key you obtained when [configuring the Token2 hardware device](_Configuring_Multi-factor_Authentication_using_Token2_). | ` 7cf6eof73be1c38952ca81dd68a ` | + | Callback URL | This is the service provider's URL to which the code is sent. | ` https://localhost:9443/commonauth ` | + +9. Click **Register**. + You have now added the identity provider. + +### Configuring user claims + +1. In the **Main** menu, click **Add** under **Claims**. +2. Click [Add New + Claim](../../learn/adding-claim-mapping). +3. Click **Add Local Claim**. The **Dialect URI** will be + automatically set to + ` http://wso2.org/claims ` + , which is the internal claim dialect . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Claim detailsDescriptionSample
Claim URIThis is the URI defined under the dialect, specific to the claim. There are different URIs available in the Identity Server and these equate to user attributes displayed in the profile of users. These URIs are mapped to the attributes in the underlying user store. http://wso2.org/claims/identity/userid
Display NameThis is the name of the claim displayed on the UI. This can be viewed in the user's profile by navigating to the Main tab in the management console and clicking List in Users and Roles . In the resulting page, click Users and in the list of users that is displayed, click User Profile next to the one you wish to check. User Id
DescriptionThis gives you the option to describe the functionality of the claim. Claim to User Id
Mapped Attribute
+

This is the corresponding attribute name from the underlying user store that is mapped to the Claim URI value.
+
+ When you have multiple user stores connected to the Identity Server, this maps the equivalent attribute in all of them to the Claim URI you are configuring.
+ For example, if you specify the cn attribute, this is mapped to the cn attribute in all the connected user stores. If you want to specify the attribute in a specific user store, you must add the domain name in addition to the mapped claim. For example, in a scenario where you have a primary user store configured called PRIMARY and secondary user stores called AD (representing Active Directory), you can map an attribute from each of these user stores to the Claim URI value by clicking Add Attribute Mapping, selecting the respective user store from the drop-down list, and mentioning the attribute of the userstore the attribute needs to be mapped to.
+ Example:
+

+
stateOrProvinceName
Regular ExpressionThis is the regular expression used to validate inputs. Example : For a claim URI like http://wso2.org/claims/email the regex should be something like ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ . This will validate the claim value and will not let other values except an email.
+
Display OrderThis enables you to specify the order in which the claim is displayed, among the other claims defined under the same dialect.
+
Supported by DefaultIf unchecked, this claim will not be prompted during user registration.
+
RequiredThis specifies whether this claim is required for user registration.
+
Read-onlyThis specifies whether the claim is read-only or not. If the claim is read-only, it can't be updated by the user.
+
Additional PropertiesThese properties are not currently used in current WSO2 Identity server. If we need to write an extension using current claims, we can use these property values.
+
+ + ![](../../assets/img/53120841/76748580.png) + +4. Next click **List** under **Main \> Identity \> Users and Roles**. +5. Click **User Profile** under **Admin** and update the + ` User Id ` . + ![](../../assets/img/53120841/76748586.png) + +Now you have configured the claim. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Identity** section under the **Main** tab, click **Add** + under **Service Providers**. + +3. Enter **[travelocity.com](http://travelocity.com)** in the **Service + Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + ![](../../assets/img/53120841/53284577.png) + + ??? note "Click here to view the field definitions" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionSample value
IssuerSpecify the Issuer . This is the <saml:Issuer> element that contains the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider. When configuring single-sign-on across Carbon servers, ensure that this value is equal to the ServiceProviderID value mentioned in the <IS_HOME>/repository/conf/security/authenticators.xml file of the relying party Carbon server.travelocity.com
Assertion Consumer URLsSpecify the Assertion Consumer URLs . This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should have this format: https://(host-name):(port)/acs . You can add multiple assertion consumer URLs for the service provider by entering the URL and clicking the Add button.http://wso2is.local:8080/travelocity.com/home.jsp
Default Assertion Consumer URL
+

Since there can be multiple assertion consumer URLs, you must define a Default Assertion Consumer URL in case you are unable to retrieve it from the authentication request.

+
+

Tips

+

In a service provider initiated single sign-on setup, the following needs to be considered.

+
    +
  • If no ACS URL is given in the < AuthnRequest >, the Identity Server sends the response to the default ACS URL of the service provider (whether the request is signed or not).
  • +
  • If the ACS URL in < AuthnRequest > matches with one of the registered URLs, the Identity Server sends the response to the matched one.
  • +
  • If the ACS URL in < AuthnRequest > does not match any of the registered ACS URLs and if the request is signed, the Identity Server sends the response to the ACS URL in the request only if the signature is valid. Alternatively, the < AuthnRequest > is rejected.
  • +
+

In an identity provider initiated single sign-on setup, the following needs to be considered.

+
    +
  • If the “acs” query parameter is not present in the request, the Identity Server sends the response to default ACS URL of the service provider.
  • +
  • If the "acs” parameter is present and the value of that parameter matches with any of the registered ACS URLs of the service provider, then the Identity Server sends the response to the matched one.
  • +
+
http://wso2is.local:8080/travelocity.com/home.jsp
NameID format
+

Specify the NameID format . This defines the name identifier formats supported by the identity provider. The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID), which should be in some format so that It is easy for the other party to identify it based on the format. Name identifiers are used to provide information regarding a user.

+
+
+

About NameID formats

+

For SSO interactions, you can use the following types of NameID formats.

+
    +
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • +
  • urn:oasis:names: tc :SAML:2.0: nameid -format:transient
  • +
  • urn:oasis:names: tc :SAML:1.1: nameid -format:
  • +
  • emailAddressurn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • +
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • +
  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • +
  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • +
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • +
+

This specifies the name identifier format that the Identity Server wants to receive in the subject of an assertion from a particular identity provider. The following is the default format used by the identity provider.

+
    +
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • +
+
+

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Certificate Alias

Select the Certificate Alias from thedropdown. This is used to validate the signature of SAML2 requests and is used to generate encryption.Basically the service provider’s certificate must be selected here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing atenant specific configuration.

wso2carbon
Response Signing Algorithm

Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity.xml file, in the SSOService element with SAMLDefaultSigningAlgorithmURI tag. If it is not provided the default algorithm is RSA­SHA 1, at URI http:// www.w3.org/2000/09/xmldsig#rsa­sha1 ‘ ’ .

http://www.w3.org/2000/09/xmldsig#rsa­sha1
Response Digest Algorithm

Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity.xml file, in the SSOService element with SAMLDefaultDigestAlgorithmURI tag. If it is not provided the default algorithm is SHA 1, at URI ‘ http://www.w3.org/2000/09/xmldsig#sha1 ’ .

http://www.w3.org/2000/09/xmldsig#sha1
Enable Response SigningSelect Enable Response Signing to sign the SAML2 Responses returned after the authentication process.Selected
Enable SignatureValidation inAuthentication Requests and Logout RequestsSelect Enable Signature Validation in Authentication Requests and Logout Requests if you need this functionality configured. This specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request thatare sent by the service provider.Unselected
Enable Assertion EncryptionEnable Assertion Encryption, if you wish to encrypt the assertion.Unselected
Enable Single LogoutSelect Enable Single Logout so that all sessions are terminated once the user signs out from one server. If single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile. If the service provider supports a different URL for logout, you can enter a SLO Response URL and SLO Request URL for logging out. These URLs indicate where the request and response should go to. If you do not specify this URL, the identity provider uses the Assertion Consumer Service (ACS) URL.Selected
Enable Attribute ProfileSelect Enable Attribute Profile to enable this and add a claim by entering the claim link and clicking the Add Claim button. The Identity Server provides support for a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as part of the attribute statement. Once you select the checkbox to Include Attributes in the Response Always, the identity provider always includes the attribute values related to the selected claims in the SAML attribute statement.Unselected
Enable Audience RestrictionSelect Enable Audience Restriction to restrict the audience. You may add audience members using the Audience text box and clicking the Add button.Unselected
Enable Recipient ValidationSelect this if you require validation from the recipient of the response.Unselected
Enable IdP Initiated SSOSelect the Enable IdP Initiated SSO checkbox to enable this functionality. When this is enabled, the service provider is not required to send the SAML2 request.Unselected
Enable IdP Initiated SLOSelect the Enable IdP Initiated SLO checkbox to enable this functionality. You must specify the URL.Unselected
Enable Assertion Query Request ProfileSelect the Enable Assertion Query Request Profile checkboxto query assertions that are persisted to the database when you loginto the service provider application. For more information, see Querying SAML Assertions .Unselected
+ +5. Now set the configuration as follows: + + 1. **Issuer** : [travelocity.com](http://travelocity.com) + + 2. **Assertion Consumer URL** : + + +6. Select the following check-boxes: + 1. **Enable Response Signing** + + 2. **Enable Single Logout** + + 3. **Enable Attribute Profile** + + 4. **Include Attributes in the Response Always** + +7. Click **Update** to save the changes. Now you will be sent back to + the Service Providers page. + +8. Go to **Claim configuration** and select the userId claim as Subject + Claim URI. + ![](../../assets/img/53120841/53284903.png) + +9. Go to **Local and Outbound Authentication Configuration** section . + +10. Select the **Advanced configuration** radio button option . + +11. Add the **basic** authentication as a first step and **token2** + authentication as a second step . This is done to configure + multi-step authentication. What this means is that a user who logs + in would first have to enter their credentials that are configured + with the Identity Server and then get authenticated using Token2 as + the second step. This is an added security measure and a common use + of the Token2 authenticator. + ![](../../assets/img/53120841/53284914.png) + + ??? note "Click here to view the field definitions" + + + + + + + + + + + + + + + + + + + + + + + + + +
Authentication TypeDetails
Default
+

This is the default authenticator sequence for a configured service provider in the Identity Server. This sequence can be modified by updating following section in the <IS_HOME>/repository/conf/identity/application-authentication. xml file.

+ +
LocalAuthentication

In this case, Identity Server itself authenticate the user. There are three types of local authenticators OOTB in a fresh Identity Server pack.

+
    +
  • The basic authenticator is used to authenticate the user using the credentials available in the Identity Server.
  • +
  • IWA stands for Integrated Windows Authentication and involves automatically authenticating users using their Windows credentials.
  • +
  • FIDO authenticator is a local authenticator that comes with the WSO2 Identity Server. This will handle FIDO authentication requests related key validation against stored keys, the public key,keyhandler, and the counter, attestation certificate of FIDO registered users.
  • +
FederatedAuthenticationIn this case, Identity Server trust third-party Identity provider to perform the user authentication. These Identity providers use various protocols to transfer authentication/authorization related messages. Currently, the Identity Server only supports the following federated authenticators OOTB. +
    +
  • SAML2 Web SSO
  • +
  • OAuth2/OpenID Connect
  • +
  • WS-Federation (Passive)
  • +
  • Facebook
  • +
  • Microsoft (Hotmail, MSN, Live)
  • +
  • Google
  • +
  • SMS OTP
  • +
  • Email OTP
  • +
  • Twitter
  • +
  • Yahoo
  • +
  • IWA Kerberos
  • +
  • Office365
  • +
Advanced ConfigurationAdvanced configurations enable you to add multiple options or steps in authentication. When multiple authentication steps exist, the user is authenticated based on each and every one of these steps. If only one step is added then the user is only authenticated based on the local and/or federated authenticators added in a single step. However, in the case of local and/or federated authenticators, the authentication happens based on any one of the available authenticators.
+ +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + + + ![](../../assets/img/53120841/76748573.png) + +2. Click the link to log in with SAML from WSO2 Identity Server. + +3. Basic authentication page will be visible, use your IS username and + password. + ![](../../assets/img/53120841/76748574.png) + +4. Enter the code that is generated with token2 hardware device to + authenticate. You are directed to the home page of the + [travelocity.com](http://travelocity.com) app. + + ![](../../assets/img/53120841/53284612.png) + + ![](../../assets/img/53120841/53284615.png) diff --git a/en/docs/develop/twitter-authenticator.md b/en/docs/develop/twitter-authenticator.md index 476e0aad5c..45fa2fcf79 100644 --- a/en/docs/develop/twitter-authenticator.md +++ b/en/docs/develop/twitter-authenticator.md @@ -1,4 +1,4 @@ -# Twitter Authenticator +# Configuring Twitter Authenticator The Twitter authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Twitter users to log in to your 
@@ -9,19 +9,183 @@ posts called tweets. The diagram below illustrates the flow of the Twitter federated authenticator. -![](attachments/50515575/76746182.png) +![](../../assets/img/50515575/76746182.png) -### Getting started +This page provides instructions on how to configure the Twitter +authenticator and Identity Server using a sample app. You can find more +information in the following sections. -To get started with the authenticator, go to [Configuring Twitter -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Twitter+Authenticator) -. Once you have completed your configurations, you can authenticate -users using the Twitter authenticator. +!!! info + This is tested with the Twitter API version 1.1 which uses OAuth 1.0a. + Twitter Authenticator is supported by Identity Server 5.1.0 upwards. -### Additional information +### Deploying Twitter artifacts -To download the authenticator and other artifacts, go to -[https://store.wso2.com/store/assets/isconnector/twitter](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22twitter%22) +- Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/). + +- Place the Twitter authenticator .jar file ( + ` org.wso2.carbon.extension.identity.authenticator.twitter.connector-X.X.X.jar ` + ) into the + ` /repository/components/dropins ` + directory. This can be downloaded from [the WSO2 + Store](https://store.wso2.com/store/assets/isconnector/details/51bc4245-9c97-4839-9e3c-c177b20145ee) + . + + !!! note + If you want to upgrade the Twitter Authenticator in your existing IS + pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Twitter App + +1. Create an account at and log in. +2. Navigate to https://apps.twitter.com/ and click **Create New App**. + + - Provide an application name and description. + - For this tutorial, enter ` https:// ` + ` 127.0.0.1 ` as the website URL. 
It is + used as a placeholder since application used for the tutorial is + not publicly available. + - Give the **Callback URL** as + ` https://:9443/commonauth ` + . For example: + ` https://apps.customhost.com:9443/commonauth ` + . + + !!! note + If the Identity Server is running on your local machine, add an + entry as mentioned below and use this host name (here + ` apps.customhost.com ` + ) in your twitter callback url. + + ` 127.0.0.1       apps.customhost.com ` + + - Click **Create your Twitter application**. + + ![](../../assets/img/50515587/75109897.png) + + !!! note + **Callback URL** is the URL to which the browser should be + redirected after the authentication is successful. It should have + this format: + ` https://(host-name):(port)/acs ` + . Here ACS URL (Assertion Consumer URL) is the endpoint in WSO2 + Identity Server which accepts the response sent by Google. + +3. After creating the app, go to the **Keys and Access Tokens** tab to + get the **API Key** and **API Secret**. These are the **Consumer Key** and **Consumer Secret** values shown. + Example: + ![](../../assets/img/50515587/75109896.png) + +### Deploying travelocity.com sample app + +The next step is to [deploy the sample app](../../develop/deploying-the-sample-app) +in order to use it in this scenario. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an identity provider and service provider as shown below. + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by adding a new identity +provider. For more information about the Identity Providers, see +[Configuring an Identity +Provider](../../learn/adding-and-configuring-an-identity-provider) . - +1. [Run the WSO2 Identity + Server](../../setup/running-the-product). + +2. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. 
In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. +4. Give a suitable name for **Identity Provider Name**. Expand + **Federated Authenticators** and expand **TwitterAuthenticator Configuration**. + + ![](../../assets/img/50515587/51249933.png) + + Enter the values as given when you [created the twitter + application](#configuring-the-twitter-app). + - Select both checkboxes to **Enable** the Twitter + authenticator** and make it the Default. + - **API Key** : Consumer Key for your app. + - **API Secret** : Consumer Secret for your app. + - **Callback URL** : Service Provider's URL where code needs to be + sent (e.g., https://apps.customhost.com:9443/commonauth ) + +5. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. + +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + +5. Now set the configuration as follows: + + 1. **Issuer** : ` travelocity.com ` + + 2. **Assertion Consumer URL** : + ` http://localhost:8080/travelocity.com/home.jsp ` + Click A **dd** to add the assertion consumer URL. + + 3. Select the following check-boxes: + - **Enable Response Signing**. + + - **Enable Single Logout**. + + - **Enable Attribute Profile**. + + - **Include Attributes in the Response Always**. + +6. Click **Register** to save the changes. Now you will be sent back to + the **Service Providers** page. + +7. Navigate to the **Local and Outbound Authentication Configuration** + section. + +8. 
Select the identity provider you created from the dropdown list + under **Federated Authentication**. + + ![](../../assets/img/50515587/51249934.png) + +9. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., http://localhost:8080/travelocity.com + +2. Click the option available to log in with SAML from the WSO2 + Identity Server. + + ![](../../assets/img/50515587/80723423.png) + + You are navigated to the Twitter application. Enter the username and + password of your Twitter account to log in. + Example: + ![](../../assets/img/50515587/75109949.png) + +3. Once the authentication is complete, you will be taken to the home + page of the travelocity.com app. + Example: + ![](../../assets/img/50515587/75109950.png) \ No newline at end of file diff --git a/en/docs/develop/upgrading-an-authenticator.md b/en/docs/develop/upgrading-an-authenticator.md index 0e3c7c351c..22f1224489 100644 --- a/en/docs/develop/upgrading-an-authenticator.md +++ b/en/docs/develop/upgrading-an-authenticator.md @@ -3,16 +3,11 @@ This topic provides instructions on how to upgrade a connector and it's artifacts to the latest version in WSO2 Identity Server. -!!! tip - - Before you begin - +!!! tip "Before you begin" Stop WSO2 Identity Server if the server is already running. - 1. Download and extract the latest version of the connector - artifacts (.jar, .war, gadgets etc.,) from the [connector - store](https://store.wso2.com/store/assets/isconnector/list). + artifacts (.jar, .war, gadgets etc.,) from the [connector store](https://store.wso2.com/store/assets/isconnector/list). 2. Replace the old ` .jar ` file found in the ` /repository/components/dropins ` folder with the new ` .jar ` file that you downloaded. 
@@ -37,8 +32,7 @@ artifacts to the latest version in WSO2 Identity Server. according to the specific connector that you are upgrading. !!! note - - **Note:** If you are upgrading the TOTP authenticator, replace the + If you are upgrading the TOTP authenticator, replace the ` user_profile ` folder found in the ` /repository/deployment/server/jaggeryapps/portal/gadgets ` directory with the relevant ` user_profile ` folder diff --git a/en/docs/develop/using-the-totp-api.md b/en/docs/develop/using-the-totp-api.md index 740d9dd6a2..91b69061ad 100644 --- a/en/docs/develop/using-the-totp-api.md +++ b/en/docs/develop/using-the-totp-api.md @@ -1,30 +1,16 @@ # Using the TOTP API !!! warning - **Note** : This is a draft version of this document. - This page guides you through using the TOTP API to enable TOTP authenticator and generate QR-Code url and the different operations you can use to work with it. See the following sections for more information. -- [Configuring user - claims](#UsingtheTOTPAPI-ConfiguringuserclaimsConfiguringuserclaims) -- [Deploying TOTP - artifacts](#UsingtheTOTPAPI-DeployingTOTPartifactsDeployingTOTPartifacts) -- [Enable TOTP admin - service](#UsingtheTOTPAPI-EnableTOTPadminserviceEnableTOTPadminservice) -- [Enable TOTP](#UsingtheTOTPAPI-EnableTOTPEnableTOTP) -- [Disable TOTP](#UsingtheTOTPAPI-DisableTOTPDisableTOTP) -- [Refresh Secret - Key](#UsingtheTOTPAPI-RefreshSecretKeyRefreshSecretKey) - ### Configuring user claims -Add the claims ' **Enable TOTP** ', ' **Encoding** ', and ' **Secret -Key** ' as described in [Configuring user +Add the claims ' **Enable TOTP** ', ' **Encoding** ', and ' **Secret Key** ' as described in [Configuring user claims](https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator#ConfiguringTOTPAuthenticator-ConfiguringUserClaimsConfiguringuserclaims) . 
@@ -105,15 +91,11 @@ encoded QR-Code URL, which is in the format that can be scanned with Google Authenticator Mobile Application. You can decode the QR-Code URL and use any QR-Code generator library to generate the QR-Code. -Using TOTP Authenticator - -You can scan the QR-Code with the Google Authenticator Mobile App and -get the code to authenticate the user using TOTP authenticator. Follow -[Configuring the service -provider](https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator#ConfiguringTOTPAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider) -and [Testing the -sample](https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator#ConfiguringTOTPAuthenticator-TestingthesampleTestingthesample) -to continue the authentication using TOTP. +!!! info "Using TOTP Authenticator" + You can scan the QR-Code with the Google Authenticator Mobile App and + get the code to authenticate the user using TOTP authenticator. Follow + [Configuring the service provider](../../develop/totp-authenticator#configuring-the-service-provider) + and [Testing the sample](../../develop/totp-authenticator#testing-the-sample) to continue the authentication using TOTP. ### Disable TOTP diff --git a/en/docs/develop/wordpress-authenticator.md b/en/docs/develop/wordpress-authenticator.md index fa67a43548..d6e899280b 100644 --- a/en/docs/develop/wordpress-authenticator.md +++ b/en/docs/develop/wordpress-authenticator.md 
@@ -1,22 +1,166 @@ -# Wordpress Authenticator - +# Configuring Wordpress Authenticator The Wordpress authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Wordpress users to log in to your organization’s applications. The diagram below illustrates the flow of the Wordpress federated authenticator. -![](attachments/49092142/76746176.png) +![](../../assets/img/49092142/76746176.png) + +The Wordpress authenticator allows you to authenticate users using +Wordpress through the WSO2 Identity Server. This page provides +instructions on how to configure the Wordpress authenticator and the +WSO2 Identity Server for logging into a sample app. + +You can find more information in the following sections. + +!!! info + This is tested for the Wordpress API version 1.0. Wordpress + Authenticator is supported by Identity Server 5.1.0 upwards. + +### Configuring the Wordpress App + +1. Place the authenticator .jar file into the + ` /repository/components/dropins ` + directory. You can download the + .jar(org.wso2.carbon.identity.authenticator.wordpress) file from the + [wso2 + store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Wordpress%22) + . + + !!! note + If you want to upgrade the Wordpress Authenticator in your existing + IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +2. Navigate to and log in. + + !!! note + You can either use your Wordpress developer account + credentials or your own Google account credentials to log in. + + +3. Click **Create New Application**. + + ![](../../assets/img/49092145/76747300.png) + +4. Enter the following details in the window that appears. + - **Name** - TestApp + - **Description** - Application for testing purposes + - **Website URL** - https://localhost:9443/commonauth + - **Redirect URLs** - https://localhost:9443/commonauth + - **Javascript Origins** - + - **Type** - web client + + !!! 
tip + Make sure to answer the mathematical question that is asked + (e.g., What is 5+2 ?). + + +5. Click **Create**. + Now you have finished configuring Wordpress so copy the **Client ID** and **Client Secret** for use in the Identity Server. + ![](../../assets/img/49092145/49226414.png) + +### Deploying travelocity.com sample app + +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +To configure this, see [deploying travelocity.com sample +app](../../develop/deploying-the-sample-app). + +### Configuring the identity provider + +Now you must configure the WSO2 Identity Server by [adding a new +identity +provider](../../learn/adding-and-configuring-an-identity-provider). + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. + ![](../../assets/img/49092145/76747356.png) +4. Enter the following details for the Identity Provider. + + - **Identity Provider Name** - WordpressIdP + - **Alias** - + + ![](../../assets/img/49092145/76747375.png) + +5. Go to **Wordpress Configuration** under **Federated Authenticators** + and enter the required details. + + !!! tip + Make sure to enter the client Id, client secret, and callback URL + based on the [wordpress application that you + created](#configure-wordpress). 
+ + + | Field | Description | Sample value | + |---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------| + | Enable | Selecting this option enables Wordpress to be used as an authenticator for users provisioned to the Identity Server. | Selected | + | Default | Selecting the Default checkbox signifies that Wordpress is the main/default form of authentication. This removes the selection made for any other default check-boxes for other authenticators. | Selected | + | Client Id | This is the username from the Wordpress application. | 56002 | + | Client Secret | This is the password from the Wordpress application. Click the **Show** button to view the value you enter. | LxLvRoWplkvva4WMdOWAxrcghOVlxrH8RHJ96XWlXVaZi6pZDgXsvPhLHhzGqeCF | + | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have the following format: ` https://(host-name):(port)/acs ` | | + +6. Click **Register**. + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. +2. In the **Service Providers** section under the **Main** tab, click + **Add**. +3. Since you are using travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. -### Getting started +5. Now set the configuration as follows: + 1. **Issuer** : travelocity.com + 2. **Assertion Consumer URL** : + +6. Select the following check-boxes: + 1. **Enable Response Signing**. + 2. **Enable Single Logout**. + 3. **Enable Attribute Profile**. 
+ 4. **Include Attributes in the Response Always**. +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +8. Go to the **Local and Outbound Authentication Configuration** + section. +9. Select the identity provider you created from the dropdown list + under **Federated Authentication**. + + ![](../../assets/img/49092145/49226418.png) +10. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. -To get started with the authenticator, see [Configuring Wordpress -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Wordpress+Authenticator) -for information and configuration steps. Once you have completed your -configurations, you can authenticate users using the Wordpress -authenticator. To download the authenticator, go to -[https://store.wso2.com/store/assets/isconnector/Wordpress](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Wordpress%22) -. +You have now added and configured the service provider. -3844 +### Testing the sample -1249 +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + . E.g., [http://localhost:8080/travelocity.com](http://localhost:8080/travelocity.com) + + ![](../../assets/img/49092145/49226416.png) + +2. Click the link to log in with SAML from WSO2 Identity Server. +3. You are redirected to the Wordpress login page. Enter your Wordpress + credentials. + + ![](../../assets/img/49092145/49226419.png) +4. Click **Log In** to authenticate the user. + + ![](../../assets/img/49092145/49226420.png) +5. You will be taken to the home page of the travelocity.com app. + ![](../../assets/img/49092145/49226421.png) diff --git a/en/docs/develop/x509-authenticator-with-ssl-termination.md b/en/docs/develop/x509-authenticator-with-ssl-termination.md new file mode 100644 index 0000000000..83bc73a049 --- /dev/null 
+++ b/en/docs/develop/x509-authenticator-with-ssl-termination.md 
@@ -0,0 +1,227 @@ +# Configuring X509 Authenticator with SSL Termination + +SSL bridging is the process of decrypting the encrypted SSL traffic that +arrives from the browser and then re-encrypting it before sending it on +to the server. SSL bridging can be used to ensure that the contents of +the SSL-encrypted transmission are reliable and secure . + +It enables NGINX to decrypt client requests from the browser. X509 +authenticarion will not work in the normal SSL Termination since NGINX +does not pass the X509 Certificate as a request attribute to the server +after decrypting it. Due to this, the server will not be able to +authenticate the client using its certificate, resulting in the failure +of X509 authentication. + +We need a separate valve to handle the request from NGINX and pass the +X509 Certificate as a request attribute to the server. Here, we +configure NGINX to pass the SSL Certificate as a request header. + +Following are the steps to configure X509Authenticator with SSL +Termination using NGINX and WSO2 Identity Server. + +### Configure NGINX for SSL Termination + +1. Install the [NGINX + 1.15.8](https://medium.com/@ThomasTan/installing-nginx-in-mac-os-x-maverick-with-homebrew-d8867b7e8a5a) + community version. +2. Create an SSL directory in ` /usr/local/etc/nginx ` + . +3. Create a self-signed key and certificate for NGINX as shown below + and put them into ` /usr/local/etc/nginx/ssl. ` + + ``` java + openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -x509 -days 365  + -out nginx.pem + openssl x509 -text -noout -in nginx.pem + ``` + +4. Add the following configurations to the + ` nginx.config ` file in + ` /usr/local/etc/nginx. ` + + !!! note + Mention the path of the file in which you have created the + self-signed key and the certificate as + ` ssl_client_certificate. 
` + + + ``` java + http { + upstream wso2.is.com{ + server localhost:9443; + ip_hash; + } + # HTTPS server + server { + listen 443 ssl; + server_name localhost; + #nginx certificate + ssl_certificate /usr/local/etc/nginx/ssl/nginx.pem; + #nginx key + ssl_certificate_key /usr/local/etc/nginx/ssl/key.pem; + #certificate of the client + ssl_client_certificate /usr/local/etc/nginx/ssl/certificate.pem; + ssl_session_timeout 50m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_verify_client on; + ssl_prefer_server_ciphers on; + location / { + #to enable the nginx to pass request header + proxy_pass_request_headers on; + proxy_set_header X-HTTPS-Protocol $ssl_protocol; + proxy_set_header X-SSL-CERT $ssl_client_cert; + proxy_pass https:/wso2.is.com; + } + } + } + ``` + +### Configure the Proxy Port in IS nodes + +By default, WSO2 Identity Server runs on the 9443 port. The following +steps describe how you can configure a proxy port to 443. + +1. Open the ` catalina-server.xm ` l file in + ` /repository/conf/tomcat/ ` and add the + proxy port 443 in the https connector as follows. + + ``` java + /repository/deployment/server/jaggeryapps/dashboard/conf/ ` + as follows. + + ``` java + { + "proxy":{ + "proxyHost":"nginx.mybsf.org" + "proxyHTTPSPort":"443", + "proxyContextPath":"", + "servicePath":"/services" + } + } + ``` + +3. Configure the proxy port and host it in the + ` site.json ` file in + ` /repository/deployment/server/jaggeryapps/portal/conf/ ` + as follows. + + ``` java + { + "proxy":{ + "proxyHost":"nginx.mybsf.org" + "proxyHTTPSPort":"443", + "proxyContextPath":"", + }, + "fido":{ + "appId":"" + } + } + ``` + +4. Configure the proxy port and host in the + ` web.xml ` file in + ` /repository/deployment/server/webapps/shindig/WEB-INF/ ` + as follows. 
+ + ``` java + + system.properties + + + ``` + +### Change the authentication endpoint in the Travelocity sample + +Since the NGINX listens to port 443, we need to change the +authentication endpoint of the client. + +Go to travelocity properties in +` /Webapps/travelocity.com/WEB-INF/classes ` +and set ` SAML2.IdPURL ` to +[https://localhost:443/samlsso](https://localhost/samlsso) as shown +below. + +``` java +#The URL of the SAML 2.0 Identity Provider +SAML2.IdPURL=https://localhost:443/samlsso +``` + +### Configure X509 Authenticator in WSO2 Identity Server + +Follow the steps mentioned +[here](../../develop/x509-certificate-authenticator) +in order to configure X509 Authenticator. + +### Add the X509 Authentication Valve to WSO2 Identity Server + +1. Get a git clone by executing the following command in the terminal + [.](https://github.com/wso2-extensions/identity-x509-commons.git) + + ``` java + git clone https://github.com/wso2-extensions/identity-x509-commons.git + ``` + +2. If the current branch is not the master, checkout from the master as + follows. + + ``` java + git branch checkout master + ``` + +3. Build the component. + + ``` java + mvn clean install + ``` + +4. Copy the + ` org.wso2.carbon.extension.identity.authenticator.x509Certificate.valve-1.0.4-SNAPSHOT.jar ` + file in + ` /identity-x509-revocation/component/valve/target ` + into ` /repository/components/dropins/ ` + . (Check whether the version of x509revocation component in the IS + pack and change its version to 1.0.4-SNAPSHOT). + + +5. Open ` catalina.xml ` in + ` /repository/conf/tomcat/directory ` + and add the new valve in the configuration file. + + ``` java + Valve name = + ``` + + ![](../../assets/img/119111969/119112177.png) + +6. Configure in ` identity.xml ` file in + /repository/conf/identity by adding the value of the certificate + configured in NGINX within + ` . ` + + ``` java + + + + SSL-CERT + ``` + +7. 
Now run the travelocity sample and it will be authenticated using + X509 Certificate when SSL termination is configured. + + + + + + diff --git a/en/docs/develop/x509certificate-authenticator.md b/en/docs/develop/x509certificate-authenticator.md index 7302434da5..90f55e69d3 100644 --- a/en/docs/develop/x509certificate-authenticator.md +++ b/en/docs/develop/x509certificate-authenticator.md 
@@ -1,25 +1,706 @@ -# X509Certificate Authenticator +# Configuring X509Certificate Authenticator The X509Certificate authenticator allows users to access your organization’s applications by getting authenticated through an X509 certificate, which contains public key information. -### Getting started +![x509-authenticator](../../assets/img/connectors/x509-authenticator.png) -To get started with the authenticator, see [Configuring X509Certificate -Authenticator](../../develop/x509certificate-authenticator) for -information and configuration steps. Once you have completed your -configurations, you can authenticate users using the X509Certificate -authenticator. +This page provides instructions on how to configure the X509 certificate +authenticator and the WSO2 Identity Server using a sample app to +demonstrate authentication. You can find more information in the +following sections. -### Additional information +!!! info + X509Certificate Authenticator is supported by WSO2 Identity Server + versions 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1 and 5.5.0 -To download the authenticator, go to -[https://store.wso2.com/store/assets/isconnector/X509Certificate](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22X509%22) -. +### Working with certificates -506 +X509 authentication requires the client to posses a Public Key +Certificate (PKC). -90 +!!! info "What is a Public Key Certificate (PKC) and Certificate Authority (CA)?" + Public key cryptography relies on a public and private key pair to + encrypt and decrypt content. The keys are mathematically related, and + content encrypted by using one of the keys can only be decrypted by + using the other. The private key is kept secret. The public key is + typically embedded in a binary certificate, and the certificate is + published to a database that can be reached by all authorized users. 
The + certificate binds the public key to an entity and is used to protect + information, encrypt transactions, and ensure secure communication. -859 + Certificate Authorities, or Certificate Authorities / CAs, issue Digital + Certificates. Digital Certificates are verifiable small data files that + contain identity credentials to help websites, people, and devices + represent their authentic online identity (authentic because the CA has + verified the identity) + +If **X509 authentication** is specified, the WSO2 IS will authenticate +the client using the client’s public key certificate. To issue the +digital certificate, a Certificate Authority (CA) is required. A CA +issues digital certificates that contain identity credentials in order +to help websites, people and devices represent their authentic, +CA-verified, online identity. + +To create a sample certificate and create your own Certificate Authority +to sign the certificates, follow the following steps: + +1. The first step is to create the private RSA key: + + ``` xml + openssl genrsa -out rootCA.key 2048 + ``` + + Here, the specified key size is 2048 bit. You can specify the key + size for your private key. + +2. Based on this key you can now generate an actual certificate which + is valid for 10 years using the following command: + + ``` xml + openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt + ``` + + You are prompted to provide the following details, and the details + you provide are incorporated to the certificate request. + Example: Make sure you use the values that fit your use case. + + ``` java + Country Name (2 letter code) [AU] : SL + State or Province Name (full name) [Some-State]:Western + Locality Name (eg, city) [ ]:Colombo + Organization Name (eg, company) [Internet Widgits Pty Ltd]:WSO2 + Organizational Unit Name (eg, section) [ ]:QA + Common Name (e.g. serverFQDN or YOUR name) [ ]: wso2is.com + Email Address [ ]:maneesha@wso2.com + ``` + +3. 
An OpenSSL CA requires new files and supporting directories. + Therefore, create a new directory. + Create the directory structure according to your + ` openssl.conf ` format. + + ``` xml + mkdir -p demoCA/newcerts + ``` + +4. You also need some initial files inside your CA directory structure. + + ``` xml + touch demoCA/index.txt + echo '01' > demoCA/serial + ``` + +5. In order for the JVM to trust your newly created certificate import + your certificate into your JVM trust store by executing the + following command: + + ``` xml + keytool -import -noprompt -trustcacerts -alias rootCA -file rootCA.crt -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit + ``` + + !!! note "Got the permission denied error?" + Note that when adding the certificate to the JVM trust store you may + get the permission denied error. Running this command as an + administrator resolves this permission issue. + For example, if you are a Mac users, you can use + ` sudo ` in front of this command to fix the + permission issue. + + +6. Now you have created the CA to sign the certificate. To create the + server certificate follow the steps given below: + 1. Create the keystore that includes the private key by executing + the following command: + + ``` xml + keytool -genkey -v -alias localcrt -keyalg RSA -validity 3650 -keystore localcrt.jks -storepass localpwd -keypass localpwd + ``` + + !!! info + You are prompted for details after executing the above command. + For "What is your first and last name?" you need to give a name + without space(e.g.,: wso2). This name is the CN to [create a + user](#ConfiguringX509CertificateAuthenticator-createauser). + + This command will create a keystore with the following details: + + - Keystore name: localcrt.jks + + - Alias of public certificate: localcrt + + - Keystore password: localpwd + + - Private key password: localpwd (this is required to be the + same as keystore password) + + 2. 
Execute the following command to generate the certificate + signing request(CSR) using the generated keystore file. + + ``` xml + keytool -certreq -alias localcrt -file localcrt.csr -keystore localcrt.jks -storepass localpwd + ``` + + 3. To enable CRL or OCSP based certificate revocation validation, + configure the necessary openSSL extension configurations. + + 1. Open either of the following files. + 1. ` validation.cnf ` + 2. ` /usr/lib/ssl/openssl.cnf ` + 2. Set the following properties under x509\_extensions. + + ``` java + crlDistributionPoints = URI:http://pki.google.com/GIAG2.crl + authorityInfoAccess = OCSP;URI: http://clients1.google.com/ocsp + ``` + + 4. Once it is done you need to sign the CSR, which requires the CA + root key. + + ``` xml + openssl ca -batch -startdate 150813080000Z -enddate 250813090000Z -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -out localcrt.crt -infiles localcrt.csr + ``` + + This creates a signed certificate called + ` localcrt.crt ` that is valid for + a specified time period that is denoted by the + ` startdate ` and + ` enddate ` . + + 5. The next step is to import the CA and signed certificate into + the keystore. + + ``` xml + keytool -importcert -alias rootCA -file rootCA.crt -keystore localcrt.jks -storepass localpwd -noprompt + + keytool -importcert -alias localcrt -file demoCA/newcerts/01.pem -keystore localcrt.jks -storepass localpwd -noprompt + ``` + + 6. Now, get the ` pkcs12 ` out of + ` .crt ` file using the command given + below as it is been used to import certificates to the browser. + + ``` xml + keytool -importkeystore -srckeystore localcrt.jks -destkeystore localhost.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass localpwd -deststorepass browserpwd -srcalias localcrt -destalias browserKey -srckeypass localpwd -destkeypass browserpwd -noprompt + ``` + + Make sure to use the same password you used when creating the + keystore for the ` srcstorepass ` in the + above step. 
Now you have the + ` localhost.p12 ` + file that you can import into your browser as explained in the + [import + certificate](#import-certificate) + section. + +7. Next, create a new trust store and import the server certificate + into the trust store using the following commands: + + ``` xml + keytool -import -keystore cacerts.jks -storepass cacertspassword -alias rootCA -file rootCA.crt -noprompt + keytool -importcert -alias localcrt -file localcrt.crt -keystore cacerts.jks -storepass cacertspassword -noprompt + ``` + + !!! info "CN" + The User objects in the LDAP directory hierarchy have designators + that start with CN, meaning Common Name. The CN designator applies + to all but a few object types. Active Directory only uses two other + object designators (although LDAP defines several). + +Once you have done the above steps, you have the keystore ( +` localcrt.jks ` ), truststore ( +` cacerts.jks ` ), and pkcs12 ( +` localhost.p12 ` ) files that you need to use later on +in this guide. + +### Configuring the X509 Certificate for the app + +1. Download the [WSO2 Identity + Server](http://wso2.com/products/identity-server/). + +2. Replace your keystore file path, keystore password, trust store file + path and trust store password (you can use the keystore and + truststore, which you created under the [Working with + Certificate](#working-with-certificates) + section) in the following configuration and add it to + ` /repository/conf/tomcat/catalina-server.xml ` + file. + + ``` xml + + ``` + + !!! note + - In order to function properly, this connector should come first + in the order. Otherwise, when mutual SSL takes place, the + already existing connector (9443) will be picked up and the + certificate will not be retrieved correctly. + - The ` clientAuth ` attribute causes the + Tomcat to require the client with providing a certificate that + can be configured as follows. 
+ - ` true ` : valid client + certificate required for a connection to succeed + + - ` want ` : use a certificate if + available, but still connect if no certificate is available + + - ` false ` : no client certificate + is required or validated + + - The ` truststoreFile ` attributes specifies + the location of the truststore that contains the trusted + certificate issuers. + + +3. Download the authenticator .jar file and the artifacts from the + [WSO2 + store](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22X509%22) + . + +4. Place the ` authenticator ` + ` .jar ` file in the + ` /repository/components/dropins ` + directory. + + !!! note + If you want to upgrade the X509 Certificate Authenticator in your + existing IS pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +5. Place the + ` x509certificateauthenticationendpoint.war ` + file in the + ` /repository/deployment/server/webapps ` + directory. + +### Disabling Certificate Validation + +!!! warning + In product versions prior to WSO2 Identity Server 5.7.0, the + CRL-and-OCSP-based certificate validations were disabled by default. + With WSO2 Identity Server 5.7.0, CAs could be added to a truststore and + get them verified through certificate validation. To complement this, + CRL-and-OCSP-based certificate validations were enabled by default. + Enabling certificate validation without adding the CAs to the truststore + may cause errors. + + Disable certificate validation if you are using WSO2 Identity Server + 5.7.0 and do not require verifying CAs through certificate validation. + + +The location that is used to disable certificate validation depends on +whether WSO2 Identity Server was started at least once or not. + +- If you have never started WSO2 Identity Server before, the + configurations should be made on the + ` certificate-validation.xml ` file. 
+- If you have started WSO2 Identity Server at leasts once, the + configurations should be made on the registry parameters. + +#### Disabling Certificate Validation in an Unstarted WSO2 IS Pack + +Follow the steps below to disable certificate validation if WSO2 +Identity Server was never started. + +1. Open the ` certificate-validation.xml ` file in the + ` /repository/conf/security ` repository. +2. Disable certificate validation. + + 1. To disable CRL-based certificate validation, set the + ` enable ` sub-parameter of the + ` org.wso2.carbon.identity.x509Certificate.validation.validator.CRLValidator ` + validator, to ` false ` . + 2. To disable OCSP-based certificate validation, set the + ` enable ` sub-parameter of the + ` org.wso2.carbon.identity.x509Certificate.validation.validator.OCSPValidato ` + validator, to ` false ` . + + Example: + + ``` java + + + + 1 + true + 2 + + + 2 + true + 1 + + + + ``` + +#### Disabling Certificate Validation in an Already-started WSO2 IS Pack + +Follow the steps below to disable certificate validation if WSO2 +Identity Server was started before. + +1. Access the WSO2 Identity Server Management Console. +2. Click **Main \> Registry \> Browse**. + ![](../../assets/img/50501577/112378780.png) +3. Disable CRL certificate validation. + 1. Locate the CRL parameter by entering + ` _system/governance/repository/security/certificate/validator/crlvalidator ` + in the **Location** search box. + ![](../../assets/img/50501577/112378782.png) + 2. Expand **Properties**. + ![](../../assets/img/50501577/112378786.png) + 3. Click **Edit** pertaining to the **Enable** property. + ![](../../assets/img/50501577/112378794.png) + + 4. Change the value to ` false ` and click + **Save**. + ![](../../assets/img/50501577/112378795.png) +4. Similarly, disable OCSP certificate validation in the + ` _system/governance/repository/security/certificate/validator/ocspvalidator ` + registry parameter. 
+ +For more information on CRL and OCSP certificate validation, see +[Configuring Certificate Revocation +Validation](../../develop/certificate-revocation-validation). + +### Configuring the Authentication Endpoint + +1. Open the ` application-authentication.xml ` file in + the ` /repository/conf/identity ` + directory. +2. Add the following AuthenticatorConfig configuration to the file. + + 1. ` AuthenticationEndpoint ` : This is the + URL with the port that is secured with the certificate, e.g., + ` https://localhost:8443/x509-certificate-servlet ` + . Update this based on your host name. + 2. ` username ` : This attribute value will be + taken as the authenticated user subject identifier. Update this + with any of the certificate attributes, e.g., CN and Email. + + ``` java + + https://localhost:8443/x509-certificate-servlet + CN + + ``` + + !!! note + When X509 authentication is configured as the second authentication + step, the certificate will be validated to check whether it is + associated with the authenticated user in first authentication step. + For that, the ` username ` parameter will be + used. For that, the authenticated user name considered in the first + authentication step will be validated with the certificate attribute + in this property. + + When X509 authentication is configured as the first step, this + certificate attribute will be treated as the authenticated user + subject identifier. + + +3. If you are using the identity claim dialect URI to store X509 + certificate, add the following parameter. + + ``` java + http://wso2.org/claims/identity/userCertificate + ``` + +4. To enable storing the X509 certificate as a user claim, add the + following parameter. + + ``` java + true http://:9776/carbon + For HTTPS --> https://:9443/carbon + ``` + +2. On the **Main** tab, click **Claims \> Add**. + ![](../../assets/img/50501577/103328153.png) +3. Click **Add Local Claim**. + ![](../../assets/img/50501577/103328154.png) +4. 
Add a new claim for the **certificate** by giving the details as + below, e.g., select a mapped attribute for the claim that is + supported by the underlying database type. + ![](../../assets/img/50501577/103328155.png) +5. Click **Add**. + +### Updating the column size of the database for X509 certificates + +Make note of the following points and configure your database to match +your use case: +- [Disabling Certificate Validation in an Unstarted WSO2 IS Pack](#disabling-certificate-validation-in-an-unstarted-wso2-is-pack) +- [Disabling Certificate Validation in an Already-started WSO2 IS Pack](#disabling-certificate-validation-in-an-already-started-wso2-is-pack) +- [Using an identity claim for the X509 certificate or working with read only user stores](#using-an-identity-claim-for-the-x509-certificate-or-working-with-read-only-user-stores) +- [Using a wso2 claim for the X509 certificate](#Using-a-wso2-claim-for-the-x509-certificate) + +#### Using an identity claim for the X509 certificate or working with read only user stores + +If you are using an identity claim to store X509 Certificates, e.g., +` http://wso2.org/claims/identity , ` +or if you are working with a read only user store, the certificate gets +stored in the ` DATA_VALUE ` column of the +` IDN_IDENTITY_USER_DATA ` table. The default DB script +sets the column size to 255 characters but in this case the certificate +value has more than 255 characters. Therefore, you need to update the +column size to a higher value. + +Follow the steps given below to update the column size: + +!!! info + You do not need to update the column size if you are using WSO2 IS 5.4.0 + or above 5.4.0. + +- Refer this + [link](../../administer/browsing-the-h2-database) + to browse the H2 database of WSO2 products, and execute the query + given below to alter the column size of the H2 database. 
+ + ``` java + ALTER TABLE IDN_IDENTITY_USER_DATA ALTER DATA_VALUE VARCHAR(2048); + ``` + +- Refer the table given below to find out the queries you can use for + the databases listed below: + + + + + + + + + + + + + + + + + + + + + + + + + +
DatabaseQuery to alter the column
MySQL ALTER TABLE IDN_IDENTITY_USER_DATA CHANGE DATA_VALUE DECIMAL VARCHAR(2048)
Oracle IDN_IDENTITY_USER_DATA modify (DATA_VALUE varchar(2048));
MSSQL ALTER TABLE IDN_IDENTITY_USER_DATA
+ ALTER COLUMN DATA_VALUE VARCHAR(2048) NOT NULL;
PostgreSQL ALTER TABLE IDN_IDENTITY_USER_DATA ALTER COLUMN DATA_VALUE TYPE VARCHAR(2048); Configuring the X509 Certificate for the app
+ +#### Using a wso2 claim for the X509 certificate + +If you use are using a wso2 claim to store X509 Certificate, e.g., +` http://wso2.org/claims `, the +certificate gets stored as a user attribute in the +` UM_ATTR_VALUE ` column of the +` UM_USER_ATTRIBUTE ` table. The default DB script sets +the column size to 1024 characters but in this case the certificate +value is having more than 1024 characters Therefore, you need to update +the column size to a higher value. + +Follow the steps given below to update the column size: + +You do not need to update the column size if you are using WSO2 IS 5.4.0 +or above 5.4.0. + +- Refer this + [link](../../administer/browsing-the-h2-database) + to browse the H2 database of WSO2 products, and execute the query + given below to alter the column size of the H2 database. + + ``` java + ALTER TABLE UM_USER_ATTRIBUTE ALTER UM_ATTR_VALUE VARCHAR(2048); + ``` + +- Refer the table given below to find out the queries you can use for + the databases listed below: + + + + + + + + + + + + + + + + + + + + + + + + + + +
DatabaseQuery to alter the column
MySQL ALTER TABLE UM_USER_ATTRIBUTE CHANGE UM_ATTR_VALUE DECIMAL VARCHAR(2048)
Oracle UM_USER_ATTRIBUTE modify (UM_ATTR_VALUE varchar(2048));
MSSQL ALTER TABLE UM_USER_ATTRIBUTE
+ ALTER COLUMN UM_ATTR_VALUE VARCHAR(2048) NOT NULL;
PostgreSQL ALTER TABLE UM_USER_ATTRIBUTE ALTER COLUMN UM_ATTR_VALUE TYPE VARCHAR(2048);
+ +### Deploying travelocity.com sample app + +The next step is to deploy the travelocity.com sample app in order to +use it in this scenario. + +See the topic on [deploying the travelocity.com sample +app](../../develop/deploying-the-sample-app) for information on how to configure +this. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. +2. In the **Service Providers** section under the **Main** tab, click + **Add**. +3. Since you are using Travelocity as the sample, enter travelocity.com + in the **Service Provider Name** text box and click **Register**. +4. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. +5. Now set the configuration as follows: + 1. **Issuer** : travelocity.com + 2. **Assertion Consumer URL** : + http://localhost:8080/travelocity.com/home.jsp +6. Select the following check-boxes: + 1. **Enable Response Signing**. + 2. **Enable Single Logout**. + 3. **Enable Attribute Profile**. + 4. **Include Attributes in the Response Always**. + + ![](../../assets/img/50501577/56985063.png) +7. Click **Update** to save the changes. Now you will be sent back to + the **Service Providers** page. +8. Go to the **Local and Outbound Authentication Configuration** + section. +9. You have two options here. You can add X509 certificate + authenticator as the first factor and also as the second factor. + 1. Second factor + 1. Select the **Advanced** configuration radio button option. + + 2. Add the **basic** authentication as a first step and + **X509Certificate** authentication as the second step. + ![](../../assets/img/50501577/56985064.png) + + 2. First factor + - Select **Local Authentication** as the **Authentication + Type** and select **X509Certificate** from the drop-down + list. 
+ ![](../../assets/img/50501577/56985065.png) + - When using X509 as first step authentication, you need to + create a user in IS management console with the Email + provided while creating the browser certificate. + Example: + ![](../../assets/img/50501577/72423358.png) + + !!! note + For more information on creating users and assigning roles + using management console, refer + [here](../../learn/configuring-users#creating-a-new-user-using-the-management-console). + +10. Finally, click on **Update** to finish the service provider + configurations. + +You have now added and configured the service provider. + +### Configuring CRL Caching + +CA provides a CRL that is valid for a limited duration, which is defined +in the **Next Update** CRL field. This field indicates the date by which +the next CRL will be issued. According to the [Internet X.509 PKI +Certificate and CRL Profile](https://tools.ietf.org/html/rfc5280), the +next CRL could be issued before but not later than the indicated date. +This property is considered to validate the returned CRL from cache as a +certificate in the CRL can be temporarily invalidated (Hold) rather than +being irreversibly revoked, i.e., an outdated CRL creates a security +exposure. + +The X509CRL is downloaded from the CRL URL and persisted in cache. +Follow the steps below to configure CRL caching. + +1. Open the identity.xml located in the + ` /repository/conf/identity ` directory. +2. Locate the ` ` element. +3. Enable CRL caching by using the following snippet. + + ``` java + + ``` + +### Import certificate + +- **Chrome** + 1. In your browser, navigate to **Settings \> HTTPS/SSL \> Manage + certificates**. + ![](../../assets/img/50501577/56985081.png) + 2. Click on **Import,** select the **localhost.p12** file, and then + click **Open**. Note that you may have to enter the password that + you used to generate the p12 file, (browserpwd) to open it. + +- **Firefox** + 1. 
Click on the menu option on the right of the screen and select + **Preferences**. + + ![](../../assets/img/50501577/76747279.png) + 2. Click Privacy & Security in the left navigation and scroll down to + the **Certificates** section. Click **View Certificates**. + + ![](../../assets/img/50501577/76747282.png) + 3. In the window that appears, click **Import**. + ![](../../assets/img/50501577/76747286.png) + 4. Select the **localhost.p12** file, and then click **Open**. Note + that you may have to enter the password that you used to generate + the p12 file, (browserpwd) to open it. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp ` + E.g., http://localhost:8080/travelocity.com +2. Click the link to log in with SAML from WSO2 Identity Server. + + !!! note + If you have set this up as the first factor you will not + get basic authentication. + + ![](../../assets/img/50501577/56985082.png) + +3. The basic authentication page appears unless it is not set as the + first factor. Use your username and password and click **Sign In** + (Only for the second step). + ![](../../assets/img/50501577/56985083.png) + +4. You are directed to the X509 certificate authentication page ( + ` https://localhost:8443/x509-certificate-servlet ` + ). If the authentication is successful, you will be taken to the + home page of the travelocity.com app. + ![](../../assets/img/50501577/56985084.png) diff --git a/en/docs/develop/yammer-authenticator.md b/en/docs/develop/yammer-authenticator.md index cb02c9f1dd..5c0c7c07d7 100644 --- a/en/docs/develop/yammer-authenticator.md +++ b/en/docs/develop/yammer-authenticator.md 
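Review bot: In the X509 authenticator page above, the MySQL row of both "Updating the column size" tables is wrong: `ALTER TABLE IDN_IDENTITY_USER_DATA CHANGE DATA_VALUE DECIMAL VARCHAR(2048)` (and the `UM_USER_ATTRIBUTE` twin) renames the column to `DECIMAL`, because `CHANGE` takes old name, new name, type; use `MODIFY DATA_VALUE VARCHAR(2048)` instead. In the same tables the Oracle rows are missing the leading `ALTER TABLE`, and the MSSQL rows add `NOT NULL`, which changes nullability rather than only the size, so drop it unless that is intended. Further up, step 2.2 of "Disabling Certificate Validation in an Unstarted WSO2 IS Pack" names the class `...validation.validator.OCSPValidato`, missing the trailing `r` of `OCSPValidator`, so a copied key will not match the validator. Since that section explains how to switch CRL and OCSP checking off, it should also state the consequence, namely that revoked client certificates are then accepted (the CRL caching section already calls an outdated CRL a security exposure), so readers do not leave it disabled after debugging. In "Configuring the Authentication Endpoint", the example sets `username` to `CN` while step 9 of the service provider section says to create the first-factor user with the Email from the browser certificate; say which attribute the walkthrough expects. In "Configuring CRL Caching", the element name in step 2 and the snippet in step 3 render empty in this hunk; confirm the XML survived. Smaller points: the bullet list under "Make note of the following points" links to the two Disabling sections, which are unrelated to column sizes, and its last anchor `#Using-a-wso2-claim-for-the-x509-certificate` is capitalised and will not resolve against the generated lowercase id; the XML and SQL snippets are fenced as `java`; the second column-size section lost its `!!! info` marker; Testing step 3, "The basic authentication page appears unless it is not set as the first factor", is a double negative and should read "appears only when X509 is configured as the second step"; and typos `leasts`, `If you use are using`, and the missing full stop in `more than 1024 characters Therefore`.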
@@ -1,18 +1,171 @@ -# Yammer Authenticator +# Configuring Yammer Authenticator The Yammer authenticator is configured as a federated authenticator in WSO2 Identity Server to authenticate Yammer users to log in to your organization’s applications. The diagram below illustrates the flow of the Yammer federated authenticator. -![](attachments/48290727/76746158.png) +![](../../assets/img/48290727/76746158.png) -### Getting started +This page provides instructions on how to configure the Yammer +authenticator and WSO2 Identity Server using a sample app. You can find +more information in the following sections. -To get started with the authenticator, see [Configuring Yammer -Authenticator](https://docs.wso2.com/display/ISCONNECTORS/Configuring+Yammer+Authenticator) -for information and configuration steps. Once you have completed your -configurations, you can authenticate users using the Yammer -authenticator. To download the authenticator, go to -[https://store.wso2.com/store/assets/isconnector/yammer](https://store.wso2.com/store/assets/isconnector/list?q=%22_default%22%3A%22Yammer%22) +!!! info + This is tested for the Yammer API version 1.0. Yammer Authenticator is + supported by Identity Server 5.1.0 upwards. + +### Deploying Yammer artifacts + +1. Place the authenticator .jar file into the + ` /repository/components/dropins ` + directory. You can download the + .jar(org.wso2.carbon.identity.authenticator.yammer) file from the + [WSO2 + Store](https://store.wso2.com/store/assets/isconnector/details/0e1f0ba7-c4dc-4826-afa7-ba3adef00e7b) + . + + !!! note + If you want to upgrade the Yammer Authenticator in your existing + WSO2 Identity Server pack, please refer [upgrade + instructions.](../../develop/upgrading-an-authenticator) + + +### Configuring the Yammer App + +1. Log in to [Yammer](https://www.yammer.com/wso2.com/?show_login=true) + using your account credentials. +2. Register a new application in + . + ![](../../assets/img/48290733/48220784.png) +3. 
Fill in the form provided to add your application. + ![](../../assets/img/48290733/48220783.png) + Fill in the following required fields and click **Continue** : + - **Application name** : The name of your application + - **Organization** : The organization that the app represents. + - **Support e-mail** : The email address used to communicate with + the app. + - **Website** : The website represented by the app. + - **Redirect URI** : Use + ` https://localhost:9443/commonauth ` + as the **Redirect URI** when you register the app. This is an + important step. +4. Obtain the ` Client ID ` and the + ` Client Secret ` that were generated for your + application via the App Dashboard. + ![](../../assets/img/48290733/76747751.png) + + +### Deploying [travelocity.com](http://travelocity.com) sample app + +Next, [deploy the sample app](../../develop/deploying-the-sample-app) in order to +use it in this scenario. + +Once this is done, configure the WSO2 Identity Server by adding an +[identity +provider](../../learn/adding-and-configuring-an-identity-provider) +and [service +provider](../../learn/adding-and-configuring-a-service-provider) +. + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by [adding a new identity +provider](../../learn/adding-and-configuring-an-identity-provider) . + +1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/) and [run + it](../../setup/running-the-product). +2. Log in to the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. +3. In the **Identity Providers** section under the **Main** tab of the + management console, click **Add**. + 1. Give a suitable name for **Identity Provider Name**. + ![](../../assets/img/48290733/76747696.png) +4. Next, navigate to the **Federated Authenticators \> Yammer + Configuration**. + + 1. Select the **Enable** and **Default** checkboxes. 
This will + enable the Yammer authenticator and make it the default Identity + provider. + + 2. Enter the following values and click **Register**. + +| Field | Description | Sample Value | +|-------------------|-------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| +| **Client ID** | This is the ` client ID ` that wasgenerated for the application you registered via Yammer. | ` sGdyjvdPadOTAvYc7SZOg ` | +| **Client Secret** | This is the ` client secret ` that wasgenerated for the application you registered via Yammer. | ` AV0acZHX1fPhJdk5VhTdCW6utt0hP7FHxOb72Gznqo ` | +| **Callback URL** | This is the service provider's URL to which the code is sent to. | ` https://localhost:9443/commonauth ` | + +![](../../assets/img/48290733/76747701.png) + +You have now added the identity provider. + +### Configuring the service provider + +The next step is to configure the service provider. + +1. Return to the management console. + +2. In the **Service Providers** section, click **Add** under the + **Main** tab. + +3. Since you are using travelocity as the sample, enter + ` travelocity.com ` + in the **Service Provider Name** text box and click **Register**. + + 1. In the **Inbound Authentication Configuration** section, click + **Configure** under the **SAML2 Web SSO Configuration** section. + + 2. Now set the configurations as follows: + + - **Issuer** : [travelocity.com](http://travelocity.com) + + - **Assertion Consumer URL** : + + + 3. Select the following check-boxes: + + - Enable Response Signing + + - Enable Single Logout + + - Enable Attribute Profile + + - Include Attributes in the Response Always + + 4. Click **Register** to save the changes. + + ![](../../assets/img/48290733/103332432.png) + + 5. Now you will be sent back to the **Service Providers** page. + + 1. 
Navigate to the **Local and Outbound Authentication + Configuration** section. + + 2. Select the identity provider you created from the dropdown + list under **Federated Authentication**. + + 3. Ensure that the **Federated Authentication** radio button is + selected and click **Update** to save the changes. + +You have now added and configured the service provider. + +### Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/ travelocity.com/index.jsp ` + E.g., + +2. Click “Login with SAML” to log in with SAML from the WSO2 Identity + Server. + + ![](../../assets/img/48290733/76747730.png) + +3. Enter your Yammer credentials in the prompted login page to login. + Once you log in successfully you will be taken to the home page of + the [travelocity.com](http://travelocity.com) app. + + ![](../../assets/img/48290733/76747748.png) \ No newline at end of file From 33ddf69c610b627d15784fdf1b3879b930b45090 Mon Sep 17 00:00:00 2001 From: gomathyK Date: Mon, 16 Sep 2019 19:45:28 +0530 Subject: [PATCH 2/2] add changes to amazon authenticator --- en/docs/develop/amazon-authenticator.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/en/docs/develop/amazon-authenticator.md b/en/docs/develop/amazon-authenticator.md index f679a4d80e..323900b2c4 100644 --- a/en/docs/develop/amazon-authenticator.md +++ b/en/docs/develop/amazon-authenticator.md @@ -74,8 +74,7 @@ app](../../connectors/deploying-the-sample-app). Now you must configure the WSO2 Identity Server by [adding a new identity -provider](../../using-wso2-identity-server/configuring-an-identity-provider) -. +provider](../../learn/adding-and-configuring-an-identity-provider). 1. Download the WSO2 Identity Server from [here](http://wso2.com/products/identity-server/) and [run 
@@ -88,8 +87,7 @@ provider](../../using-wso2-identity-server/configuring-an-identity-provider) 4. Give a suitable name for **Identity Provider Name** (e.g., Amazon) and click **Register**. -5. Navigate to the **Amazon Configurations** under ****Federated - Authenticators**** +5. Navigate to the **Amazon Configurations** under **Federated Authenticators** - In IS 5.1.0 or 5.2.0, go to **AmazonAuthenticator Configuration** under **Federated Authenticators**. - In IS 5.3.0, go to **Amazon Configuration** under **Federated @@ -164,7 +162,7 @@ The next step is to configure the service provider. 8. Configure the Local and Outbound Authentication for Amazon. For more information, see [Configuring Local and Outbound Authentication for a Service - Provider](../../using-wso2-identity-server/configuring-local-and-outbound-authentication-for-a-service-provider). + Provider](../../learn/configuring-local-and-outbound-authentication-for-a-service-provider). 1. Click on the **Federated Authentication** radio button. @@ -220,7 +218,7 @@ Add a new claim mapping for various user attributes related to Amazon. !!! info For more information, see [Adding Claim - Mapping](../../using-wso2-identity-server/adding-claim-mapping). + Mapping](../../learn/adding-claim-mapping). 1. Sign in to the [Management Console](../../setup/getting-started-with-the-management-console)
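Review bot: In the yammer-authenticator hunk (`@@ -1,18 +1,171 @@`), the Sample Value entries for **Client ID** and **Client Secret** in the identity provider table look like real credentials issued by Yammer rather than placeholders; replace them with obvious dummies such as `<client-id>` and `<client-secret>` so a working secret is not committed to the docs. In the same hunk, step 2 of "Configuring the Yammer App" ("Register a new application in .") has lost its URL, the **Assertion Consumer URL** item and the "E.g.," line under Testing are blank, and the test URL `` ` http://:/ travelocity.com/index.jsp ` `` has a stray space before `travelocity.com`. Also fix `wasgenerated` (twice), and note that this page says "Click **Register** to save the changes" for the SAML configuration where the X509 page in the same patch says **Update**.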
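Review bot: In the amazon-authenticator `@@ -74,8 +74,7 @@` hunk, the context line still links to `../../connectors/deploying-the-sample-app` while this patch retargets the page's other links to `../../learn/...` and the Yammer page uses `../../develop/deploying-the-sample-app`; confirm the `connectors` path still exists or retarget it in the same commit. The `@@ -88`, `@@ -164` and `@@ -220` hunks only retarget links and collapse the doubled `****Federated Authenticators****` markup, which looks right.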