diff --git a/en/docs/assets/img/tutorials/action-name.png b/en/docs/assets/img/tutorials/action-name.png
new file mode 100644
index 0000000000..756fbd6e47
Binary files /dev/null and b/en/docs/assets/img/tutorials/action-name.png differ
diff --git a/en/docs/assets/img/tutorials/action-read-and-write.png b/en/docs/assets/img/tutorials/action-read-and-write.png
new file mode 100644
index 0000000000..a65c27b0c6
Binary files /dev/null and b/en/docs/assets/img/tutorials/action-read-and-write.png differ
diff --git a/en/docs/assets/img/tutorials/add-authenticator.png b/en/docs/assets/img/tutorials/add-authenticator.png
new file mode 100755
index 0000000000..9d591b87b1
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-authenticator.png differ
diff --git a/en/docs/assets/img/tutorials/add-claim-mapping-for-facebook.png b/en/docs/assets/img/tutorials/add-claim-mapping-for-facebook.png
new file mode 100755
index 0000000000..842383efc3
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-claim-mapping-for-facebook.png differ
diff --git a/en/docs/assets/img/tutorials/add-local-claim.png b/en/docs/assets/img/tutorials/add-local-claim.png
new file mode 100755
index 0000000000..d525a3c2b4
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-local-claim.png differ
diff --git a/en/docs/assets/img/tutorials/add-new-policy.png b/en/docs/assets/img/tutorials/add-new-policy.png
new file mode 100755
index 0000000000..b463f3293d
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-new-policy.png differ
diff --git a/en/docs/assets/img/tutorials/add-new-trusted-service.png b/en/docs/assets/img/tutorials/add-new-trusted-service.png
new file mode 100755
index 0000000000..e5deb482fb
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-new-trusted-service.png differ
diff --git a/en/docs/assets/img/tutorials/add-requested-claims.png b/en/docs/assets/img/tutorials/add-requested-claims.png
new file mode 100755
index 0000000000..57c4c7e483
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-requested-claims.png differ
diff --git a/en/docs/assets/img/tutorials/add-service-provider.png b/en/docs/assets/img/tutorials/add-service-provider.png
new file mode 100755
index 0000000000..dfc61406fc
Binary files /dev/null and b/en/docs/assets/img/tutorials/add-service-provider.png differ
diff --git a/en/docs/assets/img/tutorials/adding-an-identity-provider.png b/en/docs/assets/img/tutorials/adding-an-identity-provider.png
new file mode 100755
index 0000000000..9a4e0cdd35
Binary files /dev/null and b/en/docs/assets/img/tutorials/adding-an-identity-provider.png differ
diff --git a/en/docs/assets/img/tutorials/adding-claims.png b/en/docs/assets/img/tutorials/adding-claims.png
new file mode 100755
index 0000000000..6d37b29cea
Binary files /dev/null and b/en/docs/assets/img/tutorials/adding-claims.png differ
diff --git a/en/docs/assets/img/tutorials/adding-wso2-is-url-ie-chrome.png b/en/docs/assets/img/tutorials/adding-wso2-is-url-ie-chrome.png
new file mode 100755
index 0000000000..ae93aac272
Binary files /dev/null and b/en/docs/assets/img/tutorials/adding-wso2-is-url-ie-chrome.png differ
diff --git a/en/docs/assets/img/tutorials/adding-wso2-is-url.png b/en/docs/assets/img/tutorials/adding-wso2-is-url.png
new file mode 100755
index 0000000000..f4c980abbe
Binary files /dev/null and b/en/docs/assets/img/tutorials/adding-wso2-is-url.png differ
diff --git a/en/docs/assets/img/tutorials/allow-to-use-back-up-codes.png b/en/docs/assets/img/tutorials/allow-to-use-back-up-codes.png
new file mode 100755
index 0000000000..4bd8c1c9a4
Binary files /dev/null and b/en/docs/assets/img/tutorials/allow-to-use-back-up-codes.png differ
diff --git a/en/docs/assets/img/tutorials/app-id-app-secret.png b/en/docs/assets/img/tutorials/app-id-app-secret.png
new file mode 100755
index 0000000000..881e908ec4
Binary files /dev/null and b/en/docs/assets/img/tutorials/app-id-app-secret.png differ
diff --git a/en/docs/assets/img/tutorials/attribute-role.png b/en/docs/assets/img/tutorials/attribute-role.png
new file mode 100644
index 0000000000..6f7ac52c58
Binary files /dev/null and b/en/docs/assets/img/tutorials/attribute-role.png differ
diff --git a/en/docs/assets/img/tutorials/authenticating-using-enterprise-userstore-and-shibolethidp.png b/en/docs/assets/img/tutorials/authenticating-using-enterprise-userstore-and-shibolethidp.png
new file mode 100755
index 0000000000..917f6bf016
Binary files /dev/null and b/en/docs/assets/img/tutorials/authenticating-using-enterprise-userstore-and-shibolethidp.png differ
diff --git a/en/docs/assets/img/tutorials/authenticating-with-sms-otp.jpeg b/en/docs/assets/img/tutorials/authenticating-with-sms-otp.jpeg
new file mode 100755
index 0000000000..1c51c15c85
Binary files /dev/null and b/en/docs/assets/img/tutorials/authenticating-with-sms-otp.jpeg differ
diff --git a/en/docs/assets/img/tutorials/authorization-code.png b/en/docs/assets/img/tutorials/authorization-code.png
new file mode 100755
index 0000000000..ef4a7110b7
Binary files /dev/null and b/en/docs/assets/img/tutorials/authorization-code.png differ
diff --git a/en/docs/assets/img/tutorials/authorize-redirect-uris.png b/en/docs/assets/img/tutorials/authorize-redirect-uris.png
new file mode 100755
index 0000000000..b8750e5b9c
Binary files /dev/null and b/en/docs/assets/img/tutorials/authorize-redirect-uris.png differ
diff --git a/en/docs/assets/img/tutorials/available-entitlement-policies.png b/en/docs/assets/img/tutorials/available-entitlement-policies.png
new file mode 100755
index 0000000000..8a9d1baa32
Binary files /dev/null and b/en/docs/assets/img/tutorials/available-entitlement-policies.png differ
diff --git a/en/docs/assets/img/tutorials/basic-authentication-credentials.png b/en/docs/assets/img/tutorials/basic-authentication-credentials.png
new file mode 100755
index 0000000000..7eb14cf13c
Binary files /dev/null and b/en/docs/assets/img/tutorials/basic-authentication-credentials.png differ
diff --git a/en/docs/assets/img/tutorials/basic-authentication-page.jpeg b/en/docs/assets/img/tutorials/basic-authentication-page.jpeg
new file mode 100755
index 0000000000..d60edcddb0
Binary files /dev/null and b/en/docs/assets/img/tutorials/basic-authentication-page.jpeg differ
diff --git a/en/docs/assets/img/tutorials/basic-policy-resource-names.png b/en/docs/assets/img/tutorials/basic-policy-resource-names.png
new file mode 100644
index 0000000000..78586ea709
Binary files /dev/null and b/en/docs/assets/img/tutorials/basic-policy-resource-names.png differ
diff --git a/en/docs/assets/img/tutorials/check-policy-list.png b/en/docs/assets/img/tutorials/check-policy-list.png
new file mode 100755
index 0000000000..46414bc319
Binary files /dev/null and b/en/docs/assets/img/tutorials/check-policy-list.png differ
diff --git a/en/docs/assets/img/tutorials/checking-the-status-policy.png b/en/docs/assets/img/tutorials/checking-the-status-policy.png
new file mode 100755
index 0000000000..718b139e94
Binary files /dev/null and b/en/docs/assets/img/tutorials/checking-the-status-policy.png differ
diff --git a/en/docs/assets/img/tutorials/claim-configuration.png b/en/docs/assets/img/tutorials/claim-configuration.png
new file mode 100755
index 0000000000..acf755798c
Binary files /dev/null and b/en/docs/assets/img/tutorials/claim-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/clear-decision-cache.png b/en/docs/assets/img/tutorials/clear-decision-cache.png
new file mode 100755
index 0000000000..6336868592
Binary files /dev/null and b/en/docs/assets/img/tutorials/clear-decision-cache.png differ
diff --git a/en/docs/assets/img/tutorials/client-id-client-secret.png b/en/docs/assets/img/tutorials/client-id-client-secret.png
new file mode 100755
index 0000000000..f50e15ed0d
Binary files /dev/null and b/en/docs/assets/img/tutorials/client-id-client-secret.png differ
diff --git a/en/docs/assets/img/tutorials/client-oauth-setting.png b/en/docs/assets/img/tutorials/client-oauth-setting.png
new file mode 100755
index 0000000000..6e9ffacddc
Binary files /dev/null and b/en/docs/assets/img/tutorials/client-oauth-setting.png differ
diff --git a/en/docs/assets/img/tutorials/configure-consent-screen.png b/en/docs/assets/img/tutorials/configure-consent-screen.png
new file mode 100755
index 0000000000..9f631952a2
Binary files /dev/null and b/en/docs/assets/img/tutorials/configure-consent-screen.png differ
diff --git a/en/docs/assets/img/tutorials/configure-shibboleth-as-a-federated-authenticator.png b/en/docs/assets/img/tutorials/configure-shibboleth-as-a-federated-authenticator.png
new file mode 100755
index 0000000000..760e0b7915
Binary files /dev/null and b/en/docs/assets/img/tutorials/configure-shibboleth-as-a-federated-authenticator.png differ
diff --git a/en/docs/assets/img/tutorials/configuring-claims.png b/en/docs/assets/img/tutorials/configuring-claims.png
new file mode 100755
index 0000000000..220ff9a878
Binary files /dev/null and b/en/docs/assets/img/tutorials/configuring-claims.png differ
diff --git a/en/docs/assets/img/tutorials/configuring-firefox-for-kerberos.png b/en/docs/assets/img/tutorials/configuring-firefox-for-kerberos.png
new file mode 100755
index 0000000000..f630545961
Binary files /dev/null and b/en/docs/assets/img/tutorials/configuring-firefox-for-kerberos.png differ
diff --git a/en/docs/assets/img/tutorials/configuring-internet-explorer-chrome.png b/en/docs/assets/img/tutorials/configuring-internet-explorer-chrome.png
new file mode 100755
index 0000000000..105f15d842
Binary files /dev/null and b/en/docs/assets/img/tutorials/configuring-internet-explorer-chrome.png differ
diff --git a/en/docs/assets/img/tutorials/configuring-simple-saml-php.png b/en/docs/assets/img/tutorials/configuring-simple-saml-php.png
new file mode 100755
index 0000000000..dd7bacefa6
Binary files /dev/null and b/en/docs/assets/img/tutorials/configuring-simple-saml-php.png differ
diff --git a/en/docs/assets/img/tutorials/configuring-sp-fields.png b/en/docs/assets/img/tutorials/configuring-sp-fields.png
new file mode 100755
index 0000000000..ce97099ea1
Binary files /dev/null and b/en/docs/assets/img/tutorials/configuring-sp-fields.png differ
diff --git a/en/docs/assets/img/tutorials/configuring-the-service-provider.png b/en/docs/assets/img/tutorials/configuring-the-service-provider.png
new file mode 100755
index 0000000000..71364acb70
Binary files /dev/null and b/en/docs/assets/img/tutorials/configuring-the-service-provider.png differ
diff --git a/en/docs/assets/img/tutorials/console-email-address.png b/en/docs/assets/img/tutorials/console-email-address.png
new file mode 100755
index 0000000000..bae86aed6f
Binary files /dev/null and b/en/docs/assets/img/tutorials/console-email-address.png differ
diff --git a/en/docs/assets/img/tutorials/console-user-profile.png b/en/docs/assets/img/tutorials/console-user-profile.png
new file mode 100755
index 0000000000..2e649310ef
Binary files /dev/null and b/en/docs/assets/img/tutorials/console-user-profile.png differ
diff --git a/en/docs/assets/img/tutorials/console-users-options.png b/en/docs/assets/img/tutorials/console-users-options.png
new file mode 100755
index 0000000000..fa20878f4f
Binary files /dev/null and b/en/docs/assets/img/tutorials/console-users-options.png differ
diff --git a/en/docs/assets/img/tutorials/create-app-facebook.png b/en/docs/assets/img/tutorials/create-app-facebook.png
new file mode 100755
index 0000000000..b81af318d1
Binary files /dev/null and b/en/docs/assets/img/tutorials/create-app-facebook.png differ
diff --git a/en/docs/assets/img/tutorials/create-app-id.png b/en/docs/assets/img/tutorials/create-app-id.png
new file mode 100755
index 0000000000..e77da9f16c
Binary files /dev/null and b/en/docs/assets/img/tutorials/create-app-id.png differ
diff --git a/en/docs/assets/img/tutorials/create-client-id.png b/en/docs/assets/img/tutorials/create-client-id.png
new file mode 100644
index 0000000000..af0e2a4af1
Binary files /dev/null and b/en/docs/assets/img/tutorials/create-client-id.png differ
diff --git a/en/docs/assets/img/tutorials/create-request-using-editor.png b/en/docs/assets/img/tutorials/create-request-using-editor.png
new file mode 100755
index 0000000000..4463693caf
Binary files /dev/null and b/en/docs/assets/img/tutorials/create-request-using-editor.png differ
diff --git a/en/docs/assets/img/tutorials/create-xacml-policy-in-standard-policy-editor.png b/en/docs/assets/img/tutorials/create-xacml-policy-in-standard-policy-editor.png
new file mode 100755
index 0000000000..a3ba856d06
Binary files /dev/null and b/en/docs/assets/img/tutorials/create-xacml-policy-in-standard-policy-editor.png differ
diff --git a/en/docs/assets/img/tutorials/create-xacml-policy.png b/en/docs/assets/img/tutorials/create-xacml-policy.png
new file mode 100755
index 0000000000..adb7f73cba
Binary files /dev/null and b/en/docs/assets/img/tutorials/create-xacml-policy.png differ
diff --git a/en/docs/assets/img/tutorials/created-policy-in-policy-list.png b/en/docs/assets/img/tutorials/created-policy-in-policy-list.png
new file mode 100755
index 0000000000..31765a8728
Binary files /dev/null and b/en/docs/assets/img/tutorials/created-policy-in-policy-list.png differ
diff --git a/en/docs/assets/img/tutorials/creating-the-second-authentication.jpeg b/en/docs/assets/img/tutorials/creating-the-second-authentication.jpeg
new file mode 100755
index 0000000000..194f5da92f
Binary files /dev/null and b/en/docs/assets/img/tutorials/creating-the-second-authentication.jpeg differ
diff --git a/en/docs/assets/img/tutorials/custom-claim-mapping.png b/en/docs/assets/img/tutorials/custom-claim-mapping.png
new file mode 100755
index 0000000000..6e420b7672
Binary files /dev/null and b/en/docs/assets/img/tutorials/custom-claim-mapping.png differ
diff --git a/en/docs/assets/img/tutorials/define-a-policy-obligation.png b/en/docs/assets/img/tutorials/define-a-policy-obligation.png
new file mode 100755
index 0000000000..ba7fd0e111
Binary files /dev/null and b/en/docs/assets/img/tutorials/define-a-policy-obligation.png differ
diff --git a/en/docs/assets/img/tutorials/define-backup-codes.png b/en/docs/assets/img/tutorials/define-backup-codes.png
new file mode 100755
index 0000000000..42d66b7fc4
Binary files /dev/null and b/en/docs/assets/img/tutorials/define-backup-codes.png differ
diff --git a/en/docs/assets/img/tutorials/define-entitlement-rules.png b/en/docs/assets/img/tutorials/define-entitlement-rules.png
new file mode 100644
index 0000000000..1c12bffa46
Binary files /dev/null and b/en/docs/assets/img/tutorials/define-entitlement-rules.png differ
diff --git a/en/docs/assets/img/tutorials/define-entitlement.png b/en/docs/assets/img/tutorials/define-entitlement.png
new file mode 100644
index 0000000000..ff54754238
Binary files /dev/null and b/en/docs/assets/img/tutorials/define-entitlement.png differ
diff --git a/en/docs/assets/img/tutorials/delete-from-pdp.png b/en/docs/assets/img/tutorials/delete-from-pdp.png
new file mode 100755
index 0000000000..42b9ea2409
Binary files /dev/null and b/en/docs/assets/img/tutorials/delete-from-pdp.png differ
diff --git a/en/docs/assets/img/tutorials/deny-rule.png b/en/docs/assets/img/tutorials/deny-rule.png
new file mode 100644
index 0000000000..f4c870a829
Binary files /dev/null and b/en/docs/assets/img/tutorials/deny-rule.png differ
diff --git a/en/docs/assets/img/tutorials/disable-policy.png b/en/docs/assets/img/tutorials/disable-policy.png
new file mode 100755
index 0000000000..788afe0144
Binary files /dev/null and b/en/docs/assets/img/tutorials/disable-policy.png differ
diff --git a/en/docs/assets/img/tutorials/edit-service-provider.png b/en/docs/assets/img/tutorials/edit-service-provider.png
new file mode 100755
index 0000000000..ce97099ea1
Binary files /dev/null and b/en/docs/assets/img/tutorials/edit-service-provider.png differ
diff --git a/en/docs/assets/img/tutorials/edit-the-order-of-the-policy.png b/en/docs/assets/img/tutorials/edit-the-order-of-the-policy.png
new file mode 100755
index 0000000000..6a257f2fc4
Binary files /dev/null and b/en/docs/assets/img/tutorials/edit-the-order-of-the-policy.png differ
diff --git a/en/docs/assets/img/tutorials/edit-xacml-policy.png b/en/docs/assets/img/tutorials/edit-xacml-policy.png
new file mode 100644
index 0000000000..6b9510f07c
Binary files /dev/null and b/en/docs/assets/img/tutorials/edit-xacml-policy.png differ
diff --git a/en/docs/assets/img/tutorials/edit-xml-policy-editor.png b/en/docs/assets/img/tutorials/edit-xml-policy-editor.png
new file mode 100755
index 0000000000..3b15418e81
Binary files /dev/null and b/en/docs/assets/img/tutorials/edit-xml-policy-editor.png differ
diff --git a/en/docs/assets/img/tutorials/email-otp-authenticating.png b/en/docs/assets/img/tutorials/email-otp-authenticating.png
new file mode 100755
index 0000000000..b4f12ef512
Binary files /dev/null and b/en/docs/assets/img/tutorials/email-otp-authenticating.png differ
diff --git a/en/docs/assets/img/tutorials/enable-authorization.png b/en/docs/assets/img/tutorials/enable-authorization.png
new file mode 100755
index 0000000000..deaaf8b607
Binary files /dev/null and b/en/docs/assets/img/tutorials/enable-authorization.png differ
diff --git a/en/docs/assets/img/tutorials/enable-or-disable-policy.png b/en/docs/assets/img/tutorials/enable-or-disable-policy.png
new file mode 100755
index 0000000000..b9eded5d2b
Binary files /dev/null and b/en/docs/assets/img/tutorials/enable-or-disable-policy.png differ
diff --git a/en/docs/assets/img/tutorials/enable-policy.png b/en/docs/assets/img/tutorials/enable-policy.png
new file mode 100755
index 0000000000..9355b93f0a
Binary files /dev/null and b/en/docs/assets/img/tutorials/enable-policy.png differ
diff --git a/en/docs/assets/img/tutorials/enable-security.png b/en/docs/assets/img/tutorials/enable-security.png
new file mode 100755
index 0000000000..11dad9a43b
Binary files /dev/null and b/en/docs/assets/img/tutorials/enable-security.png differ
diff --git a/en/docs/assets/img/tutorials/enter-site-url.png b/en/docs/assets/img/tutorials/enter-site-url.png
new file mode 100755
index 0000000000..a3596d03da
Binary files /dev/null and b/en/docs/assets/img/tutorials/enter-site-url.png differ
diff --git a/en/docs/assets/img/tutorials/facebook-configuration.png b/en/docs/assets/img/tutorials/facebook-configuration.png
new file mode 100755
index 0000000000..71e4cdfa4d
Binary files /dev/null and b/en/docs/assets/img/tutorials/facebook-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/fb-app-on-dashboard.png b/en/docs/assets/img/tutorials/fb-app-on-dashboard.png
new file mode 100755
index 0000000000..881e908ec4
Binary files /dev/null and b/en/docs/assets/img/tutorials/fb-app-on-dashboard.png differ
diff --git a/en/docs/assets/img/tutorials/federated-authentication.png b/en/docs/assets/img/tutorials/federated-authentication.png
new file mode 100755
index 0000000000..eedebac7a8
Binary files /dev/null and b/en/docs/assets/img/tutorials/federated-authentication.png differ
diff --git a/en/docs/assets/img/tutorials/federated-authenticators-in-saml2-sso-config.png b/en/docs/assets/img/tutorials/federated-authenticators-in-saml2-sso-config.png
new file mode 100755
index 0000000000..4ba2a4b79d
Binary files /dev/null and b/en/docs/assets/img/tutorials/federated-authenticators-in-saml2-sso-config.png differ
diff --git a/en/docs/assets/img/tutorials/federated-authenticators.png b/en/docs/assets/img/tutorials/federated-authenticators.png
new file mode 100755
index 0000000000..d4523a41b2
Binary files /dev/null and b/en/docs/assets/img/tutorials/federated-authenticators.png differ
diff --git a/en/docs/assets/img/tutorials/filling-claim-fields.png b/en/docs/assets/img/tutorials/filling-claim-fields.png
new file mode 100755
index 0000000000..a3eab11546
Binary files /dev/null and b/en/docs/assets/img/tutorials/filling-claim-fields.png differ
diff --git a/en/docs/assets/img/tutorials/fine-grained-access-control-policy.png b/en/docs/assets/img/tutorials/fine-grained-access-control-policy.png
new file mode 100755
index 0000000000..89eeeaa0d5
Binary files /dev/null and b/en/docs/assets/img/tutorials/fine-grained-access-control-policy.png differ
diff --git a/en/docs/assets/img/tutorials/google-app.png b/en/docs/assets/img/tutorials/google-app.png
new file mode 100755
index 0000000000..3e2b0d543b
Binary files /dev/null and b/en/docs/assets/img/tutorials/google-app.png differ
diff --git a/en/docs/assets/img/tutorials/google-configuration.png b/en/docs/assets/img/tutorials/google-configuration.png
new file mode 100755
index 0000000000..0279b26fb2
Binary files /dev/null and b/en/docs/assets/img/tutorials/google-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/id-secret-for-facebook.png b/en/docs/assets/img/tutorials/id-secret-for-facebook.png
new file mode 100755
index 0000000000..881e908ec4
Binary files /dev/null and b/en/docs/assets/img/tutorials/id-secret-for-facebook.png differ
diff --git a/en/docs/assets/img/tutorials/identity-provider-in-federated-authentication.png b/en/docs/assets/img/tutorials/identity-provider-in-federated-authentication.png
new file mode 100755
index 0000000000..d0a8e533cc
Binary files /dev/null and b/en/docs/assets/img/tutorials/identity-provider-in-federated-authentication.png differ
diff --git a/en/docs/assets/img/tutorials/identity-provider-name.png b/en/docs/assets/img/tutorials/identity-provider-name.png
new file mode 100755
index 0000000000..e74a717269
Binary files /dev/null and b/en/docs/assets/img/tutorials/identity-provider-name.png differ
diff --git a/en/docs/assets/img/tutorials/import-existing-policy.png b/en/docs/assets/img/tutorials/import-existing-policy.png
new file mode 100755
index 0000000000..1a83cf368d
Binary files /dev/null and b/en/docs/assets/img/tutorials/import-existing-policy.png differ
diff --git a/en/docs/assets/img/tutorials/import-metadata-file.png b/en/docs/assets/img/tutorials/import-metadata-file.png
new file mode 100755
index 0000000000..7c877922b2
Binary files /dev/null and b/en/docs/assets/img/tutorials/import-metadata-file.png differ
diff --git a/en/docs/assets/img/tutorials/inbound-authentication-protocol.png b/en/docs/assets/img/tutorials/inbound-authentication-protocol.png
new file mode 100755
index 0000000000..380de0e7e5
Binary files /dev/null and b/en/docs/assets/img/tutorials/inbound-authentication-protocol.png differ
diff --git a/en/docs/assets/img/tutorials/inbound-provisioning-config.png b/en/docs/assets/img/tutorials/inbound-provisioning-config.png
new file mode 100755
index 0000000000..b7f8167661
Binary files /dev/null and b/en/docs/assets/img/tutorials/inbound-provisioning-config.png differ
diff --git a/en/docs/assets/img/tutorials/iwa-as-a-federated-authenticator.png b/en/docs/assets/img/tutorials/iwa-as-a-federated-authenticator.png
new file mode 100755
index 0000000000..2bdbd069e9
Binary files /dev/null and b/en/docs/assets/img/tutorials/iwa-as-a-federated-authenticator.png differ
diff --git a/en/docs/assets/img/tutorials/iwa-as-a-local-authenticator.png b/en/docs/assets/img/tutorials/iwa-as-a-local-authenticator.png
new file mode 100755
index 0000000000..f76b5cc8a7
Binary files /dev/null and b/en/docs/assets/img/tutorials/iwa-as-a-local-authenticator.png differ
diff --git a/en/docs/assets/img/tutorials/iwa-with-kerberos.png b/en/docs/assets/img/tutorials/iwa-with-kerberos.png
new file mode 100755
index 0000000000..543105bcfc
Binary files /dev/null and b/en/docs/assets/img/tutorials/iwa-with-kerberos.png differ
diff --git a/en/docs/assets/img/tutorials/iwa-wso2.png b/en/docs/assets/img/tutorials/iwa-wso2.png
new file mode 100755
index 0000000000..5411c9ac6b
Binary files /dev/null and b/en/docs/assets/img/tutorials/iwa-wso2.png differ
diff --git a/en/docs/assets/img/tutorials/login-page-with-multioption-authentication.png b/en/docs/assets/img/tutorials/login-page-with-multioption-authentication.png
new file mode 100755
index 0000000000..50bdda5acc
Binary files /dev/null and b/en/docs/assets/img/tutorials/login-page-with-multioption-authentication.png differ
diff --git a/en/docs/assets/img/tutorials/main-tab-resident.png b/en/docs/assets/img/tutorials/main-tab-resident.png
new file mode 100755
index 0000000000..1dd99b3c8b
Binary files /dev/null and b/en/docs/assets/img/tutorials/main-tab-resident.png differ
diff --git a/en/docs/assets/img/tutorials/management-console.png b/en/docs/assets/img/tutorials/management-console.png
new file mode 100755
index 0000000000..a898dcc82f
Binary files /dev/null and b/en/docs/assets/img/tutorials/management-console.png differ
diff --git a/en/docs/assets/img/tutorials/managing-a-xacml-policy-version.png b/en/docs/assets/img/tutorials/managing-a-xacml-policy-version.png
new file mode 100755
index 0000000000..a42d0296ee
Binary files /dev/null and b/en/docs/assets/img/tutorials/managing-a-xacml-policy-version.png differ
diff --git a/en/docs/assets/img/tutorials/managing-enterprise-customers-in-wso2-is.png b/en/docs/assets/img/tutorials/managing-enterprise-customers-in-wso2-is.png
new file mode 100755
index 0000000000..1e9f566e02
Binary files /dev/null and b/en/docs/assets/img/tutorials/managing-enterprise-customers-in-wso2-is.png differ
diff --git a/en/docs/assets/img/tutorials/manual-configuration.png b/en/docs/assets/img/tutorials/manual-configuration.png
new file mode 100755
index 0000000000..3b7cefe2fd
Binary files /dev/null and b/en/docs/assets/img/tutorials/manual-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/metadata-file-configuration.png b/en/docs/assets/img/tutorials/metadata-file-configuration.png
new file mode 100755
index 0000000000..9fef5da67f
Binary files /dev/null and b/en/docs/assets/img/tutorials/metadata-file-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/microsoft-configuration.png b/en/docs/assets/img/tutorials/microsoft-configuration.png
new file mode 100755
index 0000000000..ec2d0d1b20
Binary files /dev/null and b/en/docs/assets/img/tutorials/microsoft-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/mobile-number-claim.png b/en/docs/assets/img/tutorials/mobile-number-claim.png
new file mode 100755
index 0000000000..77115b5910
Binary files /dev/null and b/en/docs/assets/img/tutorials/mobile-number-claim.png differ
diff --git a/en/docs/assets/img/tutorials/multiple-options-for-authentication.png b/en/docs/assets/img/tutorials/multiple-options-for-authentication.png
new file mode 100755
index 0000000000..587810300a
Binary files /dev/null and b/en/docs/assets/img/tutorials/multiple-options-for-authentication.png differ
diff --git a/en/docs/assets/img/tutorials/name-the-identity-provider.png b/en/docs/assets/img/tutorials/name-the-identity-provider.png
new file mode 100755
index 0000000000..0a6fa6dd9d
Binary files /dev/null and b/en/docs/assets/img/tutorials/name-the-identity-provider.png differ
diff --git a/en/docs/assets/img/tutorials/name-the-service-provider.png b/en/docs/assets/img/tutorials/name-the-service-provider.png
new file mode 100755
index 0000000000..e576d5a131
Binary files /dev/null and b/en/docs/assets/img/tutorials/name-the-service-provider.png differ
diff --git a/en/docs/assets/img/tutorials/nameid-format-list.png b/en/docs/assets/img/tutorials/nameid-format-list.png
new file mode 100755
index 0000000000..beda77381d
Binary files /dev/null and b/en/docs/assets/img/tutorials/nameid-format-list.png differ
diff --git a/en/docs/assets/img/tutorials/new-entitlement-policy.png b/en/docs/assets/img/tutorials/new-entitlement-policy.png
new file mode 100755
index 0000000000..34347424ac
Binary files /dev/null and b/en/docs/assets/img/tutorials/new-entitlement-policy.png differ
diff --git a/en/docs/assets/img/tutorials/nexmo-config.png b/en/docs/assets/img/tutorials/nexmo-config.png
new file mode 100755
index 0000000000..b5f96aa621
Binary files /dev/null and b/en/docs/assets/img/tutorials/nexmo-config.png differ
diff --git a/en/docs/assets/img/tutorials/oauth-client-id.png b/en/docs/assets/img/tutorials/oauth-client-id.png
new file mode 100755
index 0000000000..b84c5d1500
Binary files /dev/null and b/en/docs/assets/img/tutorials/oauth-client-id.png differ
diff --git a/en/docs/assets/img/tutorials/oauth2-access-refresh.png b/en/docs/assets/img/tutorials/oauth2-access-refresh.png
new file mode 100755
index 0000000000..4dfae0204a
Binary files /dev/null and b/en/docs/assets/img/tutorials/oauth2-access-refresh.png differ
diff --git a/en/docs/assets/img/tutorials/oauth2-openid-connect-config.png b/en/docs/assets/img/tutorials/oauth2-openid-connect-config.png
new file mode 100755
index 0000000000..094986877e
Binary files /dev/null and b/en/docs/assets/img/tutorials/oauth2-openid-connect-config.png differ
diff --git a/en/docs/assets/img/tutorials/oauth2-openid-connect-configuration.png b/en/docs/assets/img/tutorials/oauth2-openid-connect-configuration.png
new file mode 100755
index 0000000000..65d6721067
Binary files /dev/null and b/en/docs/assets/img/tutorials/oauth2-openid-connect-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/policy-administration.png b/en/docs/assets/img/tutorials/policy-administration.png
new file mode 100755
index 0000000000..4c300c2735
Binary files /dev/null and b/en/docs/assets/img/tutorials/policy-administration.png differ
diff --git a/en/docs/assets/img/tutorials/policy-decision-point.png b/en/docs/assets/img/tutorials/policy-decision-point.png
new file mode 100755
index 0000000000..1347b4f805
Binary files /dev/null and b/en/docs/assets/img/tutorials/policy-decision-point.png differ
diff --git a/en/docs/assets/img/tutorials/policy-editor.png b/en/docs/assets/img/tutorials/policy-editor.png
new file mode 100755
index 0000000000..c92596a2ae
Binary files /dev/null and b/en/docs/assets/img/tutorials/policy-editor.png differ
diff --git a/en/docs/assets/img/tutorials/policy-life-cycle.png b/en/docs/assets/img/tutorials/policy-life-cycle.png
new file mode 100755
index 0000000000..974d21016f
Binary files /dev/null and b/en/docs/assets/img/tutorials/policy-life-cycle.png differ
diff --git a/en/docs/assets/img/tutorials/policy-set-editor.png b/en/docs/assets/img/tutorials/policy-set-editor.png
new file mode 100755
index 0000000000..59f61be6d7
Binary files /dev/null and b/en/docs/assets/img/tutorials/policy-set-editor.png differ
diff --git a/en/docs/assets/img/tutorials/policy-status-type.png b/en/docs/assets/img/tutorials/policy-status-type.png
new file mode 100755
index 0000000000..2221759882
Binary files /dev/null and b/en/docs/assets/img/tutorials/policy-status-type.png differ
diff --git a/en/docs/assets/img/tutorials/publish-policy.png b/en/docs/assets/img/tutorials/publish-policy.png
new file mode 100755
index 0000000000..1cca27be9d
Binary files /dev/null and b/en/docs/assets/img/tutorials/publish-policy.png differ
diff --git a/en/docs/assets/img/tutorials/publish-to-my-pdp.png b/en/docs/assets/img/tutorials/publish-to-my-pdp.png
new file mode 100755
index 0000000000..4ef4abb47b
Binary files /dev/null and b/en/docs/assets/img/tutorials/publish-to-my-pdp.png differ
diff --git a/en/docs/assets/img/tutorials/publish-to-pdp.png b/en/docs/assets/img/tutorials/publish-to-pdp.png
new file mode 100755
index 0000000000..18fc916361
Binary files /dev/null and b/en/docs/assets/img/tutorials/publish-to-pdp.png differ
diff --git a/en/docs/assets/img/tutorials/publishing-a-xacml-policy.png b/en/docs/assets/img/tutorials/publishing-a-xacml-policy.png
new file mode 100755
index 0000000000..4f64bdbe02
Binary files /dev/null and b/en/docs/assets/img/tutorials/publishing-a-xacml-policy.png differ
diff --git a/en/docs/assets/img/tutorials/register-oauth2.png b/en/docs/assets/img/tutorials/register-oauth2.png
new file mode 100755
index 0000000000..8cd3abec9b
Binary files /dev/null and b/en/docs/assets/img/tutorials/register-oauth2.png differ
diff --git a/en/docs/assets/img/tutorials/registering-an-identity-provider.png b/en/docs/assets/img/tutorials/registering-an-identity-provider.png
new file mode 100755
index 0000000000..af4023c48b
Binary files /dev/null and b/en/docs/assets/img/tutorials/registering-an-identity-provider.png differ
diff --git a/en/docs/assets/img/tutorials/registering-new-federated-idp.png b/en/docs/assets/img/tutorials/registering-new-federated-idp.png
new file mode 100644
index 0000000000..add49a1b3c
Binary files /dev/null and b/en/docs/assets/img/tutorials/registering-new-federated-idp.png differ
diff --git a/en/docs/assets/img/tutorials/remove-policy-from-pdp.png b/en/docs/assets/img/tutorials/remove-policy-from-pdp.png
new file mode 100755
index 0000000000..6b33f697bd
Binary files /dev/null and b/en/docs/assets/img/tutorials/remove-policy-from-pdp.png differ
diff --git a/en/docs/assets/img/tutorials/resident-identity-provider.png b/en/docs/assets/img/tutorials/resident-identity-provider.png
new file mode 100755
index 0000000000..f0b72f2659
Binary files /dev/null and b/en/docs/assets/img/tutorials/resident-identity-provider.png differ
diff --git a/en/docs/assets/img/tutorials/response-signing-attribute.png b/en/docs/assets/img/tutorials/response-signing-attribute.png
new file mode 100755
index 0000000000..f49f894daf
Binary files /dev/null and b/en/docs/assets/img/tutorials/response-signing-attribute.png differ
diff --git a/en/docs/assets/img/tutorials/saml2-web-sso-config.png b/en/docs/assets/img/tutorials/saml2-web-sso-config.png
new file mode 100755
index 0000000000..a3d721b90d
Binary files /dev/null and b/en/docs/assets/img/tutorials/saml2-web-sso-config.png differ
diff --git a/en/docs/assets/img/tutorials/saml2-web-sso-configuration.png b/en/docs/assets/img/tutorials/saml2-web-sso-configuration.png
new file mode 100755
index 0000000000..cb6eebbcbc
Binary files /dev/null and b/en/docs/assets/img/tutorials/saml2-web-sso-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/saml2-web-sso.png b/en/docs/assets/img/tutorials/saml2-web-sso.png
new file mode 100755
index 0000000000..8645b08491
Binary files /dev/null and b/en/docs/assets/img/tutorials/saml2-web-sso.png differ
diff --git a/en/docs/assets/img/tutorials/sample-policy-editor.png b/en/docs/assets/img/tutorials/sample-policy-editor.png
new file mode 100755
index 0000000000..86c52a1d29
Binary files /dev/null and b/en/docs/assets/img/tutorials/sample-policy-editor.png differ
diff --git a/en/docs/assets/img/tutorials/security-policy-scenarios.png b/en/docs/assets/img/tutorials/security-policy-scenarios.png
new file mode 100755
index 0000000000..97e9b31d31
Binary files /dev/null and b/en/docs/assets/img/tutorials/security-policy-scenarios.png differ
diff --git a/en/docs/assets/img/tutorials/security-token-service-config.png b/en/docs/assets/img/tutorials/security-token-service-config.png
new file mode 100755
index 0000000000..8e26daa035
Binary files /dev/null and b/en/docs/assets/img/tutorials/security-token-service-config.png differ
diff --git a/en/docs/assets/img/tutorials/select-attribute-values.png b/en/docs/assets/img/tutorials/select-attribute-values.png
new file mode 100644
index 0000000000..bd7e4a6f25
Binary files /dev/null and b/en/docs/assets/img/tutorials/select-attribute-values.png differ
diff --git a/en/docs/assets/img/tutorials/select-domain.png b/en/docs/assets/img/tutorials/select-domain.png
new file mode 100755
index 0000000000..834babc22d
Binary files /dev/null and b/en/docs/assets/img/tutorials/select-domain.png differ
diff --git a/en/docs/assets/img/tutorials/select-website-as-the-platform.png b/en/docs/assets/img/tutorials/select-website-as-the-platform.png
new file mode 100755
index 0000000000..42aeee1a61
Binary files /dev/null and b/en/docs/assets/img/tutorials/select-website-as-the-platform.png differ
diff --git a/en/docs/assets/img/tutorials/setup-facebook.png b/en/docs/assets/img/tutorials/setup-facebook.png
new file mode 100755
index 0000000000..ddcf338915
Binary files /dev/null and b/en/docs/assets/img/tutorials/setup-facebook.png differ
diff --git a/en/docs/assets/img/tutorials/simple-policy-editor-child-resource.png b/en/docs/assets/img/tutorials/simple-policy-editor-child-resource.png
new file mode 100755
index 0000000000..c08498f8d2
Binary files /dev/null and b/en/docs/assets/img/tutorials/simple-policy-editor-child-resource.png differ
diff --git a/en/docs/assets/img/tutorials/simple-policy-editor-edit-policy.png b/en/docs/assets/img/tutorials/simple-policy-editor-edit-policy.png
new file mode 100755
index 0000000000..264ae059c1
Binary files /dev/null and b/en/docs/assets/img/tutorials/simple-policy-editor-edit-policy.png differ
diff --git a/en/docs/assets/img/tutorials/status-policy-results.png b/en/docs/assets/img/tutorials/status-policy-results.png
new file mode 100755
index 0000000000..725ac38fcc
Binary files /dev/null and b/en/docs/assets/img/tutorials/status-policy-results.png differ
diff --git a/en/docs/assets/img/tutorials/sts-config.png b/en/docs/assets/img/tutorials/sts-config.png
new file mode 100755
index 0000000000..9342f45565
Binary files /dev/null and b/en/docs/assets/img/tutorials/sts-config.png differ
diff --git a/en/docs/assets/img/tutorials/subject-claim-uri.png b/en/docs/assets/img/tutorials/subject-claim-uri.png
new file mode 100755
index 0000000000..2589ccde11
Binary files /dev/null and b/en/docs/assets/img/tutorials/subject-claim-uri.png differ
diff --git a/en/docs/assets/img/tutorials/submit-fb-app-for-review.png b/en/docs/assets/img/tutorials/submit-fb-app-for-review.png
new file mode 100755
index 0000000000..c00cb58057
Binary files /dev/null and b/en/docs/assets/img/tutorials/submit-fb-app-for-review.png differ
diff --git a/en/docs/assets/img/tutorials/testing-the-sample.png b/en/docs/assets/img/tutorials/testing-the-sample.png
new file mode 100755
index 0000000000..f1616e2f22
Binary files /dev/null and b/en/docs/assets/img/tutorials/testing-the-sample.png differ
diff --git a/en/docs/assets/img/tutorials/testing-travelocity-sample.jpeg b/en/docs/assets/img/tutorials/testing-travelocity-sample.jpeg
new file mode 100755
index 0000000000..cf4cebc9bf
Binary files /dev/null and b/en/docs/assets/img/tutorials/testing-travelocity-sample.jpeg differ
diff --git a/en/docs/assets/img/tutorials/testing-travelocity.jpeg b/en/docs/assets/img/tutorials/testing-travelocity.jpeg
new file mode 100755
index 0000000000..cf4cebc9bf
Binary files /dev/null and b/en/docs/assets/img/tutorials/testing-travelocity.jpeg differ
diff --git a/en/docs/assets/img/tutorials/travelocity-home-page.jpeg b/en/docs/assets/img/tutorials/travelocity-home-page.jpeg
new file mode 100755
index 0000000000..cb1896d25b
Binary files /dev/null and b/en/docs/assets/img/tutorials/travelocity-home-page.jpeg differ
diff --git a/en/docs/assets/img/tutorials/travelocity-home.png b/en/docs/assets/img/tutorials/travelocity-home.png
new file mode 100755
index 0000000000..a714534589
Binary files /dev/null and b/en/docs/assets/img/tutorials/travelocity-home.png differ
diff --git a/en/docs/assets/img/tutorials/twitter-config-federated-auth.png b/en/docs/assets/img/tutorials/twitter-config-federated-auth.png
new file mode 100755
index 0000000000..c6f9c57f6f
Binary files /dev/null and b/en/docs/assets/img/tutorials/twitter-config-federated-auth.png differ
diff --git a/en/docs/assets/img/tutorials/upload-id-provider.png b/en/docs/assets/img/tutorials/upload-id-provider.png
new file mode 100755
index 0000000000..e0d0dd5da2
Binary files /dev/null and b/en/docs/assets/img/tutorials/upload-id-provider.png differ
diff --git a/en/docs/assets/img/tutorials/write-policy-in-xml.png b/en/docs/assets/img/tutorials/write-policy-in-xml.png
new file mode 100755
index 0000000000..f507036c18
Binary files /dev/null and b/en/docs/assets/img/tutorials/write-policy-in-xml.png differ
diff --git a/en/docs/assets/img/tutorials/writing-a-xacml-policy-using-a-policy-template.png b/en/docs/assets/img/tutorials/writing-a-xacml-policy-using-a-policy-template.png
new file mode 100755
index 0000000000..b0235bf914
Binary files /dev/null and b/en/docs/assets/img/tutorials/writing-a-xacml-policy-using-a-policy-template.png differ
diff --git a/en/docs/assets/img/tutorials/ws-federation-passive-configuration.png b/en/docs/assets/img/tutorials/ws-federation-passive-configuration.png
new file mode 100755
index 0000000000..62a1f33be9
Binary files /dev/null and b/en/docs/assets/img/tutorials/ws-federation-passive-configuration.png differ
diff --git a/en/docs/assets/img/tutorials/ws-federation-passive.png b/en/docs/assets/img/tutorials/ws-federation-passive.png
new file mode 100755
index 0000000000..a54224c6f4
Binary files /dev/null and b/en/docs/assets/img/tutorials/ws-federation-passive.png differ
diff --git a/en/docs/assets/img/tutorials/xacml-basic-policy.png b/en/docs/assets/img/tutorials/xacml-basic-policy.png
new file mode 100644
index 0000000000..5543d87699
Binary files /dev/null and b/en/docs/assets/img/tutorials/xacml-basic-policy.png differ
diff --git a/en/docs/assets/img/tutorials/xacml-scope-validator.png b/en/docs/assets/img/tutorials/xacml-scope-validator.png
new file mode 100755
index 0000000000..90d7a43783
Binary files /dev/null and b/en/docs/assets/img/tutorials/xacml-scope-validator.png differ
diff --git a/en/docs/assets/img/tutorials/yahoo-configuration.png b/en/docs/assets/img/tutorials/yahoo-configuration.png
new file mode 100755
index 0000000000..fd3eff3a30
Binary files /dev/null and b/en/docs/assets/img/tutorials/yahoo-configuration.png differ
diff --git a/en/docs/getting-started/quick-start-guide.md b/en/docs/getting-started/quick-start-guide.md index 5d11a2acf0..3c05c395a7 100644 --- a/en/docs/getting-started/quick-start-guide.md +++ b/en/docs/getting-started/quick-start-guide.md @@ -580,9 +580,10 @@ Pickup Manager applications using WSO2 IS. 2. Add and configure the following properties in the `deployment.toml` file found in the `/repository/conf` folder. Update the address, username, and password parameters with the values of a valid email account. ``` java - mail.publisher.address = - mail.publisher.username = - mail.publisher.password = + [mail.publisher] + address = + username = + password = ``` 4. Restart WSO2 IS. diff --git a/en/docs/tutorials/add-new-authenticator.png b/en/docs/tutorials/add-new-authenticator.png deleted file mode 100644 index 654a7a4b7c..0000000000 Binary files a/en/docs/tutorials/add-new-authenticator.png and /dev/null differ diff --git a/en/docs/tutorials/clearing-a-Cache.md b/en/docs/tutorials/clearing-a-cache.md similarity index 60% rename from en/docs/tutorials/clearing-a-Cache.md rename to en/docs/tutorials/clearing-a-cache.md index 7b67fdb42c..f4761f4cb7 100644 --- a/en/docs/tutorials/clearing-a-Cache.md +++ b/en/docs/tutorials/clearing-a-cache.md 
@@ -7,22 +7,20 @@ done during an "UPDATE" or "DELETE" of a policy. Once the cache is cleared, all the temporary values will be deleted and the policy will be re-evaluated. -For more details +!!! info "For more details" -Refer [Improving XACML PDP Performance with Caching -Techniques](https://docs.wso2.com/display/IS540/Improving+XACML+PDP+Performance+with+Caching+Techniques) -to get more information about caching techniques used in WSO2 Identity -Server. + Refer [Improving XACML PDP Performance with Caching + Techniques](../../tutorials/improving-xacml-pdp-performance-with-caching-techniques) + to get more information about caching techniques used in WSO2 Identity + Server. WSO2 Identity Server allows you to clear the decision cache and the attribute cache. Follow the instructions below to clear a cache. 1. Sign in. Enter your username and password to log on to the - [Management Console](_Getting_Started_with_the_Management_Console_) - . + [Management Console](../../setup/getting-started-with-the-management-console). 2. Navigate to the **Main** menu to access the **Entitlement** menu. Click **Extension** under **PDP** . -3. Click on " **Clear Decision Cache** " or " **Clear Attribute Cache** - ". - ![](attachments/103331254/103331259.png) +3. Click on **Clear Decision Cache** or **Clear Attribute Cache**. + ![clear-decision-cache](../../assets/img/tutorials/clear-decision-cache.png) 4. Wait a moment while the cache is cleared. diff --git a/en/docs/tutorials/configuring-AD-FS-as-a-Federated-Authenticator.md b/en/docs/tutorials/configuring-AD-FS-as-a-Federated-Authenticator.md deleted file mode 100644 index 2ee64b26f1..0000000000 --- a/en/docs/tutorials/configuring-AD-FS-as-a-Federated-Authenticator.md +++ /dev/null 
@@ -1,177 +0,0 @@ -# Configuring AD FS as a Federated Authenticator - -!!! warning - - This document is work in progress! - - -In this tutorial, you configure Active Directory Federation Services (AD -FS) 3.0 as the federated authenticator in WSO2 Identity Server (WSO2 IS) -using SAML. Let's take a look at the steps you need to follow: - -- [Configuring Active Directory Federation Services (AD - FS)](#ConfiguringADFSasaFederatedAuthenticator-ConfiguringActiveDirectoryFederationServices(ADFS)) -- [Configuring WSO2 IS for Federated - Authentication](#ConfiguringADFSasaFederatedAuthenticator-ConfiguringWSO2ISforFederatedAuthentication) - -### Configuring Active Directory Federation Services (AD FS) - -Follow the steps given below to add WSO2 IS as the relying party AD FS. - -Go to the AD FS management console and expand **Trust Relationship** . - -Right click on **Relying Party Trust** and select **Add Relying Party -Trust** . - -Click Start \> . Next  on the wizard. - -Enter a preferred name to represent WSO2 Identity Server (relying party) -and click **Next** . - -Select the **AD FS Profile** and click **Next** . - -Click **Next** again as you are not using an encryption profile for this -tutorial. - -Enter the SAML 2.0 SSO service URL of the relying party as the -commonauth endpoint . -The endpoint for WSO2 IS is https://localhost:9443/commonauth . - -Enter a value for the **relying party trust identifier** and click -**Next** . - -The same value that is entered here needs to be used when configuring -the identity provider on WSO2 IS. - -Click **Next** as multi factor authentication is not required for this -tutorial. - -Select **Permit all users to access this relying party** and click -**Next** . - -Review the settings and click **Next** . - -Click **Close** to finish adding the relying party trust. -The Claim Rules dialogue wizard opens. - -In the Edit Claim Rule dialogue specify the claims that needs to be sent -to the relying party. 
-In this tutorial, let's send the SAM-Account-Name LDAP attribute as a -NameID claim. - - - -1. Click **Add Rule** . - -2. Set a Claim rule name and map the **SAM-Account-Name** to the - **E-Mail Address** . - -3. Click **Finish** . - -4. Click **Add Rule** again to transform the email address claim to a - NameID claim. - -5. Select **Transform an Incoming Claim** and click **Next** . - -6. Set the **Claim rule name** . - -7. Select the incoming claim type as E-Mail Address and outgoing claim - type and ID format as Name ID and Unspecified respectively. - -8. Click **Finish \>** **Apply** . - -9. Close the claim rules dialogue box - -Configure the Relying Party Trust properties. - -1. Right click on the **Relying Party Trust** you just created and - select **Properties** . - -2. Open the **Signature** tab and click **Add** . - -3. Add the certificate. - - You can use any of the two methods listed below depending on your - WSO2 IS configurations. - - - When the Service Provider in WSO2 IS is under the super tenant - domain, the public certificate of WSO2 IS needs to be uploaded - - - Else, the public certificate of the tenant domain needs to be - selected. The public certificate of the tenant can be exported - from the Key Management feature of the WSO2 IS management - console. - - In this tutorial, the service provider is added in the super tenant - domain and the default keystore is not changed. Therefore, the - default ` wso2carbon ` certificate that is in - the ` /repository/resources/security ` - directory is used. - -4. Yes to proceed when following dialogue appears. - -5. Open the **Endpoint** tab to set the SAML logout endpoint. - -6. Click **Add SAML** . - -7. Select SAML Logout as the value for the **Endpoint Type** and the - Binding as the value **POST** . - -8. Set the Trusted URL as https://\/adfs/ls and the - Response URL as the ` /commonauth ` endpoint of - WSO2 IS. - -9. Save the property settings of the relying party. 
- -Configure AD FS as an Identity Provider in WSO2 IS. You need to add the -Token signing certificate of AD FS when configuring WSO2 IS. -Follow the steps given below to export the token signing certificate of -WSO2 IS: - -1. In the AD FS management close, click **Certificates** that is under - **Service.** - -2. Right click on the **Token-signing certificate** and select **View - Certificate** . - -3. Open the **Details** tab and click **Copy to File** . - -4. Follow the Certificate Export Wizard by clicking **Next** . - -5. Select the **Base-64 encoded X.509 (.cer)** option and click - **Next** . - -6. Save the certificate to a desired location and click **Finish** . - -You have successfully configured AF DS. Next , you need to configure -WSO2 IS for federated authentication. - -### Configuring WSO2 IS for Federated Authentication - -Follow the steps given below to configure WSO2 IS to use AF DS as the -Identity Provider (IdP). - -1. Login to IS Management console. -2. Click Add under Identity Providers. -3. Provide a unique name for the IdP and add the **Token-signing - certificate of ADFS** by clicking the Browse button. -4. Expand **Federated Authenticators** and **Expand SAML Web SSO - Configuration** . -5. Click **Configure** to start configuring the SAML 2 Web SSO - configurations. - 1. Check **Enable SAML2 Web SSO** . - 2. Identity Provider Entity Id: This can be found in - FederationMetadata.xml under entityID attribute. The - FederationMetadata.xml can be accessed through - https://\/FederationMetadata/2007-06/ - FederationMetadata.xml . The Entity ID is usually in the form - ` http:///adfs/services/trust ` - 3. Service Provider Entity Id should be same as what’s given in AD - FS RP trust identifier. **eg:wso2-is** - 4. SSO URL should be in the form of - http://\/adfs/ls. - 5. Check Enable Logout. - 6. Logout URL should be the same as SSO URL. - 7. Check Enable Logout Request Signing. - 8. Select HTTP Binding as POST. -6. Click Register to save the IdP. 
diff --git a/en/docs/tutorials/configuring-Access-Control-Policy-for-a-Service-Provider.md b/en/docs/tutorials/configuring-Access-Control-Policy-for-a-Service-Provider.md
deleted file mode 100644
index c765b0395b..0000000000
--- a/en/docs/tutorials/configuring-Access-Control-Policy-for-a-Service-Provider.md
+++ /dev/null
@@ -1,289 +0,0 @@ -# Configuring Access Control Policy for a Service Provider - -This topic guides you through configuring and enforcing an XACML access -control policy for a service provider. The authorization is done using -Identity Server’s [XACML -engine](https://docs.wso2.com/display/IS540/Identity+Server+as+an+XACML+Engine) -, which provides fine-grained access control using -policies. Fine-grained authorization specifies the requirements and -variables in an access control policy that is used to authorize access -to a resource. WSO2 Identity provider supports XACML 1.0, 2.0 and -3.0. For more information on XACML, see [XACML -Architecture](https://docs.wso2.com/display/IS540/XACML+Architecture) . - -In today's world, businesses and their customers need to access multiple -service providers that support multiple heterogeneous identity -federation protocols. Each service provider needs to define an -authorization policy at the identity provider to decide whether a given -user is eligible to log into the corresponding service provider. For -example, one service provider only allows the administrator to sign in -to the system after 6 PM. Another service provider only allows the users -from North America to sing in. To meet all these requirements the -Identity provider needs to provide fine-grained authorization. - -WSO2 Identity Server provides an out-of-the-box support for controlling -access to the service providers. The diagram given below explains how -you can configure a fine-grained access control policy for a service -provider in WSO2 IS. - - -![](attachments/103331234/103331243.png){width="500"} - - - -The users can be authorized, based on policies that are written using a -combinations of any of the following: - -- User’s username - -- User's roles -- User’s user store domain - -- User’s tenant domain - -- User’s attributes(e.g. 
email, age, country, etc) - -- User’s IP address - -- Service provider’s name - -- Service provider’s tenant domain - -- Date - -- Time - -This tutorial demonstrates an example of an access control policy for a -service provider via XACML 3.0 - -Sample Scenario: *An Internal finance application in an organization -needs to be accessed by employees in the finance team only.* - -Here, we will permit access to a service provider called -"travelocity.com" only to users with "finance" role and denies access to -other users. Please follow the below step to get your configurations -done to try out this scenario. - -- [Step1: Configuring the service - provider](#ConfiguringAccessControlPolicyforaServiceProvider-Step1:Configuringtheserviceprovider) -- [Step2: Setting up the - policy](#ConfiguringAccessControlPolicyforaServiceProvider-Step2:Settingupthepolicy) -- [Try it - out](#ConfiguringAccessControlPolicyforaServiceProvider-Tryitout) - -### Step1: Configuring the service provider - -You need to define and configure your service provider in the WSO2 -Identity Server so that the authentication and/or provisioning happens -as expected. For more information on how the service provider fits into -the WSO2 IS architecture, see [Architecture](_Architecture_) . - -1. Start the WSO2 Identity Server and log in to the management console. -2. Click **Add** under **Users and Roles** and then select **Add New - Role** in the Identity section. -3. [Create a - role](https://docs.wso2.com/display/IS540/Configuring+Roles+and+Permissions#ConfiguringRolesandPermissions-Addingauserrole) - called "finance" and give the role login permission. -4. [Create two new - users](https://docs.wso2.com/display/IS540/Configuring+Users#ConfiguringUsers-Addinganewuserandassigningroles) - and assign User1 to the role you just created. Assign the User2 to - the "admin" role or any other role. -5. 
Click **Add** under **Service Providers** on the Main tab and [add a - new service - provider](https://docs.wso2.com/display/IS540/Configuring+a+Service+Provider#ConfiguringaServiceProvider-Addingaserviceprovider) - in the Identity section. Here we can put any name for the service - provider name, but since we are using we can use a name like - "travelocityApp". -6. Configure an inbound authentication protocol for the service - provider (i.e, SAML, OpenID Connect etc). - - The responsibility of the inbound authentication protocol is to - identify and parse all the incoming authentication requests and then - helps in building the correct response. As Inbound Authentication - Protocols WSO2 Identity Server supports SAML2, OpenID Connect, OAuth - etc. - - For this tutorial, we will set up the travelocity sample application - by following the instructions in [Configuring Single - Sign-On](https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On) - . Here we use **SAML2** as the inbound authentication protocol. - - Since this is the only available configuration that we have for - travelocity.com service provider. The screenshot below shows the - SAML configuration for the travelocity sample service provider. If - your service provider needs any claims of the authenticated user to - provide the service, you can [configure claims of the service - provider](_Configuring_Single_Sign-On_) . Then once the access is - provided after evaluating the XACML policy, the Service Provider can - get those claim details of the authorized user from the Identity - Provider side. - - ![](attachments/103331234/112392594.png){width="750"} - -7. Expand the **Local and Outbound Authentication Configuration** - section and select the authenticator used to authenticate users in - this service provider (sample value: **Default** ). 
- - Refer [Configuring Local and Outbound Authentication for a Service - Provider](_Configuring_Local_and_Outbound_Authentication_for_a_Service_Provider_) - for more information. - -8. Select the **Enable Authorization** checkbox and click **Update** to - finish registering the service provider. - ![](attachments/103331234/103331235.png) - -### Step2: Setting up the policy - -After setting up the service provider for the application, the next step -is to configure the XACML policy to control access to the -travelocity.com service provider. Let's make our life easy and publish a -policy using an available XACML policy templates in WSO2 Identity -Server. Please follow the below steps to set up the policy according to -our requirement. - -1. Click on **Policy Administration** under the **Entitlement \> PAP** - section on the **Main** tab of the management console. To get more - information about Policy Administration Point(PAP), [Read - more](https://docs.wso2.com/display/IS540/Configuring+the+Policy+Administration+Point) - . -2. Since this sample scenario is based on role, we select the policy - ` authn_role_based_policy_template. ` - - XACML template policies provide a pre-configured template with - placeholders for different types of policies. For a full list of the - available XACML policy templates, see [Writing an XACML Policy using - a Policy - Template](https://docs.wso2.com/display/IS540/Writing+a+XACML+Policy+using+a+Policy+Template) - . - - ![](attachments/103331234/103331251.png){width="694"} - -3. Once you click on " **Edit** ", the XML based policy will appear in - the policy editor. There are placeholders in capitals for entering - the service provider and role names. - -4. Edit the placeholders accordingly with the relevant values. - 1. Change the ` PolicyId ` as follows: - - ``` java - PolicyId="authn_travelocity_for_finance_team_policy" - ``` - - 2. Edit the ` ` tag and enter - a description relevant to your custom policy. 
- - ``` java - This policy authorizes employees of the finance team to the travelocity service provider in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied. - ``` - - 3. Locate the ` SP_NAME ` placeholder and - replace it with the service provider name "travelocity.com". - 4. Locate the ` ROLE_1 ` placeholder and - replace it with the role name "finance". - 5. In this example, this policy authenticates users to the - specified service provider based on - ` ROLE_1 ` and - ` ROLE_2 ` .But we need only one role to - authenticate. Therefore, we can remove the other role, by - removing that entire section from the start of the - ` ` tag to the ending - ` ` tag. - -5. Once the changes have been made, the policy should be similar to the - following. - - **Access control policy** - - ``` xml - - This policy authorizes employees of the finance team to the travelocity service provider in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied. - - - - - travelocity.com - - - - authenticate - - - - - - - - - - finance - - - - - - - - ``` - -6. Click **Save Policy** to save the changes. You can see the policy - you just created on the policy list (the original template policy - will remain unchanged for later use). - ![](attachments/103331234/103331250.png){width="769"} - -7. Click on the **Publish to My PDP** link corresponding to the new - policy. - ![](attachments/103331234/103331249.png) -8. On the UI that appears, leave the default selected values as they - are and click **Publish** . - ![](attachments/103331234/103331248.png){height="250"} - - !!! note - - For more information on Publishing an XACML policy, click - [here](https://docs.wso2.com/display/IS540/Publishing+a+XACML+Policy) - . - - -9. 
Click on **Policy View** under the **Entitlement \> PDP** section on - the **Main** tab of the management console. To get more information - about Policy Decision Point(PDP), [Read - more](https://docs.wso2.com/display/IS540/Configuring+the+Policy+Decision+Point) - . -10. To ensure that the policy has been published successfully, check if - the policy is listed. - - ![](attachments/103331234/103331247.png){width="606"} -11. To test out whether the policy works, follow the steps in the [Try - it out](#ConfiguringAccessControlPolicyforaServiceProvider-Tryitout) - section. - -If you want to write a more complicated policy you can use our XACML -policy editors available. To get more information Read, " [How to create -XACML -Policy](https://docs.wso2.com/display/IS540/Creating+a+XACML+Policy) " - -In a SaaS scenario, only the XACML policies that were created in the -tenant domain in which the service provider was created will get -executed. - -### Try it out - -Now that the access control policy has been created and enforced using -the template policy or the policy editor, test it out by running the -travelocity.com sample application. The credentials of a user assigned -to the **finance** role should be accepted while access will be denied -for users who are not assigned to the **finance** role. - -1. Start the Apache Tomcat server and navigate to - ` http://wso2is.local:8080/travelocity.com . ` -2. Login with credentials of User1 who was assigned to the finance - role. You will be logged in successfully. -3. Logout and login again with credentials of User2 who was assigned to - a different role. You will see an **authorization failure** page as - this user is denied access by the access control policy you - enforced. - -**Related Topics** - -[How to configure a service -provider.](_Adding_and_Configuring_a_Service_Provider_) 
diff --git a/en/docs/tutorials/configuring-Federated-Authentication.md b/en/docs/tutorials/configuring-Federated-Authentication.md
deleted file mode 100644
index 3955d248b1..0000000000
--- a/en/docs/tutorials/configuring-Federated-Authentication.md
+++ /dev/null
@@ -1,46 +0,0 @@ -# Configuring Federated Authentication - -This topic includes information on how to configure federated -authenticators in WSO2 Identity Server. - -!!! warning - - **Note:** OpenID 2.0 has been removed from the base product as it is now - an obsolete specification and has been superseded by OpenID Connect. We - recommend using [OpenID Connect](_Configuring_OAuth2-OpenID_Connect_) - instead. - - -You can configure the following federated authenticators by expanding -the **Federated Authenticators** section followed by the required -subsections. - -![](attachments/103330930/103330949.png) - -- [Configuring SAML 2.0 Web SSO](_Configuring_SAML_2.0_Web_SSO_) -- [Configuring OAuth2-OpenID - Connect](_Configuring_OAuth2-OpenID_Connect_) -- [Configuring WS-Federation](_Configuring_WS-Federation_) -- [Configuring Facebook](_Configuring_Facebook_) -- [Configuring Yahoo](_Configuring_Yahoo_) -- [Configuring Google](_Configuring_Google_) -- [Configuring Microsoft Windows - Live](_Configuring_Microsoft_Windows_Live_) -- [Configuring IWA on Linux](_Configuring_IWA_on_Linux_) -- [Configuring AD FS as a Federated - Authenticator](_Configuring_AD_FS_as_a_Federated_Authenticator_) -- [Configuring Twitter](_Configuring_Twitter_) -- [Configuring SMS OTP](_Configuring_SMS_OTP_) -- [Configuring Email OTP](_Configuring_Email_OTP_) - -!!! tip - - More Federated Authenticators - - Some authenticators such as LinkedIn are not provided OOTB with WSO2 - Identity Server but can be downloaded from the [WSO2 - store](https://store.wso2.com/store/) and plugged in to work with WSO2 - IS. For more information on those authenticators and connectors, see the - [WSO2 Identity Server Connectors - documentation](https://docs.wso2.com/display/ISConnectors) . - diff --git a/en/docs/tutorials/configuring-SAML-2.0-Web-SSO.md b/en/docs/tutorials/configuring-SAML-2.0-Web-SSO.md deleted file mode 100644 index ecd13d56d4..0000000000 
--- a/en/docs/tutorials/configuring-SAML-2.0-Web-SSO.md
+++ /dev/null
@@ -1,477 +0,0 @@ -# Configuring SAML 2.0 Web SSO - -In a single sign on system there are two roles; Service Providers and -Identity Providers. The important characteristic of a single sign on -system is the pre-defined trust relationship between the service -providers and the identity providers. Service providers trust the -assertions issued by the identity providers and the identity providers -issue assertions based on the results of authentication and -authorization of principles which access services on the service -provider's side. - -SAML 2.0 web browser-based single-sign-on profile is defined under the -SAML 2.0 [Profiles -specification](http://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf) -. In a web browser-based SSO system, the flow can be started by the user -either by attempting to access a service at the service provider, or by -directly accessing the identity provider itself. - -To navigate to the federated authenticators configuration section, do -the following. - -1. Sign in. Enter your username and password to log on to the - [Management - Console](https://docs.wso2.com/display/IS580/Getting+Started+with+the+Management+Console) - . -2. Navigate to the **Main** menu to access the **Identity** menu. Click - **Add** under **Identity Providers** . - For more information, see [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS580/Adding+and+Configuring+an+Identity+Provider) - . -3. Fill in the details in the **Basic Information** section. - -Expand the **SAML2 Web SSO Configuration** form. The following appears. - -![](attachments/103330956/103330961.png){width="670"} - -SAML configuration information can be entered through one of the -following ways: - -- [Manual - Configuration](#ConfiguringSAML2.0WebSSO-ManualConfiguration) -- [Metadata File - Configuration](#ConfiguringSAML2.0WebSSO-MetadataFileConfiguration) - -#### Manual Configuration - -1. 
Select the **Manual Configuration** . (selected by default) - ![](attachments/103330956/103330964.png) -2. Fill in the following fields where relevant. The \* indicates - required fields. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample value
Enable SAML2 Web SSOSelecting this option enables SAML2 Web SSO to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that SAML2 Web SSO is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Service Provider Entity Id

This is the entity Id of the Identity Server. This can be any value but when you configure a service provider in the external IDP you should give the same value as the Service Provider Entity Id.

wso2is

NameID format

This is the NameID format to be used in the SAML request. By default, it has 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', But you can change this as per the identity provider.

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Select ModeSelect the mode to decide the input method for SAML configuration. You can have manual configuration or Metadata data configuration where an .xml metadata file is uploaded.Manual configuration (is selected by dafault)
Identity Provider Entity Id
-

This is basically the <Issuer> value of the SAML2 response from the identity provider you are configuring. This value must be a unique string among identity providers inside the same tenant. This information should be taken from the external Identity provider.

-

In order to enable the <Issuer> validation in the SAML2 response from the IdP, add following configuration to <IS_HOME>/repository/conf/identity/application-authentication.xml

- -
https://idp.example.org/idp/shibboleth
SSO URLThis is the URL that you want to send the SAML request to. This information should be taken from the external Identity provider.

https://localhost:8443/idp/profile/SAML2/Redirect/SSO

Enable Authentication Request SigningSelecting this checkbox enables you to sign the authentication request. If this is enabled, you must sign the request using the private key of the identity provider.Selected
Enable Assertion EncryptionThis is a security feature where you can encrypt the SAML2 Assertions returned after authentication. So basically, the response must be encrypted when this is enabled.Selected
Enable Assertion Signing

Select Enable Assertion Signing to sign the SAML2 Assertions returned after the authentication. SAML2 relying party components expect these assertions to be signed by the Identity Server.

Selected
Enable LogoutSelect Enable Single Logout so that all sessions are terminated once the user signs out from one server.Selected
Logout URL
-If the external IDP support for logout you can select Enable Logout . Then you can set the URL of the external IDP, where you need to send the logout request, under Logout URL. If you do not set a value for this it will simply return to the SSO URL . -
https://localhost:8443/idp/samlsso/logout
Enable Logout Request SigningSelecting this checkbox enables you to sign the logout request.Selected
Enable Authentication Response Signing

Select Enable Authentication Response Signing to sign the SAML2 responses returned after the authentication.

Selected
Signature Algorithm

Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding and “SigAlg” HTTP Parameter in REDIRECT binding. The expandable Signature Algorithms table below lists the usable algorithms and their respective URIs that will be sent in the actual SAMLRequest.

Default value is RSA with SHA1 .
Digest Algorithm

Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The Digest Algorithms table below lists the usable algorithms and their respective URIs that will be sent in the actual SAMLRequest.

Default value is SHA1 .
Attribute Consuming Service IndexSpecifies the ‘AttributeConsumingServiceIndex’ attribute.By default this would be empty, therefore that attribute would not be sent unless filled.
Enable Force AuthenticationEnable force authentication or decide from the incoming request. This affects ‘ForceAuthn’ attribute.Default value is As Per Request .
Include Public CertificateInclude the public certificate in the request.Selected by default.
Include Protocol BindingInclude ‘ProtocolBinding’ attribute in the request.Selected by default.
Include NameID PolicyInclude ‘NameIDPolicy’ element in the request.Selecte d by default.
Include Authentication ContextInclude a new ‘RequestedAuthnContext’ element in the request, or reuse from the incoming request.Default value is Yes .
Authentication Context Class

Choose an Authentication Context Class Reference (AuthnContextClassRef) to be included in the requested authentication context from the Identity Server which specifies the authentication context requirements of authentication statements returned in the response. Authentication Context Class table below lists the usable classes and their respective URIs that will be sent in the SAMLRequest from the Identity Server to trusted IdP.

Default value is PasswordProtectedTransport .
Authentication Context Comparison Level

Choose the Requested Authentication Context ‘Comparison’ attribute to be sent which specifies the comparison method used to evaluate the requested context classes or statements.

-
    -
  • If Comparison is set to "exact" or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
  • -
  • If Comparison is set to "minimum", then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
  • -
  • If Comparison is set to "better", then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
  • -
  • If Comparison is set to "maximum", then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
  • -
Default value is “Exact”.
SAML2 Web SSO User Id LocationSelect whether the User ID is found in 'Name Identifier' or if it is found among claims. If the user ID is found amongthe claims, it can override the User ID Claim URI configuration in the identity provider claim mapping section .User ID found among claims
HTTP BindingSelect the HTTP binding details that are relevant for your scenario. This refers to how the request is sent to the identity provider. HTTP-Redirect and HTTP-POST are standard means of sending the request. If you select As Per Request it can handle any type of request.HTTP-POST
Response Authentication Context ClassSelect As Per Response to pass the AuthnContextClassRef received from the configured identity provider to the service provider. Select Default to pass the default AuthnContextClassRef instead.
-
-The AuthnContextClassRef specifies how the user has been authenticated by the IdP (e.g. via username/password login, via certificate etc.)
As Per Response
Additional Query Parameters
-

This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here. These will be sent along with the SAML request.

-
-

If you want to send query parameters that need to be updated dynamically with each SAML request, the value needs to be defined within parenthesis.This value should be the key of the query parameter sent in the SAML request URL.
-Example: locale={lang}

-

Multiple parameters can be defined by separation of query parameters using the & character.

-
-Example: locale={lang}&scope=openid email profile -
-
-
paramName1=value1
- -![](images/icons/grey_arrow_down.png){.expand-control-image} Click here -to expand for more information on security algorithms. - -The following table lists out the security algorithms and their -respective URI. - -| Security algorithm name | Security algorithm URI | -|-------------------------|-------------------------------------------------------------| -| DSA with SHA1 | http://www.w3.org/2000/09/xmldsig\#dsa­sha1 | -| ECDSA with SHA1 | http://www.w3.org/2001/04/xmldsig­more\#ecdsa­sha1 dsa­sha1 | -| ECDSA with SHA256 | http://www.w3.org/2001/04/xmldsig­more\#ec dsa­sha256 | -| ECDSA with SHA384 | http://www.w3.org/2001/04/xmldsig­more\#ec dsa­sha384 | -| ECDSA with SHA512 | http://www.w3.org/2001/04/xmldsig­more\#ec dsa­sha512 | -| RSA with MD5 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­md5 | -| RSA with RIPEMD160 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­ripemd160 | -| RSA with SHA1 | http://www.w3.org/2000/09/xmldsig\#rsa­sha1 | -| RSA with SHA256 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­sha256 | -| RSA with SHA384 | http://www.w3.org/2001/04/xmldsig­more\#rsa sha384 | -| RSA with SHA512 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­sha512 | - -![](images/icons/grey_arrow_down.png){.expand-control-image} Click here -to expand for more information on digest algorithms. - -The following table lists out the digest algorithms and their respective -URI. 
- -| Digest algorithm name | Digest algorithm URI | -|-----------------------|-------------------------------------------------| -| MD5 | http://www.w3.org/2001/04/xmldsig­more\#md 5 | -| RIPEMD160 | http://www.w3.org/2001/04/xmlenc\#ripemd16 0 | -| SHA1 | http://www.w3.org/2000/09/xmldsig\#sha1 | -| SHA256 | http://www.w3.org/2001/04/xmlenc\#sha256 | -| SHA384 | http://www.w3.org/2001/04/xmldsig­more\#sh a384 | -| SHA512 | http://www.w3.org/2001/04/xmlenc\#sha512 | - -![](images/icons/grey_arrow_down.png){.expand-control-image} Click here -to expand for more information on authentication context classes. - -The following table lists out the authentication context classes and -their respective URI. - -| Authentication context class name | Authentication context class URI | -|-------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -| Internet Protocol | [urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol](http://urnoasisnamestcSAML:2.0:ac:classes:InternetProtocol) | -| Internet Protocol Password | [urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword](http://urnoasisnamestcSAML:2.0:ac:classes:InternetProtocolPassword) | -| Kerberos | [urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos](http://urnoasisnamestcSAML:2.0:ac:classes:Kerberos) | -| Mobile One Factor Unregistered | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered](http://urnoasisnamestcSAML:2.0:ac:classes:MobileOneFactorUnregistered) | -| Mobile Two Factor Unregistered | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered](http://urnoasisnamestcSAML:2.0:ac:classes:MobileTwoFactorUnregistered) | -| Mobile One Factor Contract | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract](http://urnoasisnamestcSAML:2.0:ac:classes:MobileOneFactorContract) | -| Mobile Two Factor Contract | 
[urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract](http://urnoasisnamestcSAML:2.0:ac:classes:MobileTwoFactorContract) | -| Password | [urn:oasis:names:tc:SAML:2.0:ac:classes:Password](http://urnoasisnamestcSAML:2.0:ac:classes:Password) | -| Password Protected Transport | [urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport](http://urnoasisnamestcSAML:2.0:ac:classes:PasswordProtectedTransport) | -| Previous Session | [urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession](http://urnoasisnamestcSAML:2.0:ac:classes:PreviousSession) | -| Public Key X.509 | [urn:oasis:names:tc:SAML:2.0:ac:classes:X509](http://urnoasisnamestcSAML:2.0:ac:classes:X509) | -| Public Key PGP | [urn:oasis:names:tc:SAML:2.0:ac:classes:PGP](http://urnoasisnamestcSAML:2.0:ac:classes:PGP) | -| Public Key SPKI | [urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI](http://urnoasisnamestcSAML:2.0:ac:classes:SPKI) | -| Public Key XML Digital Signature | [urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig](http://urnoasisnamestcSAML:2.0:ac:classes:XMLDSig) | -| Smartcard | [urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard](http://urnoasisnamestcSAML:2.0:ac:classes:Smartcard) | -| Smartcard PKI | [urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI](http://urnoasisnamestcSAML:2.0:ac:classes:SmartcardPKI) | -| Software PKI | [urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI](http://urnoasisnamestcSAML:2.0:ac:classes:SoftwarePKI) | -| Telephony | [urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony](http://urnoasisnamestcSAML:2.0:ac:classes:Telephony) | -| Telephony (Nomadic) | [urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony](http://urnoasisnamestcSAML:2.0:ac:classes:NomadTelephony) | -| Telephony (Personalized) | [urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony](http://urnoasisnamestcSAML:2.0:ac:classes:PersonalTelephony) | -| Telephony (Authenticated) | 
[urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony](http://urnoasisnamestcSAML:2.0:ac:classes:AuthenticatedTelephony) | -| Secure Remote Password | [urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword](http://urnoasisnamestcSAML:2.0:ac:classes:SecureRemotePassword) | -| SSL/TLS Certificate­Based Client Authentication | [urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient](http://urnoasisnamestcSAML:2.0:ac:classes:TLSClient) | -| Time Sync Token | [urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken](http://urnoasisnamestcSAML:2.0:ac:classes:TimeSyncToken) | -| Unspecified | [urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified](http://urnoasisnamestcSAML:2.0:ac:classes:unspecified) | - - - -#### Metadata File Configuration - -About Metadata upload - -When configuring a service provider (SP) or federated Identity Provider -(Federated IdP), the user is required to enter configuration data to -facilitate exchanging authentication and authorization data between -entities in a standard way. Apart from manual entering of configuration -data, the Identity Server 5.3.0 provides the facility to upload -configuration data using a metadata xml file or referring to metadata -xml file located in a predetermined URL. These two methods of uploading -configuration data enables faster entry of configuration data because it -allows the user to use the same metadata xml file for multiple instances -of entity configuration. In addition to SAML metadata upload, IS also -supports SAML metadata download for resident Identity providers using -Management Console and URL. - -1. Select **Metadata File Configuration** . - ![](attachments/103330956/103330963.png) - - The following screen appears: - ![](attachments/103330956/103330959.png) -2. Choose the correct IdP metadata file and click **Register** . 
- - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to view a sample Identity provider metadata configuration xml - file - - **Identity provider metadata file** - - ``` java - - - - - - - -----BEGIN CERTIFICATE----- - MIIC+jCCAmOgAwIBAgIJAParOnPwEkKjMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYD - VQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzEWMBQG - A1UEChMNU29mdHdhcmUgVmlldzERMA8GA1UECxMIVHJhaW5pbmcxLDAqBgNVBAMT - I1NvZnR3YXJlIFZpZXcgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDcxMDA2 - MzMwM1oXDTI0MDMxODA2MzMwM1owdjELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dl - c3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xFjAUBgNVBAoTDVNvZnR3YXJlIFZpZXcx - ETAPBgNVBAsTCFRyYWluaW5nMRgwFgYDVQQDEw9NeSBUZXN0IFNlcnZpY2UwgZ8w - DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN6bi0llFz+R+93nLLK5BmnuF48tbODp - MBH7yGZ1/ESVUZoYm0GaPzg/ai3rX3r8BEr4TUrhhpKUKBpFxZvb2q+yREIeDEkD - bHJuyVdS6hvtfa89WMJtwc7gwYYkY8AoVJ94gU54GP2B6XyNpgDTXPd0d3aH/Zt6 - 69xGAVoe/0iPAgMBAAGjezB5MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNAwSamhuJSw - XG0SJnWdIVF1PkW9MB8GA1UdIwQYMBaAFNa3YmhDO7BOwbUqmYU1k/U6p/UUMCwG - CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkq - hkiG9w0BAQUFAAOBgQBwwC5H+U0a+ps4tDCicHQfC2SXRTgF7PlAu2rLfmJ7jyoD - X+lFEoWDUoE5qkTpMjsR1q/+2j9eTyi9xGj5sby4yFvmXf8jS5L6zMkkezSb6QAv - tSHcLfefKeidq6NDBJ8DhWHi/zvC9YbT0KkCToEgvCTBpRZgdSFxTJcUksqoFA== - -----END CERTIFICATE----- - - - - - - - - EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz - dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh - dGUgTWFuYWdlcjAeFw0wNzAzMDcyMjAxMTVaFw0xMDEyMDEyMjAxMTVaMDsxFDASBgNVBAoTC2V4 - YW1wbGUuY29tMSMwIQYDVQQDExpMb2FkQmFsYW5jZXItMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG - HREEETAPgQ1tYWxsYUBzdW4uY29tMA0GCSqGSIb3DQEBBAUAA0EAEgbmnOz2Rvpj9bludb9lEeVa - OA46zRiyt4BPlbgIaFyG6P7GWSddMi/14EimQjjDbr4ZfvlEdPJmimHExZY3KQ== - - - - - - - - - - - - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - - - urn:oasis:names:tc:SAML:2.0:nameid-format:transient - - - - - - ``` - - - - -!!! 
tip - - Configure ACL URL in a production environment - - The default assertion consumer URL that is sent with the SAML request - includes the local domain and default port. In a production environment, - you may need to change the assertion consumer URL. To do this, follow - the steps given below: - - 1. Open the ` application-authentication.xm ` l file - found in the ` /repository/conf/identity ` - folder. - 2. Add the following property and update the assertion consumer URL as - required. - - ``` java - - https://localhost:9443/commonauth - - ``` - - -Configuring hostname verification - -In previous releases, SAML Single-Logout (SLO) requests for service -providers were initiated without hostname verification which can impose -a security risk. From IS 5.2.0 release onwards, certificate validation -has been enforced and hostname verification is enabled by default. If -you want to disable the hostname verification, configure the following -property in the -` /repository/conf/identity/identity.xml ` -file under the ` Server\SSOService ` tag. - -``` xml -false -``` - -!!! note - - **Note:** If the certificate is self-signed, import the service - provider's public key to the IS client trust store to ensure that the - SSL handshake in the SLO request is successful. For more information on - how to do this, see [Managing Keystores with the UI](#){.unresolved} in - the WSO2 Product Administration Guide. - - -**Related Topics** - -- Identity Federation is part of the process of configuring an - identity provider. For more information on how to configure an - identity provider, see [Configuring an Identity - Provider.](_Adding_and_Configuring_an_Identity_Provider_) -- See [Configuring Shibboleth IdP as a Trusted Identity - Provider](_Configuring_Shibboleth_IdP_as_a_Trusted_Identity_Provider_) - for a sample of using SAML2 Web SSO configuration. 
diff --git a/en/docs/tutorials/configuring-SMS-OTP.md b/en/docs/tutorials/configuring-SMS-OTP.md
deleted file mode 100644
index 64cfffe009..0000000000
--- a/en/docs/tutorials/configuring-SMS-OTP.md
+++ /dev/null
@@ -1,498 +0,0 @@ -# Configuring SMS OTP - -The SMS provider is the entity that is used to send the SMS. WSO2 IS -supports most of the SMS APIs. Some use the GET method with the client -secret and API Key encoded in the URL, while some may use the POST -method when sending the values in the headers, and the message and -telephone number in the payload (e.g., Clickatell). Note that this could -change significantly between different SMS providers. The configuration -of the connector in the identity provider would also change based on -this. - -This topic provides instructions on how to configure the SMS One Time -Password (SMS OTP) connector and the WSO2 Identity Server (IS) using a -sample application. This is configured so that SMS OTP is a second -authentication factor for the sample application. See the following -sections for more information. - -!!! tip - - Before you begin! - - - To ensure you get the full understanding of configuring SMS OTP with - WSO2 IS, the sample travelocity application is used in this use - case. Therefore, make sure to [download the - samples](_Downloading_a_Sample_) before you begin. - - The samples run on the Apache Tomcat server and are written based on - Servlet 3.0. Therefore, download Tomcat 7.x from - [here](https://tomcat.apache.org/download-70.cgi) . - - Install Apache Maven to build the samples. For more information, see - [Installation - Prerequisites](https://docs.wso2.com/display/IS540/Installation+Prerequisites) - . 
- - -- [Deploying travelocity.com - sample](#ConfiguringSMSOTP-Deployingtravelocity.comsampleDeployingtravelocity.comsample) -- [Configuring the identity - provider](#ConfiguringSMSOTP-Configuringtheidentityprovider) -- [Configuring the service - provider](#ConfiguringSMSOTP-Configuringtheserviceprovider) -- [Updating the mobile number of the - user](#ConfiguringSMSOTP-Updatingthemobilenumberoftheuser) -- [Configuring claims](#ConfiguringSMSOTP-Configuringclaims) -- [Testing the sample](#ConfiguringSMSOTP-Testingthesample) - -### Deploying travelocity.com sample - -Deploy the sample travelocity app in order to use it in this scenario. - -To obtain and configure the single sign-on travelocity sample, follow -the steps below. - -1. Add the following entry to the ` /etc/hosts ` - file of your machine to configure the hostname. - - Why is this step needed? - - Some browsers do not allow creating cookies for a naked hostname, - such as ` localhost ` . Cookies are required - when working with SSO. Therefore, to ensure that the SSO - capabilities work as expected in this tutorial, you need to - configure the ` etc/host ` file as explained - in this step. - - The ` etc/host ` file is a read-only file. - Therefore, you won't be able to edit it by opening the file via a - text editor. To avoid this, edit the file using the terminal - commands. - For example, use the following command if you are working on a - Mac/Linux environment. - - ``` java - sudo nano /etc/hosts - ``` - - ``` bash - 127.0.0.1 wso2is.local - ``` - -2. Open the ` travelocity.properties ` file found - in the - ` is-samples/modules/samples/sso/sso-agent-sample/src/main/resources ` - directory of the samples folder you just checked out. Configure the - following property with the hostname ( - ` wso2is.local ` ) that you configured above. - - ``` text - #The URL of the SAML 2.0 Assertion Consumer - SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp - ``` - -3. 
In your terminal, navigate to - ` is-samples/modules/samples/sso/sso-agent-sample ` - folder and build the sample using the following command. You must - have Apache Maven installed to do this - - ``` java - mvn clean install - ``` - -4. After successfully building the sample, a - ` .war ` file named **travelocity.com** can be - found inside the - ` is-samples/sso/sso-agent-sample/ ` - ` target ` directory. Deploy this sample web - app on a web container. To do this, use the Apache Tomcat server. - - !!! note - - Since this sample is written based on Servlet 3.0 it needs to be - deployed on [Tomcat 7.x](https://tomcat.apache.org/download-70.cgi) - . - - - Use the following steps to deploy the web app in the web container: - - 1. Stop the Apache Tomcat server if it is already running. - 2. Copy the - ` travelocity.com.war ` - file to the ` /webapps ` - directory. - 3. Start the Apache Tomcat server. - -!!! tip - - If you wish to change properties like the issuer ID, consumer URL, and - IdP URL, you can edit the **travelocity.properties** file found in the - ` travelocity.com/WEB-INF/classes ` directory. If the - service provider is configured in a tenant you can use the - ` QueryParams ` property to send the tenant domain. - For  example, ` QueryParams=tenantDomain=wso2.com ` . - - This sample uses the following default values. - - | Properties | Description | - |-------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| - | ` SAML2.SPEntityId=travelocity.com ` | A unique identifier for this SAML 2.0 Service Provider application. | - | ` SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp ` | The URL of the SAML 2.0 Assertion Consumer. | - | ` SAML2.IdPURL=https://localhost:9443/samlsso ` | The URL of the SAML 2.0 Identity Provider. 
| - - If you edit the - ` travelocity.properties ` file, - you must restart the Apache Tomcat server for the changes to take - effect. - - -Now the web application is successfully deployed on a web container. - -Once this is done, the next step is to configure the WSO2 Identity -Server by adding an [identity -provider](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -and a [service provider](https://docs.wso2.com/display/IS510) . - -### Configuring the identity provider - -Now you have to configure WSO2 Identity Server by adding a new identity -provider. - -1. [Start WSO2 Identity Server - (IS)](Running-the-Product_103328959.html#RunningtheProduct-Startingtheserver) - . -2. Download the certificate of the SMS provider by going to the SMS - providers website on your browser, and clicking the HTTPS trust icon - on the address bar. - For example, navigate to - [https://www.nexmo.com](https://www.nexmo.com/) , and click the - padlock next to the URL on Chrome. -3. Navigate to the - ` /repository/resources/security ` - directory via the terminal and i mport the downloaded certificate - into the WSO2 IS client keystore. - - ``` java - keytool -importcert -file -keystore client-truststore.jks -alias "Nexmo" - ``` - -4. You are prompted to enter the keystore password. The default - ` client-truststore.jks ` password is - **` wso2carbon `** . - -5. Log into the [management - console](https://docs.wso2.com/display/IS510/Getting+Started+with+the+Management+Console) - as an administrator. - -6. In the **Identity** section under the **Main** tab of the management - console, click **Add** under **Identity Providers** . - -7. Give a suitable name (e.g., SMSOTP) as the **Identity Provider - Name** . - -8. Go to the **SMS OTP Configuration** under **Federated - Authenticators** . - -9. Select both check-boxes to **Enable SMSOTP Authenticator** and to - make it the **Default** . - -10. 
Enter the SMS URL, the HTTP Method used (e.g., GET or POST), and the - headers and payload if the API uses any. - - - If the text message and the phone number are passed as - parameters in any field, include them as - ` $ctx.num ` and - ` $ctx.msg ` respectively. - - - Optionally, enter the HTTP response code the SMS service - provider sends when the API is successfully called. Nexmo API - and  Bulksms API sends 200 as the code, while Clickatell - and Plivo send 202. If this value is unknown, leave it blank and - the connector checks if the response is 200, 201 or 202. - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to configure Nexmo as the service provider. - - Follow the steps given below if Nexmo is used as the SMS provider: - - 1. Go to and sign up. - 2. Once you successfully register, the API **key** and **secret** - are displayed. Copy and save them as you need them for the next - step. - Example: - ![](attachments/103331006/103331022.png){width="600"} - 3. The Nexmo API requires the parameters to be encoded in the URL, - so the SMS URL would be as follows. - - | | | - |-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | SMS URL | ` https://rest.nexmo.com/sms/json?api_key=&api_secret=&from=NEXMO&to=$ctx.num&text=$ctx.msg ` | - | HTTP Method | ` POST ` | - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to configure Clickatell as the service provider. - - Follow the steps given below if Clickatell is used as the SMS - provider: - - 1. Go to and create - an account. - 2. The Auth token is provided when you register with Clickatell. - - 3. Clickatell uses a POST method with headers and the text message - and phone number are sent as the payload. So the fields would be - as follows. 
- - | | | - |--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| - | SMS URL | ` https://api.clickatell.com/rest/message ` | - | HTTP Method | ` POST ` | - | HTTP Headers | ` X-Version: 1,Authorization: bearer ,Accept: application/json,Content-Type: application/json ` | - | HTTP Payload | ` {"text":" $ctx.msg ","to":[" $ctx.num "]} ` | - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to configure Plivo as the service provider. - - Follow the steps given below if Plivo is used as the SMS provider: - - 1. Sign up for a free [Plivo trial - account](https://manage.plivo.com/accounts/register/?utm_source=send%bulk%20sms&utm_medium=sms-docs&utm_campaign=internal) - . - 2. Phone numbers must be verified at the [Sandbox - Numbers](https://manage.plivo.com/sandbox-numbers/) page (add at - least two numbers and verify them). - - 3. The Plivo API is authenticated with Basic Auth using your - ` AUTH ID ` and - ` AUTH TOKEN ` , Your Plivo - ` AUTH ID ` and - ` AUTH TOKEN ` can be found when - you log in to your - [dashboard.](https://manage.plivo.com/dashboard/) - 4. Plivo uses a POST method with headers, and the text message and - phone number are sent as the payload. So the fields would be as - follows. - - | | | - |--------------|---------------------------------------------------------------------------------------------------------| - | SMS URL | ` https://api.plivo.com/v1/Account/{auth_id}/Message/ ` | - | HTTP Method | ` POST ` | - | HTTP Headers | ` Authorization: Basic ********,Content-Type: application/json ` | - | HTTP Payload | ` {"src":"+94*********","dst":"$ctx.num","text":"$ctx.msg"} ` | - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to configure Bulksms as the service provider. - - Follow the steps given below if Bulksms is used as the SMS provider: - - 1. Go to and create an account. 
- 2. While registering the account, verify your mobile number and - click **Claim** to get free credit. - ![](attachments/103331006/103331023.png){width="800"} - - Bulksms API authentication is performed by providing the - username and password request parameters.= - - 3. Bulksms uses the POST method and the required parameters are to - be encoded in the URL. So the fields would be as follows. - - | | | - |--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | SMS URL | ` https://bulksms.vsms.net/eapi/submission/send_sms/2/2.0?username=&password=&message=$ctx.msg&msisdn=$ctx.num ` | - | HTTP Method | ` POST ` | - | HTTP Headers | ` Content-Type: application/x-www-form-urlencoded ` | - - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to configure Twilio as the service provider. - - Follow the steps given below if Twilio is used as the SMS provider: - - 1. Go to and create an account. - 2. While registering the account, verify your mobile number and - click on console home to get - free credit (Account SID and Auth Token). - - 3. Twilio uses the POST method with headers, and the text message - and phone number are sent as the payload. The fields would be as - follows. - - | | | - |--------------|----------------------------------------------------------------------------------------------------------------------| - | SMS URL | ` https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json ` | - | HTTP Method | ` POST ` | - | HTTP Headers | ` Authorization: Basic base64{AccountSID:AuthToken} ` | - | HTTP Payload | ` Body=$ctx.msg&To=$ctx.num&From=urlencode{FROM_NUM} ` | - -11. Click **Register** . - -### Configuring the service provider - -The next step is to configure the service provider. - -1. Return to the WSO2 IS management console. - -2. 
In the **Identity** section under the **Main** tab, click **Add** - under **Service Providers** . - -3. Enter **travelocity.com** in the **Service Provider Name** text box, - and click **Register** . - -4. In the **Inbound Authentication Configuration** section, click - **Configure** under the **SAML2 Web SSO Configuration** section. - - 1. Now set the configuration as follows: - - 1. **Issuer** : ` travelocity.com ` - - 2. **Assertion Consumer URL** : - ` http://wso2is.local:8080/travelocity.com/home.jsp ` - Click Yes, in the message that appears. - - 2. Select the following check-boxes: - 1. **Enable Response Signing** - - 2. **Enable Single Logout** - - 3. **Enable Attribute Profile** - - 4. **Include Attributes in the Response Always** ** - ** - - **![](attachments/103331006/103331018.png){width="1000"}** - -5. Click **Update** to save the changes. - Now you are sent back to the Service Providers page. - -6. Go to **Claim configuration** and select the - **` http://wso2.org/claims/mobile `** claim for - the **Subject Claim URI** . - - ![](attachments/103331006/103331020.png){width="800"} - -7. Go to **Local and Outbound Authentication Configuration** section. - - 1. Select the **Advanced configuration** radio button option. - - 2. Creating the first authentication step: - - 1. Click **Add Authentication Step** . - - 2. Click **Add Authenticator** that is under **Local - Authenticators** of Step 1 to add the basic authentication - as the first step. - Adding basic authentication as a first step ensures that the - first step of authentication will be done using the user's - credentials that are configured with the WSO2 Identity - Server - - 3. Creating the second authentication step: - - 1. Click **Add Authentication Step** . - - 2. Click **Add Authenticator** that is under **Federated - Authenticators** of Step 2 to add the SMSOTP identity - provider you created as the second step. 
- SMSOTP is a second step that adds another layer of - authentication and security. - - ![](attachments/103331006/103331010.jpeg){width="800"} - -8. Click **Update** to save the changes. - -You have now added and configured the service provider. - -### Updating the mobile number of the user - -Follow the steps given below to update the mobile number of the users in -WSO2 IS as this field is empty by default if you are [creating the user -using the WSO2 IS management -console](Configuring-Users_103330327.html#ConfiguringUsers-Addinganewuserandassigningroles) -.. - -1. Select **List** that is under **Users** **and** **Roles** , and - click **Users** in the IS Management Console. -2. Click **User Profile** of the user you want to edit and update the - mobile number. - The mobile number needs to be in the format given in the samples of - the SMS provider. For example, 94778888888. - If the format is wrong you would not get the text message with the - code to sign into WSO2 IS. - - !!! note - - Make sure the number is registered with an SMS provider in order to - send the SMS. For this tutorial, you can use the mobile number that - was used to register with the SMS provider. - - -3. Enter the First Name for the user and click **Update** . - -### Configuring claims - -1. The SMS OTP extensions requires a claim to disable the SMS OTP. You - need to add this claim to WSO2 IS. Else, you run into errors. - 1. In the **Main** menu, click **Add** under **Claims** . - 2. Click **Add Local Claim** . - 3. Enter - ` http://wso2.org/claims/identity/smsotp_disabled ` - as the value for **Claim Uri** . - 4. Add a **Display Name** and **Description** . For example, - Disable SMS OTP. - 5. Enter title as the **Mapped Attribute** . - 6. Enter 0 as the value for **Display Order** . - 7. Select **Supported by Default** . - 8. Click **Add** . - - ![](attachments/103331006/103331017.png){width="800"} -2. 
Optionally , you can add a claim to allow users to use back up codes - when SMS OTP is disabled. - Adding the OTP backup codes claim: - 1. In the **Main** menu, click **Add** under **Claims** . - 2. Click **Add Local Claim** . - 3. Enter - ` http://wso2.org/claims/otpbackupcodes ` - as the value for **Claim Uri** . - 4. Add a **Display Name** and **Description** . For example, Backup - Code. - 5. Enter ` postalcode ` as the value for - **Mapped Attribute** . - 6. Select **Supported by Default** . - 7. Click **Add** . - - ![](attachments/103331006/103331026.png){width="800"} -3. Now, click **List** under Users and Roles and click **Users.** - -4. **Click User Profile** next to admin or a preferred user and update - the backup codes so that the user can disable SMS OTP by selecting - **Disable SMS OTP** if required. - - A backup code can have any number of digits, and you can define many - backup codes as comma seperated values. - - ![](attachments/103331006/103331019.png){width="400"} - -### Testing the sample - -1. To test the sample, go to the following URL: - - - ![](attachments/103331006/103331024.jpeg){width="500"} - -2. Click the link to log in with SAML from WSO2 Identity Server. - -3. The basic authentication page will be visible. Use your WSO2 - Identity Server credentials to sign in. - ![](attachments/103331006/103331008.jpeg){width="400"} - -4. You will get a token to your mobile phone.Type the code to - authenticate, You will be taken to the home page of the - travelocity.com app. - - !!! note - - **Note** : If you do not have access to your mobile phone, you can - use the [backup codes defined for the - user](#ConfiguringSMSOTP-backup) to authenticate the user and you - are taken to the home page of the travelocity.com application - - - ![](attachments/103331006/103331007.jpeg){height="250"} - ![](attachments/103331006/103331025.jpeg){height="250"} 
diff --git a/en/docs/tutorials/configuring-WS-Federation-Single-Sign-On.md b/en/docs/tutorials/configuring-WS-Federation-Single-Sign-On.md
deleted file mode 100644
index d2705389bf..0000000000
--- a/en/docs/tutorials/configuring-WS-Federation-Single-Sign-On.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# Configuring WS-Federation Single Sign-On
-
-To configure WS-Federation SSO:
-
-1. Expand the **Inbound Authentication Configuration** followed by the
- **WS-Federation (Passive) Configuration** section and provide the
- following values.
-
- - **Passive STS Realm** - This should be an unique identifier for
- the web app. Provide the same realm name given to the web app
- you are configuring WS-Federation for.
-
- - **Passive STS WReply URL** - Provide the URL of the web app you
- are configuring WS-Federation for.  This endpoint URL will
- handle the token response.
-
- !!! tip
-
- If you want to configure an expiration time for the security
- token, you need to add the following configuration in the
- ` /repository/conf/carbon.xml `
- file, under the ` ` element:
-
- ``` java
- 1800000
- ```
-
- Here, the expiration time should be specified in milliseconds.
-
-
- ![](attachments/103330844/112392543.png){width="750"}
-
-2. Expand the **Claim Configuration** section and map the relevant
- claims. See [Configuring Claims for a Service
- Provider](_Configuring_Claims_for_a_Service_Provider_) for more
- information.
-3. Click **Update** to save changes.
-
-**Related Topics**
-
-- To test out WSO2 Identity Server's passive security token service
- using a sample, see [Testing Identity Server's Passive
- STS](_Testing_Passive_STS_) .
diff --git a/en/docs/tutorials/configuring-WS-Federation.md b/en/docs/tutorials/configuring-WS-Federation.md
deleted file mode 100644
index 68edb4bee5..0000000000
--- a/en/docs/tutorials/configuring-WS-Federation.md
+++ /dev/null
@@ -1,122 +0,0 @@ -# Configuring WS-Federation - -WS-Federation (Web Services Federation) describes the management and -brokering of trust relationships and security token exchange across Web -services and organizational boundaries. WS-Federation is a part of the -larger WS-Security framework. For example, WS-Federation builds on the -Security Token Service (STS) by providing mechanisms that facilitate -interactions. In the WS-Federation Model, an Identity Provider is a -Security Token Service (STS). Service Providers depend on an Identity -Provider or Security Token Service to do the user authentication. OAuth -is an important protocol for IdP services as most major Web services are -also identity providers, mainly through the use of OAuth. These Web -services include Google, Facebook, Yahoo, AOL, Microsoft, PayPal, -MySpace, and Flickr among much more. Furthermore, all major email -providers offer OAuth IdP services. - -In most instances it is necessary to secure the Security Token Service. -According to the Trust Brokering model defined in the WS-Trust -specification, the subject (user) should authenticate himself to the STS -before obtaining a token. STS may use this authentication information -when constructing the security token. For example, STS may populate the -required claims based on the user name provided by the subject. - -To navigate to the federated authenticators configuration section, do -the following. - -1. Sign in. Enter your username and password to log on to the - [Management - Console](https://docs.wso2.com/display/IS580/Getting+Started+with+the+Management+Console) - . -2. Navigate to the **Main** menu to access the **Identity** menu. Click - **Add** under **Identity Providers** . - For more information, see [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS580/Adding+and+Configuring+an+Identity+Provider) - . -3. Fill in the details in the **Basic Information** section. - - - -1. 
Expand the **WS-Federation (Passive) Configuration** form. - ![](attachments/103330930/103330946.png){width="750"} -2. Fill in the following fields where relevant. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample value
Enable Passive STSSelecting this option enables Passive STS to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that Passive STS is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Passive STS RealmThis is used as an identifier for the realm and can be any value.WSFederationHealthCare
Passive STS URL
-

When sending the authentication request, there is a request for a security token generated by WS-Trust.

- !!! note -

As long as the federated IdP is the WSO2 Identity Server, this URL must follow this format: https://(host-name):(port)/acs

-
https://localhost:9443/passivests/
Passive STS User ID LocationSelect whether the User ID is found in 'Name Identifier' as part of the authentication request or if it is found among the claims. This specifies how the user is identified.User ID found in 'Name Identifier'
Additional Query ParametersThis is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here.paramName1=value1
-
-Configuring hostname verification
-
-In previous releases, Passive STS Single-Logout (SLO) requests for
-service providers were initiated without hostname verification which can
-impose a security risk. From IS 5.2.0 release onwards, certificate
-validation has been enforced and hostname verification is enabled by
-default. If you want to disable the hostname verification, configure the
-following property in the
-` /repository/conf/identity/identity.xml `
-file under the ` Server\SSOService ` tag.
-
-``` xml
-false
-```
-
-!!! note
-
- **Note:** If the certificate is self-signed, import the service
- provider's public key to the IS client trust store to ensure that the
- SSL handshake in the SLO request is successful. For more information on
- how to do this, see [Managing Keystores with the UI](#){.unresolved} in
- the WSO2 Product Administration Guide.
-
-
-- Identity Federation is part of the process of configuring an
- identity provider. For more information on how to configure an
- identity provider, see [Configuring an Identity
- Provider.](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider)
diff --git a/en/docs/tutorials/configuring-WS-Trust-Security-Token-Service.md b/en/docs/tutorials/configuring-WS-Trust-Security-Token-Service.md
deleted file mode 100644
index a5c43671c1..0000000000
--- a/en/docs/tutorials/configuring-WS-Trust-Security-Token-Service.md
+++ /dev/null
@@ -1,176 +0,0 @@ -# Configuring WS-Trust Security Token Service - -WSO2 Identity Server uses the security token service (STS) as the -[WS-Trust](_WS-Trust_) implementation. The STS is capable of issuing -SAML 1.1 and 2.0 security tokens and has a SOAP/XML API for token -issuance. This API can be secured with the -` UserNameToken ` or with any other WS-Security mechanism -as explained below. - -#### Securing the Security Token Service - -According to the Trust Brokering model defined in the WS-Trust -specification, the users should authenticate themselves to the STS -before obtaining a token. STS may use this authentication information -when constructing the security token. For example, STS may populate the -required claims based on the user name provided by the subject. -Therefore, the STS service needs to be secured. - -STS is configured under the **Resident Identity Provider** section of -the WSO2 Identity Server [Management -Console](_Getting_Started_with_the_Management_Console_) . - -To secure the Security Token Service: - -1. On the **Main** tab, click **Identity \> Identity Providers \> - Resident** . - ![](attachments/103330821/112392547.png){width="200"} - The Resident Identity Provider page appears. - ![](attachments/103330821/112392548.png){width="800"} - -2. Enter the required values as given below. - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample Value
Home Realm IdentifierThis is the domain name of the identity provider. If you do not enter a value here, when an authentication request comes to WSO2 Identity Server, a user will be prompted to specify a domain. You can enter multiple identifiers as a comma-separated list. localhost
Idle Session Time OutThis is the duration in minutes for which an SSO session can be idle for. If WSO2 Identity Server does not receive any SSO authentication requests for the given duration, a session time out occurs. The default value is 15 . 15
Remember Me Period
-

This is the duration in weeks for which WSO2 Identity Server should remember an SSO session given that the Remember Me option is selected in the WSO2 Identity Server login screen.

-

The default value is 2 weeks.

-
2
- -3. Under the **Inbound Authentication Configuration** section, click - **Security Token Service Configuration \> Apply Security Policy** - . - ![](attachments/103330821/112392550.png){width="750"} -4. Select **Yes** in the **Enable Security?** drop down and  select a - pre-configured security scenario according to your requirements. For - this tutorial, use **UsernameToken** under the **Basic Scenarios** - section. - ![](attachments/103330821/103330825.png){width="750"} - - !!! note - - You can find further details about security policy scenarios from - the **view scenario** option **.** - - **![](attachments/103330821/103330822.png){width="900"}** - - -5. Click **Next** . The user domain and user group selection appears. - - Next steps may vary as per the security scenario that you have - chosen under point (5) above. Below is for **UsernameToken** - scenario **.** - -6. Provide the required details as follows: - 1. Select **ALL-USER-STORE-DOMAINS** . - 2. Select the role you created to grant permission to access - secured service. In this example, the admin role is used **.** - Next, click **Finish** . - - !!! note - - The **Select Domain** drop-down lists many domains. The listed - **User Groups** can vary depending on the domain selected. - - - ![](attachments/103330821/112392552.png){width="750"} - -7. Click **Finish** . -8. Click **Ok** on the confirmation dialog window that appears. -9. Click **Update** to complete the process. - -Now STS is configured and secured with a username and password. Only -users with the Admin role can consume the service. - -The next step is to add a service provider to consume the STS. - -#### Adding a service provider for the STS client - -Do the following steps if you are using a Holder of Key **subject -confirmation method** . For more information, see [Configuring STS for -Obtaining Tokens with Holder-Of-Key Subject -Confirmation](_Configuring_STS_for_Obtaining_Tokens_with_Holder-Of-Key_Subject_Confirmation_) -. 
- -The **Subject confirmation methods** define how a relying party (RP), -which is the end service can make sure a particular security token -issued by an STS is brought by the legitimate subject. If this is not -done, a third party can take the token from the wire and send any -request it wants including that token. The RP trusts that illegitimate -party. - -1. Under the **Inbound Authenticatino Configuration** section, click - **WS-Trust Security Token Service Configuration** **\>** - **Configure** . The STS Configuration page appears. - ![](attachments/103330821/112392555.png){width="750"} -2. Enter the required details as given below. - - - - - - - - - - - - - - - - - - - - - -
FieldDescriptionSample Value
Endpoint Address
-


-

-
-

Enter the trusted relying party's endpoint address, which is the endpoint address of the Security Token Service. For more information, see Broker Trust Relationship with WSO2 Identity Server .

-

The endpoint must be used as the service URL to which the token gets delivered by the STS client. Then select the public certificate imported. Tokens issued are encrypted using the public certificate of the trusted relying party. Therefore, the consumer who obtains this token, to invoke the RP service, will not be able to see the token.

- !!! note -

Make sure to upload the certificate of the relying party to the truststore. For instructions, see Adding CA-signed ceritificates to keystores .

-


-

-
-


-

-
https://localhost:9444/services/echo
Certificate AliasThis is the alias of the certificate. wso2carbon
-
- ![](attachments/103330821/112392557.png){width="750"}
-
-3. Click **Update** to save the changes made to the service provider.
-
- **Related Topics**
-
- Run the STS client after configuring the service provider. For
- instructions on trying out a sample STS client, see [Running an STS
- Client](_Running_an_STS_Client_) .
-
-
diff --git a/en/docs/tutorials/configuring-access-control-policy-for-a-service-provider.md b/en/docs/tutorials/configuring-access-control-policy-for-a-service-provider.md
new file mode 100644
index 0000000000..72d1533da0
--- /dev/null
+++ b/en/docs/tutorials/configuring-access-control-policy-for-a-service-provider.md
@@ -0,0 +1,273 @@
+# Configuring Access Control Policy for a Service Provider
+
+This topic guides you through configuring and enforcing an XACML access
+control policy for a service provider. The authorization is done using
+Identity Server’s [XACML
+engine](../../tutorials/identity-server-as-an-xacml-engine)
+, which provides fine-grained access control using
+policies. Fine-grained authorization specifies the requirements and
+variables in an access control policy that is used to authorize access
+to a resource. WSO2 Identity provider supports XACML 1.0, 2.0 and
+3.0. For more information on XACML, see [XACML
+Architecture](../../setup/access-control-and-entitlement-management).
+
+In today's world, businesses and their customers need to access multiple
+service providers that support multiple heterogeneous identity
+federation protocols. Each service provider needs to define an
+authorization policy at the identity provider to decide whether a given
+user is eligible to log into the corresponding service provider. For
+example, one service provider only allows the administrator to sign in
+to the system after 6 PM. Another service provider only allows the users
+from North America to sing in. To meet all these requirements the
+Identity provider needs to provide fine-grained authorization.
+
+WSO2 Identity Server provides an out-of-the-box support for controlling
+access to the service providers. The diagram given below explains how
+you can configure a fine-grained access control policy for a service
+provider in WSO2 IS.
+
+
+![fine-grained-access-control-policy](../../assets/img/tutorials/fine-grained-access-control-policy.png)
+
+
+!!! info
+ The users can be authorized, based on policies that are written using a
+ combinations of any of the following:
+
+ - User’s username
+ - User's roles
+ - User’s user store domain
+ - User’s tenant domain
+ - User’s attributes(e.g. 
email, age, country, etc)
+ - User’s IP address
+ - Service provider’s name
+ - Service provider’s tenant domain
+ - Date
+ - Time
+
+This tutorial demonstrates an example of an access control policy for a
+service provider via XACML 3.0
+
+Sample Scenario: *An Internal finance application in an organization
+needs to be accessed by employees in the finance team only.*
+
+Here, we will permit access to a service provider called
+"travelocity.com" only to users with "finance" role and denies access to
+other users. Please follow the below step to get your configurations
+done to try out this scenario.
+
+
+### Step1: Configuring the service provider
+
+You need to define and configure your service provider in the WSO2
+Identity Server so that the authentication and/or provisioning happens
+as expected. For more information on how the service provider fits into
+the WSO2 IS architecture, see [Architecture](../../getting-started/architecture).
+
+1. Start the WSO2 Identity Server and log in to the management console.
+2. Click **Add** under **Users and Roles** and then select **Add New
+ Role** in the Identity section.
+3. [Create a role](../../using-wso2-identity-server/configuring-roles-and-permissions#adding-a-user-role)
+ called "finance" and give the role login permission.
+4. [Create two new users](../../using-wso2-identity-server/configuring-users#adding-a-new-user-and-assigning-roles)
+ and assign User1 to the role you just created. Assign the User2 to
+ the "admin" role or any other role.
+5. Click **Add** under **Service Providers** on the Main tab and [add a
+ new service
+ provider](../../using-wso2-identity-server/adding-and-configuring-a-service-provider)
+ in the Identity section. Here we can put any name for the service
+ provider name, but since we are using we can use a name like
+ "travelocityApp".
+6. Configure an inbound authentication protocol for the service
+ provider (i.e, SAML, OpenID Connect etc).
+
+ !!! 
info
+ The responsibility of the inbound authentication protocol is to
+ identify and parse all the incoming authentication requests and then
+ helps in building the correct response. As Inbound Authentication
+ Protocols WSO2 Identity Server supports SAML2, OpenID Connect, OAuth
+ etc.
+
+ For this tutorial, we will set up the travelocity sample application
+ by following the instructions in [Configuring Single
+ Sign-On](../../tutorials/configuring-single-sign-on)
+ . Here we use **SAML2** as the inbound authentication protocol.
+
+ Since this is the only available configuration that we have for
+ travelocity.com service provider. The screenshot below shows the
+ SAML configuration for the travelocity sample service provider. If
+ your service provider needs any claims of the authenticated user to
+ provide the service, you can [configure claims of the service
+ provider](../../tutorials/configuring-single-sign-on) . Then once the access is
+ provided after evaluating the XACML policy, the Service Provider can
+ get those claim details of the authorized user from the Identity
+ Provider side.
+
+ ![inbound-authentication-protocol](../../assets/img/tutorials/inbound-authentication-protocol.png)
+
+7. Expand the **Local and Outbound Authentication Configuration**
+ section and select the authenticator used to authenticate users in
+ this service provider(sample value: **Default**).
+
+ !!! info
+ Refer [Configuring Local and Outbound Authentication for a Service
+ Provider](../../using-wso2-identity-server/configuring-local-and-outbound-authentication-for-a-service-provider)
+ for more information.
+
+8. Select the **Enable Authorization** checkbox and click **Update** to
+ finish registering the service provider. 
+ ![enable-authorization](../../assets/img/tutorials/enable-authorization.png)
+
+### Step2: Setting up the policy
+
+After setting up the service provider for the application, the next step
+is to configure the XACML policy to control access to the
+travelocity.com service provider. Let's make our life easy and publish a
+policy using an available XACML policy templates in WSO2 Identity
+Server. Please follow the below steps to set up the policy according to
+our requirement.
+
+1. Click on **Policy Administration** under the **Entitlement \> PAP**
+ section on the **Main** tab of the management console. To get more
+ information about Policy Administration Point(PAP), [Read
+ more](../../tutorials/configuring-the-policy-administration-point)
+ .
+2. Since this sample scenario is based on role, we select the policy
+ ` authn_role_based_policy_template. `
+
+ !!! info
+ XACML template policies provide a pre-configured template with
+ placeholders for different types of policies. For a full list of the
+ available XACML policy templates, see [Writing an XACML Policy using
+ a Policy
+ Template](../../tutorials/writing-a-xacml-policy-using-a-policy-template).
+
+ ![writing-a-xacml-policy-using-a-policy-template](../../assets/img/tutorials/writing-a-xacml-policy-using-a-policy-template.png)
+
+3. Once you click on **Edit**, the XML based policy will appear in
+ the policy editor. There are placeholders in capitals for entering
+ the service provider and role names.
+
+4. Edit the placeholders accordingly with the relevant values.
+ 1. Change the ` PolicyId ` as follows:
+
+ ``` java
+ PolicyId="authn_travelocity_for_finance_team_policy"
+ ```
+
+ 2. Edit the ` ` tag and enter
+ a description relevant to your custom policy.
+
+ ``` java
+ This policy authorizes employees of the finance team to the travelocity service provider in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). 
Users who have at least one of the given roles, will be allowed and any others will be denied. + ``` + + 3. Locate the ` SP_NAME ` placeholder and + replace it with the service provider name "travelocity.com". + 4. Locate the ` ROLE_1 ` placeholder and + replace it with the role name "finance". + 5. In this example, this policy authenticates users to the + specified service provider based on + ` ROLE_1 ` and + ` ROLE_2 ` .But we need only one role to + authenticate. Therefore, we can remove the other role, by + removing that entire section from the start of the + ` ` tag to the ending + ` ` tag. + +5. Once the changes have been made, the policy should be similar to the + following. + + **Access control policy** + + ``` xml + + This policy authorizes employees of the finance team to the travelocity service provider in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied. + + + + + travelocity.com + + + + authenticate + + + + + + + + + + finance + + + + + + + + ``` + +6. Click **Save Policy** to save the changes. You can see the policy + you just created on the policy list (the original template policy + will remain unchanged for later use). + ![created-policy-in-policy-list](../../assets/img/tutorials/created-policy-in-policy-list.png) + +7. Click on the **Publish to My PDP** link corresponding to the new + policy. + ![publish-to-pdp](../../assets/img/tutorials/publish-to-pdp.png) +8. On the UI that appears, leave the default selected values as they + are and click **Publish** . + ![publishing-a-xacml-policy](../../assets/img/tutorials/publishing-a-xacml-policy.png) + + !!! note + + For more information on Publishing an XACML policy, click + [here](../../tutorials/publishing-a-xacml-policy). + + +9. Click on **Policy View** under the **Entitlement \> PDP** section on + the **Main** tab of the management console. 
To get more information
+ about Policy Decision Point(PDP), [Read
+ more](../../tutorials/configuring-the-policy-decision-point).
+
+10. To ensure that the policy has been published successfully, check if
+ the policy is listed.
+
+ ![check-policy-list](../../assets/img/tutorials/check-policy-list.png)
+
+11. To test out whether the policy works, follow the steps in the **Try it out** section below.
+
+ !!! info
+ If you want to write a more complicated policy you can use our XACML
+ policy editors available. To get more information Read, [How to create
+ a XACML Policy](../../tutorials/creating-a-xacml-policy)
+
+ !!! info
+ In a SaaS scenario, only the XACML policies that were created in the
+ tenant domain in which the service provider was created will get
+ executed.
+
+### Try it out
+
+Now that the access control policy has been created and enforced using
+the template policy or the policy editor, test it out by running the
+travelocity.com sample application. The credentials of a user assigned
+to the **finance** role should be accepted while access will be denied
+for users who are not assigned to the **finance** role.
+
+1. Start the Apache Tomcat server and navigate to
+ ` http://wso2is.local:8080/travelocity.com . `
+2. Login with credentials of User1 who was assigned to the finance
+ role. You will be logged in successfully.
+3. Logout and login again with credentials of User2 who was assigned to
+ a different role. You will see an **authorization failure** page as
+ this user is denied access by the access control policy you
+ enforced.
+
+!!!info "Related Topics"
+
+ [How to configure a service provider](../../using-wso2-identity-server/adding-and-configuring-a-service-provider)
diff --git a/en/docs/tutorials/configuring-ad-fs-as-a-federated-authenticator.md b/en/docs/tutorials/configuring-ad-fs-as-a-federated-authenticator.md
new file mode 100644
index 0000000000..bb51c12a28
--- /dev/null
+++ b/en/docs/tutorials/configuring-ad-fs-as-a-federated-authenticator.md 
@@ -0,0 +1,178 @@ +# Configuring AD FS as a Federated Authenticator + +In this tutorial, you configure Active Directory Federation Services (AD +FS) 3.0 as the federated authenticator in WSO2 Identity Server (WSO2 IS) +using SAML. Let's take a look at the steps you need to follow: + +### Configuring Active Directory Federation Services (AD FS) + +Follow the steps given below to add WSO2 IS as the relying party AD FS. + +1. Go to the AD FS management console and expand **Trust Relationship**. + +2. Right click on **Relying Party Trust** and select **Add Relying Party +Trust**. + +3. Click Start -> Next on the wizard. + +4. Enter a preferred name to represent WSO2 Identity Server (relying party) +and click **Next**. + +5. Select the **AD FS Profile** and click **Next**. + +6. Click **Next** again as you are not using an encryption profile for this +tutorial. + +7. Enter the SAML 2.0 SSO service URL of the relying party as the +commonauth endpoint . +The endpoint for WSO2 IS is https://localhost:9443/commonauth. + +8. Enter a value for the **relying party trust identifier** and click +**Next**. + + !!! info + The same value that is entered here needs to be used when configuring + the identity provider on WSO2 IS. + +9. Click **Next** as multi factor authentication is not required for this +tutorial. + +10. Select **Permit all users to access this relying party** and click +**Next**. + +11. Review the settings and click **Next**. + +12. Click **Close** to finish adding the relying party trust. The Claim Rules dialogue wizard opens. + +13. In the Edit Claim Rule dialogue specify the claims that needs to be sent + to the relying party. + In this tutorial, let's send the SAM-Account-Name LDAP attribute as a + NameID claim. + + a. Click **Add Rule**. + + b. Set a Claim rule name and map the **SAM-Account-Name** to the + **E-Mail Address**. + + c. Click **Finish**. + + d. Click **Add Rule** again to transform the email address claim to a + NameID claim. + + e. 
Select **Transform an Incoming Claim** and click **Next**. + + f. Set the **Claim rule name**. + + g. Select the incoming claim type as E-Mail Address and outgoing claim + type and ID format as Name ID and Unspecified respectively. + + h. Click **Finish \>** **Apply**. + + i. Close the claim rules dialogue box. + +14. Configure the Relying Party Trust properties. + + a. Right click on the **Relying Party Trust** you just created and + select **Properties**. + + b. Open the **Signature** tab and click **Add**. + + c. Add the certificate. + + !!! info + You can use any of the two methods listed below depending on your + WSO2 IS configurations. + + - When the Service Provider in WSO2 IS is under the super tenant + domain, the public certificate of WSO2 IS needs to be uploaded + + - Else, the public certificate of the tenant domain needs to be + selected. The public certificate of the tenant can be exported + from the Key Management feature of the WSO2 IS management + console. + + In this tutorial, the service provider is added in the super tenant + domain and the default keystore is not changed. Therefore, the + default ` wso2carbon ` certificate that is in + the ` /repository/resources/security ` + directory is used. + + d. Yes to proceed when following dialogue appears. + + e. Open the **Endpoint** tab to set the SAML logout endpoint. + + f. Click **Add SAML**. + + g. Select SAML Logout as the value for the **Endpoint Type** and the + Binding as the value **POST**. + + h. Set the Trusted URL as https://\/adfs/ls and the + Response URL as the ` /commonauth ` endpoint of + WSO2 IS. + + i. Save the property settings of the relying party. + +15. Configure AD FS as an Identity Provider in WSO2 IS. You need to add the + Token signing certificate of AD FS when configuring WSO2 IS. + Follow the steps given below to export the token signing certificate of + WSO2 IS: + + a. In the AD FS management close, click **Certificates** that is under + **Service.** + + b. 
Right click on the **Token-signing certificate** and select **View + Certificate**. + + c. Open the **Details** tab and click **Copy to File**. + + d. Follow the Certificate Export Wizard by clicking **Next**. + + e. Select the **Base-64 encoded X.509 (.cer)** option and click + **Next**. + + f. Save the certificate to a desired location and click **Finish**. + +You have successfully configured AF DS. Next , you need to configure +WSO2 IS for federated authentication. + +### Configuring WSO2 IS for Federated Authentication + +Follow the steps given below to configure WSO2 IS to use AF DS as the +Identity Provider (IdP). + +1. Login to IS Management console. + +2. Click Add under Identity Providers. + +3. Provide a unique name for the IdP and add the **Token-signing + certificate of ADFS** by clicking the Browse button. + +4. Expand **Federated Authenticators** and **Expand SAML Web SSO + Configuration**. + +5. Click **Configure** to start configuring the SAML 2 Web SSO + configurations. + a. Check **Enable SAML2 Web SSO**. + + b. Identity Provider Entity Id: This can be found in + FederationMetadata.xml under entityID attribute. The + FederationMetadata.xml can be accessed through + https://\/FederationMetadata/2007-06/ + FederationMetadata.xml . The Entity ID is usually in the form + ` http:///adfs/services/trust ` + + c. Service Provider Entity Id should be same as what’s given in AD + FS RP trust identifier. **eg:wso2-is** + + d. SSO URL should be in the form of + http://\/adfs/ls. + + e. Check Enable Logout. + + f. Logout URL should be the same as SSO URL. + + g. Check Enable Logout Request Signing. + + h. Select HTTP Binding as POST. + +6. Click Register to save the IdP. diff --git a/en/docs/tutorials/configuring-Email-OTP.md b/en/docs/tutorials/configuring-email-otp.md similarity index 63% rename from en/docs/tutorials/configuring-Email-OTP.md rename to en/docs/tutorials/configuring-email-otp.md index fbbf4a8b76..16ca49cd67 100644 
--- a/en/docs/tutorials/configuring-Email-OTP.md +++ b/en/docs/tutorials/configuring-email-otp.md @@ -9,21 +9,6 @@ second step of MFA. Follow the instructions in the sections below to configure MFA using Email OTP: -- [Configure the email OTP - provider](#ConfiguringEmailOTP-ConfiguretheemailOTPprovider) -- [Deploy the travelocity.com - sample](#ConfiguringEmailOTP-Deployingtravelocity.comsampleDeploythetravelocity.comsample) -- [Configure the Identity - Provider](#ConfiguringEmailOTP-ConfiguringtheidentityproviderConfiguretheIdentityProvider) -- [Configure the Service - Provider](#ConfiguringEmailOTP-ConfiguringtheserviceproviderConfiguretheServiceProvider) -- [Update the email address of the - user](#ConfiguringEmailOTP-Updatetheemailaddressoftheuser) -- [Configure the user - claims](#ConfiguringEmailOTP-ConfiguringUserClaimConfiguretheuserclaims) -- [Test the - sample](#ConfiguringEmailOTP-TestingthesampleTestthesample) - !!! tip Before you begin! @@ -31,17 +16,14 @@ Email OTP: - To ensure you get the full understanding of configuring Email OTP with WSO2 IS, the sample travelocity application is used in this use case. Therefore, make sure to [download the - samples](https://docs.wso2.com/display/IS560/Downloading+a+Sample) + samples](../../using-wso2-identity-server/downloading-a-sample) before you begin. - The samples run on the Apache Tomcat server and are written based on Servlet 3.0. Therefore, download Tomcat 7.x from [here](https://tomcat.apache.org/download-70.cgi) . - Install Apache Maven to build the samples. For more infomation, see - [Installation - Prerequisites](https://docs.wso2.com/display/IS5XX/Installation+Prerequisites) - . + [Installation Prerequisites](../../setup/installation-prerequisites). - ### Configure the email OTP provider You can use WSO2 Identity Server as the email OTP provider or you can 
@@ -49,21 +31,11 @@ configure Gmail or SendGrid as the email OTP provider using Gmail or SendGrid APIs. Follow the instructions in **one** of these sections to set up the email OTP provider. -- [Configure WSO2 IS as the email OTP - provider](#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider) -- [Configure Gmail as the email OTP - provider](#ConfiguringEmailOTP-ConfiguringtheEmailOTPproviderConfigureGmailastheemailOTPprovider) - #### Configure WSO2 IS as the email OTP provider Follow the steps below to configure WSO2 IS to send emails once the Email OTP is enabled. -Alternatively, you can configure Gmail as the email OTP provider by -following the instructions given in -[this](#ConfiguringEmailOTP-ConfigureGmailastheemailOTPprovider) -section. - 1. Shut down the server if it is running. 2. Open the ` /repository/conf/axis2/axis2.xml ` @@ -80,13 +52,13 @@ section. ``` java - {SENDER'S_EMAIL_ID} - {USERNAME} - {PASSWORD} - smtp.gmail.com - 587 - true - true + {SENDER'S_EMAIL_ID} + {USERNAME} + {PASSWORD} + smtp.gmail.com + 587 + true + true ``` @@ -97,27 +69,27 @@ section. property to avoid syntax errors. ``` java - + ``` 4. Add the following email template to the ` /repository/conf/email/email-admin-config.xml. ` ``` xml - - - WSO2 IS Email OTP - - Hi, - Please use this one time password {OTPCode} to sign in to your application. - -
- Best Regards, - WSO2 Identity Server Team - http://www.wso2.com -
- -
+ + + WSO2 IS Email OTP + + Hi, + Please use this one time password {OTPCode} to sign in to your application. + +
+ Best Regards, + WSO2 Identity Server Team + http://www.wso2.com +
+ +
``` 5. Configure the following properties in the @@ -125,36 +97,29 @@ section. file to ` true ` . ``` xml - Authentication.Policy.Enable=true - Authentication.Policy.Check.OneTime.Password=true + Authentication.Policy.Enable=true + Authentication.Policy.Check.OneTime.Password=true ``` 6. [Start WSO2 - IS](Running-the-Product_103328959.html#RunningtheProduct-Startingtheserver) - . + IS](../../setup/running-the-product#starting-the-server). #### Configure Gmail as the email OTP provider -**Y** ou can send the One Time Password (OTP) using Gmail APIs or using +You can send the One Time Password (OTP) using Gmail APIs or using SendGrid. Follow the steps given below to configure Gmail APIs as the mechanism to send the OTP. -Alternatively, you can configure WSO2 Identity Server as the email OTP -provider by following the instructions given in -[this](#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider) -section. - -1. Create a Google account at [https://gmail.com](https://gmail.com/) . -2. Got to +1. Create a Google account at [https://gmail.com](https://gmail.com/). +2. Go to [https://console.developers.google.com](https://console.developers.google.com/) - and click **ENABLE APIS AND SERVICES** . + and click **ENABLE APIS AND SERVICES**. 3. Search for Gmail API and click on it. 4. Click **Enable** to enable the Gmail APIs. - Why is this needed? - - If you do not enable the Gmail APIs, you run in to a 401 error when - trying out [step13](#ConfiguringEmailOTP-copy-URL) . + !!! info "Why is this needed?" + If you do not enable the Gmail APIs, you will run in to a 401 error when + trying out [step13](#configuring-emailotp-copy-url). 5. Click **Credentials** and click **Create** to create a new project. 6. Click **Credentials** and click the **Create credentials** 
@@ -162,36 +127,40 @@ section. 7. Select **OAuth client ID** option. - ![](attachments/103331027/103331037.png){width="600"} + ![oauth-client-id](../../assets/img/tutorials/oauth-client-id.png) -8. Click **Configure consent screen** . - ![](attachments/103331027/103331067.png){width="931" height="250"} +8. Click **Configure consent screen**. + ![configure-consent-screen](../../assets/img/tutorials/configure-consent-screen.png) + 9. Enter the Product name that needs to be shown to users, enter values - to any other fields you prefer to update, and click **Save** . + to any other fields you prefer to update, and click **Save**. + 10. Select the **Web application** option. Enter ` https://localhost:9443/commonauth ` - as the **Authorize redirect URIs** text-box, and click **Create** - . - ![](attachments/103331027/103331066.png){width="500"} + as the **Authorize redirect URIs** text-box, and click **Create**. + + ![authorize-redirect-uris](../../assets/img/tutorials/authorize-redirect-uris.png) The ` client ID ` and the ` client secret ` are displayed. Copy the client ID and secret and keep it in a safe place as you require it for the next step. - ![](attachments/103331027/103331052.png){width="600"} + ![client-id-client-secret](../../assets/img/tutorials/client-id-client-secret.png) 11. Copy the URL below and replace the ` ` tag with the generated ` Client ID ` . This is required to generate the authorization code. 
- + + **Format** ``` java - https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&response_type=code&client_id=&scope=http%3A%2F%2Fmail.google.com&approval_prompt=force&access_type=offline + https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&response_type=code&client_id=&scope=http%3A%2F%2Fmail.google.com&approval_prompt=force&access_type=offline ``` - + + **Example** ``` java - https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&response_type=code&client_id=854665841399-l13g81ri4q98elpen1i1uhsdjulhp7ha.apps.googleusercontent.com&scope=http%3A%2F%2Fmail.google.com&approval_prompt=force&access_type=offline + https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&response_type=code&client_id=854665841399-l13g81ri4q98elpen1i1uhsdjulhp7ha.apps.googleusercontent.com&scope=http%3A%2F%2Fmail.google.com&approval_prompt=force&access_type=offline ``` 12. Paste the updated URL into your browser. @@ -199,13 +168,13 @@ section. 1. Select the preferred Gmail account with which you wish to proceed. - 2. Click **Allow** . + 2. Click **Allow**. 3. Obtain the ` authorization code ` using a SAML tracer on your browser. - ![](attachments/103331027/103331051.png){width="600"} + ![authorization-code](../../assets/img/tutorials/authorization-code.png) -13. To generate the access token, copy the following cURL command and +13. To generate the access token, copy the following cURL command and replace the following place holders: 1. ` ` : 
@@ -218,50 +187,53 @@ section. : Replace this with the authorization code obtained in [Step 12](#ConfiguringEmailOTP-Auth-code) above. + **Format** ``` java - curl -v -X POST --basic -u : -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=&redirect_uri=https://localhost:9443/commonauth" https://www.googleapis.com/oauth2/v3/token + curl -v -X POST --basic -u : -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=&redirect_uri=https://localhost:9443/commonauth" https://www.googleapis.com/oauth2/v3/token ``` + **Example** ``` java - curl -v -X POST --basic -u 854665841399-l13g81ri4q98elpen1i1uhsdjulhp7ha.apps.googleusercontent.com:MK3h4fhSUT-aCTtSquMB3Vll -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=4/KEDlA2KjGtib4KlyzaKzVNuDfvAmFZ10T82usT-6llY#&redirect_uri=https://localhost:9443/commonauth" https://www.googleapis.com/oauth2/v3/token + curl -v -X POST --basic -u 854665841399-l13g81ri4q98elpen1i1uhsdjulhp7ha.apps.googleusercontent.com:MK3h4fhSUT-aCTtSquMB3Vll -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=4/KEDlA2KjGtib4KlyzaKzVNuDfvAmFZ10T82usT-6llY#&redirect_uri=https://localhost:9443/commonauth" https://www.googleapis.com/oauth2/v3/token ``` + **Sample Response** ``` java - > POST /oauth2/v3/token HTTP/1.1 - > Host: www.googleapis.com - > Authorization: Basic OTk3NDE2ODczOTUwLWY4Y2N1YnJobW1ramdkYXNkNnZkZ2tzOGxoaWExcnRhLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOkJkNlBoY3ZVWXFrM1BhdnA4ZjBZcUQtMw== - > User-Agent: curl/7.54.0 - > Accept: */* - > Content-Type: application/x-www-form-urlencoded;charset=UTF-8 - > Content-Length: 127 - > - < HTTP/1.1 200 OK - < Cache-Control: no-cache, no-store, max-age=0, must-revalidate - < Pragma: no-cache - < Expires: Mon, 01 Jan 1990 00:00:00 GMT - < Date: Wed, 10 Jan 2018 08:29:57 GMT - < Vary: X-Origin 
- < Content-Type: application/json; charset=UTF-8 - < X-Content-Type-Options: nosniff - < X-Frame-Options: SAMEORIGIN - < X-XSS-Protection: 1; mode=block - < Server: GSE - < Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35" - < Accept-Ranges: none - < Vary: Origin,Accept-Encoding - < Transfer-Encoding: chunked - < - { - "access_token": "ya29.Gls-BbTUseE2f-Lrc9q0QtdlvIoYFTg2zkYPsXHwgob4pHAFlE66GMgJjwTHT9eHfivhVcATROzU8FaUgt0wVL1sz-7IsC2Slfpdm6i3uFcurNTFbTlABk3jKJ--", - "token_type": "Bearer", - "expires_in": 3600, - "refresh_token": "1/8pMBx_lrUyitknmGzzH-yOcvoPIZ1OqhPeWvcYJOd0U" - } + > POST /oauth2/v3/token HTTP/1.1 + > Host: www.googleapis.com + > Authorization: Basic OTk3NDE2ODczOTUwLWY4Y2N1YnJobW1ramdkYXNkNnZkZ2tzOGxoaWExcnRhLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOkJkNlBoY3ZVWXFrM1BhdnA4ZjBZcUQtMw== + > User-Agent: curl/7.54.0 + > Accept: */* + > Content-Type: application/x-www-form-urlencoded;charset=UTF-8 + > Content-Length: 127 + > + < HTTP/1.1 200 OK + < Cache-Control: no-cache, no-store, max-age=0, must-revalidate + < Pragma: no-cache + < Expires: Mon, 01 Jan 1990 00:00:00 GMT + < Date: Wed, 10 Jan 2018 08:29:57 GMT + < Vary: X-Origin + < Content-Type: application/json; charset=UTF-8 + < X-Content-Type-Options: nosniff + < X-Frame-Options: SAMEORIGIN + < X-XSS-Protection: 1; mode=block + < Server: GSE + < Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35" + < Accept-Ranges: none + < Vary: Origin,Accept-Encoding + < Transfer-Encoding: chunked + < + { + "access_token": "ya29.Gls-BbTUseE2f-Lrc9q0QtdlvIoYFTg2zkYPsXHwgob4pHAFlE66GMgJjwTHT9eHfivhVcATROzU8FaUgt0wVL1sz-7IsC2Slfpdm6i3uFcurNTFbTlABk3jKJ--", + "token_type": "Bearer", + "expires_in": 3600, + "refresh_token": "1/8pMBx_lrUyitknmGzzH-yOcvoPIZ1OqhPeWvcYJOd0U" + } ``` Paste the updated cURL command in your 
terminal to generate the OAuth2 access token, token validity period, and the refresh token. - ![](attachments/103331027/103331050.png){width="900"} + ![oauth2-access-refresh](../../assets/img/tutorials/oauth2-access-refresh.png) 14. Update the following configurations under the ` ` section in the @@ -348,30 +320,26 @@ section. - ![](images/icons/grey_arrow_down.png){.expand-control-image} Click - here to see a sample configuration - - ``` java - - 501390351749-ftjrp3ld9da4ohd1rulogejscpln646s.apps.googleusercontent.com - dj4st7_m3AclenZR1weFNo1V - sendgridAPIKeyValue - 1/YgNiepY107SyzJdgpynmf-eMYP4qYTPNG_L73MXfcbv - https://www.googleapis.com/gmail/v1/users/alex@gmail.com/messages/send - https://api.sendgrid.com/api/mail.send.json - Gmail - Sendgrid - sendgridFormDataValue - sendgridURLParamsValue - Bearer - https://www.googleapis.com/oauth2/v3/token - Bearer - false - - ``` - -\[ [Back to Top](_Configuring_Email_OTP_) \] - + ??? Note "Click here to see a sample configuration" + ``` java + + 501390351749-ftjrp3ld9da4ohd1rulogejscpln646s.apps.googleusercontent.com + dj4st7_m3AclenZR1weFNo1V + sendgridAPIKeyValue + 1/YgNiepY107SyzJdgpynmf-eMYP4qYTPNG_L73MXfcbv + https://www.googleapis.com/gmail/v1/users/alex@gmail.com/messages/send + https://api.sendgrid.com/api/mail.send.json + Gmail + Sendgrid + sendgridFormDataValue + sendgridURLParamsValue + Bearer + https://www.googleapis.com/oauth2/v3/token + Bearer + false + + ``` + ------------------------------------------------------------------------ ### Deploy the travelocity.com sample 
@@ -386,28 +354,28 @@ the steps below. 1. Add the following entry to the ` /etc/hosts ` file of your machine to configure the hostname. - Why is this step needed? + !!! info "Why is this step needed?" - Some browsers do not allow creating cookies for a naked hostname, - such as ` localhost ` . Cookies are required - when working with SSO. Therefore, to ensure that the SSO - capabilities work as expected in this tutorial, you need to - configure the ` etc/host ` file as explained - in this step. + Some browsers do not allow creating cookies for a naked hostname, + such as ` localhost ` . Cookies are required + when working with SSO. Therefore, to ensure that the SSO + capabilities work as expected in this tutorial, you need to + configure the ` etc/host ` file as explained + in this step. - The ` etc/host ` file is a read-only file. - Therefore, you won't be able to edit it by opening the file via a - text editor. To avoid this, edit the file using the terminal - commands. - For example, use the following command if you are working on a - Mac/Linux environment. + The ` etc/host ` file is a read-only file. + Therefore, you won't be able to edit it by opening the file via a + text editor. To avoid this, edit the file using the terminal + commands. + For example, use the following command if you are working on a + Mac/Linux environment. - ``` java - sudo nano /etc/hosts - ``` + ``` java + sudo nano /etc/hosts + ``` ``` bash - 127.0.0.1 wso2is.local + 127.0.0.1 wso2is.local ``` 2. Open the ` travelocity.properties ` file found @@ -418,8 +386,8 @@ the steps below. ` wso2is.local ` ) that you configured above. ``` text - #The URL of the SAML 2.0 Assertion Consumer - SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp + #The URL of the SAML 2.0 Assertion Consumer + SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp ``` 3. In your terminal, navigate to 
@@ -428,7 +396,7 @@ the steps below. have Apache Maven installed to do this ``` java - mvn clean install + mvn clean install ``` 4. After successfully building the sample, a @@ -479,34 +447,32 @@ the steps below. Now the web application is successfully deployed on a web container. -\[ [Back to Top](_Configuring_Email_OTP_) \] - ------------------------------------------------------------------------ ### Configure the Identity Provider Follow the steps below to add an [identity -provider](_Adding_and_Configuring_an_Identity_Provider_) : +provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider): -1. Click **Add** under **Main \> Identity \> Identity Providers** . - ![](attachments/103331027/103331064.png){width="200"} +1. Click **Add** under **Main \> Identity \> Identity Providers**. + ![adding-an-identity-provider](../../assets/img/tutorials/adding-an-identity-provider.png) + 2. Provide a suitable name for the identity provider. - ![](attachments/103331027/103331047.png){width="600"} + ![name-the-identity-provider](../../assets/img/tutorials/name-the-identity-provider.png) + 3. Expand the **EmailOTPAuthenticator Configuration** under **Federated - Authenticators** . + Authenticators**. 1. Select the **Enable** and **Default** check boxes(If you are using Gmail or Sendgrid as the email OTP provider, provide values for Email API and Email fields as well). - 2. Click **Register** . + 2. Click **Register**. - ![](attachments/103331027/103331046.png){width="700"} + ![registering-an-identity-provider](../../assets/img/tutorials/registering-an-identity-provider.png) You have now added the identity provider. -\[ [Back to Top](_Configuring_Email_OTP_) \] - ------------------------------------------------------------------------ ### Configure the Service Provider 
@@ -516,21 +482,21 @@ Follow the steps below add a service provider: 1. Return to the Management Console home screen. 2. Click **Add** under **Add** under **Main \> Identity \> Service - Providers** . - ![](attachments/103331027/103331065.png){width="200"} + Providers**. + ![add-service-provider](../../assets/img/tutorials/add-service-provider.png) 3. Enter ` travelocity.com ` - as the **Service Provider Name** . - ![](attachments/103331027/103331063.png){width="700"} + as the **Service Provider Name**. + ![](attachments/103331027/name-the-service-provider.png) -4. Click **Register** . +4. Click **Register**. 5. Expand **SAML2 Web SSO Configuration** under **Inbound - Authentication Configuration** . + Authentication Configuration**. -6. Click **Configure** . +6. Click **Configure**. - ![](attachments/103331027/103331070.png){width="600"} + ![configuring-the-service-provider](../../assets/img/tutorials/configuring-the-service-provider.png) 7. Now set the configuration as follows: @@ -549,7 +515,7 @@ Follow the steps below add a service provider: 9. Go to **Claim Configuration** and select the **http://wso2.org/claims/emailaddress** claim. - ![](attachments/103331027/103331062.png){width="800"} + ![claim-configuration](../../assets/img/tutorials/claim-configuration.png) 10. Go to **Local and Outbound Authentication Configuration** section. @@ -557,7 +523,7 @@ Follow the steps below add a service provider: 2. Creating the first authentication step: - 1. Click **Add Authentication Step** . + 1. Click **Add Authentication Step**. 2. Click **Add Authenticator** that is under Local Authenticators of Step 1 to add the basic authentication as @@ -569,7 +535,7 @@ Follow the steps below add a service provider: 3. Creating the second authentication step: - 1. Click **Add Authentication Step** . + 1. Click **Add Authentication Step**. 2. Click **Add Authenticator** that is under Federated Authenticators of Step 2 to add the EMAIL OTP identity 
@@ -577,20 +543,17 @@ Follow the steps below add a service provider: EMAIL OTP is a second step that adds another layer of authentication and security. - ![](attachments/103331027/103331068.png){width="800"} + ![add-authenticator](../../assets/img/tutorials/add-authenticator.png) -11. Click **Update** . +11. Click **Update**. You have now added and configured the service provider. !!! note For more information on service provider configuration, see - [Configuring Single Sign-On](_Configuring_Single_Sign-On_) . + [Configuring Single Sign-On](../../tutorials/configuring-single-sign-on). - -\[ [Back to Top](_Configuring_Email_OTP_) \] - ------------------------------------------------------------------------ ### Update the email address of the user @@ -599,17 +562,15 @@ Follow the steps given below to update the user's email address. 1. Return to the WSO2 Identity Server Management Console home screen. 2. Click **List** under **Add** under **Main \> Identity \> Users and - Roles** . - ![](attachments/103331027/103331059.png){width="200"} - 1. Click **Users** . - ![](attachments/103331027/103331057.png){width="800"} - 2. Click **User Profile** under **Admin** . - ![](attachments/103331027/103331056.png){width="800"} - 3. Update the **email address** . - ![](attachments/103331027/103331072.png){width="800"} - 4. Click **Update** . - -\[ [Back to Top](_Configuring_Email_OTP_) \] + Roles**. + ![management-console](../../assets/img/tutorials/management-console.png) + 1. Click **Users**. + ![console-users-options](../../assets/img/tutorials/console-users-options.png) + 2. Click **User Profile** under **Admin**. + ![console-user-profile](../../assets/img/tutorials/console-user-profile.png) + 3. Update the **email address**. + ![console-email-address](../../assets/img/tutorials/console-email-address.png) + 4. Click **Update**. ------------------------------------------------------------------------ 
@@ -620,15 +581,18 @@ Follow the steps below to map the user claims: !!! note For more information about claims, see [Adding Claim - Mapping](_Adding_Claim_Mapping_) . + Mapping](../../using-wso2-identity-server/adding-claim-mapping). -1. Click **Add** under **Main \> Identity \> Claims** . - ![](attachments/103331027/103331055.png){width="250"} - 1. Click **Add Local Claim** . - ![](attachments/103331027/103331073.png){width="800"} +1. Click **Add** under **Main \> Identity \> Claims**. + ![adding-claims](../../assets/img/tutorials/adding-claims.png) + + 1. Click **Add Local Claim**. + ![add-local-claim](../../assets/img/tutorials/add-local-claim.png) + 2. Select the **Dialect** from the drop down provided and enter the required information. + 3. Add the following: 1. **Claim URI:** @@ -640,9 +604,9 @@ Follow the steps below to map the user claims: 4. **Mapped Attribute (s):** ` title ` 5. **Supported by Default:** checked - ![](attachments/103331027/103331029.png){width="700"} + ![filling-claim-fields](../../assets/img/tutorials/filling-claim-fields.png) - 4. Click **Add** . + 4. Click **Add**. To disable this claim for the admin user, navigate to **Users and Roles \> List** and click **Users.** Click on the **User @@ -650,8 +614,6 @@ Follow the steps below to map the user claims: **Disable EmailOTP.** This will disable the second factor authentication for the admin user. -\[ [Back to Top](_Configuring_Email_OTP_) \] - ------------------------------------------------------------------------ ### Test the sample 
@@ -659,30 +621,28 @@ Follow the steps below to map the user claims: 1. To test the sample, go to the following URL: - [![](attachments/103331027/103331069.jpeg){width="600"}](http://localhost:8080/travelocity.com) + ![testing-travelocity-sample](../../assets/img/tutorials/testing-travelocity-sample.jpeg) 2. Click the link to log in with SAML from WSO2 Identity Server. 3. The basic authentication page appears. Use your WSO2 Identity Server credentials. - ![](attachments/103331027/103331032.png){width="400"} + ![basic-authentication-credentials](../../assets/img/tutorials/basic-authentication-credentials.png) 4. You receive a token to your email account. Enter the code to authenticate. If the authentication is successful, you are taken to the home page of the [travelocity.com](http://travelocity.com) app. - ![](attachments/103331027/103331030.png){width="400"} - - ![](attachments/103331027/103331034.png){width="600"} + ![email-otp-authenticating](../../assets/img/tutorials/email-otp-authenticating.png) -\[ [Back to Top](_Configuring_Email_OTP_) \] + ![travelocity-home](../../assets/img/tutorials/travelocity-home.png) ------------------------------------------------------------------------ ## What's next? - Want to see more federated authenticators? See, [Configuring - Federated Authentication](_Configuring_Federated_Authentication_) + Federated Authentication](../../tutorials/configuring-federated-authentication). - [Try out enabling multi factor authentication using the SMSOTP feature of WSO2 - IS](https://docs.wso2.com/display/IS560/Configuring+SMS+OTP) . + IS](../../tutorials/configuring-sms-otp). diff --git a/en/docs/tutorials/configuring-Facebook.md b/en/docs/tutorials/configuring-facebook.md similarity index 67% rename from en/docs/tutorials/configuring-Facebook.md rename to en/docs/tutorials/configuring-facebook.md index cff9c9ab40..2fbeb27cf3 100644 --- a/en/docs/tutorials/configuring-Facebook.md +++ b/en/docs/tutorials/configuring-facebook.md 
@@ -10,37 +10,38 @@ authenticate users using their Facebook credentials. Identity provider so that it acts as a federated authenticator. **Check out the [Logging in to your application via Identity Server using Facebook - Credentials](_Logging_in_to_your_application_via_Identity_Server_using_Facebook_Credentials_) + Credentials](../../tutorials/logging-in-to-your-application-via-identity-server-using-facebook-credentials) tutorial** to try out an end to end scenario of using Facebook as a federated authenticator. - - Before you begin +!!! tip "Before you begin" 1. Create a Facebook account and [register an application on - Facebook](https://www.facebook.com/business/help/444614902378217) . + Facebook](https://www.facebook.com/business/help/444614902378217). 2. Sign in to the WSO2 Identity Server [Management - Console](_Getting_Started_with_the_Management_Console_) at + Console](../../setup/getting-started-with-the-management-console) at ` https://:9443/carbon ` using your ` username ` and ` password ` . Follow the steps given below to [add a new identity -provider](_Adding_and_Configuring_an_Identity_Provider_) in WSO2 +provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider) in WSO2 Identity Server. - + 1. Download the WSO2 Identity Server from [here](http://wso2.com/products/identity-server/) and [run - it](_Running_the_Product_) . + it](../../setup/running-the-product). Log in to the [Management - Console](_Getting_Started_with_the_Management_Console_) as + Console](../../setup/getting-started-with-the-management-console) as administrator. + 2. In the **Identity** section under the **Main** tab of the Management - Console, click **Add** under **Identity Providers** . -3. Give a suitable name as the **Identity Provider Name** . - ![](attachments/103330993/103330995.png){width="678" height="383"} -4. Go to **Facebook Configuration** under **Federated Authenticators** - . + Console, click **Add** under **Identity Providers**. + +3. 
Give a suitable name as the **Identity Provider Name**. + ![identity-provider-name](../../assets/img/tutorials/identity-provider-name.png) + +4. Go to **Facebook Configuration** under **Federated Authenticators**. 5. Enter the following values in the form that appears: @@ -57,18 +58,14 @@ Identity Server. Client Id

This refers to the App ID you received from the Facebook app you created.

-
-
- Don't know the client ID? Click here for more information -
-
+
+

Don't know the client ID?

  1. Go to https://developers.facebook.com/ and log in using your Facebook credentials.
  2. Click on your app from the My Apps drop-down list.
    You are navigated to the Dashboard of the application. Note down the App ID and the App secret.
-

-
+

@@ -100,25 +97,23 @@ Identity Server. - ![](attachments/103330993/103330996.png){width="630"} + ![facebook-configuration](../../assets/img/tutorials/facebook-configuration.png) 6. Select both checkboxes to **Enable Facebook Authenticator** and make - it the **Default** . + it the **Default**. -7. Click **Register** . +7. Click **Register**. You have now added the identity provider. -**Related Topics** +!!! info "Related Topics" -- Identity Federation is part of the process of configuring an - identity provider. For more information on how to configure an - identity provider, see [Configuring an Identity - Provider](_Adding_and_Configuring_an_Identity_Provider_) . -- See the following topics for samples of configuring Facebook for - federated authentication: - - [Logging in to your application via Identity Server using - Facebook - Credentials](_Logging_in_to_your_application_via_Identity_Server_using_Facebook_Credentials_) - - [Logging in to Salesforce with - Facebook](_Logging_in_to_Salesforce_with_Facebook_) + - Identity Federation is part of the process of configuring an + identity provider. For more information on how to configure an + identity provider, see [Configuring an Identity + Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider). + - See the following topics for samples of configuring Facebook for + federated authentication: + - [Logging in to your application via Identity Server using + Facebook Credentials](../../tutorials/logging-in-to-your-application-via-identity-server-using-facebook-credentials) + - [Logging in to Salesforce with Facebook](../../tutorials/logging-in-to-salesforce-with-facebook)
diff --git a/en/docs/tutorials/configuring-federated-authentication.md b/en/docs/tutorials/configuring-federated-authentication.md
new file mode 100644
index 0000000000..5876dab131
--- /dev/null
+++ b/en/docs/tutorials/configuring-federated-authentication.md
@@ -0,0 +1,40 @@ +# Configuring Federated Authentication + +This topic includes information on how to configure federated +authenticators in WSO2 Identity Server. + +!!! Info "Before you begin" + For more information on what federated authenticators are, see [Outbound/federated authenticators in the Identity Server architecture](../../getting-started/architecture#outbound/federated-authenticators). + +To navigate to the federated authenticators configuration section, do the following. + +1. Sign in. Enter your username and password to log on to the [Management Console](../../setup/getting-started-with-the-management-console). + +2. Navigate to the **Main** menu to access the **Identity** menu. Click Add under Identity Providers. +For more information, see [Adding and Configuring an Identity Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider). + +3. Fill in the details in the **Basic Information** section. + +!!! warning + + OpenID 2.0 has been removed from the base product as it is now + an obsolete specification and has been superseded by OpenID Connect. We + recommend using [OpenID Connect](../../tutorials/configuring-oauth2-openid-connect) + instead. + + +You can configure the following federated authenticators by expanding +the **Federated Authenticators** section followed by the required +subsections. + +![federated-authenticators](../../assets/img/tutorials/federated-authenticators.png) + + +!!! tip "More Federated Authenticators" + + Some authenticators such as LinkedIn are not provided OOTB with WSO2 + Identity Server but can be downloaded from the [WSO2 + store](https://store.wso2.com/store/) and plugged in to work with WSO2 + IS. For more information on those authenticators and connectors, see the + [WSO2 Identity Server Connectors documentation](../../connectors/authenticators-and-connectors). + 
diff --git a/en/docs/tutorials/configuring-Google.md b/en/docs/tutorials/configuring-google.md
similarity index 83%
rename from en/docs/tutorials/configuring-Google.md
rename to en/docs/tutorials/configuring-google.md
index 9334cfeb75..eb1c88509f 100644
--- a/en/docs/tutorials/configuring-Google.md
+++ b/en/docs/tutorials/configuring-google.md
@@ -7,14 +7,13 @@ authenticate users using their Google user accounts. 1. To navigate to the federated authenticators configuration section, do the following. 1. Sign in. Enter your username and password to log on to the - [Management - Console](https://docs.wso2.com/display/IS580/Getting+Started+with+the+Management+Console) - . + [Management Console](../../setup/getting-started-with-the-management-console). + 2. Navigate to the **Main** menu to access the **Identity** menu. - Click **Add** under **Identity Providers** . + Click **Add** under **Identity Providers**. For more information, see [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS580/Adding+and+Configuring+an+Identity+Provider) - . + Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider). + 3. Fill in the details in the **Basic Information** section. 2. Register OAuth 2.0 Application in Google. As the first step, go to
@@ -22,22 +21,28 @@ authenticate users using their Google user accounts. and navigate to the **Credentials** tab from the sidebar. You can configure OAuth web application in Google by selecting **OAuth Client ID** . You can find more details from - [here](https://developers.google.com/identity/protocols/OpenIDConnect) - . - ![](attachments/60494108/75110338.png){height="250"} + [here](https://developers.google.com/identity/protocols/OpenIDConnect). + + ![register-oauth2](../../assets/img/tutorials/register-oauth2.png) + Select a web application and give it a name (e.g., SampleWebApllication). Enter the Authorized **redirect URI** as ` https://localhost:9443/commonauth ` (this is the endpoint in WSO2 Identity Server that accepts the response sent by Google). - ![](attachments/60494108/75110343.png){height="400"} + + ![create-client-id](../../assets/img/tutorials/create-client-id.png) + 3. Expand the **Google Configuration** form and configure the Google authenticator as shown below. Make sure to add your Redirect URI as the Callback URL and Client id and Secret which is generated from - above Google application . You can find the client id and secret + above Google application. You can find the client id and secret from edit OAuth client. - ![](attachments/60494108/75110347.png){width="700"} - ![](attachments/103331000/103331001.png){width="700"} + + ![google-app](../../assets/img/tutorials/google-app.png) + + ![google-configuration](../../assets/img/tutorials/google-configuration.png) + 4. Fill in the following fields where relevant. | Field | Description | Sample value | 
@@ -49,9 +54,9 @@ authenticate users using their Google user accounts. | Callback Url | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: ` https://(host-name):(port)/acs ` . Here ACS URL (Assertion Consumer URL) is the endpoint in WSO2 Identity Server which accepts the response sent by Google. | https://localhost:9443/commonauth | | Additional Query Parameters | This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here. | scope=openid email profile | -**Related Topics** +!!! info "Related Topics" -- Identity Federation is part of the process of configuring an - identity provider. For more information on how to configure an - identity provider, see [Configuring an Identity - Provider.](_Adding_and_Configuring_an_Identity_Provider_) + - Identity Federation is part of the process of configuring an + identity provider. For more information on how to configure an + identity provider, see [Configuring an Identity + Provider.](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider) diff --git a/en/docs/tutorials/configuring-IWA-on-Linux.md b/en/docs/tutorials/configuring-iwa-on-linux.md similarity index 66% rename from en/docs/tutorials/configuring-IWA-on-Linux.md rename to en/docs/tutorials/configuring-iwa-on-linux.md index c37121162f..76ecda18eb 100644 --- a/en/docs/tutorials/configuring-IWA-on-Linux.md +++ b/en/docs/tutorials/configuring-iwa-on-linux.md 
@@ -9,15 +9,14 @@ or federated authentication in WSO2 Identity Server (IS). !!! tip - **Tip:** This IWA authenticator is provided OOTB and was implemented + This IWA authenticator is provided OOTB and was implemented from WSO2 IS 5.3.0 onwards. It uses Kerberos internally and is the recommended approach as it overcomes some limitations of the IWA authenticator provided in previous versions of WSO2 IS which was based on NTLM. If you still want to use the previous IWA authenticator that - was based on NTLM, it is [available as an - extension](https://github.com/wso2-extensions/identity-local-auth-iwa-ntlm) + was based on NTLM, it is [available as an extension](https://github.com/wso2-extensions/identity-local-auth-iwa-ntlm) . For more information on how to setup the NTLM-based IWA authenticator, - see [Configuring IWA Single-Sign-On](_Configuring_IWA_Single-Sign-On_) . + see [Configuring IWA Single-Sign-On](../../tutorials/configuring-iwa-single-sign-on). The benefits of using the authenticator based on Kerberos vs the authenticator based on NTLM are as follows: 
@@ -27,27 +26,19 @@ or federated authentication in WSO2 Identity Server (IS). - Performance and security on Kerberos are better. -- [How IWA with Kerberos - works](#ConfiguringIWAonLinux-HowIWAwithKerberosworks) -- [Setting up IWA](#ConfiguringIWAonLinux-SettingupIWA) -- [Configuring WSO2 IS with IWA as a local or federated - authenticator](#ConfiguringIWAonLinux-ConfiguringWSO2ISwithIWAasalocalorfederatedauthenticator) -- [Testing the IWA - authenticator](#ConfiguringIWAonLinux-TestingtheIWAauthenticator) +!!! info "Related Links" -**Related Links** - -- For more information about IWA, see [Integrated Windows - Authentication](https://docs.wso2.com/display/IS520/Integrated+Windows+Authentication) -- To configure Active Directory as a user store, see [Configuring a - Read-write Active Directory User - Store](_Configuring_a_Read-write_Active_Directory_User_Store_) . + - For more information about IWA, see [Integrated Windows + Authentication](../../tutorials/integrated-windows-authentication) + - To configure Active Directory as a user store, see [Configuring a + Read-write Active Directory User + Store](../../using-wso2-identity-server/configuring-a-read-write-active-directory-user-store). ### How IWA with Kerberos works -![](attachments/103330977/103330985.png){width="900"} +![iwa-wso2](../../assets/img/tutorials/iwa-wso2.png) -![](attachments/103330977/103330984.png) +![iwa-with-kerberos](../../assets/img/tutorials/iwa-with-kerberos.png) ### Setting up IWA 
@@ -56,19 +47,18 @@ or federated authentication in WSO2 Identity Server (IS). multiple Kerberos domains, WSO2 IS should have a virtual host name for each Kerberos domain. - When adding the DNS entry, generally the first part of the hostname - is given. The AD will append the rest with its AD domain. For - example, if the AD domain is 'wso2.com, after you add a DNS host - entry, the final result will be similar to the following: - - **Example** + !!! info + When adding the DNS entry, generally the first part of the hostname + is given. The AD will append the rest with its AD domain. For + example, if the AD domain is 'wso2.com, after you add a DNS host + entry, the final result will be similar to the following: - ``` java - idp.wso2.com - ``` - - **NOTE:** Kerberos does not work with IP addresses, it relies on - domain names and correct DNS entries only. + ``` java + idp.wso2.com + ``` + + Kerberos does not work with IP addresses, it relies on + domain names and correct DNS entries only. 2. Open the ` carbon.xml ` file found in the ` /repository/conf ` folder and set the
@@ -113,17 +103,14 @@ or federated authentication in WSO2 Identity Server (IS). service account is **is\_linux** ). !!! note - - **Note:** The account used for WSO2 IS needs to be different from + The account used for WSO2 IS needs to be different from the one used by the user to login to the application. - 6. Run the following commands to register WSO2 IS as a service principal in Active Directory. !!! note - - **Note:** Replace ` is_linux ` with the username + Replace ` is_linux ` with the username of your service account in the command below. The format of the command is as follows: ` [setspn -A HTTP/ ] `
@@ -194,48 +181,45 @@ authenticator. - - [**IWA as a Local - Authenticator**](#982230888b5e44ebb0d0ccf591f8c308) - - [**IWA as a Federated - Authenticator**](#f66e0b76ee524f248ec38cfb0b24da62) - - ![](attachments/103330977/103330991.png){width="743"} - - ![](attachments/103330977/103330990.png){width="780"} + - IWA as a Local Authenticator + ![iwa-as-a-local-authenticator](../../assets/img/tutorials/iwa-as-a-local-authenticator.png) + + - IWA as a Federated Authenticator + ![iwa-as-a-federated-authenticator](../../assets/img/tutorials/iwa-as-a-federated-authenticator.png) -6. Configure your browser to support Kerberos and NTLM. The tabs below +6. Configure your browser to support Kerberos and NTLM. The points below explain how to configure each browser. - - [**for Firefox**](#598fa452401744fda084fd9d786becb8) - - [**for Internet - Explorer/Chrome**](#a599620bcefd40859f65f00671253357) + **Configuring firefox** + + 1. Type ` about:config ` in the address + bar, ignore the warning and continue, this will display the advanced + settings of Firefox. - 1. Type ` about:config ` in the address - bar, ignore the warning and continue, this will display the advanced - settings of Firefox. + 2\. In the search bar, search for the key " + ` network.negotiate-auth.trusted-uris. ` - 2\. In the search bar, search for the key " - ` network.negotiate-auth.trusted-uris. ` + ![configuring-firefox-for-kerberos](../../assets/img/tutorials/configuring-firefox-for-kerberos.png) - ![](attachments/103330977/103330978.png){width="600" height="372"} + 3\. Add the WSO2 Identity Server URL and click OK. - 3\. Add the WSO2 Identity Server URL and click OK. + ![adding-wso2-is-url](../../assets/img/tutorials/adding-wso2-is-url.png) - ![](attachments/103330977/103330979.png){width="300"} + **Configuring Internet Explorer/Chrome** - 1. Go to Tools -\>Internet Options. + 1. Go to Tools -\>Internet Options. - 2\. In the “security” tab select local intranet. + 2\. 
In the “security” tab select local intranet. - ![](attachments/103330977/103330980.png){width="350"} + ![configuring-internet-explorer-chrome](../../assets/img/tutorials/configuring-internet-explorer-chrome.png) - 3\. C lick the **Sites** button. Then add the URL of WSO2 Identity Server - there. + 3\. Click the **Sites** button. Then add the URL of WSO2 Identity Server + there. - ![](attachments/103330977/103330981.png){width="350"} + ![adding-wso2-is-url-ie-chrome](../../assets/img/tutorials/adding-wso2-is-url-ie-chrome.png) - Chrome simply inherits the settings from Internet Explorer. So you - don’t have to configure anything additionally. + Chrome simply inherits the settings from Internet Explorer. So you + don’t have to configure anything additionally. ### Testing the IWA authenticator 
@@ -243,26 +227,27 @@ authenticator. by following the steps above. 2. Download and set up the Travelocity sample application. To do this, follow the instructions on the [Configuring Single - Sign-On](_Configuring_Single_Sign-On_) page. + Sign-On](../../tutorials/configuring-single-sign-on) page. 3. Edit the service provider you created for the Travelocity sample, and expand the **Local and Outbound Authentication** section. 4. Select **Federated Authentication** as the **Authentication Type** and select the identity provider you created above. - ![](attachments/103330977/103330989.png) + ![](../../assets/img/tutorials/federated-authentication.png) + 5. Restart the Apache Tomcat server and run the Travelocity sample application from a Windows machine. -**Troubleshooting Tips** +!!! tips "Troubleshooting Tips" -- Use hostnames only (no IP addresses). -- Check the configuration of the ` jaas.conf ` - file, particularly the ` isInitiator=false ` - property under the ` Server ` section (see step - 3 of the **Setting Up IWA** section). -- Make sure that your service principal (IS) is associated with only - one account. + - Use hostnames only (no IP addresses). + - Check the configuration of the ` jaas.conf ` + file, particularly the ` isInitiator=false ` + property under the ` Server ` section (see step + 3 of the **Setting Up IWA** section). + - Make sure that your service principal (IS) is associated with only + one account. -- If you get an exception with an error message similar to “Checksum - failed”, check whether you have given the correct password. + - If you get an exception with an error message similar to “Checksum + failed”, check whether you have given the correct password. 
diff --git a/en/docs/tutorials/configuring-Microsoft-Windows-Live.md b/en/docs/tutorials/configuring-microsoft-windows-live.md
similarity index 85%
rename from en/docs/tutorials/configuring-Microsoft-Windows-Live.md
rename to en/docs/tutorials/configuring-microsoft-windows-live.md
index 4b8a05b53c..ed8f750ff8 100644
--- a/en/docs/tutorials/configuring-Microsoft-Windows-Live.md
+++ b/en/docs/tutorials/configuring-microsoft-windows-live.md
@@ -4,14 +4,12 @@ Microsoft Windows Live can be used as a federated authenticator in the Identity Server. Do the following to configure the Identity Server to authenticate users using their Microsoft Live user accounts. -!!! tip - - Before you begin +!!! tip "Before you begin" 1. [Register an application on Windows - Live](https://msdn.microsoft.com/en-us/library/hh826541.aspx) . + Live](https://msdn.microsoft.com/en-us/library/hh826541.aspx). 2. Sign in to the WSO2 Identity Server [Management - Console](https://docs.wso2.com/display/IS530/Getting+Started+with+the+Management+Console) + Console](../../setup/getting-started-with-the-management-console) at ` https://:9443/carbon ` using your ` username ` and ` password ` .
@@ -20,18 +18,20 @@ authenticate users using their Microsoft Live user accounts. do the following. 1. Sign in. Enter your username and password to log on to the [Management - Console](https://docs.wso2.com/display/IS580/Getting+Started+with+the+Management+Console) - . + Console](../../setup/getting-started-with-the-management-console). + 2. Navigate to the **Main** menu to access the **Identity** menu. - Click **Add** under **Identity Providers** . + Click **Add** under **Identity Providers**. For more information, see [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS580/Adding+and+Configuring+an+Identity+Provider) - . + Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider). + 3. Fill in the details in the **Basic Information** section. 2. Expand the **Federated Authenticators** link. + 3. Expand the **Microsoft (Hotmail, MSN, Live) Configuration** form. - ![](attachments/103330975/103330976.png) + ![microsoft-configuration](../../assets/img/tutorials/microsoft-configuration.png) + 4. Fill in the following fields where relevant. Prior to configuring, you need to have an application created in Windows live. See [Configuring your 
@@ -46,9 +46,9 @@ authenticate users using their Microsoft Live user accounts. | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: ` https://(host-name):(port)/acs ` | [https://localhost:9443/commonauth](https://www.google.com/url?q=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&sa=D&sntz=1&usg=AFQjCNG7dB10sZ-F07Du9Q5fT-mVDMfobg) | | Client Id | This is the username from the Microsoft Live application. | 1421263438188909 | -**Related Topics** +!!! info "Related Topics" -- Identity Federation is part of the process of configuring an - identity provider. For more information on how to configure an - identity provider, see [Configuring an Identity - Provider.](_Adding_and_Configuring_an_Identity_Provider_) + - Identity Federation is part of the process of configuring an + identity provider. For more information on how to configure an + identity provider, see [Configuring an Identity + Provider.](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider) diff --git a/en/docs/tutorials/configuring-OAuth2-OpenID-Connect.md b/en/docs/tutorials/configuring-oauth2-openid-connect.md similarity index 80% rename from en/docs/tutorials/configuring-OAuth2-OpenID-Connect.md rename to en/docs/tutorials/configuring-oauth2-openid-connect.md index d1d1578285..3e3b151e15 100644 --- a/en/docs/tutorials/configuring-OAuth2-OpenID-Connect.md +++ b/en/docs/tutorials/configuring-oauth2-openid-connect.md 
@@ -17,29 +17,28 @@ the users with an authorization server-based authentication. 1. Sign in. Enter your username and password to log on to the [Management - Console](https://docs.wso2.com/display/IS540/Getting+Started+with+the+Management+Console) - . + Console](../../setup/getting-started-with-the-management-console). + 2. Navigate to the **Main** menu to access the **Identity** menu. Click - **Add** under **Identity Providers** . + **Add** under **Identity Providers**. For more information, see [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS540/Adding+and+Configuring+an+Identity+Provider) - . + Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider). + 3. Fill in the details in the **Basic Information** section. + 4. Expand the **Federated Authenticators** section and then the **OAuth2/OpenID Connect Configuration** form. - ![](attachments/103330970/103330971.png) + ![oauth2-openid-connect-configuration](../../assets/img/tutorials/oauth2-openid-connect-configuration.png) + 5. Fill in the following fields where relevant. Prior to this, you need to configure an application for Identity server in the federated authorization server and get the application information such as client ID and secret. For more information, see [configuring OAuth2-OpenID Connect single - sign-on](_Configuring_OAuth2-OpenID_Connect_Single-Sign-On_) . + sign-on](../../tutorials/configuring-oauth2-openid-connect-single-sign-on). !!! tip - - Tip - By default, the **Client Id** and **Client Secret** are stored as plain text values, where the **Client Secret** is generally stored as a random number generated using two UUIDs and HMAC-SHA1 hash 
@@ -47,15 +46,15 @@ the users with an authorization server-based authentication. against HMAC. If you want to change the format in which the **Client Secret** is - stored, you need to change the - ` ` property in the - ` /repository/conf/identity/identity.xml ` - file, depending on how you want to store tokens. For information on - possible values that you can specify as - ` ` based on your + stored, open the ` /repository/conf/deployment.toml ` file and add the following configuration. + ```xml + [oauth] + hash_tokens_and_secrets: + ``` + For information on + possible values that you can specify based on your requirement, see [Supported token persistence - processors](Extension-Points-for-OAuth_103329664.html#ExtensionPointsforOAuth-TokenPersistenceProcessor) - . + processors](../../using-wso2-identity-server/extension-points-for-oauth#token-persistence-processor). Once you configure a required token persistence processor, be sure to restart the server for the changes to be applied to WSO2 Identity 
@@ -74,13 +73,13 @@ the users with an authorization server-based authentication. | OpenID Connect User ID Location | Select whether the User ID is found in the 'sub' attribute that is sent with the OpenID Connect request or if it is found among claims. | User ID found in 'sub' attribute | | Additional Query Parameters | This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here. | paramName1=value1 | -**Related Topics** +!!! info "Related Topics" -- Identity Federation is part of the process of configuring an - identity provider. For more information on how to configure an - identity provider, see [Configuring an Identity - Provider.](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) -- See [Log into Identity Server using another Identity Server - - OAuth2](_Login_to_Identity_Server_using_another_Identity_Server_-_OAuth2_) - for a sample of using OAuth2/OpenIDConnect for federated - authentication. + - Identity Federation is part of the process of configuring an + identity provider. For more information on how to configure an + identity provider, see [Configuring an Identity + Provider.](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider) + - See [Log into Identity Server using another Identity Server - + OAuth2](../../using-wso2-identity-server/login-to-identity-server-using-another-identity-server-oauth2) + for a sample of using OAuth2/OpenIDConnect for federated + authentication.
diff --git a/en/docs/tutorials/configuring-saml-2.0-web-sso.md b/en/docs/tutorials/configuring-saml-2.0-web-sso.md
new file mode 100644
index 0000000000..75fc7c3a17
--- /dev/null
+++ b/en/docs/tutorials/configuring-saml-2.0-web-sso.md
@@ -0,0 +1,460 @@ +# Configuring SAML 2.0 Web SSO + +In a single sign on system there are two roles; Service Providers and +Identity Providers. The important characteristic of a single sign on +system is the pre-defined trust relationship between the service +providers and the identity providers. Service providers trust the +assertions issued by the identity providers and the identity providers +issue assertions based on the results of authentication and +authorization of principles which access services on the service +provider's side. + +SAML 2.0 web browser-based single-sign-on profile is defined under the +SAML 2.0 [Profiles specification](http://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf).  +In a web browser-based SSO system, the flow can be started by the user +either by attempting to access a service at the service provider, or by +directly accessing the identity provider itself. + +To navigate to the federated authenticators configuration section, do +the following. + +1. Sign in. Enter your username and password to log on to the + [Management + Console](../../setup/getting-started-with-the-management-console). + +2. Navigate to the **Main** menu to access the **Identity** menu. Click + **Add** under **Identity Providers**. + For more information, see [Adding and Configuring an Identity + Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider). + +3. Fill in the details in the **Basic Information** section. + +Expand the **SAML2 Web SSO Configuration** form. The following appears. + +![saml2-web-sso-configuration](../../assets/img/tutorials/saml2-web-sso-configuration.png) + +SAML configuration information can be entered through one of the +following ways: + + +#### Manual Configuration + +1. Select the **Manual Configuration** (selected by default). + + ![manual-configuration](../../assets/img/tutorials/manual-configuration.png) + +2. 
Fill in the following fields where relevant. The \* indicates + required fields. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionSample value
Enable SAML2 Web SSOSelecting this option enables SAML2 Web SSO to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that SAML2 Web SSO is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Service Provider Entity Id

This is the entity Id of the Identity Server. This can be any value but when you configure a service provider in the external IDP you should give the same value as the Service Provider Entity Id.

wso2is

NameID format

This is the NameID format to be used in the SAML request. By default, it has 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', But you can change this as per the identity provider.

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Select ModeSelect the mode to decide the input method for SAML configuration. You can have manual configuration or Metadata data configuration where an .xml metadata file is uploaded.Manual configuration (is selected by dafault)
Identity Provider Entity Id
+

This is basically the <Issuer> value of the SAML2 response from the identity provider you are configuring. This value must be a unique string among identity providers inside the same tenant. This information should be taken from the external Identity provider.

+

In order to enable the <Issuer> validation in the SAML2 response from the IdP, open the /repository/conf/deployment.toml file and add the following configuration.

+
https://idp.example.org/idp/shibboleth
SSO URLThis is the URL that you want to send the SAML request to. This information should be taken from the external Identity provider.

https://localhost:8443/idp/profile/SAML2/Redirect/SSO

Enable Authentication Request SigningSelecting this checkbox enables you to sign the authentication request. If this is enabled, you must sign the request using the private key of the identity provider.Selected
Enable Assertion EncryptionThis is a security feature where you can encrypt the SAML2 Assertions returned after authentication. So basically, the response must be encrypted when this is enabled.Selected
Enable Assertion Signing

Select Enable Assertion Signing to sign the SAML2 Assertions returned after the authentication. SAML2 relying party components expect these assertions to be signed by the Identity Server.

Selected
Enable LogoutSelect Enable Single Logout so that all sessions are terminated once the user signs out from one server.Selected
Logout URL
+If the external IDP support for logout you can select Enable Logout . Then you can set the URL of the external IDP, where you need to send the logout request, under Logout URL. If you do not set a value for this it will simply return to the SSO URL . +
https://localhost:8443/idp/samlsso/logout
Enable Logout Request SigningSelecting this checkbox enables you to sign the logout request.Selected
Enable Authentication Response Signing

Select Enable Authentication Response Signing to sign the SAML2 responses returned after the authentication.

Selected
Signature Algorithm

Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding and “SigAlg” HTTP Parameter in REDIRECT binding. The expandable Signature Algorithms table below lists the usable algorithms and their respective URIs that will be sent in the actual SAMLRequest.

Default value is RSA with SHA1 .
Digest Algorithm

Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The Digest Algorithms table below lists the usable algorithms and their respective URIs that will be sent in the actual SAMLRequest.

Default value is SHA1 .
Attribute Consuming Service IndexSpecifies the ‘AttributeConsumingServiceIndex’ attribute.By default this would be empty, therefore that attribute would not be sent unless filled.
Enable Force AuthenticationEnable force authentication or decide from the incoming request. This affects ‘ForceAuthn’ attribute.Default value is As Per Request .
Include Public CertificateInclude the public certificate in the request.Selected by default.
Include Protocol BindingInclude ‘ProtocolBinding’ attribute in the request.Selected by default.
Include NameID PolicyInclude ‘NameIDPolicy’ element in the request.Selecte d by default.
Include Authentication ContextInclude a new ‘RequestedAuthnContext’ element in the request, or reuse from the incoming request.Default value is Yes .
Authentication Context Class

Choose an Authentication Context Class Reference (AuthnContextClassRef) to be included in the requested authentication context from the Identity Server which specifies the authentication context requirements of authentication statements returned in the response. Authentication Context Class table below lists the usable classes and their respective URIs that will be sent in the SAMLRequest from the Identity Server to trusted IdP.

Default value is PasswordProtectedTransport .
Authentication Context Comparison Level

Choose the Requested Authentication Context ‘Comparison’ attribute to be sent which specifies the comparison method used to evaluate the requested context classes or statements.

+
    +
  • If Comparison is set to "exact" or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
  • +
  • If Comparison is set to "minimum", then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
  • +
  • If Comparison is set to "better", then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
  • +
  • If Comparison is set to "maximum", then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
  • +
Default value is “Exact”.
SAML2 Web SSO User Id LocationSelect whether the User ID is found in 'Name Identifier' or if it is found among claims. If the user ID is found amongthe claims, it can override the User ID Claim URI configuration in the identity provider claim mapping section .User ID found among claims
HTTP BindingSelect the HTTP binding details that are relevant for your scenario. This refers to how the request is sent to the identity provider. HTTP-Redirect and HTTP-POST are standard means of sending the request. If you select As Per Request it can handle any type of request.HTTP-POST
Response Authentication Context ClassSelect As Per Response to pass the AuthnContextClassRef received from the configured identity provider to the service provider. Select Default to pass the default AuthnContextClassRef instead.
+
+The AuthnContextClassRef specifies how the user has been authenticated by the IdP (e.g. via username/password login, via certificate etc.)
As Per Response
Additional Query Parameters
+

This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here. These will be sent along with the SAML request.

+
+

Info

+

If you want to send query parameters that need to be updated dynamically with each SAML request, the value needs to be defined within parenthesis.This value should be the key of the query parameter sent in the SAML request URL.
+Example: locale={lang}

+

Multiple parameters can be defined by separation of query parameters using the & character.

+
+Example: locale={lang}&scope=openid email profile +
+
+
paramName1=value1
+ +??? note "Click here to expand for more information on security algorithms." + + The following table lists out the security algorithms and their + respective URI. + + | Security algorithm name | Security algorithm URI | + |-------------------------|-------------------------------------------------------------| + | DSA with SHA1 | http://www.w3.org/2000/09/xmldsig\#dsa­sha1 | + | ECDSA with SHA1 | http://www.w3.org/2001/04/xmldsig­more\#ecdsa­sha1 dsa­sha1 | + | ECDSA with SHA256 | http://www.w3.org/2001/04/xmldsig­more\#ec dsa­sha256 | + | ECDSA with SHA384 | http://www.w3.org/2001/04/xmldsig­more\#ec dsa­sha384 | + | ECDSA with SHA512 | http://www.w3.org/2001/04/xmldsig­more\#ec dsa­sha512 | + | RSA with MD5 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­md5 | + | RSA with RIPEMD160 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­ripemd160 | + | RSA with SHA1 | http://www.w3.org/2000/09/xmldsig\#rsa­sha1 | + | RSA with SHA256 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­sha256 | + | RSA with SHA384 | http://www.w3.org/2001/04/xmldsig­more\#rsa sha384 | + | RSA with SHA512 | http://www.w3.org/2001/04/xmldsig­more\#rsa ­sha512 | + +??? note "Click here to expand for more information on digest algorithms." + + The following table lists out the digest algorithms and their respective + URI. + + | Digest algorithm name | Digest algorithm URI | + |-----------------------|-------------------------------------------------| + | MD5 | http://www.w3.org/2001/04/xmldsig­more\#md 5 | + | RIPEMD160 | http://www.w3.org/2001/04/xmlenc\#ripemd16 0 | + | SHA1 | http://www.w3.org/2000/09/xmldsig\#sha1 | + | SHA256 | http://www.w3.org/2001/04/xmlenc\#sha256 | + | SHA384 | http://www.w3.org/2001/04/xmldsig­more\#sh a384 | + | SHA512 | http://www.w3.org/2001/04/xmlenc\#sha512 | + +??? note "Click here to expand for more information on authentication context classes." + + The following table lists out the authentication context classes and + their respective URI. 
+ + | Authentication context class name | Authentication context class URI | + |-------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | Internet Protocol | [urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol](http://urnoasisnamestcSAML:2.0:ac:classes:InternetProtocol) | + | Internet Protocol Password | [urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword](http://urnoasisnamestcSAML:2.0:ac:classes:InternetProtocolPassword) | + | Kerberos | [urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos](http://urnoasisnamestcSAML:2.0:ac:classes:Kerberos) | + | Mobile One Factor Unregistered | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered](http://urnoasisnamestcSAML:2.0:ac:classes:MobileOneFactorUnregistered) | + | Mobile Two Factor Unregistered | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered](http://urnoasisnamestcSAML:2.0:ac:classes:MobileTwoFactorUnregistered) | + | Mobile One Factor Contract | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract](http://urnoasisnamestcSAML:2.0:ac:classes:MobileOneFactorContract) | + | Mobile Two Factor Contract | [urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract](http://urnoasisnamestcSAML:2.0:ac:classes:MobileTwoFactorContract) | + | Password | [urn:oasis:names:tc:SAML:2.0:ac:classes:Password](http://urnoasisnamestcSAML:2.0:ac:classes:Password) | + | Password Protected Transport | [urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport](http://urnoasisnamestcSAML:2.0:ac:classes:PasswordProtectedTransport) | + | Previous Session | [urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession](http://urnoasisnamestcSAML:2.0:ac:classes:PreviousSession) | + | Public Key X.509 | [urn:oasis:names:tc:SAML:2.0:ac:classes:X509](http://urnoasisnamestcSAML:2.0:ac:classes:X509) | + | Public Key PGP | 
[urn:oasis:names:tc:SAML:2.0:ac:classes:PGP](http://urnoasisnamestcSAML:2.0:ac:classes:PGP) | + | Public Key SPKI | [urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI](http://urnoasisnamestcSAML:2.0:ac:classes:SPKI) | + | Public Key XML Digital Signature | [urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig](http://urnoasisnamestcSAML:2.0:ac:classes:XMLDSig) | + | Smartcard | [urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard](http://urnoasisnamestcSAML:2.0:ac:classes:Smartcard) | + | Smartcard PKI | [urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI](http://urnoasisnamestcSAML:2.0:ac:classes:SmartcardPKI) | + | Software PKI | [urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI](http://urnoasisnamestcSAML:2.0:ac:classes:SoftwarePKI) | + | Telephony | [urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony](http://urnoasisnamestcSAML:2.0:ac:classes:Telephony) | + | Telephony (Nomadic) | [urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony](http://urnoasisnamestcSAML:2.0:ac:classes:NomadTelephony) | + | Telephony (Personalized) | [urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony](http://urnoasisnamestcSAML:2.0:ac:classes:PersonalTelephony) | + | Telephony (Authenticated) | [urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony](http://urnoasisnamestcSAML:2.0:ac:classes:AuthenticatedTelephony) | + | Secure Remote Password | [urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword](http://urnoasisnamestcSAML:2.0:ac:classes:SecureRemotePassword) | + | SSL/TLS Certificate­Based Client Authentication | [urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient](http://urnoasisnamestcSAML:2.0:ac:classes:TLSClient) | + | Time Sync Token | [urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken](http://urnoasisnamestcSAML:2.0:ac:classes:TimeSyncToken) | + | Unspecified | [urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified](http://urnoasisnamestcSAML:2.0:ac:classes:unspecified) | + + + +#### Metadata File Configuration + +!!! 
info "About Metadata upload"
+
+ When configuring a service provider (SP) or federated Identity Provider
+ (Federated IdP), the user is required to enter configuration data to
+ facilitate exchanging authentication and authorization data between
+ entities in a standard way. Apart from manual entering of configuration
+ data, the Identity Server 5.3.0 provides the facility to upload
+ configuration data using a metadata xml file or referring to metadata
+ xml file located in a predetermined URL. These two methods of uploading
+ configuration data enables faster entry of configuration data because it
+ allows the user to use the same metadata xml file for multiple instances
+ of entity configuration. In addition to SAML metadata upload, IS also
+ supports SAML metadata download for resident Identity providers using
+ Management Console and URL.
+
+1. Select **Metadata File Configuration**.
+ ![metadata-file-configuration](../../assets/img/tutorials/metadata-file-configuration.png)
+
+ The following screen appears:
+ ![upload-id-provider](../../assets/img/tutorials/upload-id-provider.png)
+
+2. Choose the correct IdP metadata file and click **Register**.
+
+ ??? 
note "Click here to view a sample Identity provider metadata configuration xml file" + + ``` java + + + + + + + -----BEGIN CERTIFICATE----- + MIIC+jCCAmOgAwIBAgIJAParOnPwEkKjMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYD + VQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzEWMBQG + A1UEChMNU29mdHdhcmUgVmlldzERMA8GA1UECxMIVHJhaW5pbmcxLDAqBgNVBAMT + I1NvZnR3YXJlIFZpZXcgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDcxMDA2 + MzMwM1oXDTI0MDMxODA2MzMwM1owdjELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dl + c3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xFjAUBgNVBAoTDVNvZnR3YXJlIFZpZXcx + ETAPBgNVBAsTCFRyYWluaW5nMRgwFgYDVQQDEw9NeSBUZXN0IFNlcnZpY2UwgZ8w + DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN6bi0llFz+R+93nLLK5BmnuF48tbODp + MBH7yGZ1/ESVUZoYm0GaPzg/ai3rX3r8BEr4TUrhhpKUKBpFxZvb2q+yREIeDEkD + bHJuyVdS6hvtfa89WMJtwc7gwYYkY8AoVJ94gU54GP2B6XyNpgDTXPd0d3aH/Zt6 + 69xGAVoe/0iPAgMBAAGjezB5MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNAwSamhuJSw + XG0SJnWdIVF1PkW9MB8GA1UdIwQYMBaAFNa3YmhDO7BOwbUqmYU1k/U6p/UUMCwG + CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkq + hkiG9w0BAQUFAAOBgQBwwC5H+U0a+ps4tDCicHQfC2SXRTgF7PlAu2rLfmJ7jyoD + X+lFEoWDUoE5qkTpMjsR1q/+2j9eTyi9xGj5sby4yFvmXf8jS5L6zMkkezSb6QAv + tSHcLfefKeidq6NDBJ8DhWHi/zvC9YbT0KkCToEgvCTBpRZgdSFxTJcUksqoFA== + -----END CERTIFICATE----- + + + + + + + + EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz + dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh + dGUgTWFuYWdlcjAeFw0wNzAzMDcyMjAxMTVaFw0xMDEyMDEyMjAxMTVaMDsxFDASBgNVBAoTC2V4 + YW1wbGUuY29tMSMwIQYDVQQDExpMb2FkQmFsYW5jZXItMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG + HREEETAPgQ1tYWxsYUBzdW4uY29tMA0GCSqGSIb3DQEBBAUAA0EAEgbmnOz2Rvpj9bludb9lEeVa + OA46zRiyt4BPlbgIaFyG6P7GWSddMi/14EimQjjDbr4ZfvlEdPJmimHExZY3KQ== + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + ``` + + +!!! 
tip "Configure ACL URL in a production environment"
+
+ The default assertion consumer URL that is sent with the SAML request
+ includes the local domain and default port. In a production environment,
+ you may need to change the assertion consumer URL. To do this, follow
+ the steps given below:
+
+ 1. Open the ` application-authentication.xm ` l file
+ found in the ` /repository/conf/identity `
+ folder.
+ 2. Add the following property and update the assertion consumer URL as
+ required.
+
+ ``` java
+
+ https://localhost:9443/commonauth
+
+ ```
+
+
+!!! note "Configuring hostname verification"
+
+ - In previous releases, SAML Single-Logout (SLO) requests for service
+ providers were initiated without hostname verification which can impose
+ a security risk. From IS 5.2.0 release onwards, certificate validation
+ has been enforced and hostname verification is enabled by default. If
+ you want to disable the hostname verification, open the ` /repository/conf/deployment.toml ` file
+ and add the following configuration.
+
+ ``` xml
+ [saml.slo]
+ host_name_verification: false
+ ```
+
+ - If the certificate is self-signed, import the service
+ provider's public key to the IS client trust store to ensure that the
+ SSL handshake in the SLO request is successful. For more information on
+ how to do this, see [Managing Keystores with the UI]() in
+ the WSO2 Product Administration Guide.
+
+
+!!! info "Related Topics"
+ - Identity Federation is part of the process of configuring an
+ identity provider. For more information on how to configure an
+ identity provider, see [Configuring an Identity
+ Provider.](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider)
+ - See [Configuring Shibboleth IdP as a Trusted Identity
+ Provider](../../tutorials/configuring-shibboleth-idp-as-a-trusted-identity-provider)
+ for a sample of using SAML2 Web SSO configuration. 
diff --git a/en/docs/tutorials/configuring-sms-otp.md b/en/docs/tutorials/configuring-sms-otp.md new file mode 100644 index 0000000000..7f8cadaf8f --- /dev/null +++ b/en/docs/tutorials/configuring-sms-otp.md 
@@ -0,0 +1,547 @@
+# Configuring SMS OTP
+
+The SMS provider is the entity that is used to send the SMS. WSO2 IS
+supports most of the SMS APIs. Some use the GET method with the client
+secret and API Key encoded in the URL, while some may use the POST
+method when sending the values in the headers, and the message and
+telephone number in the payload (e.g., Clickatell). Note that this could
+change significantly between different SMS providers. The configuration
+of the connector in the identity provider would also change based on
+this.
+
+This topic provides instructions on how to configure the SMS One Time
+Password (SMS OTP) connector and the WSO2 Identity Server (IS) using a
+sample application. This is configured so that SMS OTP is a second
+authentication factor for the sample application. See the following
+sections for more information.
+
+!!! tip
+
+ Before you begin!
+
+ - To ensure you get the full understanding of configuring SMS OTP with
+ WSO2 IS, the sample travelocity application is used in this use
+ case. Therefore, make sure to [download the
+ samples](../../using-wso2-identity-server/downloading-a-sample) before you begin.
+ - The samples run on the Apache Tomcat server and are written based on
+ Servlet 3.0. Therefore, download Tomcat 7.x from
+ [here](https://tomcat.apache.org/download-70.cgi) .
+ - Install Apache Maven to build the samples. For more information, see
+ [Installation
+ Prerequisites](../../setup/installation-prerequisites)
+ .
+
+
+### Deploying travelocity.com sample
+
+Deploy the sample travelocity app in order to use it in this scenario.
+
+To obtain and configure the single sign-on travelocity sample, follow
+the steps below.
+
+1. Add the following entry to the ` /etc/hosts `
+ file of your machine to configure the hostname.
+
+ !!! info "Why is this step needed?"
+
+ Some browsers do not allow creating cookies for a naked hostname,
+ such as ` localhost ` . Cookies are required
+ when working with SSO. 
Therefore, to ensure that the SSO
+ capabilities work as expected in this tutorial, you need to
+ configure the ` etc/host ` file as explained
+ in this step.
+
+ The ` etc/host ` file is a read-only file.
+ Therefore, you won't be able to edit it by opening the file via a
+ text editor. To avoid this, edit the file using the terminal
+ commands.
+ For example, use the following command if you are working on a
+ Mac/Linux environment.
+
+ ``` java
+ sudo nano /etc/hosts
+ ```
+
+ ``` bash
+ 127.0.0.1 wso2is.local
+ ```
+
+2. Open the ` travelocity.properties ` file found
+ in the
+ ` is-samples/modules/samples/sso/sso-agent-sample/src/main/resources `
+ directory of the samples folder you just checked out. Configure the
+ following property with the hostname (
+ ` wso2is.local ` ) that you configured above.
+
+ ``` text
+ #The URL of the SAML 2.0 Assertion Consumer
+ SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
+ ```
+
+3. In your terminal, navigate to
+ ` is-samples/modules/samples/sso/sso-agent-sample `
+ folder and build the sample using the following command. You must
+ have Apache Maven installed to do this
+
+ ``` java
+ mvn clean install
+ ```
+
+4. After successfully building the sample, a
+ ` .war ` file named **travelocity.com** can be
+ found inside the
+ ` is-samples/sso/sso-agent-sample/ `
+ ` target ` directory. Deploy this sample web
+ app on a web container. To do this, use the Apache Tomcat server.
+
+ !!! note
+
+ Since this sample is written based on Servlet 3.0 it needs to be
+ deployed on [Tomcat 7.x](https://tomcat.apache.org/download-70.cgi)
+ .
+
+
+ Use the following steps to deploy the web app in the web container:
+
+ 1. Stop the Apache Tomcat server if it is already running.
+ 2. Copy the
+ ` travelocity.com.war `
+ file to the ` /webapps `
+ directory.
+ 3. Start the Apache Tomcat server.
+
+!!! 
tip + + If you wish to change properties like the issuer ID, consumer URL, and + IdP URL, you can edit the **travelocity.properties** file found in the + ` travelocity.com/WEB-INF/classes ` directory. If the + service provider is configured in a tenant you can use the + ` QueryParams ` property to send the tenant domain. + For  example, ` QueryParams=tenantDomain=wso2.com ` . + + This sample uses the following default values. + + | Properties | Description | + |-------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| + | ` SAML2.SPEntityId=travelocity.com ` | A unique identifier for this SAML 2.0 Service Provider application. | + | ` SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp ` | The URL of the SAML 2.0 Assertion Consumer. | + | ` SAML2.IdPURL=https://localhost:9443/samlsso ` | The URL of the SAML 2.0 Identity Provider. | + + If you edit the + ` travelocity.properties ` file, + you must restart the Apache Tomcat server for the changes to take + effect. + + +Now the web application is successfully deployed on a web container. + +Once this is done, the next step is to configure the WSO2 Identity +Server by adding an [identity +provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider) +and a [service provider](../../using-wso2-identity-server/adding-and-configuring-a-service-provider). + +### Configuring the identity provider + +Now you have to configure WSO2 Identity Server by adding a new identity +provider. + +1. [Start WSO2 Identity Server + (IS)](../../setup/running-the-product#starting-the-server) + . +2. Download the certificate of the SMS provider by going to the SMS + providers website on your browser, and clicking the HTTPS trust icon + on the address bar. 
+ For example, navigate to + [https://www.nexmo.com](https://www.nexmo.com/) , and click the + padlock next to the URL on Chrome. +3. Navigate to the + ` /repository/resources/security ` + directory via the terminal and i mport the downloaded certificate + into the WSO2 IS client keystore. + + ``` java + keytool -importcert -file -keystore client-truststore.jks -alias "Nexmo" + ``` + +4. You are prompted to enter the keystore password. The default + ` client-truststore.jks ` password is + **` wso2carbon `**. + +5. Log into the [management + console](../../setup/getting-started-with-the-management-console) + as an administrator. + +6. In the **Identity** section under the **Main** tab of the management + console, click **Add** under **Identity Providers**. + +7. Give a suitable name (e.g., SMSOTP) as the **Identity Provider + Name**. + +8. Go to the **SMS OTP Configuration** under **Federated + Authenticators**. + +9. Select both check-boxes to **Enable SMSOTP Authenticator** and to + make it the **Default**. + +10. Enter the SMS URL, the HTTP Method used (e.g., GET or POST), and the + headers and payload if the API uses any. + + !!! info + - If the text message and the phone number are passed as + parameters in any field, include them as + ` $ctx.num ` and + ` $ctx.msg ` respectively. + + - Optionally, enter the HTTP response code the SMS service + provider sends when the API is successfully called. Nexmo API + and  Bulksms API sends 200 as the code, while Clickatell + and Plivo send 202. If this value is unknown, leave it blank and + the connector checks if the response is 200, 201 or 202. + + ??? Note "Click here to configure Nexmo as the service provider." + + Follow the steps given below if Nexmo is used as the SMS provider: + + 1. Go to and sign up. + 2. Once you successfully register, the API **key** and **secret** + are displayed. Copy and save them as you need them for the next + step. 
+ Example: + ![nexmo-config](../../assets/img/tutorials/nexmo-config.png) + 3. The Nexmo API requires the parameters to be encoded in the URL, + so the SMS URL would be as follows. + + + + + + + + + + +
SMS URL https://rest.nexmo.com/sms/json?api_key=&api_secret=&from=NEXMO&to=$ctx.num&text=$ctx.msg
HTTP Method POST
+ + ??? Note "Click here to configure Clickatell as the service provider." + + Follow the steps given below if Clickatell is used as the SMS + provider: + + 1. Go to and create + an account. + 2. The Auth token is provided when you register with Clickatell. + + 3. Clickatell uses a POST method with headers and the text message + and phone number are sent as the payload. So the fields would be + as follows. + + + + + + + + + + + + + + + + + + + +
SMS URL https://api.clickatell.com/rest/message
HTTP Method POST
HTTP Headers X-Version: 1,Authorization: bearer ,Accept: application/json,Content-Type: application/json
HTTP Payload {"text":" $ctx.msg ","to":[" $ctx.num "]}
+ + ??? Note "Click here to configure Plivo as the service provider." + + Follow the steps given below if Plivo is used as the SMS provider: + + 1. Sign up for a free [Plivo trial + account](https://manage.plivo.com/accounts/register/?utm_source=send%bulk%20sms&utm_medium=sms-docs&utm_campaign=internal) + . + 2. Phone numbers must be verified at the [Sandbox + Numbers](https://manage.plivo.com/sandbox-numbers/) page (add at + least two numbers and verify them). + + 3. The Plivo API is authenticated with Basic Auth using your + ` AUTH ID ` and + ` AUTH TOKEN ` , Your Plivo + ` AUTH ID ` and + ` AUTH TOKEN ` can be found when + you log in to your + [dashboard.](https://manage.plivo.com/dashboard/) + 4. Plivo uses a POST method with headers, and the text message and + phone number are sent as the payload. So the fields would be as + follows. + + + + + + + + + + + + + + + + + + + +
SMS URL https://api.plivo.com/v1/Account/{auth_id}/Message/
HTTP Method POST
HTTP Headers Authorization: Basic ********,Content-Type: application/json
HTTP Payload {"src":"+94*********","dst":"$ctx.num","text":"$ctx.msg"}
+ + ??? Note "Click here to configure Bulksms as the service provider." + + Follow the steps given below if Bulksms is used as the SMS provider: + + 1. Go to and create an account. + 2. While registering the account, verify your mobile number and + click **Claim** to get free credit. + ![mobile-number-claim](../../assets/img/tutorials/mobile-number-claim.png) + + Bulksms API authentication is performed by providing the + username and password request parameters. + + 3. Bulksms uses the POST method and the required parameters are to + be encoded in the URL. So the fields would be as follows. + + + + + + + + + + + + + + + +
SMS URL https://bulksms.vsms.net/eapi/submission/send_sms/2/2.0?username=&password=&message=$ctx.msg&msisdn=$ctx.num
HTTP Method POST
HTTP Headers Content-Type: application/x-www-form-urlencoded
+ + ??? Note "Click here to configure Twilio as the service provider." + + Follow the steps given below if Twilio is used as the SMS provider: + + 1. Go to and create an account. + 2. While registering the account, verify your mobile number and + click on console home to get + free credit (Account SID and Auth Token). + + 3. Twilio uses the POST method with headers, and the text message + and phone number are sent as the payload. The fields would be as + follows. + + + + + + + + + + + + + + + + + + + +
SMS URL https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json
HTTP Method POST
HTTP Headers Authorization: Basic base64{AccountSID:AuthToken}
HTTP Payload Body=$ctx.msg&To=$ctx.num&From=urlencode{FROM_NUM}
+
+11. Click **Register** .
+
+### Configuring the service provider
+
+The next step is to configure the service provider.
+
+1. Return to the WSO2 IS management console.
+
+2. In the **Identity** section under the **Main** tab, click **Add**
+ under **Service Providers**.
+
+3. Enter **travelocity.com** in the **Service Provider Name** text box,
+ and click **Register**.
+
+4. In the **Inbound Authentication Configuration** section, click
+ **Configure** under the **SAML2 Web SSO Configuration** section.
+
+ 1. Now set the configuration as follows:
+
+ 1. **Issuer** : ` travelocity.com `
+
+ 2. **Assertion Consumer URL** :
+ ` http://wso2is.local:8080/travelocity.com/home.jsp `
+ Click Yes, in the message that appears.
+
+ 2. Select the following check-boxes:
+ 1. **Enable Response Signing**
+
+ 2. **Enable Single Logout**
+
+ 3. **Enable Attribute Profile**
+
+ 4. **Include Attributes in the Response Always**
+
+
+ **![edit-service-provider](../../assets/img/tutorials/edit-service-provider.png)**
+
+5. Click **Update** to save the changes.
+ Now you are sent back to the Service Providers page.
+
+6. Go to **Claim configuration** and select the
+ **` http://wso2.org/claims/mobile `** claim for
+ the **Subject Claim URI**.
+
+ ![subject-claim-uri](../../assets/img/tutorials/subject-claim-uri.png)
+
+7. Go to **Local and Outbound Authentication Configuration** section.
+
+ 1. Select the **Advanced configuration** radio button option.
+
+ 2. Creating the first authentication step:
+
+ 1. Click **Add Authentication Step**.
+
+ 2. Click **Add Authenticator** that is under **Local
+ Authenticators** of Step 1 to add the basic authentication
+ as the first step.
+ Adding basic authentication as a first step ensures that the
+ first step of authentication will be done using the user's
+ credentials that are configured with the WSO2 Identity
+ Server
+
+ 3. Creating the second authentication step:
+
+ 1. Click **Add Authentication Step**.
+
+ 2. 
Click **Add Authenticator** that is under **Federated
+ Authenticators** of Step 2 to add the SMSOTP identity
+ provider you created as the second step.
+ SMSOTP is a second step that adds another layer of
+ authentication and security.
+
+ ![creating-the-second-authentication](../../assets/img/tutorials/creating-the-second-authentication.jpeg)
+
+8. Click **Update** to save the changes.
+
+You have now added and configured the service provider.
+
+### Updating the mobile number of the user
+
+Follow the steps given below to update the mobile number of the users in
+WSO2 IS as this field is empty by default if you are [creating the user
+using the WSO2 IS management
+console](../../using-wso2-identity-server/configuring-users#adding-a-new-user-and-assigning-roles)
+..
+
+1. Select **List** that is under **Users** **and** **Roles**, and
+ click **Users** in the IS Management Console.
+2. Click **User Profile** of the user you want to edit and update the
+ mobile number.
+ The mobile number needs to be in the format given in the samples of
+ the SMS provider. For example, 94778888888.
+ If the format is wrong you would not get the text message with the
+ code to sign into WSO2 IS.
+
+ !!! note
+
+ Make sure the number is registered with an SMS provider in order to
+ send the SMS. For this tutorial, you can use the mobile number that
+ was used to register with the SMS provider.
+
+
+3. Enter the First Name for the user and click **Update**.
+
+### Configuring claims
+
+1. The SMS OTP extensions requires a claim to disable the SMS OTP. You
+ need to add this claim to WSO2 IS. Else, you run into errors.
+ 1. In the **Main** menu, click **Add** under **Claims**.
+ 2. Click **Add Local Claim**.
+ 3. Enter
+ ` http://wso2.org/claims/identity/smsotp_disabled `
+ as the value for **Claim Uri**.
+ 4. Add a **Display Name** and **Description**. For example,
+ Disable SMS OTP.
+ 5. Enter title as the **Mapped Attribute**.
+ 6. Enter 0 as the value for **Display Order**.
+ 7. 
Select **Supported by Default**. + 8. Click **Add**. + + ![configuring-claims](../../assets/img/tutorials/configuring-claims.png) + +2. Optionally , you can add a claim to allow users to use back up codes + when SMS OTP is disabled. + Adding the OTP backup codes claim: + 1. In the **Main** menu, click **Add** under **Claims**. + + 2. Click **Add Local Claim**. + + 3. Enter + ` http://wso2.org/claims/otpbackupcodes ` + as the value for **Claim Uri**. + + 4. Add a **Display Name** and **Description**. For example, Backup + Code. + + 5. Enter ` postalcode ` as the value for + **Mapped Attribute**. + + 6. Select **Supported by Default**. + + 7. Click **Add**. + + ![allow-to-use-back-up-codes](../../assets/img/tutorials/allow-to-use-back-up-codes.png) + +3. Now, click **List** under Users and Roles and click **Users.** + +4. **Click User Profile** next to admin or a preferred user and update + the backup codes so that the user can disable SMS OTP by selecting + **Disable SMS OTP** if required. + + !!! info + A backup code can have any number of digits, and you can define many + backup codes as comma separated values. + + ![define-backup-codes](../../assets/img/tutorials/define-backup-codes.png) + +### Testing the sample + +1. To test the sample, go to the following URL: + + + ![testing-travelocity](../../assets/img/tutorials/testing-travelocity.jpeg) + +2. Click the link to log in with SAML from WSO2 Identity Server. + +3. The basic authentication page will be visible. Use your WSO2 + Identity Server credentials to sign in. + ![basic-authentication-page](../../assets/img/tutorials/basic-authentication-page.jpeg) + +4. You will get a token to your mobile phone.Type the code to + authenticate, You will be taken to the home page of the + travelocity.com app. + + !!! 
note + + If you do not have access to your mobile phone, you can + use the [backup codes defined for the + user](#ConfiguringSMSOTP-backup) to authenticate the user and you + are taken to the home page of the travelocity.com application + + + ![authenticating-with-sms-otp](../../assets/img/tutorials/authenticating-with-sms-otp.jpeg) + ![travelocity-home-page](../../assets/img/tutorials/travelocity-home-page.jpeg)
diff --git a/en/docs/tutorials/configuring-the-Policy-Administration-Point.md b/en/docs/tutorials/configuring-the-policy-administration-point.md
similarity index 57%
rename from en/docs/tutorials/configuring-the-Policy-Administration-Point.md
rename to en/docs/tutorials/configuring-the-policy-administration-point.md
index 7c11144698..ca96824763 100644
--- a/en/docs/tutorials/configuring-the-Policy-Administration-Point.md
+++ b/en/docs/tutorials/configuring-the-policy-administration-point.md
@@ -1,15 +1,20 @@ # Configuring the Policy Administration Point +Entitlement management is a technology that grants, resolves, enforces, +revokes and administers fine-grained access privileges. The Entitlement Management +component of WSO2 Carbon facilitates the management and control of policies +defined in XACML. + The Policy Administration Point (PAP) is the system entity that creates a policy or policy set and manages them. WSO2 Identity Server can act as a PAP that provides comprehensive support on managing policies. A XACML policy has a clearly identifiable life cycle inside a PAP. -Following illustartion shows the life cycle of a policy within WSO2 +The following illustration shows the life cycle of a policy within WSO2 Identity Server. -![](attachments/103331168/103331169.png){width="700"} +![policy-life-cycle](../../assets/img/tutorials/policy-life-cycle.png) 1. We can create XACML policies using the provided editors. 2. Once we are satisfied with the policy we have written, we can 
@@ -23,22 +28,8 @@ Identity Server. 5. Then we can view the available policies in PDP and enable them as desired. -The following topics provide instructions on how to configure the PAP. - -- [Creating a XACML Policy](_Creating_a_XACML_Policy_) -- [Editing a XACML Policy](_Editing_a_XACML_Policy_) -- [Managing the Version of a XACML - Policy](_Managing_the_Version_of_a_XACML_Policy_) -- [Publishing a XACML Policy](_Publishing_a_XACML_Policy_) -- [Viewing the Status of a XACML - Policy](_Viewing_the_Status_of_a_XACML_Policy_) -- [Writing a XACML Policy using a Policy - Template](_Writing_a_XACML_Policy_using_a_Policy_Template_) - - - -- [Evaluating an XACML policy](_Evaluating_a_XACML_Policy_) +!!! info + For more information on XACML, see [Access Control and Entitlement + Management](../../getting-started/access-control-and-entitlement-management). -For more information on XACML, see [Access Control and Entitlement -Management](https://docs.wso2.com/display/IS540/Access+Control+and+Entitlement+Management) -. +The following topics provide instructions on how to configure the PAP.
\ No newline at end of file
diff --git a/en/docs/tutorials/configuring-the-Policy-Decision-Point.md b/en/docs/tutorials/configuring-the-policy-decision-point.md
similarity index 60%
rename from en/docs/tutorials/configuring-the-Policy-Decision-Point.md
rename to en/docs/tutorials/configuring-the-policy-decision-point.md
index 9fc0102b4a..8ac08fd224 100644
--- a/en/docs/tutorials/configuring-the-Policy-Decision-Point.md
+++ b/en/docs/tutorials/configuring-the-policy-decision-point.md
@@ -4,17 +4,12 @@ The Policy Decision Point (PDP) is the system entity that evaluates an applicable policy and returns an authorization decision. The following diagram shows the components in the PDP. For more details about PDP archtecture, [Read -this](https://docs.wso2.com/display/IS540/XACML+Architecture#XACMLArchitecture-XACMLenginearchitecture(PDP)) +this](../../getting-started/access-control-and-entitlement-management) . -![](attachments/103331252/103331253.png){width="900"} - - +![policy-decision-point](../../assets/img/tutorials/policy-decision-point.png) All PDP configurations have been exposed via this API as a Web service. The following topics provide instructions on how to configure the PDP, once the policy is published to PDP by the user. -- [Clearing a Cache](_Clearing_a_Cache_) -- [Enabling and Disabling a XACML - Policy](_Enabling_and_Disabling_a_XACML_Policy_)
diff --git a/en/docs/tutorials/configuring-Twitter.md b/en/docs/tutorials/configuring-twitter.md
similarity index 92%
rename from en/docs/tutorials/configuring-Twitter.md
rename to en/docs/tutorials/configuring-twitter.md
index da2899c694..7a7c4071ce 100644
--- a/en/docs/tutorials/configuring-Twitter.md
+++ b/en/docs/tutorials/configuring-twitter.md
@@ -13,7 +13,7 @@ authenticate users using their Twitter login credentials: Twitter](http://docs.inboundnow.com/guide/create-twitter-application/) . 2. Sign in to the WSO2 Identity Server [Management - Console](https://docs.wso2.com/display/IS530/Getting+Started+with+the+Management+Console) + Console](../../setup/getting-started-with-the-management-console) at ` https://:9443/carbon ` using your ` username ` and ` password ` . 
@@ -39,7 +39,7 @@ authenticate users using their Twitter login credentials: Identity Server via SAML, OpenID Connect, SCIM, or WS-Trust. For an example on how a resident identity provider is used to implement a security token service, see [Configuring WS-Trust Security Token - Service](https://docs.wso2.com/display/IS580/Configuring+WS-Trust+Security+Token+Service) + Service](../../tutorials/configuring-ws-trust-security-token-service) . The Resident identity provider configuration is a one-time configuration for a given tenant. It shows WSO2 Identity Server's metadata, e.g., endpoints. The resident identity provider
@@ -54,9 +54,10 @@ authenticate users using their Twitter login credentials: 2. Sign in as an admin user. 3. On the **Main** tab, click **Identity \> Identity Providers \> Resident** . - ![](attachments/103329675/112391524.png){width="200"} + ![main-tab-resident](../../assets/img/tutorials/main-tab-resident.png) + The Resident Identity Provider page appears. - ![](attachments/103329675/112391525.png){width="800"} + ![resident-identity-provider](../../assets/img/tutorials/resident-identity-provider.png) 4. Enter the required values as given below.
@@ -93,11 +94,11 @@ authenticate users using their Twitter login credentials: 5. You may configure inbound authentication by expanding the **Inbound Authentication Configuration** section. 1. To configure SAML2 configurations: - 1. Click **SAML2 Web SSO Configuration** . - ![](attachments/103329675/112391531.png){width="750"} + - Click **SAML2 Web SSO Configuration** . + ![saml2-web-sso-config](../../assets/img/tutorials/saml2-web-sso-config.png) The SAML2 Web SSO Configuration form appears. - ![](attachments/103329675/112391532.png){width="750"} - 2. Enter the required values and learn the fixed values as + ![saml2-web-sso-config](../../assets/img/tutorials/saml2-web-sso-config.png) + - Enter the required values and learn the fixed values as given below. | Field | Description | Sample/Fixed Value | 
@@ -112,7 +113,7 @@ authenticate users using their Twitter login credentials: 2. To configure OAuth2 or OIDC, click **OAuth2/OpenID Connect Configuration** . - ![](attachments/103329675/112391636.png){width="750"} + ![oauth2-openid-connect-config](../../assets/img/tutorials/oauth2-openid-connect-config.png) | Field | Description | Sample/Fixed Value | |----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| @@ -131,15 +132,14 @@ authenticate users using their Twitter login credentials: 3. To secure the WS-Trust endpoint with a security policy, click **Security Token Service Configuration** section. - ![](attachments/103329675/112391635.png){width="750"} + ![security-token-service-config](../../assets/img/tutorials/security-token-service-config.png) For more information on security token service (STS), see - [Configuring WS-Trust Security Token - Service](https://docs.wso2.com/display/IS580/Configuring+WS-Trust+Security+Token+Service) + [Configuring WS-Trust Security Token Service](../../tutorials/configuring-ws-trust-security-token-service). . 6. You may view the inbound provisioning configurations by clicking **Inbound Provisioning Configuration** section. - ![](attachments/103329675/112391638.png){width="750"} + ![inbound-provisioning-config](../../assets/img/tutorials/inbound-provisioning-config.png) | Field | Description | Sample Value | |-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------| 
@@ -155,21 +155,18 @@ authenticate users using their Twitter login credentials: 1. open the ` carbon.xml ` file in the ` /repository/conf ` directory and update the value of the - ` ` parameter. - - ``` xml - localhost + ` ` parameter. + ```xml + localhost ``` 2. Open the ` identity.xml ` file in the ` /repository/conf/identity ` directory and update the vaule of the ` ` parameter. - - ``` xml - https://localhost:9443/samlsso + ```xml + https://localhost:9443/samlsso ``` - To ensure the client application is communicating with the right identity provider, WSO2 Identity Server compares the destination value in the SAML request with the URL in the above
@@ -202,10 +199,10 @@ authenticate users using their Twitter login credentials: relevant service provider to configure WSO2 Identity Server as a trusted identity provider for your application. - ![](attachments/103329675/119115136.png){width="800"} + ![import-metadata-file](../../assets/img/tutorials/import-metadata-file.png) 4. Expand **Twitter Configuration** under **Federated Authenticators** - . ![](attachments/103331004/103331005.png){height="250"} + . ![twitter-config-federated-auth.png](../../assets/img/tutorials/twitter-config-federated-auth.png) Fill in the following fields details:
diff --git a/en/docs/tutorials/configuring-Yahoo.md b/en/docs/tutorials/configuring-yahoo.md
similarity index 87%
rename from en/docs/tutorials/configuring-Yahoo.md
rename to en/docs/tutorials/configuring-yahoo.md
index af3e6d3665..b5b609768e 100644
--- a/en/docs/tutorials/configuring-Yahoo.md
+++ b/en/docs/tutorials/configuring-yahoo.md
@@ -12,7 +12,7 @@ authenticate users using their Yahoo user accounts. account](https://developer.yahoo.com/oauth2/guide/openid_connect/getting_started.html#getting-started-setup=) . 2. Sign in to the WSO2 Identity Server [Management - Console](_Getting_Started_with_the_Management_Console_) at + Console](../../setup/getting-started-with-the-management-console) at ` https://:9443/carbon ` using your ` username ` and ` password ` .
@@ -21,12 +21,12 @@ authenticate users using their Yahoo user accounts. do the following. 1. Sign in. Enter your username and password to log on to the [Management - Console](https://docs.wso2.com/display/IS580/Getting+Started+with+the+Management+Console) + Console](../../setup/getting-started-with-the-management-console) . 2. Navigate to the **Main** menu to access the **Identity** menu. Click **Add** under **Identity Providers** . For more information, see [Adding and Configuring an Identity - Provider](https://docs.wso2.com/display/IS580/Adding+and+Configuring+an+Identity+Provider) + Provider](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider) . 3. Fill in the details in the **Basic Information** section.
@@ -35,7 +35,8 @@ authenticate users using their Yahoo user accounts. Yahoo. See [Getting Started](https://developer.yahoo.com/oauth2/guide/openid_connect/getting_started.html) section in Yahoo document. - ![](attachments/103330998/103330999.png) + ![yahoo-configuration](../../assets/img/tutorials/yahoo-configuration.png) + 3. Fill in the following fields where relevant. | Field | Description | Sample value | 
@@ -46,9 +47,9 @@ authenticate users using their Yahoo user accounts. | Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: ` https://(host-name):(port)/acs ` . | [https://localhost:9443/commonauth](https://www.google.com/url?q=https%3A%2F%2Flocalhost%3A9443%2Fcommonauth&sa=D&sntz=1&usg=AFQjCNG7dB10sZ-F07Du9Q5fT-mVDMfobg) | | Client Id | This is the username from the Yahoo application. | 1421263438188909 | -**Related Topics** +!!! info "Related Topics" -- Identity Federation is part of the process of configuring an - identity provider. For more information on how to configure an - identity provider, see [Configuring an Identity - Provider.](https://docs.wso2.com/display/IS510/Configuring+an+Identity+Provider) + - Identity Federation is part of the process of configuring an + identity provider. For more information on how to configure an + identity provider, see [Configuring an Identity + Provider.](../../using-wso2-identity-server/adding-and-configuring-an-identity-provider)
diff --git a/en/docs/tutorials/creating-a-XACML-Policy.md b/en/docs/tutorials/creating-a-xacml-policy.md
similarity index 56%
rename from en/docs/tutorials/creating-a-XACML-Policy.md
rename to en/docs/tutorials/creating-a-xacml-policy.md
index a46c10d64c..c3d906139e 100644
--- a/en/docs/tutorials/creating-a-XACML-Policy.md
+++ b/en/docs/tutorials/creating-a-xacml-policy.md
@@ -20,38 +20,28 @@ an XACML Policy. !!! note - To get more details on available XACML templates. [Read - me](https://docs.wso2.com/display/IS540/Writing+a+XACML+Policy+using+a+Policy+Template) - . + To get more details on available XACML templates, [Read + me](../../tutorials/writing-a-xacml-policy-using-a-policy-template). - -- A set of UI editors to create an XACML policy using UI +- A set of UI editors to create a XACML policy using UI configurations. -The below steps explain how you can create an XACML policy using the +The below steps explain how you can create a XACML policy using the management console of WSO2 Identity Server. 1. Sign in. Log in to the [Management - Console](https://docs.wso2.com/display/IS540/Getting+Started+with+the+Management+Console) + Console](../../setup/getting-started-with-the-management-console) using your username and password. 2. Navigate to the **Main** menu to access the **Entitlement** menu. - Click **Policy Administration** under **PAP** . -3. Click **Add New Entitlement Policy** . - ![](attachments/103331171/103331194.png){width="750"} + Click **Policy Administration** under **PAP**. +3. Click **Add New Entitlement Policy**. + ![new-entitlement-policy](../../assets/img/tutorials/new-entitlement-policy.png) The **Add New Policy** page appears which gives the 6 ways of writing an -XACML 3.0 policy. You can select one out of six methods to create the -policy using UI according to your preference as follows. - -- [Simple Policy Editor](#CreatingaXACMLPolicy-SimplePolicyEditor) -- [Basic Policy Editor](#CreatingaXACMLPolicy-BasicPolicyEditor) -- [Standard Policy Editor](#CreatingaXACMLPolicy-StandardPolicyEditor) -- [Policy Set Editor](#CreatingaXACMLPolicy-PolicySetEditor) -- [Import Existing Policy](#CreatingaXACMLPolicy-ImportExistingPolicy) -- [Write Policy in XML](#CreatingaXACMLPolicy-WritePolicyinXML) +XACML 3.0 policy. 
You can select one out of the six methods mentioned below to create the +policy using UI according to your preference. - -![](attachments/103331171/103331175.png){width="750"} +![add-new-policy](../../assets/img/tutorials/add-new-policy.png) #### **Simple Policy Editor** 
@@ -62,73 +52,70 @@ policy using UI according to your preference as follows. control rules. -![](attachments/103331171/103331173.png){width="750"} +![create-xacml-policy](../../assets/img/tutorials/create-xacml-policy.png) This editor is based on four categories which we are mostly talking about access control rules. i.e User, Resource, Action, and Environment where **User** is the person who is going to access the resource, **Resource** is an entity that we are trying to protect with access -control rules, **Action** is, what user is going to perform on Resource +control rules, **Action** is what user is going to perform on Resource and **Environment** is the time, domain or any other factors that could cause to control the user’s access. -In the Simple Editor, you can see the following, - -**Entitlement Policy Name** : Name of the policy. - -**Entitlement Policy Description:** A description of the policy. - -**This policy is based on** : Define **based on** what entity, that you -are going to write this policy. - -!!! note - - Note - - If you are writing policy based on web service. You can select - “Resource” category and continue. Or less, if you are writing policy - based on email domain of users. You can select “Subject” category and - select the “Email” attribute Id and then define the email. - - -**You can define multiple permit rules:** As an example, “Only users in -admin role can do GET” This rule can be defined as follows. You need to -select “Role” attribute id for “User” and fill the text box with the -role name (admin) and then fill the text box of near “Action” with -action name (GET) - -**Deny rule** **is automatically created as the final rule** . Permitted -rules are **evaluated from top to blow** . - -!!! 
note - - Important - - - If you want to define value as java regexp expression, you need to - embedded value in the **curly brackets “{ }”** - - Ex : ***{ ^(\[a-zA-Z0-9\_.-\])+@ [wso2.com](http://wso2.com/) }*** - - - If you want to define multiple values as OR or AND value sets. you - can separate those multiple values with **“\|” or “&”** separates - - Ex : ***read \| write \| delete*** - - Ex : ***ReadRole & WriteRole*** - - - If you want to define value as a greater or lesser than value. you - can use **“\<” or “\>” ( We do not support "\>=" or "\<=")** - - Ex  : ***\< 34*** - - - If you want to define two values that are in a range, you can use - square brackets **“\[ \]”** and round brackets **“(  )”** . And two - values are coma **“, “** separated. - - Ex: ***\[09:00:00+05:00, 16:00:00+05:00\]** time between 09.00am and - 04.00 pm* - - Ex: ***(18, 30\]*** *greater than 18 and less than or equal to 30* +!!! info + In the Simple Editor, you can see the following, + + **Entitlement Policy Name** : Name of the policy. + + **Entitlement Policy Description:** A description of the policy. + + **This policy is based on** : Define **based on** what entity, that you + are going to write this policy. + + !!! Note + + If you are writing policy based on web service. You can select + “Resource” category and continue. Or less, if you are writing policy + based on email domain of users. You can select “Subject” category and + select the “Email” attribute Id and then define the email. + + + **You can define multiple permit rules:** As an example, “Only users in + admin role can do GET” This rule can be defined as follows. You need to + select “Role” attribute id for “User” and fill the text box with the + role name (admin) and then fill the text box of near “Action” with + action name (GET) + + **Deny rule** **is automatically created as the final rule**. Permitted + rules are **evaluated from top to bottom**. + + !!! 
Note + + - If you want to define value as java regexp expression, you need to + embedded value in the **curly brackets “{ }”** + + Ex : ***{ ^(\[a-zA-Z0-9\_.-\])+@ [wso2.com](http://wso2.com/) }*** + + - If you want to define multiple values as OR or AND value sets. you + can separate those multiple values with **“\|” or “&”** separates + + Ex : ***read \| write \| delete*** + + Ex : ***ReadRole & WriteRole*** + + - If you want to define value as a greater or lesser than value. you + can use **“\<” or “\>” ( We do not support "\>=" or "\<=")** + + Ex  : ***\< 34*** + + - If you want to define two values that are in a range, you can use + square brackets **“\[ \]”** and round brackets **“(  )”**. And two + values are coma **“, “** separated. + + Ex: ***\[09:00:00+05:00, 16:00:00+05:00\]** time between 09.00am and + 04.00 pm* + + Ex: ***(18, 30\]*** *greater than 18 and less than or equal to 30* ##### A sample policy example: This policy is defined for accessing “foo” resource @@ -148,11 +135,11 @@ satisfied* You can build the above-mentioned policy example using Simple Policy Editor as shown below. Here, "foo" can be the main resource and the other resource “foo/wso2″ can be the child resource. If you have further -resources to evaluate you can add them as child resources by clicking on -![](attachments/103331171/103331174.png) the icon and create separate +resources to evaluate you can add them as child resources by clicking on the +![simple-policy-editor-child-resource](../../assets/img/tutorials/simple-policy-editor-child-resource.png) the icon and create separate rules. -![](attachments/103331171/103331197.png){width="1026"} +![sample-policy-editor](../../assets/img/tutorials/sample-policy-editor.png) #### Basic Policy Editor 
@@ -170,20 +157,23 @@ rules. value sources for the resource, subject and action attributes respectively. There are extension points that you can use to extend and bring more attribute values on to the policy editor UI. + +![xacml-basic-policy](../../assets/img/tutorials/xacml-basic-policy.png) -In the Basic Editor, you can see the following, +!!! Info + In the Basic Editor, you can see the following, -**Entitlement Policy Name** : Name of the policy. + **Entitlement Policy Name** : Name of the policy. -**Entitlement Policy Description:** A description of the policy. + **Entitlement Policy Description:** A description of the policy. -**The policy is going to be evaluated Only when following matched:** -*You can define; for what attribute values, this policy is going to be -applied (or picked). This is similar to defining the policy target -element.* + **The policy is going to be evaluated Only when following matched:** + *You can define; for what attribute values, this policy is going to be + applied (or picked). This is similar to defining the policy target + element.* -**Define Entitlement Rule(s):** You can define rules which you want to -evaluate after they are matched with above. + **Define Entitlement Rule(s):** You can define rules which you want to + evaluate after they are matched with above. ##### A sample policy requirement: 
@@ -206,80 +196,13 @@ Let's implement this sample policy using Basic Policy Editor, **Step1:** Define a name for the policy. -[![1](https://i1.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/1.png?resize=780%2C215){.aligncenter -.wp-image-429 .size-large .image-left width="778" -height="214"}](https://i1.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/1.png) - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![edit-xacml-policy](../../assets/img/tutorials/edit-xacml-policy.png) **Step 2:** This is similar to defining the policy target element. -Configure it such as ***“policy is applied for resource attribute value -/patient//\*  with reg-ex match”*** . - -[![2](https://i1.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/2.png?resize=780%2C362){.aligncenter -.wp-image-430 .size-large .image-left width="778" -height="361"}](https://i1.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/2.png) - -** -** - -** -** - -** -** +Configure it such as **“policy is applied for resource attribute value +/patient//\*  with reg-ex match”**. -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![basic-policy-resource-names](../../assets/img/tutorials/basic-policy-resource-names.png) **Step 3:** Define the 1st rule. The rule is “Users can only access patient records from 09.00pm to 04.00pm”. It means that if the user 
@@ -291,154 +214,22 @@ from the environment.  Select functions as “is not” and  “greater than and less than”. Write the time with GMT offset value.  After defining you can add this rule to the policy. -[![3](https://i0.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/3.png?resize=780%2C386){.aligncenter -.wp-image-431 .size-large .image-left width="778" -height="386"}](https://i0.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/3.png) - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - - - - +![define-entitlement](../../assets/img/tutorials/define-entitlement.png) **Step 4:** Define the 2nd rule. Rule name must be given. Then select “Role” as user’s attribute. You can select your “MedAdminstrator” role name from user attribute source. So just click on the icon. -[![4](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/4.png?resize=780%2C370){.aligncenter -.wp-image-432 .size-large .image-left width="778" -height="369"}](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/4.png) - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![define-entitlement-rules](../../assets/img/tutorials/define-entitlement-rules.png) **Step 5:** You can do a search for attributes values. -[![5](https://i0.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/5.png?resize=780%2C184){.aligncenter -.wp-image-433 .size-large width="778" -height="183"}](https://i0.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/5.png) +![select-attribute-values](../../assets/img/tutorials/select-attribute-values.png) **Step 6:** Select only the “MediAdminstrator” role from the attribute source. 
-[![7](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/7.png?resize=780%2C392){.aligncenter -.wp-image-434 .size-large .image-left width="778" -height="390"}](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/7.png) - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![attribute-role](../../assets/img/tutorials/attribute-role.png) **Step 7:** You can see, the text box has been filled with the selected “MediAdminstrator” role name. Now let define actions. Here let us make 
@@ -446,165 +237,29 @@ the function name as “at-least-one”. Then this rule would be satisfied even when at least one action is going to perform.  Finally, let us add this rule in to the policy -[![8](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/8.png?resize=780%2C370){.aligncenter -.wp-image-435 .size-large .image-left width="778" -height="369"}](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/8.png) - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![action-name](../../assets/img/tutorials/action-name.png) **Step 8:** Let's define the 3rd rule. Which allows “MediStaff” roles to access the resource with action read and edit. You can follow same -***steps 4, 5, 6, 7.*** Then finally, add this rule into the policy. - -[![13](https://i1.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/13.png?resize=780%2C377){.aligncenter -.wp-image-436 .size-large .image-left width="778" -height="376"}](https://i1.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/13.png) - -** -** - -** -** - -** -** - -** -** - -** -** +**steps 4, 5, 6, 7**. Then finally, add this rule into the policy. -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![action-read-and-write](../../assets/img/tutorials/action-read-and-write.png) **Step 9:** Finally define the rule to deny all other access,  as follows: - -[![14](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/14.png?resize=780%2C408){.aligncenter -.wp-image-437 .size-large .image-left width="778" -height="407"}](https://i2.wp.com/xacmlinfo.org/wp-content/uploads/2013/09/14.png) - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** - -** -** +![deny-rule](../../assets/img/tutorials/deny-rule.png) **Step 10:** We have defined the target and rules.  Now it is time to define the rule-combining algorithm. 
Let select is as “first applicable”. Then rule effect of the 1st rule that is evaluated -properly,  would be the final result of the policy. +properly, would be the final result of the policy. You can click on “finish” and finish policy creation. #### Standard Policy Editor -- The standard policy editor is little similar to Basic Policy Editor. - But it is basically designed for creating XACML 3.0 policy rules. +- The standard policy editor is similar to Basic Policy Editor. + However, it is basically designed for creating XACML 3.0 policy rules. Because there are several improvements with Obligation in XACML 3.0 when compare to 2.0. In XACML 2.0, obligations can only be added to policies and policy sets. But with XACML 3.0, rules can also contain @@ -613,11 +268,10 @@ You can click on “finish” and finish policy creation. Standard Policy Editor. - As in Basic Policy Editor, there is a place to define the conditions - which make the rules evaluated as " **The policy is evaluated only - when** **following are matched** " and a place to define entitlement + which make the rules evaluated as **The policy is evaluated only + when following are matched** and a place to define entitlement rules. - ** - ** + - **Advice** is a newly introduced feature with XACML 3.0 which is similar to Obligations. But only different, when compared to Obligations, PEPs do not have to comply with advice statements. PEPs @@ -625,10 +279,9 @@ You can click on “finish” and finish policy creation. explain why something was denied. “User Bob is denied because he has not a valid email” -- Here the attribute " **Define Policy Obligation or Advice** " is not - mandatory. +- Here the attribute, **Define Policy Obligation or Advice** is optional. -![](attachments/103331171/103331172.png){width="750"} +![create-xacml-policy-in-standard-policy-editor](../../assets/img/tutorials/create-xacml-policy-in-standard-policy-editor.png) ##### A sample policy requirement: 
@@ -651,18 +304,11 @@ Since this editor is very similar to Basic Policy Editor we can use the same steps from **Step 1** to **Step 9** to configure the above requirement in Advance Policy Editor. -** -** - **Step 10** : In advance, if you want to see the details of the -obligation after the policy evaluated, you can by defining a policy +obligation after the policy is evaluated, you can define a policy obligation or advice as follows: -![](attachments/103331171/103331199.png){width="750" height="437"} - -** -** - +![define-a-policy-obligation](../../assets/img/tutorials/define-a-policy-obligation.png) **Step 11:** We have defined the target, rules, and obligation.  Now it is time to define the rule-combining algorithm. Let select is as “first applicable”. Then rule effect of the 1st rule that is evaluated @@ -675,7 +321,7 @@ You can click on “finish” and finish policy creation. When you want to create a set of policies to evaluate at one time, you can create a **Policy Set** . You can add policies as shown in the figure and Click "Finish" to create the policy set. -![](attachments/103331171/103331196.png){width="1026"} +![policy-set-editor](../../assets/img/tutorials/policy-set-editor.png) #### Import Existing Policy @@ -683,16 +329,16 @@ You can add a policy by using a policy XML file. - Write a policy in an XML file and upload it. -![](attachments/103331171/103331183.png){width="750"} +![import-existing-policy](../../assets/img/tutorials/import-existing-policy.png) Click **Choose File** and browse to the location of the policy in your local machine. #### Write Policy in XML -![](attachments/103331171/103331181.png){width="750"} !!! note +![write-policy-in-xml](../../assets/img/tutorials/write-policy-in-xml.png) - Note +!!!Note There are **Policy Combining Algorithms** which are used by *Policy Sets* and **Rule Combining Algorithms** which are used by *Policies* . 
@@ -700,21 +346,21 @@ local machine. algorithm and its Rule Combining algorithms as follows: - Standard combining algorithms defined in XACML 3.0: - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides - - urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable - - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable - - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides + - urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable + - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable + - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides + - 
urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny These algorithms are explained in detail as follows, @@ -743,32 +389,28 @@ local machine. response would be denied with all the applicable reasons for access being denied: - - - Policy Set (deny overrides): role==manager AND action==view AND + - Policy Set (deny overrides): role==manager AND action==view AND resourceType==resource - - Policy 1 (permit overrides) - - Rule 1: deny if resourceOwner != userId + Advice(“you + - Policy 1 (permit overrides) + - Rule 1: deny if resourceOwner != userId + Advice(“you are not the owner of the resource”) - - Rule 2: deny if rsourceDepartment != userDepartment+ + - Rule 2: deny if rsourceDepartment != userDepartment+ Advice(“you are not in the same department as the resource) - - Policy 2 - - Rule 1: permit - - + - Policy 2 + - Rule 1: permit - **First Applicable:** This combining algorithm combines decisions in such a way that the final decision returned is the first one produced either of Permit - or Deny. ** - ** + or Deny. + First applicable is useful to shortcut policy evaluation. For instance, if a policy set contains a long series of not applicable policies and one applicable policy which returns either of Permit or Deny, then if that policy comes first and does produce Permit or Deny, the PDP will stop there and not process the other siblings. - - ** - ** + - **Deny Unless Permit \| Permit Unless Deny:** 
@@ -776,9 +418,7 @@ local machine. NotApplicable, and Indeterminate. Sometimes, it is desirable to hide the NotApplicable and Indeterminate decisions to only allow for Permit or Deny. It makes the PEP logic potentially simpler. - - ** - ** + - **Only One Applicable:** @@ -800,8 +440,7 @@ local machine. Click **Finish** / **Upload** depending on the option you chose to create your policy. -**Related Topics** - -To evaluate the policy you just created and see a sample request and -response to it, see [Evaluating a XACML -Policy](_Evaluating_a_XACML_Policy_) . +!!! Info "Related Topics" + To evaluate the policy you just created and see a sample request and + response to it, see [Evaluating a XACML + Policy](../../using-wso2-identity-server/evaluating-a-xacml-policy). diff --git a/en/docs/tutorials/delete-totp-authenticator.png b/en/docs/tutorials/delete-totp-authenticator.png deleted file mode 100644 index 64c7bd8ea9..0000000000 Binary files a/en/docs/tutorials/delete-totp-authenticator.png and /dev/null differ diff --git a/en/docs/tutorials/editing-a-XACML-Policy.md b/en/docs/tutorials/editing-a-xacml-policy.md similarity index 51% rename from en/docs/tutorials/editing-a-XACML-Policy.md rename to en/docs/tutorials/editing-a-xacml-policy.md index 9e05b36025..616d568c9f 100644 --- a/en/docs/tutorials/editing-a-XACML-Policy.md +++ b/en/docs/tutorials/editing-a-xacml-policy.md 
@@ -3,47 +3,48 @@ Follow the instructions below to edit a XACML policy. 1. Sign in. Enter your username and password to log on to the - [Management Console](_Getting_Started_with_the_Management_Console_) + [Management Console](../../setup/getting-started-with-the-management-console) . 2. Navigate to the **Main** menu to access the **Entitlement** menu. - Click **Policy Administration** under **PAP** . + Click **Policy Administration** under **PAP**. 3. Locate the policy you want to edit in the list of **Available - Entitlement Policies** , and click on the **Edit** link to access + Entitlement Policies**, and click on the **Edit** link to access the **Policy Editor** window. - ![](attachments/103331214/103331219.png){width="750"} + ![policy-editor](../../assets/img/tutorials/policy-editor.png) 4. On the **Policy Editor** window, you will get the created policy in XML format and you can edit the XML file according to your requirement. Finally, you can click **Save Policy** to save the changes you did to the policy. - ![](attachments/103331214/103331218.png){width="750"} + ![edit-xml-policy-editor](../../assets/img/tutorials/edit-xml-policy-editor.png) - Remember this when editing a policy created by Simple Policy Editor + !!! info + Remember this when editing a policy created by Simple Policy Editor - Note the following: + Note the following: - - Simple Policy Editor is specially designed for XACML 2.0. - - When you edit a policy created by a Simple Policy Editor, you - get the design view instead of the XML view as shown below. - - Also, the base condition that executes the policy cannot be - changed once it is created as highlighted below. - - You can edit other parameters of the policy and click **Finish** - to save the changes. + - Simple Policy Editor is specially designed for XACML 2.0. + - When you edit a policy created by a Simple Policy Editor, you + get the design view instead of the XML view as shown below. 
+ - Also, the base condition that executes the policy cannot be + changed once it is created as highlighted below. + - You can edit other parameters of the policy and click **Finish** + to save the changes. - ![](attachments/103331214/103331226.png){height="250"} + ![simple-policy-editor-edit-policy](../../assets/img/tutorials/simple-policy-editor-edit-policy.png) 5. Once you successfully edit the policy, you can publish it to the PDP by clicking **Publish To My PDP** in the **Available Entitlement Policies** window as shown below. - ![](attachments/103331214/103331217.png){width="750"} + ![publish-to-my-pdp](../../assets/img/tutorials/publish-to-my-pdp.png) 6. When the policy is published to PDP, it will display in **Policy View** under **PDP** . 7. If you want to delete an existing published policy, first go to the **Policy View** in **PDP** and delete it from the PDP by clicking **Delete** against that relevant published policy. - ![](attachments/103331214/103331228.png){width="750"} + ![delete-from-pdp](../../assets/img/tutorials/delete-from-pdp.png) 8. Click **Yes** to confirm the complete removal of policy from PDP. - ![](attachments/103331214/103331227.png){width="750"} + ![remove-policy-from-pdp](../../assets/img/tutorials/remove-policy-from-pdp.png) After deleting the policy permanently from PDP, you can follow the above steps again to edit the policy and publish it to PDP again. diff --git a/en/docs/tutorials/enable-saas-app.png b/en/docs/tutorials/enable-saas-app.png deleted file mode 100644 index c0b24b3c9a..0000000000 Binary files a/en/docs/tutorials/enable-saas-app.png and /dev/null differ diff --git a/en/docs/tutorials/enabling-and-Disabling-a-XACML-Policy.md b/en/docs/tutorials/enabling-and-disabling-a-xacml-policy.md similarity index 68% rename from en/docs/tutorials/enabling-and-Disabling-a-XACML-Policy.md rename to en/docs/tutorials/enabling-and-disabling-a-xacml-policy.md index fd159e3013..8fac2da4a6 100644 
--- a/en/docs/tutorials/enabling-and-Disabling-a-XACML-Policy.md +++ b/en/docs/tutorials/enabling-and-disabling-a-xacml-policy.md @@ -3,19 +3,18 @@ This topic provides instructions on how to enable or disable a XACML policy that has been published to the PDP. -See [Publishing a XACML Policy](_Publishing_a_XACML_Policy_) for +See [Publishing a XACML Policy](../../tutorials/publishing-a-xacml-policy) for information on how to enable or disable a policy before it is published to the PDP. Follow the instructions below to enable/disable a XACML policy. 1. Sign in. Enter your user name and password to log in to the - [Management Console](_Getting_Started_with_the_Management_Console_) - . + [Management Console](../../setup/getting-started-with-the-management-console). 2. Navigate to the **Main** menu to access the **Entitlement** menu. - Click **Policy View** under **PDP** . + Click **Policy View** under **PDP**. 3. Locate the policy you want to enable/disable in the list of policies published to PDP. Click on **Enable** to activate the policy and click on **Disable** to deactivate the policy. - ![](attachments/103331260/103331262.png) + ![enable-or-disable-policy](../../assets/img/tutorials/enable-or-disable-policy.png) diff --git a/en/docs/tutorials/identity-Federation.md b/en/docs/tutorials/identity-federation.md similarity index 67% rename from en/docs/tutorials/identity-Federation.md rename to en/docs/tutorials/identity-federation.md index ab395d4467..4716a2dbd7 100644 --- a/en/docs/tutorials/identity-Federation.md +++ b/en/docs/tutorials/identity-federation.md 
@@ -25,20 +25,7 @@ their session is terminated. The following topics discuss the various features that are key to using Identity Federation and Single-Sign-On (SSO). -- [Configuring Federated - Authentication](_Configuring_Federated_Authentication_) -- [Identity Federation with - WS-Trust](_Identity_Federation_with_WS-Trust_) -- [Configuring SAML2 Single-Sign-On Across Different WSO2 - Products](_Configuring_SAML2_Single-Sign-On_Across_Different_WSO2_Products_) -- [Client-side Support for SAML Artifact - Binding](_Client-side_Support_for_SAML_Artifact_Binding_) -- [eIDAS SAML Attribute Profile Support via WSO2 Identity - Server](_eIDAS_SAML_Attribute_Profile_Support_via_WSO2_Identity_Server_) - -**Related Topics** - -- See [Adding and Configuring an Identity - Provider](_Adding_and_Configuring_an_Identity_Provider_) for - instructions on how to configure an identity provider so that - identity federation is possible. +!!! info "Related Topics" + See [Adding and Configuring an Identity + Provider](using-wso2-identity-server/adding-and-configuring-an-identity-provider) for + instructions on how to configure an identity provider so that identity federation is possible. diff --git a/en/docs/tutorials/managing-the-Version-of-a-XACML-Policy.md b/en/docs/tutorials/managing-the-version-of-a-xacml-policy.md similarity index 76% rename from en/docs/tutorials/managing-the-Version-of-a-XACML-Policy.md rename to en/docs/tutorials/managing-the-version-of-a-xacml-policy.md index 361e3d5726..91bda44e3f 100644 --- a/en/docs/tutorials/managing-the-Version-of-a-XACML-Policy.md +++ b/en/docs/tutorials/managing-the-version-of-a-xacml-policy.md 
@@ -4,13 +4,13 @@ You can manage the version of a XACML policy using the instructions in this topic. 1. Sign in. Enter your user name and password to log on to the - [Management Console](_Getting_Started_with_the_Management_Console_) + [Management Console](../../setup/getting-started-with-the-management-console) . 2. Navigate to the **Main** menu to access the **Entitlement** menu. - Click **Policy Administration** under **PAP** . + Click **Policy Administration** under **PAP**. 3. Click **Versions** next to the policy you require. - ![](attachments/103331208/103331209.png){width="750"} The following - information is provided in the resulting screen. + ![managing-a-xacml-policy-version](../../assets/img/tutorials/managing-a-xacml-policy-version.png) + The following information is provided in the resulting screen. - **Entitlement Policy Id** - This is the name of the policy you created. diff --git a/en/docs/tutorials/publishing-a-XACML-Policy.md b/en/docs/tutorials/publishing-a-XACML-Policy.md deleted file mode 100644 index b36599f27a..0000000000 --- a/en/docs/tutorials/publishing-a-XACML-Policy.md +++ /dev/null 
@@ -1,234 +0,0 @@ -# Publishing a XACML Policy - -!!! tip - - Before you begin - - Before publishing a XACML policy to the Policy Decision Point (PDP), you - need to create the policy first. For more information on how to create a - XACML policy, see [Creating a XACML Policy](_Creating_a_XACML_Policy_) . - - -In order to use a XACML policy for authorization in WSO2 Identity -Server, you need to publish it to the Policy Decision Point (PDP) where -the authorization decision is made. The policy will not be enforced -unless it is published. - -At the point of publishing the policy, the policy in the Policy -Administration Point(PAP) policy store will sync up with PDP policy -store. The PDP will access one or more policies in the Policy -Administration Point(PAP), and other additional information such as -subject, resource, action and environmental resources in the Policy -Information Point(PIP) to make the decision. For more information about -this process, see [XACML system -architecture](Access-Control-and-Entitlement-Management_103329208.html#AccessControlandEntitlementManagement-XACMLsystemarchitecture) -. - -You can publish a XACML policy to PDP for runtime evaluation using the -instructions in this topic. - -1. Sign in. Enter your username and password to log on to the - [Management Console](_Getting_Started_with_the_Management_Console_) - . -2. Navigate to the **Main** menu to access the **Entitlement** menu. - Click **Policy Administration** under **PAP** . -3. The policies that you created are listed in the **Available - Entitlement Policies** table. - ![](attachments/103331202/103331207.png) -4. You can publish policies using one of the following options. - 1. Click **Publish to My PDP** next to the policy you wish to - publish - *This will publish the specific policy to PDP.* - 2. 
Select the specific policies you wish to publish using the - checkboxes available and click **Publish** - *This will allow us - to publish multiple* *policies at the same time to the PDP.* - 3. Click **Publish All** to publish all the available policies - - *This will publish all the policies available in the "Available - Entitlement Policy" to the PDP* - 4. The **Publish Policy** page appears. - - ![](attachments/103331202/103331203.png){width="750"} -5. Here you can do the following by selecting an option from each - section. - 1. **Select policy publishing action.** - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ActionDiscription
Add PolicyThe target action of the policy is "CREATE". This option works only for the initial policy publishing process. The policy is published to the PDP and can be viewed by navigating to PDP>Policy View.
Update PolicyThe target action of the policy is "UPDATE". This option updates an existing policy that has already been published to the PDP. The existing policy listed in the Policy View will be updated.
Order Policy

The target action of the policy is "ORDER". This option is used to put the existing published policies in order. The policies will be ordered in descending order in the Policy View .

-

This is not relevant for the initial policy publishing process.

Enable Policy
-

The target action of the policy is "ENABLE". This option enables the policy in the PDP.

-

This is not relevant for the initial policy publishing process.
-

-
Disable Policy
-

The target action of the policy is "DISABLE". This option disables the policy in the PDP.

-


-

-

This is not relevant for the initial policy publishing process.

-
Delete PolicyThe target action of the policy is "DELETE". This option deletes an existing published policy in the PDP. The relevant policy will be removed from the Policy View in the PDP.
- - 2. **Select policy Enable/Disable.** - - **Publish As Enabled Policy** - Allows you to enable the - policy to be published. This is available by default when - publishing to PDP. - - **Publish As Disabled Policy** - Allows you to disable the - policy to be published. - 3. **Select policy order.** - - **Use default policy order** - Sets the default order of a - policy as " **0** ". - - **Define policy order** - Allows you to set a policy order - according to your preference. - -6. Click **Publish** . -7. Once you publish, you can see published policies in the **Policy - View** in the **Entitlement** menu under **PDP** . -8. By clicking "Edit Order"(2), you can edit the order of the policy - and the order will be displayed in the policy view(1). - -![](attachments/103331202/103331204.png){height="250"} - -When you have multiple policies published, you can select a policy -combining algorithm from(3) and click "Update". - -When you have multiple ordered policies, the least order will evaluate -first and the policies will evaluate in the ascending order of the order -number(priority). When the priority is high, the order number is low. - - - -!!! note - - Note - - There are **Policy Combining Algorithms** which are used by *Policy - Sets* and **Rule Combining Algorithms** which are used by *Policies* . 
- Each of the algorithms mentioned below has its Policy Combining - algorithm and its Rule Combining algorithms as follows: - - - Standard combining algorithms defined in XACML 3.0: - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides - - urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable - - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable - - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit - - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit - - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny - - These algorithms are explained in detail as follows, - - - **Deny Overrides:** - This combining algorithm combines decisions in such a way that if - any decision is a Deny, then that decision wins. - Deny overrides is one of the safest combining algorithms since it - favors a Deny decision. However, if none of the children return a - Deny decision, then the combining algorithm will never produce a - Deny. - - - **Permit Overrides:** - This combining algorithm combines decisions in such a way that if - any decision is a Permit, then that decision wins. 
- - The permit overrides combining algorithm can be interesting when: - - At least one child must return a Permit for access to be granted overall - regardless of restrictions. - - One wants to return all the reasons why access is being denied. This is - what one could call a “greedy deny overrides”.Forinstanceifthe reason - for not being able to view a resource is that(a) you are not the owner - and (b) you are in the wrong department, then we could rework the - previous example as follows. When any of the deny reason triggers, the - response would be denied with all the applicable reasons for access - being denied: - - - - Policy Set (deny overrides): role==manager AND action==view AND - resourceType==resource - - Policy 1 (permit overrides) - - Rule 1: deny if resourceOwner != userId + Advice(“you - are not the owner of the resource”) - - Rule 2: deny if rsourceDepartment != userDepartment+ - Advice(“you are not in the same department as the - resource) - - Policy 2 - - Rule 1: permit - - - - - **First Applicable:** - This combining algorithm combines decisions in such a way that the - final decision returned is the first one produced either of Permit - or Deny. ** - ** - First applicable is useful to shortcut policy evaluation. For - instance, if a policy set contains a long series of not applicable - policies and one applicable policy which returns either of Permit or - Deny, then if that policy comes first and does produce Permit or - Deny, the PDP will stop there and not process the other siblings. - - ** - ** - - - **Deny Unless Permit \| Permit Unless Deny:** - - In XACML there are 4 possible decisions: Permit, Deny, - NotApplicable, and Indeterminate. Sometimes, it is desirable to hide - the NotApplicable and Indeterminate decisions to only allow for - Permit or Deny. It makes the PEP logic potentially simpler. - - ** - ** - - - **Only One Applicable:** - - This combining algorithm exists only for policy sets to combine policy - sets and policies. 
It cannot be used to combine rules. With this - combining algorithm, in order for either of a Permit or Deny to be - returned, then only one of the children must produce a valid decision – - whether Deny or Permit. - - - **Ordered Deny Overrides \| Ordered Permit Overrides:** - The ordered combining algorithms combine decisions in the same way - as their (unordered) cousins. In, addition they bring the guarantee - that policies, policy sets, and rules are considered in the order in - which they are defined. The need to define an ordered combining - algorithm stems from the fact the XACML specification does not - specify whether order matters in the deny-overrides and - permit-overrides combining algorithms. - diff --git a/en/docs/tutorials/publishing-a-xacml-policy.md b/en/docs/tutorials/publishing-a-xacml-policy.md new file mode 100644 index 0000000000..0f437b1c9a --- /dev/null +++ b/en/docs/tutorials/publishing-a-xacml-policy.md 
@@ -0,0 +1,225 @@ +# Publishing a XACML Policy + +!!! tip "Before you begin" + + Before publishing a XACML policy to the Policy Decision Point (PDP), you + need to create the policy first. For more information on how to create a + XACML policy, see [Creating a XACML Policy](../../tutorials/creating-a-xacml-policy). + + +In order to use a XACML policy for authorization in WSO2 Identity +Server, you need to publish it to the Policy Decision Point (PDP) where +the authorization decision is made. The policy will not be enforced +unless it is published. + +At the point of publishing the policy, the policy in the Policy +Administration Point(PAP) policy store will sync up with PDP policy +store. The PDP will access one or more policies in the Policy +Administration Point(PAP), and other additional information such as +subject, resource, action and environmental resources in the Policy +Information Point(PIP) to make the decision. For more information about +this process, see [XACML system +architecture](../../getting-started/access-control-and-entitlement-management#xacml-system-architecture). + +You can publish a XACML policy to PDP for runtime evaluation using the +instructions in this topic. + +1. Sign in. Enter your username and password to log on to the + [Management Console](../../setup/getting-started-with-the-management-console). +2. Navigate to the **Main** menu to access the **Entitlement** menu. + Click **Policy Administration** under **PAP**. +3. The policies that you created are listed in the **Available + Entitlement Policies** table. + ![available-entitlement-policies](../../assets/img/tutorials/available-entitlement-policies.png) +4. You can publish policies using one of the following options. + 1. Click **Publish to My PDP** next to the policy you wish to + publish - *This will publish the specific policy to PDP.* + 2. 
Select the specific policies you wish to publish using the + checkboxes available and click **Publish** - *This will allow us + to publish multiple policies at the same time to the PDP.* + 3. Click **Publish All** to publish all the available policies - + *This will publish all the policies available in the "Available + Entitlement Policy" to the PDP*. + 4. The **Publish Policy** page appears. + + ![publish-policy](../../assets/img/tutorials/publish-policy.png) + +5. Here you can do the following by selecting an option from each + section. + + a. **Select policy publishing action** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ActionDiscription
Add PolicyThe target action of the policy is "CREATE". This option works only for the initial policy publishing process. The policy is published to the PDP and can be viewed by navigating to PDP>Policy View.
Update PolicyThe target action of the policy is "UPDATE". This option updates an existing policy that has already been published to the PDP. The existing policy listed in the Policy View will be updated.
Order Policy

The target action of the policy is "ORDER". This option is used to put the existing published policies in order. The policies will be ordered in descending order in the Policy View .

+

This is not relevant for the initial policy publishing process.

Enable Policy
+

The target action of the policy is "ENABLE". This option enables the policy in the PDP.

+

This is not relevant for the initial policy publishing process.
+

+
Disable Policy
+

The target action of the policy is "DISABLE". This option disables the policy in the PDP.

+


+

+

This is not relevant for the initial policy publishing process.

+
Delete PolicyThe target action of the policy is "DELETE". This option deletes an existing published policy in the PDP. The relevant policy will be removed from the Policy View in the PDP.
+ + b. **Select policy Enable/Disable** + + - **Publish As Enabled Policy** - Allows you to enable the policy to be published. This is available by default when publishing to PDP. + + - **Publish As Disabled Policy** - Allows you to disable the policy to be published. + + c. **Select policy order** + + - **Use default policy order** - Sets the default order of a policy as **0**. + + - **Define policy order** - Allows you to set a policy order according to your preference. + +6. Click **Publish**. +7. Once you publish, you can see published policies in the **Policy + View** in the **Entitlement** menu under **PDP**. +8. By clicking "Edit Order"(2), you can edit the order of the policy + and the order will be displayed in the policy view(1). + +![edit-the-order-of-the-policy](../../assets/img/tutorials/edit-the-order-of-the-policy.png) + +When you have multiple policies published, you can select a policy +combining algorithm from(3) and click **Update**. + +When you have multiple ordered policies, the least order will evaluate +first and the policies will evaluate in the ascending order of the order +number(priority). When the priority is high, the order number is low. + + + +!!! note + + Note + + There are **Policy Combining Algorithms** which are used by *Policy + Sets* and **Rule Combining Algorithms** which are used by *Policies*. 
+ Each of the algorithms mentioned below has its Policy Combining + algorithm and its Rule Combining algorithms as follows: + + - Standard combining algorithms defined in XACML 3.0: + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides + - urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable + - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable + - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit + - urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit + - urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny + + These algorithms are explained in detail as follows, + + - **Deny Overrides:** + This combining algorithm combines decisions in such a way that if + any decision is a Deny, then that decision wins. + Deny overrides is one of the safest combining algorithms since it + favors a Deny decision. However, if none of the children return a + Deny decision, then the combining algorithm will never produce a + Deny. + + - **Permit Overrides:** + This combining algorithm combines decisions in such a way that if + any decision is a Permit, then that decision wins. 
+ + The permit overrides combining algorithm can be interesting when: + + At least one child must return a Permit for access to be granted overall + regardless of restrictions. + + One wants to return all the reasons why access is being denied. This is + what one could call a “greedy deny overrides”.Forinstanceifthe reason + for not being able to view a resource is that(a) you are not the owner + and (b) you are in the wrong department, then we could rework the + previous example as follows. When any of the deny reason triggers, the + response would be denied with all the applicable reasons for access + being denied: + + - Policy Set (deny overrides): role==manager AND action==view AND + resourceType==resource + - Policy 1 (permit overrides) + - Rule 1: deny if resourceOwner != userId + Advice(“you + are not the owner of the resource”) + - Rule 2: deny if rsourceDepartment != userDepartment+ + Advice(“you are not in the same department as the + resource) + - Policy 2 + - Rule 1: permit + + + - **First Applicable:** + This combining algorithm combines decisions in such a way that the + final decision returned is the first one produced either of Permit + or Deny. + + First applicable is useful to shortcut policy evaluation. For + instance, if a policy set contains a long series of not applicable + policies and one applicable policy which returns either of Permit or + Deny, then if that policy comes first and does produce Permit or + Deny, the PDP will stop there and not process the other siblings. + + - **Deny Unless Permit \| Permit Unless Deny:** + + In XACML there are 4 possible decisions: Permit, Deny, + NotApplicable, and Indeterminate. Sometimes, it is desirable to hide + the NotApplicable and Indeterminate decisions to only allow for + Permit or Deny. It makes the PEP logic potentially simpler. + + - **Only One Applicable:** + + This combining algorithm exists only for policy sets to combine policy + sets and policies. It cannot be used to combine rules. 
With this + combining algorithm, in order for either of a Permit or Deny to be + returned, then only one of the children must produce a valid decision – + whether Deny or Permit. + + - **Ordered Deny Overrides \| Ordered Permit Overrides:** + The ordered combining algorithms combine decisions in the same way + as their (unordered) cousins. In, addition they bring the guarantee + that policies, policy sets, and rules are considered in the order in + which they are defined. The need to define an ordered combining + algorithm stems from the fact the XACML specification does not + specify whether order matters in the deny-overrides and + permit-overrides combining algorithms. + diff --git a/en/docs/tutorials/single-sign-on.md b/en/docs/tutorials/single-sign-on.md deleted file mode 100644 index a128e30b59..0000000000 --- a/en/docs/tutorials/single-sign-on.md +++ /dev/null 
@@ -1,153 +0,0 @@ -# Single Sign-On - -Single sign-on (SSO) is one of the key features of WSO2 Identity Server -that enables users to provide their credentials once and obtain access -to multiple applications. The users are not prompted for their -credentials when accessing each application until their session is -terminated. Additionally, the user can access all these applications -without having to log into each and every one of them individually. So, -if users log into application A, for example, they would automatically -have access to application B as well for the duration of that session -without having to re-enter their credentials. - -WSO2 Identity Server can act as the identity provider of a single -sign-on system with minimal configurations. This topic briefly -introduces single-sign-on and how to configure the WSO2 Identity Server -with different inbound authenticators by [Configuring a Service -Provider](/using-wso2-identity-server/adding-and-configuring-a-service-provider) to achieve this. - -!!! Info - - **Note:** For a tutorial on how to configure single sign on with a - sample application, see [Configuring Single - Sign-On](/tutorials/configuring-single-sign-on) . - -### About SSO - -Single Sign-On which is known as SSO, is a property of access control -for independent software systems which are multiple related. With this -property, a user can access to a connected system or systems using one -user name and password without using a different user name or password. - -In a single sign-on system there are two roles; Service Providers and -Identity Providers (IP). The important characteristic of a single -sign-on system is the pre-defined trust relationship between the service -providers and the identity providers. Service providers trust the -assertions issued by identity providers which are essentially statements -reading the authentication, authorization, and attributes related to the -principal. 
Identity providers issue assertions based on the results of -authentication and authorization of principles which access services on -the service provider's side. - -The following are some of the advantages you can have with SSO: - -- Users need only a single username/password pair to access multiple - services. Thus they do not have the issue of remembering multiple - username/password pairs. -- Users are authenticated only once at the identity provider and then - they are automatically logged into all services within that - "trust-domain". This process is more convenient to users since they - do not have to provide their username/password at every service - provider. -- Service providers do not have the overhead of managing user - identities, which is more convenient for them. -- User identities are managed at a central point. This is more secure, - less complex and easily manageable. - -### SSO in reality - -Single Sign-On is widely used in web technologies. Google is one of the -best examples. - -Try this simple exercise, - -1. Visit [www.google.com](http://www.google.com/) from your web - browser. -2. Click on the **SIGN IN** button on the top right of the page. -3. Once you sign in, you are redirected to - . There you are requested - to enter your Username and Password. Enter your Google credentials - there. -4. Once you enter your Username and Password, you are directed back to - [www.google.com](http://www.google.com/) where you started. -5. Next visit [www.gmail.com](http://www.gmail.com/) , the Google mail - server. -6. Notice that you are automatically signed in and you directly access - your Gmail Inbox. You did not have to enter your Username and - Password at Gmail. -7. In addition to that; now try - [www.youtube.com](http://www.youtube.com/) . -8. You are automatically signed in. You do not have to enter your - username and password at YouTube. - - !!! tip - - Note the URL of the web browser. 
Each time you access an - application, you see that you are being redirected to - just before you return to - the website. - - -Single Sign-On (SSO) requires you to sign in only once but provides -access to multiple resources without having to re-enter your username -and password. - -### SSO and Federation - -You use SSO on it's own or use SSO and Federation coupled together. -Identity Federation involves configuring a third party identity provider -as the federated authenticator to login to an application. When -federation is coupled with SSO, the user can log in to one application -using the credentials of the federated authenticator, and simultaneously -be authenticated to other connected applications without having to -provide credentials again. - -For instance, you can set up google as a federated authenticator and -then set up SSO between App1 and App2.  This will allow users to log in -to App1 using their google credentials. Once the user is logged in, when -the user attempts to access App2, he/she will not be prompted for -credentails again and is logged in automatically. - -For more information on Identity Federation on it's own (without SSO), -see the [Identity -Federation](https://docs.wso2.com/display/IS530/Identity+Federation) -topic. - - -### Configuring SSO -The following topics discuss the various protocols that can be used to configure SSO: - - - [SAML 2.0 Web SSO](/tutorials/saml-2.0-web-sso) - - - [WS-Trust](/tutorials/ws-trust) - - - [WS-Federation](/tutorials/ws-federation) - - - [Integrated Windows - Authentication](/tutorials/integrated-windows-authentication) - - - [OAuth2-OpenID Connect](/tutorials/oauth-openid-connect) - -!!! warning "Removed Feature!" - - OpenID 2.0 has been removed from the base product in WSO2 Identity - Server version 5.3.0 onwards as it is now an obsolete specification and - has been superseded by OpenID Connect. Alternatively, we recommend that - you use [OpenID - Connect](/tutorials/oauth-openid-connect) - instead. 
- - -!!! Info "Related Topics" - - See [Configuring a Service - Provider](/tutorials/configuring-a-service-provider) for more - information on using single sign-on with a service provider. - - See [Configuring Single Sign-On](/tutorials/configuring-single-sign-on) for a - tutorial on how this works with a sample application. - - See [Single Sign-On for Native iOS Applications with WSO2 Identity - Server](/tutorials/single-sign-on-for-native-ios-applications-wit-wso2-identity-server) to configure SSO with native iOS applications. - - See [\[Tutorial\] SSO for Microsoft Sharepoint Web Applications with - WSO2 Identity - Server](http://wso2.com/library/tutorials/2015/05/tutorial-sso-for-microsoft-sharepoint-web-applications-with-wso2-identity-server/) - to configure single sign on for Microsoft Sharepoint web - applications with the WSO2 Identity Server. \ No newline at end of file diff --git a/en/docs/tutorials/validating-the-Scope-of-OAuth-Access-Tokens-using-XACML-Policies.md b/en/docs/tutorials/validating-the-scope-of-oauth-access-tokens-using-xacml-policies.md similarity index 72% rename from en/docs/tutorials/validating-the-Scope-of-OAuth-Access-Tokens-using-XACML-Policies.md rename to en/docs/tutorials/validating-the-scope-of-oauth-access-tokens-using-xacml-policies.md index 2d7186d611..9c8c8788c7 100644 --- a/en/docs/tutorials/validating-the-Scope-of-OAuth-Access-Tokens-using-XACML-Policies.md +++ b/en/docs/tutorials/validating-the-scope-of-oauth-access-tokens-using-xacml-policies.md 
@@ -9,43 +9,39 @@ validity of the access token in an OAuth access token validation flow, you can select the scope validator as XACML when you configure a service provider. This provides fine-grained access control to APIs. -The following sections of this tutorial walk you through the basic steps +The following sections walk you through the basic steps you need to follow to validate the scope of OAuth access tokens using XACML policies: -- [Configure the service - provider](#ValidatingtheScopeofOAuthAccessTokensusingXACMLPolicies-Configuretheserviceprovider) -- [Set up the - policy](#ValidatingtheScopeofOAuthAccessTokensusingXACMLPolicies-Setupthepolicy) -- [Try it - out](#ValidatingtheScopeofOAuthAccessTokensusingXACMLPolicies-Tryitout) - ### Configure the service provider Follow the steps below to configure a service provider in WSO2 Identity Server so that the authentication happens as expected. For more information on how the service provider fits into the WSO2 IS -architecture, see [Architecture](_Architecture_) . +architecture, see [Architecture](../../getting-started/architecture). 1. Start WSO2 Identity Server and access the Management Console via . -2. On the **Main** tab, navigate to **Service Providers** \> **Add** +2. On the **Main** tab, navigate to **Service Providers**\> **Add** under the **Identity** menu, and enter a name for the service provider. -3. Click **Register** . This adds a new service provider. +3. Click **Register**. This adds a new service provider. 4. Expand the **Inbound Authentication Configuration** section, then - expand the **OAuth2/OpenID Connect Configuration** , and then click - **Configure** . This displays the **Register New Application** + expand the **OAuth2/OpenID Connect Configuration**, and then click + **Configure**. This displays the **Register New Application** screen. 5. Specify required values for the fields. When you specify values, be sure to select **XACML Scope Validator** as the scope validator. 
- ![](attachments/103331267/103331268.png){width="650"} -6. Click **Add** . This registers the new application. -7. Click **Update** . This updates the service provider with details of + + ![xacml-scope-validator](../../assets/img/tutorials/xacml-scope-validator.png) + +6. Click **Add**. This registers the new application. + +7. Click **Update**. This updates the service provider with details of the OAuth/OpenID connect configurations that you specified. Now that you have configured the service provider, the next step is to @@ -61,14 +57,16 @@ template that is available by default with WSO2 IS: **PAP** \> **Policy Administration** under the **Entitlement** menu. For more information on Policy Administration Point (PAP), see [Configuring the Policy Administration - Point](_Configuring_the_Policy_Administration_Point_) . + Point](../../tutorials/configuring-the-policy-administration-point). + 2. Select the ` scope_based_token_validation_policy_template ` policy, and click **Edit** to view the selected policy in the policy editor. - XACML template policies provide a pre-configured template with place - holders to customize the policy depending on your requirement. + !!! info + XACML template policies provide a pre-configured template with place + holders to customize the policy depending on your requirement. 3. Edit the policy to customize it depending on your requirement. You can change the values of attributes and rules. @@ -80,13 +78,12 @@ template that is available by default with WSO2 IS: 5. Click the link **Publish to My PDP** corresponding to the new policy. 6. On the UI that appears, leave the default values as they are and - click **Publish** . + click **Publish**. !!! note For more information on Publishing a XACML policy, see - [here](https://docs.wso2.com/display/IS540/Publishing+a+XACML+Policy) - . + [here](../../tutorials/publishing-a-xacml-policy). To ensure that the policy has been published successfully, click on 
@@ -111,10 +108,12 @@ Follow the steps below to try out the policy using the XACML TryIt tool: XML format and try them using the web UI of the TryIt tool -1. On the Management Console, click **Tools** , and then click +1. On the Management Console, click **Tools**, and then click **TryIt** under the **XACML** section. -2. Click **Create Request Using Editor** . - ![](attachments/103331267/103331269.png){width="650"} + +2. Click **Create Request Using Editor**. + ![create-request-using-editor](../../assets/img/tutorials/create-request-using-editor.png) + 3. Specify the following as the sample request: ``` java @@ -137,19 +136,18 @@ Follow the steps below to try out the policy using the XACML TryIt tool: ``` -4. Click **Evaluate With PDP** . You will see a response message that +4. Click **Evaluate With PDP**. You will see a response message that says either ` Permit ` or ` Deny ` depending on whether the XACML scope is validated or not at the time of OAuth token validation. - -**Related Topics** +!!! Info "Related Topics" -For detailed instructions on how to add and configure a service -provider, see [Adding and Configuring a Service -Provider](_Adding_and_Configuring_a_Service_Provider_) . + For detailed instructions on how to add and configure a service + provider, see [Adding and Configuring a Service + Provider](../../using-wso2-identity-server/adding-and-configuring-a-service-provider). -For a tutorial on how to configure an access control policy for a -service provider, see [Configuring Access Control Policy for a Service -Provider](_Configuring_Access_Control_Policy_for_a_Service_Provider_) . + For a tutorial on how to configure an access control policy for a + service provider, see [Configuring Access Control Policy for a Service + Provider](../../tutorials/configuring-access-control-policy-for-a-service-provider). 
diff --git a/en/docs/tutorials/viewing-the-Status-of-a-XACML-Policy.md b/en/docs/tutorials/viewing-the-status-of-a-xacml-policy.md similarity index 82% rename from en/docs/tutorials/viewing-the-Status-of-a-XACML-Policy.md rename to en/docs/tutorials/viewing-the-status-of-a-xacml-policy.md index 24173267cc..ac7fde17e2 100644 --- a/en/docs/tutorials/viewing-the-Status-of-a-XACML-Policy.md +++ b/en/docs/tutorials/viewing-the-status-of-a-xacml-policy.md @@ -4,16 +4,15 @@ You can view the current status of an XACML policy using the instructions in this topic. 1. Sign in. Enter your username and password to log in to the - [Management Console](_Getting_Started_with_the_Management_Console_) - . + [Management Console](../../setup/getting-started-with-the-management-console). 2. Navigate to the **Main** menu to access the **Entitlement** menu. Click **Policy Administration** under **PAP** . 3. The policies that you created are listed in the **Available Entitlement Policies** table. Click **View Status** to check the current status of the policy you require. - ![](attachments/103331210/103331211.png){width="750"} + ![checking-the-status-policy](../../assets/img/tutorials/checking-the-status-policy.png) 4. The resulting page lists out the following information as follows. - ![](attachments/103331210/103331213.png?effects=border-simple,blur-border){width="750"} + ![status-policy-results](../../assets/img/tutorials/status-policy-results.png) The following are the status details of the policy: - **Time Stamp** - This is the timestamp of the action performed. - **Action** - The action performed by the user. 
@@ -25,12 +24,12 @@ instructions in this topic. !!! note - **Note** : The **Policy Status Type** lists out all the possible actions + The **Policy Status Type** lists out all the possible actions that can be performed by a user. This is available so that you can filter out the status details according to the action performed by the user. - ![](attachments/103331210/103331212.png?effects=border-simple,blur-border){height="250"} + ![policy-status-type](../../assets/img/tutorials/policy-status-type.png) Currently available policy status types: diff --git a/en/docs/tutorials/working-with-Entitlement.md b/en/docs/tutorials/working-with-Entitlement.md deleted file mode 100644 index 5623a3cdda..0000000000 --- a/en/docs/tutorials/working-with-Entitlement.md +++ /dev/null @@ -1,21 +0,0 @@ -# Working with Entitlement - -Entitlement management is a technology that grants, resolves, enforces, -revokes and administers fine-grained access privileges. The Entitlement -Management component of WSO2 Carbon facilitates the management and -control of policies defined in XACML. - -The key functions of this component are listed below. - -- [Configuring the Policy Administration - Point](_Configuring_the_Policy_Administration_Point_) -- [Configuring the Policy Decision - Point](_Configuring_the_Policy_Decision_Point_) -- [Configuring Access Control Policy for a Service - Provider](_Configuring_Access_Control_Policy_for_a_Service_Provider_) -- [Validating the Scope of OAuth Access Tokens using XACML - Policies](_Validating_the_Scope_of_OAuth_Access_Tokens_using_XACML_Policies_) - -For more general information on XACML and entitlement management, see -[Access Control and Entitlement -Management](_Access_Control_and_Entitlement_Management_) . diff --git a/en/docs/tutorials/writing-a-XACML-Policy-using-a-Policy-Template.md b/en/docs/tutorials/writing-a-XACML-Policy-using-a-Policy-Template.md deleted file mode 100644 index 87ee0ed63c..0000000000 
--- a/en/docs/tutorials/writing-a-XACML-Policy-using-a-Policy-Template.md
+++ /dev/null
@@ -1,50 +0,0 @@ -# Writing a XACML Policy using a Policy Template - -This section guides you through using and editing the XACML policy -templates available in WSO2 Identity Server to write your own policy. - -1. Start WSO2 Identity Server and log in to the management console. -2. Click on **Policy Administration** under the **Entitlement\>PAP** - section on the **Main** tab. - ![](attachments/103331229/103331230.png){width="900"} -3. You will see the following list of available policy templates. - - | Template Name | Description | - |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | [authn\_role\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=authn_role_based_policy_template) | This policy template provides the abilitity to authorize users to a given service provider (defined by the ` SP_NAME ` placeholder) in the authentication flow based on the roles of the user (defined by ` ROLE_1 ` and ` ROLE_2 ` placeholders). Users who have at least one of the given roles are permitted to log in and any others are denied. 
| - | [authn\_scope\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=authn_scope_based_policy_template) | This template policy provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the OAuth scope(s) ( ` SCOPE1, SCOPE2 ` ). Users who are authenticated with the given scopes are allowed and any other users are denied. | - | [authn\_time\_and\_role\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=authn_time_and_role_based_policy_template) | This policy template provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the roles of the user (defined by ` ROLE_1 ` and ` ROLE_2 ` ) **and** the time of the day (e.g., between 09:00:00 to 17:00:00). Users who have at least one of the given roles are permitted to login within the given time. Any other requests will be denied. | - | [authn\_time\_and\_scope\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=authn_time_and_scope_based_policy_template) | This template policy provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the oauth scope(s) ( ` SCOPE1 ` or ` SCOPE2 ` ) and the time of the day (e.g., between 09:00:00 to 17:00:00). Users who are logging in between the given time and who grant the given scopes are permitted to login and any other user will be denied. 
| - | [authn\_time\_and\_user\_claim\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=authn_time_and_user_claim_based_policy_template) | This template policy provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the claim values of the user ( ` CLAIM_URI_1=CLAIM_VALUE_1 ` and ` CLAIM_URI_2=CLAIM_VALUE_2 ` ) and the time of the day (e.g., between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range are permitted and any other users will be denied. | - | [authn\_time\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=authn_time_based_policy_template) | This template policy provides the ability to authorize users to a given service provider(defined by ` SP_NAME ` placeholder) in the authentication flow based on the login time. Any authentication attempt outside the specified time range (09:00:00 to 17:00:00) will be denied. | - | [provisioning\_role\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=provisioning_role_based_policy_template) | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider (defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the roles of the user ( ` ROLE_1, ROLE_2 ` ). Provisioning attempts to the users with given role(s) are permitted and all others will be denied. 
| - | [provisioning\_time\_and\_role\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=provisioning_time_and_role_based_policy_template) | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider (defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the roles of the user ( ` ROLE_1, ROLE_2 ` ) and time of the day (e.g., between 09:00:00 to 17:00:00). Provisioning attempts to the users with given role(s) between the given time are permitted and all others will be denied. | - | [provisioning\_time\_and\_user\_claim\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=provisioning_time_and_user_claim_based_policy_template) | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider(defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the claim values of the user ( ` CLAIM_URI_1=CLAIM_VALUE_1 ` and ` CLAIM_URI_2=CLAIM_VALUE_2 ` ) and time of the day (e.g., between 09:00:00 to 17:00:00). Provisioning attempts to the users with the given claim values between the given time are permitted and all others will be denied. | - | [provisioning\_time\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=provisioning_time_based_policy_template) | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider(defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the requested time. Any provisioning attempt outside the specified time range(09:00:00 to 17:00:00) will be denied. 
| - | [provisioning\_user\_claim\_based\_policy\_template](https://localhost:9443/carbon/entitlement/policy-view.jsp?policyid=provisioning_user_claim_based_policy_template) | This template policy provides ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider (defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the claim values of the user ( ` CLAIM_URI_1=CLAIM_VALUE_1 ` and ` CLAIM_URI_2=CLAIM_VALUE_2 ` ). Users with the given claim values are permitted and any other users will be denied. | - -4. Click the corresponding **Edit** button of the policy template that - you want to use. -5. Edit the **Policy ID** with a name relevant to your policy. -6. Edit the placeholders with the relevant values and click **Save - Policy** . - You can see the policy you just created on the policy list (the - original template policy will remain unchanged for later use). -7. Click on the **Publish to My PDP** link corresponding to the new - policy. - ![](attachments/103331229/103331231.png) -8. On the UI that appears, leave the default selected values as they - are and click **Publish** . - ![](attachments/103331229/103331232.png){height="250"} - - !!! note - - For more information on Publishing a XACML policy, click - [here](_Publishing_a_XACML_Policy_) . - - -9. Click on **Policy View** under the **Entitlement\>PDP** section on - the **Main** tab of the management console. -10. To ensure that the policy has been published successfully, check if - the policy is listed. - ![](attachments/103331229/103331233.png){width="606"} diff --git a/en/docs/tutorials/writing-a-xacml-policy-using-a-policy-template.md b/en/docs/tutorials/writing-a-xacml-policy-using-a-policy-template.md new file mode 100644 index 0000000000..fe39105c89 --- /dev/null +++ b/en/docs/tutorials/writing-a-xacml-policy-using-a-policy-template.md 
@@ -0,0 +1,50 @@ +# Writing a XACML Policy using a Policy Template + +This section guides you through using and editing the XACML policy +templates available in WSO2 Identity Server to write your own policy. + +1. Start WSO2 Identity Server and log in to the management console. +2. Click on **Policy Administration** under the **Entitlement\>PAP** + section on the **Main** tab. + ![](attachments/103331229/103331230.png){width="900"} +3. You will see the following list of available policy templates. + + | Template Name | Description | + |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | authn\_role\_based\_policy\_template | This policy template provides the abilitity to authorize users to a given service provider (defined by the ` SP_NAME ` placeholder) in the authentication flow based on the roles of the user (defined by ` ROLE_1 ` and ` ROLE_2 ` placeholders). Users who have at least one of the given roles are permitted to log in and any others are denied. 
| + | authn\_scope\_based\_policy\_template | This template policy provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the OAuth scope(s) ( ` SCOPE1, SCOPE2 ` ). Users who are authenticated with the given scopes are allowed and any other users are denied. | + | authn\_time\_and\_role\_based\_policy\_template | This policy template provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the roles of the user (defined by ` ROLE_1 ` and ` ROLE_2 ` ) **and** the time of the day (e.g., between 09:00:00 to 17:00:00). Users who have at least one of the given roles are permitted to login within the given time. Any other requests will be denied. | + | authn\_time\_and\_scope\_based\_policy\_template | This template policy provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the oauth scope(s) ( ` SCOPE1 ` or ` SCOPE2 ` ) and the time of the day (e.g., between 09:00:00 to 17:00:00). Users who are logging in between the given time and who grant the given scopes are permitted to login and any other user will be denied. | + | authn\_time\_and\_user\_claim\_based\_policy\_template | This template policy provides the ability to authorize users to a given service provider (defined by ` SP_NAME ` placeholder) in the authentication flow based on the claim values of the user ( ` CLAIM_URI_1=CLAIM_VALUE_1 ` and ` CLAIM_URI_2=CLAIM_VALUE_2 ` ) and the time of the day (e.g., between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range are permitted and any other users will be denied. 
| + | authn\_time\_based\_policy\_template | This template policy provides the ability to authorize users to a given service provider(defined by ` SP_NAME ` placeholder) in the authentication flow based on the login time. Any authentication attempt outside the specified time range (09:00:00 to 17:00:00) will be denied. | + | provisioning\_role\_based\_policy\_template | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider (defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the roles of the user ( ` ROLE_1, ROLE_2 ` ). Provisioning attempts to the users with given role(s) are permitted and all others will be denied. | + | provisioning\_time\_and\_role\_based\_policy\_template | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider (defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the roles of the user ( ` ROLE_1, ROLE_2 ` ) and time of the day (e.g., between 09:00:00 to 17:00:00). Provisioning attempts to the users with given role(s) between the given time are permitted and all others will be denied. | + | provisioning\_time\_and\_user\_claim\_based\_policy\_template | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider(defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the claim values of the user ( ` CLAIM_URI_1=CLAIM_VALUE_1 ` and ` CLAIM_URI_2=CLAIM_VALUE_2 ` ) and time of the day (e.g., between 09:00:00 to 17:00:00). Provisioning attempts to the users with the given claim values between the given time are permitted and all others will be denied. 
| + | provisioning\_time\_based\_policy\_template | This template policy provides the ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider(defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the requested time. Any provisioning attempt outside the specified time range(09:00:00 to 17:00:00) will be denied. | + | provisioning\_user\_claim\_based\_policy\_template | This template policy provides ability to authorize provisioning requests initiated from a given service provider (defined by ` SP_NAME ` placeholder) to a given identity provider (defined by ` IDP_NAME ` placeholder) in the outbound provisioning flow based on the claim values of the user ( ` CLAIM_URI_1=CLAIM_VALUE_1 ` and ` CLAIM_URI_2=CLAIM_VALUE_2 ` ). Users with the given claim values are permitted and any other users will be denied. | + +4. Click the corresponding **Edit** button of the policy template that + you want to use. +5. Edit the **Policy ID** with a name relevant to your policy. +6. Edit the placeholders with the relevant values and click **Save + Policy** . + You can see the policy you just created on the policy list (the + original template policy will remain unchanged for later use). +7. Click on the **Publish to My PDP** link corresponding to the new + policy. + ![publish-to-pdp](../../assets/img/tutorials/publish-to-pdp.png) +8. On the UI that appears, leave the default selected values as they + are and click **Publish** . + ![publishing-a-xacml-policy](../../assets/img/tutorials/publishing-a-xacml-policy.png) + + !!! note + + For more information on Publishing a XACML policy, click + [here](../../tutorials/publishing-a-xacml-policy) . + + +9. Click on **Policy View** under the **Entitlement\>PDP** section on + the **Main** tab of the management console. +10. To ensure that the policy has been published successfully, check if + the policy is listed. 
+ ![check-policy-list](../../assets/img/tutorials/check-policy-list.png) \ No newline at end of file diff --git a/en/docs/tutorials/wS-Federation.md b/en/docs/tutorials/ws-federation.md similarity index 78% rename from en/docs/tutorials/wS-Federation.md rename to en/docs/tutorials/ws-federation.md index d68e8978eb..5e4022297b 100644 --- a/en/docs/tutorials/wS-Federation.md +++ b/en/docs/tutorials/ws-federation.md @@ -8,8 +8,7 @@ Security Token Service (STS) by providing mechanisms that facilitate interactions. In the WS-Federation Model, an Identity Provider is a Security Token Service (STS). -**Related Topics** - -- See [Configuring WS-Federation Single - Sign-On](_Configuring_WS-Federation_Single_Sign-On_) via Identity +!!! info "Related Topics" + See [Configuring WS-Federation Single + Sign-On](../../tutorials/configuring-ws-federation-single-sign-on) via Identity Server to configure WS-Federation in WSO2 Identity Server diff --git a/en/docs/tutorials/wS-Trust.md b/en/docs/tutorials/ws-trust.md similarity index 91% rename from en/docs/tutorials/wS-Trust.md rename to en/docs/tutorials/ws-trust.md index 607945b746..ccfbaff4b7 100644 --- a/en/docs/tutorials/wS-Trust.md +++ b/en/docs/tutorials/ws-trust.md @@ -11,10 +11,8 @@ specifications. The WSDL of this service can be accessed by clicking the URL having the format: -` https://(hostname):(port)/services/wso2carbon-sts?wsdl ` -. For instance, with the default configuration, the URL is -` https://localhost:9443/services/wso2carbon-sts?wsdl ` -. +` https://(hostname):(port)/services/wso2carbon-sts?wsdl `. For instance, with the default configuration, the URL is +[https://localhost:9443/services/wso2carbon-sts?wsdl](https://localhost:9443/services/wso2carbon-sts?wsdl). Both SAML 1.1 and SAML 2.0 token types are supported by default. The issued token type is decided based on the type of token defined in the 
@@ -60,5 +58,5 @@ The following are the three methods of confirmation.
**Related Topics**
- See [Configuring WS-Trust Security Token
- Service](_Configuring_WS-Trust_Security_Token_Service_) to configure
+ Service](../../tutorials/configuring-ws-trust-security-token-service) to configure
WS-Trust in WSO2 Identity Server.
diff --git a/en/mkdocs.yml b/en/mkdocs.yml
index 46a5103e08..51fc492e1e 100644
--- a/en/mkdocs.yml
+++ b/en/mkdocs.yml
@@ -147,11 +147,11 @@ nav:
- 'Querying SAML Assertions': tutorials/querying-SAML-Assertions.md
- 'Configuring SAML 2.0 Artifact Binding': tutorials/configuring-SAML-2.0-Artifact-Binding.md
- 'WS-Trust':
- - 'WS-Trust': tutorials/wS-Trust.md
- - 'Configuring WS-Trust Security Token Service': configuring-WS-Trust-Security-Token-Service.md
+ - 'WS-Trust': tutorials/ws-trust.md
+ - 'Configuring WS-Trust Security Token Service': configuring-ws-trust-security-token-service.md
- 'WS-Federation':
- - 'WS-Federation': tutorials/wS-Federation.md
- - 'Configuring WS-Federation Single Sign-On': tutorials/configuring-WS-Federation-Single-Sign-On.md
+ - 'WS-Federation': tutorials/ws-federation.md
+ - 'Configuring WS-Federation Single Sign-On': tutorials/configuring-ws-federation-single-sign-on.md
- 'Integrated Windows Authentication':
- 'Integrated Windows Authentication': tutorials/integrated-Windows-Authentication.md
- 'Configuring IWA Single-Sign-On': tutorials/configuring-IWA-Single-Sign-On.md
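Review bot: The rewritten entry `- 'Configuring WS-Trust Security Token Service': configuring-ws-trust-security-token-service.md` is the only nav item in this hunk without the `tutorials/` directory prefix, while the ws-trust.md hunk just above links the same page as `../../tutorials/configuring-ws-trust-security-token-service`. The prefix was already missing on the removed line, but since the line is being rewritten anyway this is the moment to fix it: `- 'Configuring WS-Trust Security Token Service': tutorials/configuring-ws-trust-security-token-service.md`. If the page really lives at the docs root this can be ignored, but every sibling entry suggests otherwise.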
@@ -159,21 +159,21 @@ nav:
- 'OAuth2-OpenID Connect': tutorials/oAuth2-OpenID-Connect.md
- 'Configuring OAuth2-OpenID Connect Single-Sign-On': tutorials/configuring-OAuth2-OpenID-Connect-Single-Sign-On.md
- 'Identity Federation':
- - 'Identity Federation': tutorials/identity-Federation.md
+ - 'Identity Federation': tutorials/identity-federation.md
- 'Configuring Federated Authentication':
- - 'Configuring Federated Authentication': tutorials/configuring-Federated-Authentication.md
- - 'Configuring SAML 2.0 Web SSO': tutorials/configuring-SAML-2.0-Web-SSO.md
- - 'Configuring OAuth2-OpenID Connect': tutorials/configuring-OAuth2-OpenID-Connect.md
- - 'Configuring WS-Federation': tutorials/configuring-WS-Federation.md
- - 'Configuring Facebook': tutorials/configuring-Facebook.md
- - 'Configuring Yahoo': tutorials/configuring-Yahoo.md
- - 'Configuring Google': tutorials/configuring-Google.md
- - 'Configuring Microsoft Windows Live': tutorials/configuring-Microsoft-Windows-Live.md
- - 'Configuring IWA on Linux': tutorials/configuring-IWA-on-Linux.md
- - 'Configuring AD FS as a Federated Authenticator': tutorials/configuring-AD-FS-as-a-Federated-Authenticator.md
- - 'Configuring Twitter': tutorials/configuring-Twitter.md
- - 'Configuring SMS OTP': tutorials/configuring-SMS-OTP.md
- - 'Configuring Email OTP': tutorials/configuring-Email-OTP.md
+ - 'Configuring Federated Authentication': tutorials/configuring-federated-authentication.md
+ - 'Configuring SAML 2.0 Web SSO': tutorials/configuring-saml-2.0-web-sso.md
+ - 'Configuring OAuth2-OpenID Connect': tutorials/configuring-oauth2-openid-connect.md
+ - 'Configuring WS-Federation': tutorials/configuring-ws-federation.md
+ - 'Configuring Facebook': tutorials/configuring-facebook.md
+ - 'Configuring Yahoo': tutorials/configuring-yahoo.md
+ - 'Configuring Google': tutorials/configuring-google.md
+ - 'Configuring Microsoft Windows Live': tutorials/configuring-microsoft-windows-live.md
+ - 'Configuring IWA on Linux': tutorials/configuring-iwa-on-linux.md
+ - 'Configuring AD FS as a Federated Authenticator': tutorials/configuring-ad-fs-as-a-federated-authenticator.md
+ - 'Configuring Twitter': tutorials/configuring-twitter.md
+ - 'Configuring SMS OTP': tutorials/configuring-sms-otp.md
+ - 'Configuring Email OTP': tutorials/configuring-email-otp.md
- 'Identity Federation with WS-Trust':
- 'Identity Federation with WS-Trust': tutorials/wS-Trust.md
- 'Configuring STS for Obtaining Tokens with Holder-Of-Key Subject Confirmation': tutorials/configuring-STS-for-Obtaining-Tokens-with-Holder-Of-Key-Subject-Confirmation.md
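Review bot: The context line `- 'Identity Federation with WS-Trust': tutorials/wS-Trust.md` at the end of this hunk still points at the old mixed-case filename, although this same commit renames `en/docs/tutorials/wS-Trust.md` to `ws-trust.md` and updates the other nav entry for it to `tutorials/ws-trust.md`. Unless the site is only ever built on a case-insensitive filesystem, that nav entry now resolves to a missing page; it should read `- 'Identity Federation with WS-Trust': tutorials/ws-trust.md`. The same check is worth running over the rest of mkdocs.yml and the docs body for other references to paths this hunk lower-cases only in the nav.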
@@ -184,23 +184,22 @@ nav:
- 'Client-side Support for SAML Artifact Binding': tutorials/client-side-Support-for-SAML-Artifact-Binding.md
- 'eIDAS SAML Attribute Profile Support via WSO2 Identity Server': tutorials/eIDAS-SAML-Attribute-Profile-Support-via-WSO2-Identity-Server.md
- 'Access Control':
- - 'Access Control': tutorials/access-Control.md
+ - 'Access Control': tutorials/access-control.md
- 'Working with Entitlement':
- - 'Working with Entitlement': tutorials/working-with-Entitlement.md
- 'Configuring the Policy Administration Point':
- - 'Configuring the Policy Administration Point': tutorials/configuring-the-Policy-Administration-Point.md
- - 'Creating a XACML Policy': tutorials/creating-a-XACML-Policy.md
- - 'Editing a XACML Policy': tutorials/editing-a-XACML-Policy.md
- - 'Managing the Version of a XACML Policy': tutorials/managing-the-Version-of-a-XACML-Policy.md
- - 'Publishing a XACML Policy': tutorials/publishing-a-XACML-Policy.md
- - 'Viewing the Status of a XACML Policy': tutorials/viewing-the-Status-of-a-XACML-Policy.md
- - 'Writing a XACML Policy using a Policy Template': tutorials/writing-a-XACML-Policy-using-a-Policy-Template.md
+ - 'Configuring the Policy Administration Point': tutorials/configuring-the-policy-administration-point.md
+ - 'Creating a XACML Policy': tutorials/creating-a-xacml-policy.md
+ - 'Editing a XACML Policy': tutorials/editing-a-xacml-policy.md
+ - 'Managing the Version of a XACML Policy': tutorials/managing-the-version-of-a-xacml-policy.md
+ - 'Publishing a XACML Policy': tutorials/publishing-a-xacml-policy.md
+ - 'Viewing the Status of a XACML Policy': tutorials/viewing-the-status-of-a-xacml-policy.md
+ - 'Writing a XACML Policy using a Policy Template': tutorials/writing-a-xacml-policy-using-a-policy-template.md
- 'Configuring the Policy Decision Point':
- - 'Configuring the Policy Decision Point': tutorials/configuring-the-Policy-Decision-Point.md
- - 'Clearing a Cache': tutorials/clearing-a-Cache.md
- - 'Enabling and Disabling a XACML Policy': tutorials/enabling-and-Disabling-a-XACML-Policy.md
- - 'Configuring Access Control Policy for a Service Provider': tutorials/configuring-Access-Control-Policy-for-a-Service-Provider.md
- - 'Validating the Scope of OAuth Access Tokens using XACML Policies': tutorials/validating-the-Scope-of-OAuth-Access-Tokens-using-XACML-Policies.md
+ - 'Configuring the Policy Decision Point': tutorials/configuring-the-policy-decision-point.md
+ - 'Clearing a Cache': tutorials/clearing-a-cache.md
+ - 'Enabling and Disabling a XACML Policy': tutorials/enabling-and-disabling-a-xacml-policy.md
+ - 'Configuring Access Control Policy for a Service Provider': tutorials/configuring-access-control-policy-for-a-service-provider.md
+ - 'Validating the Scope of OAuth Access Tokens using XACML Policies': tutorials/validating-the-scope-of-oauth-access-tokens-using-xacml-policies.md
- 'Working with XACML':
- 'Working with XACML': tutorials/working-with-XACML.md
- 'Configuring WSO2 EI Entitlement Mediator with Identity Server': tutorials/configuring-WSO2-EI-Entitlement-Mediator-with-Identity-Server.md
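Review bot: The line `- 'Working with Entitlement': tutorials/working-with-Entitlement.md` is removed without a lower-cased replacement, so the 'Working with Entitlement' section keeps its sub-pages but loses its overview entry, whereas 'Access Control' just above is re-added as `tutorials/access-control.md`. If that page is deleted elsewhere in the commit the removal is correct; otherwise `- 'Working with Entitlement': tutorials/working-with-entitlement.md` should be added back, since the hunk's net -1 line count suggests the drop may be accidental rather than a deliberate restructuring.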