In WSO2 Stream Processor, user management is carried out through the Identity Provider Client (IdP Client) interface, which can be switched as required for the user scenario. Furthermore, a custom IdP Client can be written to encompass the required user store connection and authentication. The following IdP Clients are available in the Stream Processor:
- Local IdP Client
- External IdP Client
IdP clients can be switched by specifying the required IdP client in the auth.configs: section of the <SP_HOME>/conf/<PROFILE>/deployment.yaml file.
```yaml
auth.configs:
  # Type of the IdP Client used for the user authentication
  type: local
```
The local IdP Client is active by default in WSO2 SP. The available IdP Clients are described below.
Local IdP Client
The local IdP Client interacts with the file-based user store that is defined in the <SP_HOME>/conf/<PROFILE>/deployment.yaml file under the auth.configs namespace as follows:
```yaml
auth.configs:
  type: 'local'
  userManager:
    adminRole: admin
    userStore:
      users:
        - user:
            username: admin
            password: YWRtaW4=
            roles: 1
      roles:
        - role:
            id: 1
            displayName: admin
```
The above user and role are added by default.
Parameters
The parameters used in the above configuration are as follows:
Note: If new users/roles are added and the above default user and role are also needed, the following parameters must be added to the user store along with the added user/role.
Parameter | Default Value | Description |
---|---|---|
userManager > adminRole | admin | The name of the role that has administration privileges. |
userManager > userStore > users > user > username | admin | The username of the user. |
userManager > userStore > users > user > password | YWRtaW4= | The encrypted password of the user. |
userManager > userStore > users > user > roles | 1 | A comma separated list of the IDs of the roles assigned to the user. |
userManager > userStore > roles > role > id | 1 | The unique ID for the role. |
userManager > userStore > roles > role > displayName | admin | The name of the role. |
Furthermore, the local IdP Client functionality can be controlled via the properties defined in the <SP_HOME>/conf/<PROFILE>/deployment.yaml file under the auth.configs namespace as shown below.
```yaml
auth.configs:
  type: local
  properties:
    sessionTimeout: 3600
    refreshSessionTimeout: 86400
```
The following are the properties that can be configured for the local IdP Client:
Property | Default Value | Description |
---|---|---|
properties > sessionTimeout | 3600 | The number of seconds for which the session is valid once the user logs in. |
properties > refreshSessionTimeout | 86400 | The number of seconds for which the refresh token used to extend the session is valid. |
The complete default configuration of the local IdP Client is as follows:
```yaml
auth.configs:
  type: 'local'
  properties:
    sessionTimeout: 3600
    refreshSessionTimeout: 86400
  userManager:
    adminRole: admin
    userStore:
      users:
        - user:
            username: admin
            password: YWRtaW4=
            roles: 1
      roles:
        - role:
            id: 1
            displayName: admin
```
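Added example (not part of the WSO2 documentation): a Python audit of the local IdP Client configuration, covering both the user store parameters and the session properties described above. It assumes the auth.configs block has been loaded into a dict (for example with PyYAML's safe_load) and constructs a sample with a hypothetical second user and a dangling role reference to exercise the checks.

```python
import base64
import binascii

# Constructed sample: the 'local' auth.configs block as PyYAML's safe_load would
# return it, plus a hypothetical second user to exercise the checks.
LOCAL_AUTH_CONFIGS = {
    "type": "local",
    "properties": {"sessionTimeout": 3600, "refreshSessionTimeout": 86400},
    "userManager": {
        "adminRole": "admin",
        "userStore": {
            "users": [
                {"user": {"username": "admin", "password": "YWRtaW4=", "roles": 1}},
                {"user": {"username": "analyst", "password": "not-base64!", "roles": "1,7"}},
            ],
            "roles": [{"role": {"id": 1, "displayName": "admin"}}],
        },
    },
}


def audit_local_idp(cfg):
    """Return a list of findings for a local IdP Client auth.configs block."""
    if cfg.get("type") != "local":
        return ["type is not 'local'; these checks do not apply"]
    findings = []
    props = cfg.get("properties", {})
    # A refresh token that expires before the session it extends is misconfigured.
    if props.get("refreshSessionTimeout", 86400) < props.get("sessionTimeout", 3600):
        findings.append("refreshSessionTimeout is shorter than sessionTimeout")
    store = cfg["userManager"]["userStore"]
    role_ids = {r["role"]["id"] for r in store.get("roles", [])}
    role_names = {r["role"]["displayName"] for r in store.get("roles", [])}
    if cfg["userManager"]["adminRole"] not in role_names:
        findings.append("adminRole does not match any role displayName")
    for entry in store.get("users", []):
        user = entry["user"]
        name = user["username"]
        if user["password"] == "YWRtaW4=":  # base64 of "admin", the shipped default
            findings.append(f"{name}: still uses the shipped default password")
        try:
            base64.b64decode(user["password"], validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{name}: password is not valid base64")
        # 'roles' is a comma separated list of role IDs and may be a bare int in YAML.
        for rid in str(user["roles"]).split(","):
            if int(rid.strip()) not in role_ids:
                findings.append(f"{name}: references unknown role id {rid.strip()}")
    return findings
```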
External IdP Client
The external IdP Client authenticates users via an external identity provider using the OAuth2 and SCIM2 protocols. The user store is maintained by the external identity provider. WSO2 SP authenticates by requesting an access token from the identity provider using the password grant type.
Note: The identity provider with which WSO2 SP interacts to authenticate users must be started before the SP server.
The auth manager must be configured under the auth.configs namespace as shown below:
```yaml
auth.configs:
  type: external
  authManager:
    adminRole: admin
```
The parameters used in the above configuration are as follows:
Parameter | Default Value | Description |
---|---|---|
authManager > adminRole | admin | The name of the role that has administration privileges. |
Furthermore, the external IdP Client functionality can be controlled via the properties defined in the <SP_HOME>/conf/<PROFILE>/deployment.yaml file under the auth.configs namespace as shown below.
```yaml
auth.configs:
  type: external
  properties:
    kmDcrUrl: https://localhost:9443/identity/connect/register
    kmTokenUrl: https://localhost:9443/oauth2
    kmUsername: admin
    kmPassword: admin
    idpBaseUrl: https://localhost:9443/scim2
    idpUsername: admin
    idpPassword: admin
    portalAppContext: portal
    statusDashboardAppContext: monitoring
    businessRulesAppContext: business-rules
    databaseName: WSO2_OAUTH_APP_DB
    cacheTimeout: 900
    baseUrl: https://localhost:9643
    grantType: password
```
The following are the properties that can be configured for the external IdP Client:
Property | Default Value | Description |
---|---|---|
kmDcrUrl | https://localhost:9443/identity/connect/register | The Dynamic Client Registration (DCR) endpoint of the key manager in the IdP. |
dcrAppOwner | kmUsername | |
kmTokenUrl | https://localhost:9443/oauth2 | The token endpoint of the key manager in the IdP. |
kmUsername | admin | The username for the key manager in the IdP. |
kmPassword | admin | The password for the key manager in the IdP. |
idpBaseUrl | https://localhost:9443/scim2 | The SCIM2 endpoint of the IdP. |
idpUsername | admin | The username for the IdP. |
idpPassword | admin | The password for the IdP. |
portalAppContext | portal | The application context of the Dashboard Portal application in WSO2 SP. |
statusDashboardAppContext | monitoring | The application context of the Status Dashboard application in WSO2 SP. |
businessRulesAppContext | business-rules | The application context of the Business Rules application in WSO2 SP. |
databaseName | WSO2_OAUTH_APP_DB | The name of the wso2.datasource used to store the OAuth application credentials. |
cacheTimeout | 900 | The cache timeout for the validity period of the token in seconds. |
baseUrl | https://localhost:9643 | The base URL to which the token should be redirected after the code returned from the 'Authorization Code' grant type is used to get the token. |
grantType | password | The grant type used in the OAuth application token request. |
 | N/A | The client ID of the OAuth application. If no value is specified for this property, the DCR is called to register the application and persist the client ID in the data store. |
 | N/A | The client secret of the OAuth application. If no value is specified for this property, the DCR is called to register the application and persist the client secret in the data store. |
Writing a custom IdP Client
When writing a custom IdP client, the following two interfaces must be implemented:
- A factory OSGi service that initiates the custom IdP client using the properties from IdPClientConfiguration.
- IdPClient: An interface with functions to provide user authentication and retrieval to the other services.