
Is there any way to disable stateless mode in OpenID Provider?

With the current implementation of carbon.identity.provider-3.2.0 (carbon-3.2.3) there is no configuration option to disable stateless mode; by default both stateful and stateless modes are supported.

If this is a required feature, the OpenID provider code needs to be modified to throw an exception when the mode of the OpenID request is "check_authentication", which is the stateless verification phase.

This is being implemented as patch0388.
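The two OpenID 2.0 verification paths behind this answer, as an added example (not WSO2 code and not the patch itself): in stateful mode the relying party verifies the OP's signature locally with the MAC key of an existing association, while in stateless mode it sends the assertion back to the OP with openid.mode=check_authentication and trusts the is_valid reply. Rejecting check_authentication therefore leaves only the stateful path. The association handle, MAC key, return_to URL and OP endpoint below are constructed for the example; the claimed_id is the Directed Identity identifier mentioned later on this page.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed association: in stateful mode the RP and OP established this
# shared MAC key earlier via an openid.mode=associate exchange (not shown).
ASSOC_HANDLE = "assoc-example-1"                     # hypothetical handle
MAC_KEY = secrets.token_bytes(32)                    # HMAC-SHA256 association key
ASSOCIATIONS = {ASSOC_HANDLE: MAC_KEY}               # OP-side association store
OP_ENDPOINT = "https://localhost:9443/openid/"       # assumed OP endpoint URL
CLAIMED_ID = "https://localhost:9443/openid/admin"   # identifier used on this page


def kv_form(fields, signed):
    """Key-value form over the signed fields, in the order of openid.signed:
    one 'name:value' line per field (names carry no 'openid.' prefix)."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed).encode("utf-8")


def sign_fields(fields, signed, mac_key):
    """openid.sig = base64(HMAC-SHA256(mac_key, kv_form)), as the OP computes it."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_positive_assertion(mac_key):
    """OP side: a constructed id_res response signed under the association."""
    signed = ["op_endpoint", "return_to", "response_nonce",
              "assoc_handle", "claimed_id", "identity"]
    fields = {
        "op_endpoint": OP_ENDPOINT,
        "return_to": "https://rp.example/openid/return",   # hypothetical RP URL
        "response_nonce": "2013-08-21T19:52:59Z" + secrets.token_hex(4),
        "assoc_handle": ASSOC_HANDLE,
        "claimed_id": CLAIMED_ID,
        "identity": CLAIMED_ID,
    }
    response = {"openid.ns": "http://specs.openid.net/auth/2.0",
                "openid.mode": "id_res",
                "openid.signed": ",".join(signed),
                "openid.sig": sign_fields(fields, signed, mac_key)}
    response.update({"openid." + k: v for k, v in fields.items()})
    return response


def verify_stateful(response, mac_key):
    """RP side, stateful path: recompute the signature with the shared MAC key.
    No round trip to the OP is needed, so this keeps working when the OP
    refuses check_authentication."""
    signed = response["openid.signed"].split(",")
    fields = {name: response["openid." + name] for name in signed}
    return hmac.compare_digest(sign_fields(fields, signed, mac_key),
                               response["openid.sig"])


def op_handle(params, stateless_enabled):
    """OP side, direct-verification endpoint. With stateless mode disabled the
    check_authentication request is rejected by raising, which is the behaviour
    the answer above describes; otherwise the OP checks the signature against
    the association it stored under the handle."""
    if params.get("openid.mode") != "check_authentication":
        raise ValueError("unsupported mode for direct verification")
    if not stateless_enabled:
        raise ValueError("stateless mode is disabled: check_authentication rejected")
    key = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    valid = key is not None and verify_stateful(params, key)
    return {"ns": "http://specs.openid.net/auth/2.0",
            "is_valid": "true" if valid else "false"}


def verify_stateless(response, stateless_enabled):
    """RP side, stateless path: forward the assertion to the OP with
    mode=check_authentication and accept only an is_valid:true reply."""
    params = dict(response)
    params["openid.mode"] = "check_authentication"
    try:
        return op_handle(params, stateless_enabled).get("is_valid") == "true"
    except ValueError:
        return False
```

The OP never stores anything for the stateless path, which is why an RP that relies on it cannot be served once check_authentication is refused; an RP that negotiated an association continues to verify signatures itself.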

How do I implement SSO with OpenID?

Yes, WSO2 Identity Server provides a complete OpenID implementation. Please follow this blog post [1] to implement an OpenID based SSO system with the WSO2 Identity Server.

[1] http://sureshatt.blogspot.com/2012/03/openid-based-sso-with-wso2-identity.html

Can I use WSO2 IS as the OpenID Provider for Liferay ?

This blog post [1] provides a step-by-step guide on how to use WSO2 IS as the OpenID provider for Liferay.

[1] http://www.soasecurity.org/2010/07/wso2-identity-server-as-openid-provider.html

Does WSO2 Identity Server support Directed Identity in its OpenID implementation?

Yes, the WSO2 Identity Server OpenID implementation supports Directed Identity, and you do not need to do any configuration at the server end. If your hostname is localhost and the Identity Server is running on port 9443, then you have to use the identifier https://localhost:9443/openid/admin as the "openid.claimed_id" value to use Directed Identity with the WSO2 Identity Server.

Does the OpenID standard within wso2 stack allow for decentralized authentication?

The OpenID provider enables OpenID authentication with multi-factor support, backed by Information Cards and XMPP (eXtensible Messaging and Presence Protocol).

Does WSO2 IS support the OpenID standard to allow the registration of OpenID compliant identities for decentralized authentication?

WSO2 Identity Server can act as an OpenID provider. An OpenID provided by WSO2 Identity Server can be used to sign in and sign up for external services. WSO2 Identity Server also acts as an OpenID consumer: any OpenID can be used to sign in and sign up for the WSO2 Identity Server.

SAML and SSO Support
Do we support Enterprise Single Sign-On (E-SSO) to enable internal desktop users to seamlessly access heterogeneous applications (including web applications)?

This is not supported out of the box, but there are several extension points that can be implemented to support such capabilities.

Do WSO2 products provide single sign-on (SSO) and identity assertion features for services, applications, portals, etc. across the SDP?

WSO2 Identity Server supports the SAML and SAML 2.0 web browser single sign-on profile. With this feature, WSO2 Identity Server can act as the Identity Provider in single sign-on scenarios, while third-party service providers delegate user authentication to the Identity Server. This SSO feature is also supported across our entire product stack with the above security standards.

Does WSO2 Identity Server support SAML security token standard and a framework for exchanging security information?

WSO2 Identity Server supports SAML 1.0/1.1 and SAML 2.0. SAML tokens can be used to exchange security information in WS-Trust scenarios.

When dealing with Credential Mapping it is possible to map different credentials such as User name Token, X.509 tokens, SAML tokens, Kerberos tokens, etc.

WSO2 Identity Server supports a centralized, policy-based access control mechanism based on XACML. Authentication mechanisms such as username token, X.509, SAML, OAuth and Kerberos can easily be plugged into the XACML access control engine.

Where can I find a sample on SSO across web apps and web services?

Please find the document at [1].

[1] https://svn.wso2.com/wso2/svn/supsup/Documents/IS/4.0.0/Sample%20on%20Single%20Sign%20On%20across%20Web%20Applications%20and%20Web%20Services.pdf

What is the difference between SP-Initiated SSO and IDP-Initiated SSO? Do WSO2 products support both scenarios?

In SP-initiated SSO, the user tries to access a resource on the SP without having logged in. The service provider initiates the SSO message flow by sending an authentication request to the Identity Provider (IdP).

In the IdP-initiated flow, the user logs on to the IdP first and then tries to access the resource on the SP. The IdP initiates the flow by sending an authentication response to the SP directly, without a preceding request.

Currently, WSO2 only supports the SP-initiated flow.
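What "SP-initiated only" means at the service provider's assertion consumer endpoint, as an added example (not WSO2 code): the SP mints an AuthnRequest with a fresh ID, remembers that ID, and accepts a Response only if its InResponseTo names an outstanding request. An IdP-initiated Response is unsolicited, carries no InResponseTo, and is refused; a second Response for the same request is refused too. The entity ID and URLs are hypothetical, and the stand-in IdP Response is constructed and unsigned, so the example covers the correlation check only, not signature verification.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical deployment values, constructed for the example.
SP_ENTITY_ID = "https://greg.example:9445/carbon"
IDP_SSO_URL = "https://localhost:9443/samlsso"
ACS_URL = "https://greg.example:9445/acs"


def build_authn_request(outstanding):
    """SP-initiated flow, step 1: mint an AuthnRequest with a fresh ID and
    record the ID so the matching Response can be recognised later."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    outstanding.add(req_id)
    return ET.tostring(root, encoding="unicode")


def accept_response(response_xml, outstanding):
    """SP-side check at the ACS: accept a Response only if InResponseTo names a
    request this SP issued and has not yet consumed. An unsolicited
    (IdP-initiated) Response has no InResponseTo and is refused."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    in_response_to = root.get("InResponseTo")
    if in_response_to is None or in_response_to not in outstanding:
        return False
    outstanding.discard(in_response_to)   # one Response per request: replay guard
    return True


def fake_idp_response(in_response_to=None):
    """Constructed stand-in for the IdP's Response (unsigned; flow check only)."""
    attrs = {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "Destination": ACS_URL}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    root = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = IDP_SSO_URL
    return ET.tostring(root, encoding="unicode")


def sp_initiated_roundtrip():
    """Request first, then a Response that answers it: accepted."""
    outstanding = set()
    req_id = ET.fromstring(build_authn_request(outstanding)).get("ID")
    return accept_response(fake_idp_response(req_id), outstanding)


def idp_initiated_attempt():
    """Unsolicited Response with no matching request: refused."""
    return accept_response(fake_idp_response(), set())


def replay_attempt():
    """The same Response presented twice: accepted once, then refused."""
    outstanding = set()
    req_id = ET.fromstring(build_authn_request(outstanding)).get("ID")
    resp = fake_idp_response(req_id)
    return accept_response(resp, outstanding), accept_response(resp, outstanding)
```

In a real SP the outstanding-request set would live in the user's session or a shared store with an expiry, and the InResponseTo check runs after the signature on the Response or Assertion has been verified against the IdP's certificate.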

Usually, when setting up SSO between Carbon based products, we use the default key store, i.e. wso2carbon.jks, as the primary key store. How can we replace one of these key stores with a different key store and still configure SSO successfully?

The following steps can be applied to Carbon 3.2.x based products.

1. Configure SSO between IS and the other relevant Carbon product (e.g. Greg). WSO2 IS acts as the IdP and Greg acts as the SP.

2. Change the IS configuration files to use a new keystore as the primary key store. The other Carbon product keeps using wso2carbon.jks as its primary key store.

3. Import the new certificate of IS into the primary key store (wso2carbon.jks) of Greg using the following command:

keytool -import -v -alias iscert -file newiscert.pem -keystore wso2carbon.jks -keypass wso2carbon -storepass wso2carbon

4. Add the following parameter to authenticators.xml (Greg_home/repository/conf/security). The parameter value must be equal to the alias under which the IS certificate was imported:

<parameter name="IdPCertAlias">iscert</parameter>

5. Restart Greg. The SP initiated SSO flow will now succeed, because the SP can locate the IS signing certificate by that alias when it validates the SAML response signature.

What are differences between SAML2 and PassiveSTS based authentication ?

SAML2 enables an SSO system where users can log in to multiple applications within a "trust domain". The identities of the users in the "trust domain" are managed by the identity provider(s) within the same "trust domain", so only users whose identities are managed within that "trust domain" can access applications within it.

PassiveSTS, on the other hand, is a cross-domain authentication mechanism where users in one "trust domain" can access applications in another "trust domain". The mechanism for brokering trust between trust domains is defined in the WS-Federation specification; PassiveSTS is defined under the topic "Web (Passive) Requesters" of that specification.

STS
Do WSO2 products provide authentication services to authenticate client access to various services across platforms by supporting security tokens and STS?

STS is shipped with WSO2 Identity Server. Services can be protected with a security policy to accept a token issued by STS.

Where can I get a working Active STS sample?

Follow the steps below to run the sample given in [1].

  1. Follow "Step 1" in blog [2] to configure WSO2 App Server. You may use a service of your preference; in this case, the Echo service. 
    Instead of the policy 'axis2service.policy.xml' that is mentioned in the article, upload the policy "bearer-policy.xml" which resides in the sts-sample\src\main\resources directory. 
  2. Follow "Step 2" in blog [2] to configure WSO2 IS for STS. 
  3. Make the following changes to sts-sample\src\main\resources\client.properties: 

i) Change the SAML Token type to 2.0 

saml.token.type=2.0 

ii) Change the enable relyingParty to 'true' 

enable.relyingParty=true 

iii) Make sure the Endpoint addresses are pointing to the correct services 

address.relyingParty=http://localhost:9764/services/echo 

address.sts=https://localhost:9443/services/wso2carbon-sts 

Note that the policy that is used to secure the back-end (BE) service in AS must be identical to the policy that exists on the client side.


  4. Run the command sts-client.bat. 

On successful invocation you get the following output at the client console. 

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="urn:uuid:FF7F36F2DC68C5987C1377114779114" IssueInstant="20 
13-08-21T19:52:59.118Z" Version="2.0"><saml2:Issuer>localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo> 
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
<ds:Reference URI="#urn:uuid:FF7F36F2DC68C5987C1377114779114"> 
<ds:Transforms> 
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" /></ds:Transform> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
<ds:DigestValue>dmVzma4jtxt42kfdV1anRmz12MQ=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo> 
<ds:SignatureValue> 
B2kLRrvZrEc0+APpCwYqfTAX16GggXAdkr7Nryn0EDZP6/kCxvb3jBOsvBp/Gg3uZ/aaj7CPvikl 
W6GV0At1GIGkK+9FJR3JErC+3QbOhtP5JMjn7cw+dNiezcIPn/vj7wp3LXf3XMOmhRoplVgEQ6sv 
fIFFKPbn6G5h9gaizWU= 
</ds:SignatureValue> 
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE 
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv 
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw 
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE 
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou 
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5 
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID 
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i 
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR 
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format= 
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></saml2:Subject><saml2 
:Conditions NotBefore="2013-08-21T19:52:59.147Z" NotOnOrAfter="2013-08-21T19:57:59.147Z" /><saml2:AuthnStatement AuthnInstant="2013-08-21T19:52:59.149Z"><saml2:AuthnContext><s 
aml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><sa 
ml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="http://wso2.org/claims/emailaddress"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins 
tance" xsi:type="xs:string">manisha.eleperuma@gmail.com</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso 
2.org/claims/givenname"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manisha</saml2:AttributeValue></saml2:Attribute></saml 
2:AttributeStatement></saml2:Assertion> 
Token is valid 
<ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org"><return>Hello World</return></ns:echoStringResponse>

[1]. https://svn.wso2.org/repos/wso2/people/prabath/is-4.5.0/sts-sample.zip 
[2]. http://charithaka.blogspot.com/2013/07/broker-trust-relationships-with-wso2.html 

Is it possible to have STS exposed to the external world for external clients?

It is possible for external users (who reside outside the domain where STS is setup) to connect to the STS and get a security token. However, in order to do so, the user store which is associated with the STS, should have these external users' data (credentials etc.) stored in there. 

Does a client need to make a call for each and every request to get the token from STS server, or could it be session based? 

This can be configured at the client's end according to your requirement. For example, if the user needs to keep the token alive for the whole session, you can set up an expiry time for the token. Then the end service (ESB here) successfully authenticates this token until the specified expiration time limit is exceeded. 

How does ESB validate the SAML token?

As described in [1], the ESB (the external service here) holds the STS's certificate, and based on the policies in the certificate and the signature sent with the token, the ESB itself validates the security token sent by the client. It is also possible in principle for the end service to validate the token by contacting the STS each time a token arrives; however, in the current implementation the ESB only supports self-validation of tokens without re-contacting the STS. 

[1] http://wso2.com/library/articles/2012/08/securing-sts-security-token-service-kerberos 

How is the identity mapping done after interpreting SAML?

First the client goes to the STS and receives a security token. Then it contacts the ESB with this token. The ESB authenticates the client using this token, extracts the 'Username' (and other data carried in the token) from the SAML token and writes it into the MessageContext. After that, it directs the MessageContext to the Entitlement Mediator, which acts as the XACML PEP in this scenario. Having received the 'username', the PEP sends it to the PDP in WSO2 IS, which validates the username and authorizes it. When the ESB gets back the 'authorized success' response for the user from the PDP, it allows the request to go through to the SP end.
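The checks the ESB applies to the SAML token before it trusts the 'Username' it writes into the MessageContext, as an added example (not WSO2 or Rampart code) covering the three answers above: issuer, bearer subject confirmation, the NotBefore/NotOnOrAfter window that decides how long a session-scoped token stays usable, and the extraction of the NameID and claim attributes for the identity mapping. The assertion below is constructed in the shape of the STS sample output above, with the signature element left out; in the real deployment Rampart verifies that signature against the STS certificate before any of these checks matter, and that step is not reproduced here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed assertion modelled on the STS sample output (signature omitted,
# attribute values made up). Times are copied from the sample's validity window.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  ID="urn:uuid:EXAMPLE-0001" IssueInstant="2013-08-21T19:52:59.118Z" Version="2.0">
  <saml2:Issuer>localhost</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-08-21T19:52:59.147Z" NotOnOrAfter="2013-08-21T19:57:59.147Z"/>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://wso2.org/claims/emailaddress">
      <saml2:AttributeValue xsi:type="xs:string">admin@example.invalid</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://wso2.org/claims/givenname">
      <saml2:AttributeValue xsi:type="xs:string">Admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_time(value):
    """Parse the xsd:dateTime form the STS emits (UTC, millisecond fraction)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_and_map(assertion_xml, expected_issuer, now, clock_skew_seconds=0):
    """Return the identity the ESB would put into the MessageContext (username
    plus claims), or raise ValueError when the token must be rejected."""
    root = ET.fromstring(assertion_xml)

    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    confirmation = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        raise ValueError("not a bearer token")

    conditions = root.find("saml2:Conditions", NS)
    if conditions is None:
        raise ValueError("missing Conditions")
    skew = timedelta(seconds=clock_skew_seconds)
    if now + skew < parse_time(conditions.get("NotBefore")):
        raise ValueError("token not yet valid")
    if now - skew >= parse_time(conditions.get("NotOnOrAfter")):
        raise ValueError("token expired")

    username = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    claims = {}
    for attribute in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = attribute.findall("saml2:AttributeValue", NS)
        claims[attribute.get("Name")] = [v.text for v in values]
    return {"username": username, "claims": claims}


def check_token(assertion_xml, expected_issuer, now):
    """Same as validate_and_map, but reports the rejection reason instead of raising."""
    try:
        return validate_and_map(assertion_xml, expected_issuer, now)
    except ValueError as err:
        return {"rejected": str(err)}
```

The returned dictionary is what the Entitlement Mediator would forward as the XACML subject: the username from the NameID, and the claims keyed by the attribute names the STS was configured to release. A token presented after NotOnOrAfter is rejected locally, which is the "session" behaviour the expiry-time answer describes; no call to the STS is needed for that decision.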

How do I handle SAML responses which are received from the client via STS using WSO2 IS and WSO2 ESB?
__ Getting the STS Sample App __ 
1. Download the STS sample (Java app) from https://svn.wso2.org/repos/wso2/people/dulanja/samples/sts-sample.zip and extract it. 
__ Configuring the IS 4.0.0 __ 
[STS] 
2. Start IS 4.0.0 and go to "Security Token Service" in the Management Console. 
3. Click "Apply Security Policy" and select "yes" for "Enable Security" 
4. Choose first option - "UsernameToken" and press "Next". 
5. Select "admin" and "everyone" user groups and press "Finish". 
[PDP] 
6. In IS Management Console, go to Entitlement --> Administration and click "Import New Entitlement Policy" 
7. Using the "Browse" button, upload the attached 'echoServicePolicy.xml' file. 
8. Back again in the "Policy Administration" page, you will see the uploaded policy file displayed in "Available Entitlement Policies" table. Click "Enable" and "Promote To PDP" links in that table. 
__ Configuring ESB 4.5.0 __ 
9. Place the attached 'EchoProxy.xml' in "wso2esb-4.5.0/repository/deployment/server/synapse-configs/default/proxy-services" folder. 
10. Start ESB 4.5.0 
11. In the Management Console, go to Registry --> Browse. Go to '/_system/config/repository/esb' and create a new collection named "policies" by using "Add Collection" link. 
12. Go inside the policies collection and click "Add Resource". Then using the "Browse" button, upload the 'service-policy.xml' file at 'sts-sample/src/main/resources' folder and press 'Add'. 
__ Running the STS Sample __ 
13. Run the sts-sample by using the sts-client.sh (sts-client.bat if windows) which is located at sample's root level. You should see an output similar to the attached 'sts-sample-output.png'. 
      It shows the received token from STS and the response ("Hello World") from the ESB echo service. 
Please note that in this scenario IS runs with port offset 0 (i.e. on port 9443) and ESB with offset 1 (i.e. on port 9444). If your servers run on different ports, you should adjust the following: 
* 'address.relyingParty' and 'address.sts' properties in 'sts-sample/src/main/resources/client.properties' file. 
* service endpoint address in EchoProxy.xml 
* resource value in echoServicePolicy.xml 
User Store
When using a JDBC based user store - can we use a different database for the User Manager? 

Yes, you can use a different database by adding its JDBC driver to the classpath. Following are the steps you should follow.

1) Add the JDBC driver to the classpath by dropping the jar into ${carbon-home}/repository/components/lib

2) Edit ${carbon-home}/repository/conf/user-mgt.xml with the relevant values for the following properties:

    url
    userName
    password
    driverName
    maxActive
    maxWait
    minIdle

(refer to table 2.2 for property descriptions)

3) Create the database by running the relevant script in ${carbon-home}/dbscript/ and start the server with sh wso2server.sh (wso2server.bat), or start the server with sh wso2server.sh -Dsetup (wso2server.bat -Dsetup)

Is there any way to define a custom class to access a custom user store ?

Yes, you can define a custom class and configure the server with a custom user store. The AbstractUserStoreManager and the other related classes in the user.core bundle at the URL below [1] can be used to understand the implementation. Further, this custom class can be extended to provide the functionality required by the STS configuration, such as issuing a SAML token with the requested claim values.

[1] https://svn.wso2.org/repos/wso2/carbon/kernel/branches/4.2.0/core/org.wso2.carbon.user.core/4.2.0/src/

XACML
How can I write a custom PIP extension for WSO2 IS XACML engine?

This blog post [1] will be helpful in writing custom PIP extensions as well as custom designators, which are applicable to WSO2 IS 3.2.x.

[1] http://blog.facilelogin.com/2011/04/xacml-policy-information-point.html

Do you support hierarchical roles in Carbon based products?

Carbon products do not support hierarchical roles out of the box, but with the WSO2 XACML engine (a feature of Identity Server) a set of policies can be defined to cater for the requirement.

Do WSO2 products provide complex user entitlement support with XACML?

WSO2 products support authorization through entitlement policies defined in XACML. In XACML, complex user entitlement can be defined.

Do WSO2 products provide policy based authorization services?

WSO2 products support centralized, policy-based authorization through entitlement policies defined in XACML.

Do WSO2 products provide fine-grained authorization services to determine access rights for users and user groups?

To support authorization requirements, we support RBAC (Role Based Access Control) and XACML. XACML is specifically used to define fine-grained authorization policies that help align your business-level security requirements with the security implementation.