FAQ

Common

Are WSO2 products able to integrate with and provide security management services for external entities?

External entities are incorporated in the following scenarios.

Authentication - STS that issues SAML tokens and can accept SAML tokens
Open ID Provider and relying party
SSO IDP and relying party
Authorization - XACML

Do WSO2 products support cross domain federated identity management functionality to authenticate and authorize individuals of internal and external entities into the system, determine their permissions, and control access to the resources accordingly?

This can be achieved with WS-Trust (e.g., service in ESB can be protected with a security policy to accept a security token issued by a trusted STS confirming the authentication of a user in a outside domain), XACML - PDP, PAP and PIP supported by WSO2 Identity Server. PEPs can communicate with PDP of Identity Server to grant authorization

Do WSO2 products support different user access technologies such as user credentials, biometrics, smart card, token, etc ?

User credentials, SAML tokens X.509 tokens are supported out of the box. Biometrics and smart card can be integrated via the custom authenticators available in the WSO2 Identity Server.

Do WSO2 products provide encryption and data integrity functionality (symmetric & asymmetric signatures) to maintain secure messaging across the platform and support various encryption and signature standards ?

For Encryption/Decryption, Symmetric/Asymmetric key based encryption/decryption algorithms recommended in WS-Security specification are being used.

For Digital Signature, the Identity module supports Symmetric/Asymmetric key based digital signature algorithms recommended in WS-Security specification

Does the WSO2 Identity Server support security standards and protocols such as WS-Trust, WS-Federation, WS-Policy, etc?

Throughout the WSO2 product stack, WS-Trust and WS-Policy along with some other WS-* standards are supported.

We currently do not have complete support for WS-Federation (only Passive profile is supported).

How do I sort out the following error that occurs when initializing Cipher while using a custom Key Store for Secure Vault: If you try with a custom keystore, you might encounter the following error for certain instances:

Exception in thread "main" org.wso2.ciphertool.CipherToolException: Error initializing Cipher at org.wso2.ciphertool.CipherTool.handleException(CipherTool.java:861) at org.wso2.ciphertool.CipherTool.initCipher(CipherTool.java:202) at org.wso2.ciphertool.CipherTool.main(CipherTool.java:80) Caused by: java.security.InvalidKeyException: Wrong key usage at javax.crypto.Cipher.init(DashoA13..) at javax.crypto.Cipher.init(DashoA13..) at org.wso2.ciphertool.CipherTool.initCipher(CipherTool.java:200) ... 1 more

You can analyze the public certificates of the two jks's - In the default wso2carbon.jks, the KeyUsage is KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment ] - In the custom .jks file, the KeyUsage is KeyUsage [ DigitalSignature Key_Encipherment ]. Since the custom key store's certificate does not have 'Data_Encipherment' it can't use the Ciphertool and encrypt data for secure vault. So you may have to generate a new key store with at least a Self signed certificate.

Do WSO2 products provide encryption and data integrity functionality to maintain secure messaging across the platform?

For Encryption/Decryption, Symmetric/Asymmetric key based encryption/decryption algorithms recommended in WS-Security specification are being used.

For Digital Signature, the Identity module supports Symmetric/Asymmetric key based digital signature algorithms recommended in WS-Security specification

Can we store user identity, user attributes as well as Trust Level (TL) and Consent level (CL) as user data stored in the data repositories?

User store includes the user identity and user attributes. TL and CL are not stored directly. But role/user are stored there. Role permission model is hierarchical (permissions are inherited from parent and/or grandparent(s).

Unless it has been overridden at the child-level). With this permission model, the permissions can be given either to a specific user or a user role (a user role may have multiple users in it)

What provisioning standards does WSO2 support?

SPML was there for more than a decade but never became a main stream provisioning standard - mostly because this is very much biased to SOAP.

SPML (now at version 2.0) was originally developed for the enterprise provisioning market. While many Identity Management vendors support sending and accepting SPML requests, few vendors of the target systems support SPML as their “API” for provisioning. As a result, most integrations from IAM vendors still use the API provided by the vendor (and those APIs vary greatly from vendor to vendor).

SCIM is a relatively new standard put forward by Ping Identity, Google and Salesforce...

The SCIM specification is designed to make managing user identity in cloud-based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models.

Coming from the lessons of SPML, the first S of SCIM is important: It’s designed to be simple. SCIM doesn’t try to cover every provisioning situation; rather, it just covers the most common use cases and as a result is much simpler than SPML. It can handle creation, update, and deletion of users and groups; search; XML and JSON representations; and SAML binding for just-in-time provisioning.

SCIM has a common user schema, so name-value pairs (e.g., first name, last name, email address) mean the same thing regardless of which SaaS vendor you’re provisioning to, and this schema can be extended if necessary to handle specific identity or service-provider requirements. It uses a RESTful API, which makes it easier to integrate into existing cloud services. And SCIM has been designed to be fast for the service provider to implement.

Unlike with SPML, the industry itself has been developing this specification based on practical experience. Salesforce.com, Cisco, Google, Ping Identity, Technology Nexus, and UnboundID, among others, are committed to its success .

WSO2 supports SCIM specification with its Charos implementation.

These blog posts by Hasini provide great details on WSO2 Charon.

Here are some other links, which were extracted out of the above information.

How can I change the host-name of the Identity Server ?

If you want to change the host-name you need to do the following configuration changes.

The following two elements can be found in the <IS_HOME>/repository/conf/identity.xml file. Change the localhost value to your IP address.

<openidserverurl>https://localhost:9443/openidserver</OpenIDServerUrl> <openiduserpattern>https://localhost:9443/openid/</OpenIDUserPattern>

You do not need to change the keystore (JKS files) to change the host name. However, in a production setup we would recommend you to change the key store. You can create a keystore using the keytool that comes with JDK.

How to install a new feature in WSO2 Identity Server ?

See the Features section of the Identity Server documentation.

How do WSO2 products support running multiple instances using Virtual ip?

You can refer the following JIRA [1] to make relevant changes for public transports. Also, local ports for JMX, Qpid and LDAP need to be changed in order to support virtual ip with carbon instances.

Qpid is currently supporting virtual ip. JMX and LDAP will also support in future. After that you can run carbon instances with same port by configuring virtual ips.

[1]. https://wso2.org/jira/browse/CARBON-13143

Does the Identity Server support "no-encryption" association session?

no-encryption modes works with no issues with WSO2 Identity Server. In fact, openid4java client side library keeps this as the last option - so even-though in our client code if we set this as the preferred way, since this is not encouraged - openid4java takes this as last option and keeps on to build the association with HMAC-SHA256 and encryption. To avoid that to use the week form - we had to tweak the openid4java client side library - you can find it at https://svn.wso2.org/repos/wso2/people/pradeeban/jars/openid4java-nodeps-0.9.6.jar

You can try this by your self in the rp1 webapp...

*** Modify the RP1 code - RP1Servlet.java search for

manager = new ConsumerManager();

and just after the above line add the following...

manager.setPrefAssocSessEnc(AssociationSessionType.NO_ENCRYPTION_SHA1MAC);

*** Now build rp1.war

*** Once the war file is exploded in Tomcat, please replace the openid4java library there with the attached one. [[CATALINA_HOME\webapps\rp1\WEB-INF\lib]

*** If you look at the association request, it will be like this.

openid.ns:http://specs.openid.net/auth/2.0 openid.mode:associate openid.session_type:no-encryption openid.assoc_type:HMAC-SHA1

*** If you look at the association response, it will be like this..

ns:http://specs.openid.net/auth/2.0 session_type:no-encryption assoc_type:HMAC-SHA1 assoc_handle:1336219492632-9 expires_in:1799 mac_key:crnx2KRe+REA/h0WtJXkg/nhiJc=
End to end flow works with no issue.

Deploy WSO2 Identity Server over MySQL

Yes, It is possible. This blog post by Prabath explains the steps which should be followed in order to deploy WSO2 Identity Server over MySQL.

How to map Identity Server schemas for specific profiles?

Identity Server does not have specific schemas for different profiles. Rather it has a generic schema for profiles which can be extended by adding new claims. And it has a concept of the dialects which represents a set of claims required for particular format.

For example, if you take Facebook, then it is possible to define a new dialect for Facebook containing the claims provided by a Facebook profile. Then these Facebook claims can be mapped with the generic claim definitions. This concept is known as claim mapping.

So in summary, for storing the claims, it uses a generic schema. But the claims can be retrieved through the claim definitions of that particular dialect which are internally mapped with the generic schema.

In claim-config.xml, you can find the dialect URI "http://wso2.org/claims" which is the first of the dialect URIs (which is also used as the carbon dialect). Under this you can find all the claims that are used by our carbon servers to store user profile data in user stores. We can used the same dialect and store some of the properties that can be obtained using the Facebook and Twitter APIs. E.g. in Facebook we store full name, gender, email address and country, while in Twitter we store full name, country and locality.

Please list out all the non-apache 2 licensed software in IS, if any ?

Non-apache2 licenses used in IS are listed below. The licensing information can be found using the CARBON_HOME/LICENSE.txt file.

lgpl3 [GNU LESSER GENERAL PUBLIC LICENSE Version 3]

cpl1 [Common Public License 1.0]

epl1 [Eclipse Public License]

lgpl2 [Lesser GPL v2.1]

icu [ICU License]

sunbinary [Binary Code License Agreement]

mit [MIT License]

bsd [Berkeley License]

cddl1 [Common Development and Distribution License]

bouncy [Bouncy Castle License]

other http://sunxacml.sourceforge.net/license.txt

Does WSO2 platform provide support for mobile phone access?

In the mobile phone access scenarios lightweight authentication mechanisms such as sending REST like tokens from OAuth and using Mutual SSL can be considered.

Do we have a way to support off-line process to support off-line verification / validation of user identities

No current support is available for this feature.

Do we have SPML (Service Provisioning Markup Language) XML-based standard in the WSO2 platform?

The WSO2 platform supports both SPML and SCIM (Simple Cloud Identity Management) specifications.

How easy it is to use carbon administration console and a security monitoring tool for security based administration?

The WSO2 Identity Server packages an UI based PAP component for XACML and a collection of relying party components in an easy to use, rich UI based and intuitive management console. Any security configuration can be done and the applied security policies and other viewing capabilities can be handled via this GUI based admin console.

How can I write my own custom authenticator?

The blog post [1] by Hasini, describes how to write an authenticator, including a sample custom authenticator.

[1]http://hasini-gunasinghe.blogspot.com/2011/08/carbon-authentication-framework.html

How can I access the XDAS audit information of the WSO2 Identity Server? Is there any User Interface for this?

We have XDAS based logs in the UserAdmin component and few other Identity components. The general audit logs of IS can be found at $IS_ROOT/repository/logs/audit.log.

Where can I get the use case diagrams and the documents such as Software Requirements specification and use cases?

The documents can be found at https://svn.wso2.org/repos/wso2/people/pradeeban/IS/docs

The use case and the other diagrams, along with their respective umbrello source files, can be found at https://svn.wso2.org/repos/wso2/people/pradeeban/IS/diagrams

The Google Spread sheet of the SRS is at https://docs.google.com/a/wso2.com/document/d/1eXeliLdaxymJmS5C3kz5JFuV4PQb36jWgflBMo8FuCo/edit?pli=1#

Where can I find a document about "API for integrating identity management to any application"?

You can find the information in the following links.

OAuth

How can I secure a proxy service running in ESB with 2-legged OAuth?

To secure a proxy service running in ESB with 2-legged OAuth, you have to add OAuth mediator which supports 2-legged OAuth.

The following is the Syntax of OAuth mediator:

<oauthService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="" />

Where remoteServiceUrl is the server url of WSO2 Identity Server against which users are authenticated.

After securing the proxy, the syntax will be similar to following.

<proxy name="ProxyName" transports="https http" startOnLoad="true" trace="disable"> 
 <target>
  <inSequence> 
 <oauthService remoteServiceUrl="https://localhost:9443/services/"/>
  <send> ..... </send> ...
  </inSequence>
 <outSequence> ...
 </outSequence> 
</target> 
</proxy>

See 2-legged OAuth for Securing a RESTful Service for more information.

How to secure IFrame content using OAuth2?

In the OAuth instance you have to embed access token within your iframe. So you have to implement authentication plus domain/IP based filter process to validate the request source.

To do this using WSO2 API Manager 1.4.0:

Create simple HTML source under /var/www/test directory which i'm going to use inside the iframe.
Create API using https://localhost:9443/publisher/add with http://localhost/test/index.html as the Production URL and enable OPTIONS HTTP verb for the particular URL Prefix.
Save and change the life-cycle status as published.
Login to https://localhost:9443/store/ and subscribe to the API.
It provides the Access Token which you need to use within iframe to get the content.
Define partner domain in allowed domains. This ensures that content is accessed only through this domain.

You can even use a sample API without creating your own (step 1, 2 and 3) and set iframe content using the following Ajax request:

$.ajax({
    type: "GET",
    url: "{API URL}",
    beforeSend: function(xhr, settings){
            xhr.setRequestHeader('Authorization', 'Bearer {Access Token}');}, //set access token from step5
    success: function(data){
        alert(data);
    }
});

Open ID

Is there any way to disable stateless mode in OpenID Provider?

With the current implementation of carbon.identity.provider-3.2.0 (carbon-3.2.3) there is no configuration to disable stateless mode - by default it will support both.

If this is a required feature we need to modify the OpenID provider code to throw an exception if the mode of the OpenID request is "check_authentication" - which is the verification phase.

This is being implemented as the patch0388.

How to implement SSO with OpenID ?

Yes, WSO2 Identity Server provides a complete OpenID implementation. Please follow this blog post [1] to implement an OpenID based SSO system with the WSO2 Identity Server.

[1] http://sureshatt.blogspot.com/2012/03/openid-based-sso-with-wso2-identity.html

Can I use WSO2 IS as the OpenID Provider for Liferay ?

This blog post [1] provides step by step guide on how to use WSO2 IS as the OpenID provider for Liferay.

http://www.soasecurity.org/2010/07/wso2-identity-server-as-openid-provider.html

Does WSO2 Identity Server supports Directed Identity in their OpenID implementation ?

Yes, WSO2 Identity Server OpenID implementation supports Directed Identity and You do not need to do any configurations at the server end. If your hostname is localhost and the Identity Server is running on port 9443, then you have to use the Identifier https://localhost:9443/openid/admin as the "openid.claimed_id" value to use Directed Identity with the WSO2 Identity Server.

Does WSO2 IS support OpenID standard to allow for the registration of OpenID compliant identities for decentralized authentication.

WSO2 Identity Server can act as an OpenID provider. OpenID provided by WSO2 Identity Server can be used to sign-in and sign-up for external services. Also WSO2 Identity Server acts as an openId consumer. Any openId can be used to sign-in and sign-up for the WSO2 Identity Server.

SAML and SSO Support

Do we support Enterprise Single Sign On (E-SSO) to enable internal desktop users to seamlessly access heterogeneous applications (including web applications)?

This not supported out of the box. But there are several extension points that can be implemented to support such capabilities.

Does WSO2 products provide single-sign-on (SSO) and identity assertion features for services, applications, portal, etc across the SDP?

WSO2 Identity Server supports SAML and SAML 2.0 web browser single sign-on profile. With this feature, WSO2 Identity Server can act as the Identity Provider in single sign-on scenarios while third party service providers can delegate user authentication to Identity Server. Also this SSO feature is supported for our entire product stack with the above mentioned security standards.

Does WSO2 Identity Server support SAML security token standard and a framework for exchanging security information?

WSO2Identity Server supports SAML 1.0/1.1 and SAML2.0. SAML token can be used to exchange security information using WS-trust scenarios.

When dealing with Credential Mapping it is possible to map different credentials such as User name Token, X.509 tokens, SAML tokens, Kerberos tokens, etc.

Does WSO2 products provide single-sign-on (SSO) and identity assertion features for services, applications, portal, etc across the SDP?

WSO2 Identity Server supports SAML and SAML 2.0 web browser single sign-on profile. With this feature, WSO2 Identity Server can act as the Identity Provider in single sign-on scenarios while third party service providers can delegate user authentication to Identity Server. Also this SSO feature is supported for our entire product stack with the above mentioned security standards.

WSO2Identity Server supports centralized and policy based access control mechanism based on XACML. Authentication mechanism, such as username token, X.509 SAML , OAuth and kerberos can be easily plugged with the XACML access control engine.

Where can I find a sample on SSO across web apps and web services?

Please find the doc at [1] [1]https://svn.wso2.com/wso2/svn/supsup/Documents/IS/4.0.0/Sample%20on%20Single%20Sign%20On%20across%20Web%20Applications%20and%20Web%20Services.pdf

What is the difference between SP-Initiated SSO and IDP-Initiated SSO? Do WSO2 products support both scenarios?

In SP-Initiated SSO, user tries to access a resource on SP without logging in. The service provider initiates the SSO message flow by sending authentication request to the Identity Provider (IdP)

But in IdP-Initiated flow, user loges on to IdP first and then tries to access the resource on SP. So IdP initiate the flow by sending an authentication response to the SP directly.

Currently, WSO2 onlly supports SP initiated flow.

Usually when setting up SSO between carbon based products, we use default key store, i.e. wso2carbon.jks, as primary key store. But how can we replace one of these key stores with a different key store and configure sso successfully?

The following steps can be applied to Carbon 3.2.x based products.

1.Configure SSO between IS and the other relevant carbon product (e.g : Greg). WSO2 IS acts as IdP and Greg acts as SP.

2.Change IS configuration files to use a new keystore as the primary key store. The other carbon product use wso2carbon.jks as primary key store.

3.Import new certificate of IS into the primary key store (wso2carbon.jks) of Greg using following command. keytool -import -v -alias iscert -file newiscert.pem -keystore wso2carbon.jks -keypass wso2carbon -storepass wso2carbon

4.Add following parameter to authenticators.xml (Greg_home/repository/conf/security). The parameter value should be equal to the alias of IS certificate. <parameter name="IdPCertAlias">iscert</parameter>

5.Restart Greg. Now SP initiated SSO flow will be successful.

What are differences between SAML2 and PassiveSTS based authentication ?

SAML2 enables a SSO system where users can login to multiple applications within a "trust domain". Identities of the users in the "trust domain" are managed by the identity provider/s withing the same "trust domain". So only the users whose identities are managed within the same "trust domain" can access applications withing the "trust domain".

But PassiveSTS is a cross domain authentication mechanism where users in one "trust domain" can access applications in another "trust domain". The mechanism of brokering trust between "trust domain"s is defined in the WS-Federation specification. PassiveSTS is defined under the topic "Web (Passive) Requesters" of the specification.

STS

Do WSO2 products provide authentication services to authenticate client access to various services across platforms by supporting security tokens and STS?

STS is shipped with WSO2 Identity Server. Services can be protected with a security policy to accept a token issued by STS.

Where can I get a working Active STS sample?

Follow the steps below to run the sample given in [1].

Follow "Step 1" in blog [2], to configure WSO2 App Server. You may use a prefferred service of yours, in your case, Echo service.
Instead of the policy 'axis2service.policy.xml' that is mentioned in the article, upload the policy "bearer-policy.xml" which resides in sts-sample\src\main\resources directory.
Follow "Step 2" in blog [2], to configure WSO2 IS to achieve STS.
Do the following changes to the sts-sample\src\main\resources\client.properties

i) Change the SAML Token type to 2.0

saml.token.type=2.0

ii) Change the enable relyingParty to 'true'

enable.relyingParty=true

iii) Make sure the Endpoint addresses are pointing to the correct services

address.relyingParty=http://localhost:9764/services/echo

address.sts=https://localhost:9443/services/wso2carbon-sts

Note that the policy that is used to secure the BE service in AS should be identical to the policy that exists in the client side.

4.Run the command sts-client.bat

At the successful invocation you get the following output at client console.

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="urn:uuid:FF7F36F2DC68C5987C1377114779114" IssueInstant="20 
13-08-21T19:52:59.118Z" Version="2.0"><saml2:Issuer>localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo> 
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
<ds:Reference URI="#urn:uuid:FF7F36F2DC68C5987C1377114779114"> 
<ds:Transforms> 
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" /></ds:Transform> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
<ds:DigestValue>dmVzma4jtxt42kfdV1anRmz12MQ=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo> 
<ds:SignatureValue> 
B2kLRrvZrEc0+APpCwYqfTAX16GggXAdkr7Nryn0EDZP6/kCxvb3jBOsvBp/Gg3uZ/aaj7CPvikl 
W6GV0At1GIGkK+9FJR3JErC+3QbOhtP5JMjn7cw+dNiezcIPn/vj7wp3LXf3XMOmhRoplVgEQ6sv 
fIFFKPbn6G5h9gaizWU= 
</ds:SignatureValue> 
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE 
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv 
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw 
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE 
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou 
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5 
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID 
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i 
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR 
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format= 
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></saml2:Subject><saml2 
:Conditions NotBefore="2013-08-21T19:52:59.147Z" NotOnOrAfter="2013-08-21T19:57:59.147Z" /><saml2:AuthnStatement AuthnInstant="2013-08-21T19:52:59.149Z"><saml2:AuthnContext><s 
aml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><sa 
ml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="http://wso2.org/claims/emailaddress"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins 
tance" xsi:type="xs:string">manisha.eleperuma@gmail.com</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso 
2.org/claims/givenname"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manisha</saml2:AttributeValue></saml2:Attribute></saml 
2:AttributeStatement></saml2:Assertion> 
Token is valid 
<ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org"><return>Hello World</return></ns:echoStringResponse>

[1]. https://svn.wso2.org/repos/wso2/people/prabath/is-4.5.0/sts-sample.zip
[2]. http://charithaka.blogspot.com/2013/07/broker-trust-relationships-with-wso2.html

Is it possible to have STS exposed to the external world for external clients?

It is possible for external users (who reside outside the domain where STS is setup) to connect to the STS and get a security token. However, in order to do so, the user store which is associated with the STS, should have these external users' data (credentials etc.) stored in there.

Does a client need to make a call for each and every request to get the token from STS server, or could it be session based?

This can be configured at the client's end according to your requirement. For example, if the user needs to keep the token alive for the whole session, you can set up an expiry time for the token. Then the end service (ESB here) successfully authenticates this token until the specified expiration time limit is exceeded.

How does ESB validate the SAML token?

As described in [1], the ESB (external service here) has the STS's certificate with it, and based on the policies in the certificate and the signature sent with the token, the ESB itself validates the security token sent by the client. However, it is also possible to do the token validation by the End service contacting the STS each time when a token arrives. According to the current implementation, ESB only supports self validation of tokens without re-contacting the STS.

[1] http://wso2.com/library/articles/2012/08/securing-sts-security-token-service-kerberos

How is the identity mapping done after interpreting SAML?

First the client goes to the STS and receives a Security Token. Then it contacts ESB with this token. ESB authenticates the client using this token and then it gets the 'Username' (and some other data which was received from the token as well) from this SAML token and writes it into the MessageContext. After that, it directs the MessageContext to the Entitlement Mediator which acts as the XACML PEP in this scenario. After receiving the 'username', PEP send this back to PDP in WSO2 IS which validates the username and authorizes it. When the ESB gets back the 'authorized success' response for the user from PDP, it allows the request to go to the SP end.

User Store

When using a JDBC based user store, can I use a different database for the User Store Manager?

Yes you can use different databases by adding the JDBC driver to the classpath. The following are the steps that you should follow.

Add the JDBC driver to the classpath by dropping the jar into the <IS_HOME>/repository/components/lib directory.
Edit the <IS_HOME>/repository/conf/user-mgt.xml file with the relevant property values for the following.
    url
    userName
    password
    driverName
    maxActive
    maxWait
    minIdle
Create the database by running the relevant script in the <IS_HOME>/dbscript/ directory and start the server with the following command.
sh wso2server.sh (or wso2server.bat for Windows).

How do I define a custom class to access a custom user store?

You can define a custom class and configure the server with a custom user store. See Writing a Custom User Store Manager for more information on how to do this.

XACML

How can I write a custom PIP extension for WSO2 IS XACML engine?

This blog post [1] will be helpful in writing custom PIP extensions as well as custom designators which are applicable for WSO2 IS 3.2.x

http://blog.facilelogin.com/2011/04/xacml-policy-information-point.html

Do you support hierarchical roles in Carbon based products?

Carbon products do not support hierarchical roles out of the box, but with the support of WSO2 XACML engine(feature of Identity server), we can define set of policies to cater the requirement

Do WSO2 products provide complex user entitlement support with XACML?

WSO2 products support authorization through entitlement policies defined in XACML. In XACML, complex user entitlement can be defined.

Do WSO2 products provide policy based authorization services?

WSO2 products support centralized, policy-based authorization through entitlement policies defined in XACML.

Do WSO2 products provide fine grained authorization services to determine access rights for users and user groups?

To support authorization requirements, we support RBAC (Role Based Access Control) and XACML. XACML is specifically used to define fine-grained authorization policies that help align your business level security requirements with the security implementation.