diff --git a/.gitignore b/.gitignore index 51a0e72bcf..43e14a4ef2 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,5 @@ hs_err_pid* .DS_Store en/site +*.iml + diff --git a/en/docs/administer/blue-green-data-encryption-keyrotation.md b/en/docs/administer/blue-green-data-encryption-keyrotation.md new file mode 100644 index 0000000000..36d3076716 --- /dev/null +++ b/en/docs/administer/blue-green-data-encryption-keyrotation.md 
@@ -0,0 +1,277 @@ +# Blue-Green Data Encryption Key Rotation + +This section contains the complete process you need to follow in order to perform symmetric data encryption key rotation in WSO2 Identity Sever(WSO2 IS version 5.11.0 and above). + +Key rotation can be defined as retiring an encryption key and replacing it with a new key. Data is encrypted using a key known as Data Encryption Key(DEK) and the DEK is then encrypted with another key called Key Encryption Key(KEK). This is known as envelope encryption. Frequent rotations of these encryption keys are considered as an industry best practice by PCI DSS and NIST standards. + +------------------------------------------------------------------------ + +## Why should you rotate encryption keys? + +!!! note + Originator Usage Period(OUP) is the time period during which encryption is applied to data. + +* A cryptoperiod is the time span during which a specific key is authorized for use. [NIST SP 800-57](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf) recommends different cryptoperiods for different encryption key types. + * Symmetric Data Encryption Keys + * OUP recommended for large volumes of data is about a day or a week + * OUP recommended for smaller volumes of data is about 2 years + * Symmetric Key, Wrapping Keys + * OUP recommended for a key that wraps a large number of keys is about a day or a week + * OUP recommended for key that wraps smaller number of keys is upto 2 years +* Security compliance requirements +* Security breach requirements + +!!! note + The above mentioned cryptoperiods can vary based on other factors like the sensitivity of data and the amount of data we have. + +------------------------------------------------------------------------ + +## Background + +WSO2 Identity Server has the following key usages for signing/encrypting data and each of these types will have different key rotation requirements. + +1. TLS Connection +2. 
Signing and encryption of data (JWT assertions, payloads) shared with external parties (SP, IdP) +3. Encryption of sensitive runtime level configuration secrets/user data persisted in datastores and userstores +4. Encryption of sensitive deployment level configuration data in configuration files + +From WSO2 IS 5.11.0 onwards, symmetric encryption is used to encrypt the internal sensitive runtime data above. The DEK used to encrypt these data is configured in the `deployment.toml` file and it is protected by a KEK. The secure vault is utilized as of now to protect this DEK. Here, only the rotation of the Data Encryption Key configured in the `deployment.toml` file is considered. + +------------------------------------------------------------------------ + +## DEK rotation frequency + +In the case of a security compliance requirement, we can see that symmetric DEK rotation can be done in 2 years or less based on the volume of data present. + +In a security breach scenario, we must rotate the DEK immediately and re-encrypt all the data to the new DEK. + +------------------------------------------------------------------------ + +## Key Rotation Approach + +WSO2 IS has introduced an external tool that re-encrypts internal data after rotation of the configured symmetric data encryption key. Here, the re-encryption of the identity and registry databases and some configuration files is considered. Apart from that, the tool syncs end user data that gets generated in the live system to the new setup. + +The external java client that performs the above tasks can be created by following the steps [here](../../administer/blue-green-data-encryption-keyrotation/#how-to-create-the-key-rotation-tool). + +------------------------------------------------------------------------ + +## Tables that support re-encryption + +At the moment, the tables given below are supported for re-encryption. + +!!! 
info "Tables that support re-encryption" + + | **Table** | **Fields** | + |------------------------------------------|---------------------------------------------------------------------------------| + | IDN_IDENTITY_USER_DATA | TOTP secretKey and verifiedSecretKey claims | + | IDN_OAUTH2_AUTHORIZATION_CODE | OAuth2 authorization codes | + | IDN_OAUTH2_ACCESS_TOKEN | OAuth2 access and refresh tokens | + | IDN_OAUTH_CONSUMER_APPS | Consumer secrets | + | WF_BPS_PROFILE | BPS profile password | + | WF_REQUEST | WF request credentials | + | REG_PROPERTY | Keystore passwords, Keystore privatekeyPass and Entitlement subscriberPasswords | + +------------------------------------------------------------------------ + +## Configuration files that support re-encryption + +At the moment, the configuration files given below are supported for re-encryption. + +!!! info "Configuration files that support re-encryption" + + | **Configuration file** | **Path** | **Property** | + |-----------------------------------|-------------------------------------------------------------------|--------------| + | Event publishers | `/repository/deployment/server/eventpublishers` files | Password | + | Super tenant secondary userstores | `/repository/deployment/server/userstores/` files | Password | + | Tenant secondary userstores | `/repository/tenants//userstores/` files | Password | + +------------------------------------------------------------------------ + +## Tables that support syncing + +At the moment, the tables given below can be synced during key rotation from the old setup to the new setup. Any other data will not be persisted in the new setup. + +!!! 
info "Tables that support syncing" + + | **Table** | **Purpose** | **Recommendation** | + |-------------------------------|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | IDN_IDENTITY_USER_DATA | Identity claims when the identity data store is enabled | Usually recommended to sync if identity management features are enabled in the system | + | IDN_OAUTH2_ACCESS_TOKEN | OAuth 2.0 tokens | Need to sync if the tokens created during the key rotation period needs to be valid after key rotation | + | IDN_OAUTH2_ACCESS_TOKEN_SCOPE | OAuth 2.0 scopes | If the IDN_OAUTH2_ACCESS_TOKEN is synced, this table also needs to be synced | + | IDN_OAUTH2_AUTHORIZATION_CODE | OAuth 2.0 authorization codes | Need to sync if the authorization codes created during the key rotation period need to be valid after key rotation | + + +!!! note + In this section, `` is the directory where the current Identity Server resides, and `` is the directory where the copy of the current Identity Server resides. `` refers to the location [here](https://github.com/wso2/identity-tools/components/org.wso2.carbon.identity.keyrotation) and the `` refers to the location of the external tool. + +------------------------------------------------------------------------ + +## How To Create The Key Rotation Tool + +1. Clone the repository, [identity-tools](https://github.com/wso2/identity-tools). + +2. Build it using maven by running the command `mvn clean install`. + +3. Go to the `/target` folder and copy the `keyrotation-tool--SNAPSHOT.jar` file and the `/target/lib` folder to ``. Get the `properties.yaml` file, `keyrotation.sh` file, and the `triggers` folder from `/src/main/resources` and copy them to the same `` location. 
+ +------------------------------------------------------------------------ + +## Performing blue-green key rotation + +1. Block all privileged user flows and allow only end user flows. + + !!! note + For the privileged user flows, block all admin services from the load balancer and the management console as well. For end user flows, the above [tables](../../administer/blue-green-data-encryption-keyrotation/#tables-that-support-syncing) will be synced to the ``, so only these end user data flows should be allowed to generate in ``. + +2. Execute the `old.sql` script in the `` identity database to create temp tables and triggers. + + !!! note + The triggers can be found inside the `/triggers` folder. + +3. Create a copy of the ``(This copied directory will be refered to as the `NEW_IS_HOME`) and dump `` identity and registry databases and create the new databases. + +4. Drop the temp tables and triggers in the `` identity database using the `new.sql` script. + + !!! note + The triggers can be found inside the `/triggers` folder. + +5. Open the `properties.yaml` file in `` and edit the configurations accordingly. + + * oldSecretKey - The symmetric encryption key used in the `` + !!! note + If the key is encrypted using cipher tool, decrypt it back as shown [here](https://shagihan.medium.com/decrypt-encrypted-text-with-the-wso2-cipher-tool-15b67624620a). + * newSecretKey - The new symmetric encryption key + !!! tip + Generate using a tool like openssl using the command, `openssl rand -hex 16`. + * newISHome - The absolute path of the `` + * oldIdnDBUrl - `` identity database URL + * oldIdnUsername - `` identity database username + * oldIdnPassword - `` identity database password + !!! note + Encode the `` identity database plaintext password in [base64](https://www.base64encode.org/) and insert here. + * newIdnDBUrl - `` identity database URL + * newIdnUsername - `` identity database username + * newIdnPassword - `` identity database password + !!! 
note + Encode the `` identity database plaintext password in [base64](https://www.base64encode.org/) and insert here. + * newRegDBUrl - `` registry database URL + * newRegUsername - `` registry database username + * newRegPassword - `` registry database password + !!! note + Encode the `` registry database plaintext password in [base64](https://www.base64encode.org/) and insert here. + * enableDBMigrator - Enable/disable re-encryption for the identity and registry databases + !!! note + Keep this to always **true** to avoid unnecessary issues. + * enableConfigMigrator - Enable/disable re-encryption for the configuration files + !!! note + Keep this to always **true** to avoid unnecessary issues. + * enableSyncMigrator - Enable/disable syncing mechanism + !!! note + You only need to set this to **true**, if you have opted in for blue-green key rotation with zero downtime for the end user flows. + * chunkSize - Size of the record chunks being retrieved from the database tables for syncing. + + ??? tip "Sample configuration written for the properties.yaml file" + + ``` + oldSecretKey: AFA27B44D43B02A9FEA41D13CEDC2E40 + newSecretKey: 1fc0bc7a3805b42afa5f5af07a595f56 + newISHome: /home/IS/wso2is-5.12.0 + oldIdnDBUrl: jdbc:mysql://localhost:3306/regdb?useSSL=false + oldIdnUsername: root + oldIdnPassword: cm9vdA== + newIdnDBUrl: jdbc:mysql://localhost:3306/regdb1?useSSL=false + newIdnUsername: root + newIdnPassword: cm9vdA== + newRegDBUrl: jdbc:mysql://localhost:3306/regdb1?useSSL=false + newRegUsername: root + newRegPassword: cm9vdA== + enableDBMigrator: true + enableConfigMigrator: true + enableSyncMigrator: true + chunkSize: 2 + ``` + ??? tip "Sample configuration written for H2 DB type URL" + + ``` + jdbc:h2:~/Desktop/IS/copy/wso2is-5.11.0-beta5-SNAPSHOT/repository/database/WSO2IDENTITY_DB + ``` + ??? tip "Sample configuration written for MySQL DB type URL" + + ``` + jdbc:mysql://localhost:3306/idndb?useSSL=false + ``` + ??? 
tip "Sample configuration written for DB2 DB type URL" + + ``` + jdbc:db2://localhost:50000/idndb + ``` + ??? tip "Sample configuration written for PostgreSQL DB type URL" + + ``` + jdbc:postgresql://localhost:5432/idndb + ``` + ??? tip "Sample configuration written for MSSQL DB type URL" + + ``` + jdbc:sqlserver://localhost:1433;databaseName=idndb + ``` + ??? tip "Sample configuration written for Oracle DB type URL" + + ``` + jdbc:oracle:thin:@localhost:1521/ORCLCDB.LOCALDOMAIN + ``` + +6. Run the tool using the `./keyrotation.sh keyrotation-tool--SNAPSHOT.jar` command from ``. + +7. Edit the `` `deployment.toml` file having the new configured databases and the new key. + +8. Start `` once the re-encryption for the existing DB and config file is done. + +9. When no new entries are being synced in the logs, route traffic to `` and enable all load balancer API endpoints(privileged and end user flows). + +!!! note + Do not stop the tool at once, let it sync any remaining data in the temp tables after routing the traffic. + +------------------------------------------------------------------------ + +## Verifying the key rotation + +* Check the log files to verify if re-encryption happened successfully for the 7 identity and registry database tables. Check the logs given below for the successful/failed re-encryption counts of OAuth2 access and refresh tokens. + + ```tab="DB log sample" + Successfully updated OAuth2 access and refresh tokens data records in IDN_OAUTH2_ACCESS_TOKEN: 897 + Failed OAuth2 access and refresh tokens data records in IDN_OAUTH2_ACCESS_TOKEN: 0 + ``` + +!!! note + If the key rotation task is successful, the failed logs count should be `0` for all the tables. + +* Check the log files to verify if re-encryption happened successfully for the 3 configuration files. Check the logs given below for the successful/failed re-encryption counts of event publisher configuration files. 
+ + ```tab="Config file log sample" + Updated event publisher configuration files: 8 + Failed event publisher configuration files: 0 + ``` + +!!! note + If the key rotation task is successful, the failed logs count should be `0` for all the configuration files. + +* Check the log files to verify if transformation of the synced data happened successfully for the 4 tables. Check the logs given below for the successful/failed transformation counts of `IDN_IDENTITY_USER_DATA` table. + + ```tab="Synced log sample" + Successfully transformed totp data records in IDN_IDENTITY_USER_DATA_TEMP: 2 + Transformation failed totp data records in IDN_IDENTITY_USER_DATA_TEMP: 0 + ``` + +!!! note + If the synced task is successful, the failed logs count should be `0` for all the synced tables. + +* Check for any errors in the log files and carefully analyze the logs if the error can be ignored and other steps can be proceeded with. Otherwise, check what has caused the error. + +------------------------------------------------------------------------ + +## Recovering from any failure + +If the key rotation task stops midway, follow the blue green key rotation user guide steps again. + +If there are errors logged in the log files, carefully go through the errors and find what has caused the error. diff --git a/en/docs/administer/product-level-security-guidelines.md b/en/docs/administer/product-level-security-guidelines.md index b060e3f7f0..6add0327fe 100644 --- a/en/docs/administer/product-level-security-guidelines.md +++ b/en/docs/administer/product-level-security-guidelines.md 
@@ -36,6 +36,9 @@ Change the default key stores and create new keys for all the cryptographic oper For more information, see [Recommendations for using keystores](../../administer/using-asymmetric-encryption#recommendations-for-setting-up-keystores-in-wso2-products) and [Creating New Keystores](../../administer/creating-new-keystores). +## Symmetric Encryption Key + +Generate a secure secret key by following the instructions given in [Using Symmetric Encryption](../../administer/using-symmetric-encryption/#internal-crypto-provider). ## Passwords in config files @@ -251,7 +254,7 @@ Log forging can be prevented by appending a UUID to the log message. !!! info - For more information on configuring the `log4j.properties` file, see Monitoring Logs. + For more information on configuring the `log4j2.properties` file, see Monitoring Logs. ## JVM parameters 
@@ -269,3 +272,49 @@ Log forging can be prevented by appending a UUID to the log message. If mutual SSL is enabled, [enable intermediate certificate validation](../../develop/authenticating-and-authorizing-rest-apis/#configure-intermediate-certificate-validation) as well to make sure that only certificates signed by the issuers mentioned in the **IntermediateCertValidation** configuration are allowed to be used during mutual SSL authentication. If mutual SSL authentication capabilities are not required, you can [disable it](../../administer/enabling-mutual-ssl/#enabling-mutual-ssl-in-the-wso2-is). + +## Configuring client authentication + +Client authentication is used to identify the application or the client that is making the request. +The web applications provided out-of-the-box use a set of default credentials to authenticate with WSO2 Identity Server REST APIs that are marked as **secure** under the 'ResourceAccessControl' tag of the the`/repository/conf/identity/identity.xml` file. + +Follow the steps below to change the default credentials. + +1. Shut the server down in case you have already started it. + +2. Add the following configuration changes to the `/repository/conf/deployment.toml` file. + + - Add the `app_password` property and enter a preferred password as the value. + + ``` toml + [identity.auth_framework.endpoint] + app_password="" + ``` + + - Add the `hash` property and enter the SHA-256 hash value of the `app_password` as the property value. + + ``` toml + [account_recovery.endpoint.auth] + hash="" + ``` + + - If the `authenticationendpoint` web app is hosted externally, do the following: + + a. Open the `EndpointConfig.properties` file found in the root of the `authenticationendpoint` folder. + + b. Change the `app.password` property value to the value added as `app_password` in the `deployment.toml` file. + + c. 
Do the same changes to the `EndpointConfig.properties` file located in the `/repository/deployment/server/webapps/authenticationendpoint/WEB-INF/classes` directory. + + - If the `accountrecoveryendpoint` web app is hosted externally, do the following: + + a. Open the `RecoveryEndpointConfig. properties` file found in the root of the `accountrecoveryendpoint` folder. + + b. Change the `app.password` property value to the value added as `app_password` in the `deployment.toml` file. + + c. Do the same changes to the `RecoveryEndpointConfig.properties` file located in the `/repository/deployment/server/webapps/accountrecoveryendpoint/WEB-INF/classes` directory. + +3. Once these changes are configured, restart the server with, + + - Linux/Unix : sh wso2server.sh + - Windows : wso2server.bat diff --git a/en/docs/administer/using-tools.md b/en/docs/administer/using-tools.md index bcf8997a37..a204d53f25 100644 --- a/en/docs/administer/using-tools.md +++ b/en/docs/administer/using-tools.md @@ -6,6 +6,5 @@ to validate the configurations and build sample response.  These tools in the [management console](../../setup/getting-started-with-the-management-console) are described in the following topics. -- Using the SAML2 Toolkit - Using the XACML TryIt Tool - Identity Anonymization tool \ No newline at end of file diff --git a/en/docs/assets/attachments/learn/geo-location/linux/update-geolocation-data.sh b/en/docs/assets/attachments/learn/geo-location/linux/update-geolocation-data.sh new file mode 100644 index 0000000000..2b7098d18a --- /dev/null +++ b/en/docs/assets/attachments/learn/geo-location/linux/update-geolocation-data.sh 
@@ -0,0 +1,58 @@ +echo " ======== Converting GeoLite2-City-Blocks-IPv4.csv =======" + +echo "Enter path to GeoLite2-City-Blocks-IPv4 directory: " +read original_dir +if [ -z $original_dir ]; then + echo "path to patched directory not provided, execution terminated!" + exit 0; +elif [ ! -d "$original_dir" ]; then + echo "Cannot find the directory path $patch_dir, execution terminated! " + exit 0; +elif [ -d "$original_dir" ];then + echo "Enter path to GeoLite2-City-Blocks-IPv4-converted.csv directory: " + read converted_dir + if [ -z $converted_dir ]; then + echo "path to patched directory not provided, execution terminated!" + exit 0; + elif [ ! -d "$converted_dir" ]; then + echo "Cannot find the directory path $converted_dir, execution terminated! " + exit 0; + elif [ -d "$original_dir" ];then + + #Convert GeoLite2-City-Blocks-IPv4 + echo " ** convert GeoLite2-City-Blocks-IPv4" + $converted_dir/geoip2-csv-converter -block-file=$original_dir/"GeoLite2-City-Blocks-IPv4.csv" -include-integer-range=true -output-file=$original_dir/"GeoLite2-City-Blocks-IPv4-converted.csv" + + #Get first column form original GeoLite2-City-Blocks-IPv4 + echo " ** get first column form original" + cut -d , -f 1 $original_dir/GeoLite2-City-Blocks-IPv4.csv > first.csv + + #Change column name ‘network’ to ‘network_cidr’ + echo " ** change column name to ‘network_cidr’" + sed -i '1s/network/network_cidr/' first.csv + + #Extract first two numbers from first.csv + echo " ** Extract ip address data" + cut -d "." 
-f -2 first.csv > last.csv + + #Change column name ‘network_cidr’ to ‘network_blocks’ + echo " ** change column name to ‘network_blocks’" + sed -i '1s/network_cidr/network_blocks/' last.csv + + #Extract entries from GeoLite2-City-Blocks-IPv4-converted.csv + echo " ** extract entries from original" + cut -d , -f 1-10 $original_dir/GeoLite2-City-Blocks-IPv4-converted.csv > middle.csv + + #Change column name ‘network_start_integer’ to ‘network’ + echo " ** change column name to ‘network’" + sed -i '1s/network_start_integer/network/' middle.csv + + #Change column name ‘network_last_integer’ to ‘broadcast’ + echo " ** change column name to ‘broadcast’" + sed -i '1s/network_last_integer/broadcast/' middle.csv + + #Merge csv files + echo " ** merge csv files" + paste -d , first.csv middle.csv last.csv > final.csv + fi +fi diff --git a/en/docs/assets/attachments/learn/geo-location/mac/update-geolocation-data.sh b/en/docs/assets/attachments/learn/geo-location/mac/update-geolocation-data.sh new file mode 100644 index 0000000000..12b08c62b6 --- /dev/null +++ b/en/docs/assets/attachments/learn/geo-location/mac/update-geolocation-data.sh 
@@ -0,0 +1,60 @@ +echo " ======== Converting GeoLite2-City-Blocks-IPv4.csv =======" + +echo "Enter path to GeoLite2-City-Blocks-IPv4 directory: " +read original_dir +if [ -z $original_dir ]; then + echo "path to patched directory not provided, execution terminated!" + exit 0; +elif [ ! -d "$original_dir" ]; then + echo "Cannot find the directory path $patch_dir, execution terminated! " + exit 0; +elif [ -d "$original_dir" ];then + echo "Enter path to geoip2-csv-converter home directory: " + read bin_dir + if [ -z $bin_dir ]; then + echo "path to patched directory not provided, execution terminated!" + exit 0; + elif [ ! -d "$bin_dir" ]; then + echo "Cannot find the directory path $bin_dir, execution terminated! " + exit 0; + elif [ -d "$bin_dir" ];then + + #Convert GeoLite2-City-Blocks-IPv4 + echo " ** convert GeoLite2-City-Blocks-IPv4" + $bin_dir/geoip2-csv-converter -block-file=$original_dir/"GeoLite2-City-Blocks-IPv4.csv" -include-integer-range=true -output-file=$original_dir/"GeoLite2-City-Blocks-IPv4-converted.csv" + + #Get first column form original GeoLite2-City-Blocks-IPv4 + echo " ** get first column form original" + cut -d , -f 1 $original_dir/GeoLite2-City-Blocks-IPv4.csv > first.csv + + #Change column name ‘network’ to ‘network_cidr’ + echo " ** change column name to ‘network_cidr’" + sed -i '' '1s/network/network_cidr/' first.csv + + #Extract first two numbers from first.csv + echo " ** Extract ip address data" + cut -d "." 
-f -2 first.csv > last.csv + + #Change column name ‘network_cidr’ to ‘network_blocks’ + echo " ** change column name to ‘network_blocks’" + sed -i '' '1s/network_cidr/network_blocks/' last.csv + + #Extract entries from GeoLite2-City-Blocks-IPv4-converted.csv + echo " ** extract entries from original" + cut -d , -f 1-10 $original_dir/GeoLite2-City-Blocks-IPv4-converted.csv > middle.csv + + #Change column name ‘network_start_integer’ to ‘network’ + echo " ** change column name to ‘network’" + sed -i '' '1s/network_start_integer/network/' middle.csv + + #Change column name ‘network_last_integer’ to ‘broadcast’ + echo " ** change column name to ‘broadcast’" + sed -i '' '1s/network_last_integer/broadcast/' middle.csv + + #Merge csv files + echo " ** merge csv files" + paste -d , first.csv middle.csv last.csv > final.csv + + fi +fi + diff --git a/en/docs/assets/img/develop/add-custom-local-claim.png b/en/docs/assets/img/develop/add-custom-local-claim.png new file mode 100644 index 0000000000..77e6c3cd5f Binary files /dev/null and b/en/docs/assets/img/develop/add-custom-local-claim.png differ diff --git a/en/docs/assets/img/develop/add-custom-schema-dialect.png b/en/docs/assets/img/develop/add-custom-schema-dialect.png new file mode 100644 index 0000000000..82b4633293 Binary files /dev/null and b/en/docs/assets/img/develop/add-custom-schema-dialect.png differ diff --git a/en/docs/assets/img/develop/add-local-claim-device-names.png b/en/docs/assets/img/develop/add-local-claim-device-names.png new file mode 100644 index 0000000000..1fc9a928ea Binary files /dev/null and b/en/docs/assets/img/develop/add-local-claim-device-names.png differ diff --git a/en/docs/assets/img/develop/add-manager-displayname-local-claim.png b/en/docs/assets/img/develop/add-manager-displayname-local-claim.png new file mode 100644 index 0000000000..5bc14e53fb Binary files /dev/null and b/en/docs/assets/img/develop/add-manager-displayname-local-claim.png differ 
diff --git a/en/docs/assets/img/develop/add-manager-displayname-remote-claim.png b/en/docs/assets/img/develop/add-manager-displayname-remote-claim.png new file mode 100644 index 0000000000..01302b2a65 Binary files /dev/null and b/en/docs/assets/img/develop/add-manager-displayname-remote-claim.png differ diff --git a/en/docs/assets/img/develop/add-manager-email-remote-claim.png b/en/docs/assets/img/develop/add-manager-email-remote-claim.png new file mode 100644 index 0000000000..7bb8f5ff33 Binary files /dev/null and b/en/docs/assets/img/develop/add-manager-email-remote-claim.png differ diff --git a/en/docs/assets/img/develop/add-manager-emailaddress-localclaim.png b/en/docs/assets/img/develop/add-manager-emailaddress-localclaim.png new file mode 100644 index 0000000000..717ef3d3ca Binary files /dev/null and b/en/docs/assets/img/develop/add-manager-emailaddress-localclaim.png differ diff --git a/en/docs/assets/img/develop/add-manager-local-claim.png b/en/docs/assets/img/develop/add-manager-local-claim.png new file mode 100644 index 0000000000..91c0fb78dd Binary files /dev/null and b/en/docs/assets/img/develop/add-manager-local-claim.png differ diff --git a/en/docs/assets/img/develop/add-manager-remote-claim.png b/en/docs/assets/img/develop/add-manager-remote-claim.png new file mode 100644 index 0000000000..47d6413bf5 Binary files /dev/null and b/en/docs/assets/img/develop/add-manager-remote-claim.png differ diff --git a/en/docs/assets/img/develop/add-remote-claim-device-names.png b/en/docs/assets/img/develop/add-remote-claim-device-names.png new file mode 100644 index 0000000000..ef4dd33f7d Binary files /dev/null and b/en/docs/assets/img/develop/add-remote-claim-device-names.png differ diff --git a/en/docs/assets/img/develop/map-remote-claim.png b/en/docs/assets/img/develop/map-remote-claim.png new file mode 100644 index 0000000000..76aa6c7538 Binary files /dev/null and b/en/docs/assets/img/develop/map-remote-claim.png differ 
diff --git a/en/docs/assets/img/favicon.png b/en/docs/assets/img/favicon.png new file mode 100644 index 0000000000..a1deab3581 Binary files /dev/null and b/en/docs/assets/img/favicon.png differ diff --git a/en/docs/assets/img/learn/account-pending-state.png b/en/docs/assets/img/learn/account-pending-state.png new file mode 100644 index 0000000000..ae841e1b35 Binary files /dev/null and b/en/docs/assets/img/learn/account-pending-state.png differ diff --git a/en/docs/assets/img/learn/multi-attribute-login/adding-claims-for-multi-attribute-login.png b/en/docs/assets/img/learn/multi-attribute-login/adding-claims-for-multi-attribute-login.png new file mode 100644 index 0000000000..5a15999a12 Binary files /dev/null and b/en/docs/assets/img/learn/multi-attribute-login/adding-claims-for-multi-attribute-login.png differ diff --git a/en/docs/assets/img/learn/multi-attribute-login/adding-regex-pattern-to-claim.png b/en/docs/assets/img/learn/multi-attribute-login/adding-regex-pattern-to-claim.png new file mode 100644 index 0000000000..e045277d54 Binary files /dev/null and b/en/docs/assets/img/learn/multi-attribute-login/adding-regex-pattern-to-claim.png differ diff --git a/en/docs/assets/img/learn/multi-attribute-login/additional-claim-properties.png b/en/docs/assets/img/learn/multi-attribute-login/additional-claim-properties.png new file mode 100644 index 0000000000..c6df3c8764 Binary files /dev/null and b/en/docs/assets/img/learn/multi-attribute-login/additional-claim-properties.png differ diff --git a/en/docs/assets/img/learn/multi-attribute-login/claim-edite-window.png b/en/docs/assets/img/learn/multi-attribute-login/claim-edite-window.png new file mode 100644 index 0000000000..f21aa0e73d Binary files /dev/null and b/en/docs/assets/img/learn/multi-attribute-login/claim-edite-window.png differ 
diff --git a/en/docs/assets/img/learn/multi-attribute-login/login-with-mobile-number.png b/en/docs/assets/img/learn/multi-attribute-login/login-with-mobile-number.png new file mode 100644 index 0000000000..15d1e71216 Binary files /dev/null and b/en/docs/assets/img/learn/multi-attribute-login/login-with-mobile-number.png differ diff --git a/en/docs/assets/img/learn/multi-attribute-login/select-claim-from-list.png b/en/docs/assets/img/learn/multi-attribute-login/select-claim-from-list.png new file mode 100644 index 0000000000..97d93b0af5 Binary files /dev/null and b/en/docs/assets/img/learn/multi-attribute-login/select-claim-from-list.png differ diff --git a/en/docs/assets/img/tutorials/oidc-back-channel-logout-url.png b/en/docs/assets/img/tutorials/oidc-back-channel-logout-url.png new file mode 100644 index 0000000000..f0697a58ed Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-back-channel-logout-url.png differ diff --git a/en/docs/assets/img/tutorials/oidc-backchannel-logout-issuer-name.png b/en/docs/assets/img/tutorials/oidc-backchannel-logout-issuer-name.png new file mode 100644 index 0000000000..7ff7808705 Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-backchannel-logout-issuer-name.png differ diff --git a/en/docs/assets/img/tutorials/oidc-fed-idp-config-in-primary-idp.png b/en/docs/assets/img/tutorials/oidc-fed-idp-config-in-primary-idp.png new file mode 100644 index 0000000000..17a66a3418 Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-fed-idp-config-in-primary-idp.png differ diff --git a/en/docs/assets/img/tutorials/oidc-fed-idp-init-logout-scenario.png b/en/docs/assets/img/tutorials/oidc-fed-idp-init-logout-scenario.png new file mode 100644 index 0000000000..1ca4a9fe37 Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-fed-idp-init-logout-scenario.png differ 
diff --git a/en/docs/assets/img/tutorials/oidc-federated-idp-config.png b/en/docs/assets/img/tutorials/oidc-federated-idp-config.png new file mode 100644 index 0000000000..dd1df2aae5 Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-federated-idp-config.png differ diff --git a/en/docs/assets/img/tutorials/oidc-primary-idp-certificate-config.png b/en/docs/assets/img/tutorials/oidc-primary-idp-certificate-config.png new file mode 100644 index 0000000000..abb818ad1d Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-primary-idp-certificate-config.png differ diff --git a/en/docs/assets/img/tutorials/oidc-primary-idp-jwks-uri-config.png b/en/docs/assets/img/tutorials/oidc-primary-idp-jwks-uri-config.png new file mode 100644 index 0000000000..c70341194e Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-primary-idp-jwks-uri-config.png differ diff --git a/en/docs/assets/img/tutorials/oidc-service-provider-federated-authentication.png b/en/docs/assets/img/tutorials/oidc-service-provider-federated-authentication.png new file mode 100644 index 0000000000..2b8f8534bd Binary files /dev/null and b/en/docs/assets/img/tutorials/oidc-service-provider-federated-authentication.png differ diff --git a/en/docs/assets/img/tutorials/sms-otp/add-mobile-number-regex-pattern.png b/en/docs/assets/img/tutorials/sms-otp/add-mobile-number-regex-pattern.png new file mode 100644 index 0000000000..02da71a41a Binary files /dev/null and b/en/docs/assets/img/tutorials/sms-otp/add-mobile-number-regex-pattern.png differ diff --git a/en/docs/assets/img/tutorials/sms-otp/add-regex-violation-error-message.png b/en/docs/assets/img/tutorials/sms-otp/add-regex-violation-error-message.png new file mode 100644 index 0000000000..24ce504e2c Binary files /dev/null and b/en/docs/assets/img/tutorials/sms-otp/add-regex-violation-error-message.png differ 
diff --git a/en/docs/assets/img/using-wso2-identity-server/device-code-enter.jpg b/en/docs/assets/img/using-wso2-identity-server/device-code-enter.jpg index f819abb052..7ce4d629dc 100644 Binary files a/en/docs/assets/img/using-wso2-identity-server/device-code-enter.jpg and b/en/docs/assets/img/using-wso2-identity-server/device-code-enter.jpg differ diff --git a/en/docs/assets/img/using-wso2-identity-server/device-scopes.jpg b/en/docs/assets/img/using-wso2-identity-server/device-scopes.jpg index e92df987bd..b17e98ba42 100644 Binary files a/en/docs/assets/img/using-wso2-identity-server/device-scopes.jpg and b/en/docs/assets/img/using-wso2-identity-server/device-scopes.jpg differ diff --git a/en/docs/assets/img/using-wso2-identity-server/device-username-password.jpg b/en/docs/assets/img/using-wso2-identity-server/device-username-password.jpg index 384f47c32a..b133b6e906 100644 Binary files a/en/docs/assets/img/using-wso2-identity-server/device-username-password.jpg and b/en/docs/assets/img/using-wso2-identity-server/device-username-password.jpg differ diff --git a/en/docs/assets/img/using-wso2-identity-server/federated-authentication-diagram.png b/en/docs/assets/img/using-wso2-identity-server/federated-authentication-diagram.png new file mode 100644 index 0000000000..df5cb08dba Binary files /dev/null and b/en/docs/assets/img/using-wso2-identity-server/federated-authentication-diagram.png differ diff --git a/en/docs/assets/img/using-wso2-identity-server/federated-authenticator.png b/en/docs/assets/img/using-wso2-identity-server/federated-authenticator.png new file mode 100644 index 0000000000..c789a32aec Binary files /dev/null and b/en/docs/assets/img/using-wso2-identity-server/federated-authenticator.png differ 
diff --git a/en/docs/assets/img/using-wso2-identity-server/partner-identity-provider.png b/en/docs/assets/img/using-wso2-identity-server/partner-identity-provider.png new file mode 100644 index 0000000000..eebe7a5ae5 Binary files /dev/null and b/en/docs/assets/img/using-wso2-identity-server/partner-identity-provider.png differ diff --git a/en/docs/assets/img/using-wso2-identity-server/partner-idp-config.png b/en/docs/assets/img/using-wso2-identity-server/partner-idp-config.png new file mode 100644 index 0000000000..8f51094ef5 Binary files /dev/null and b/en/docs/assets/img/using-wso2-identity-server/partner-idp-config.png differ diff --git a/en/docs/assets/js/theme.js b/en/docs/assets/js/theme.js index 345b4eb028..ecf98495e3 100644 --- a/en/docs/assets/js/theme.js +++ b/en/docs/assets/js/theme.js @@ -97,7 +97,7 @@ request.onload = function() { * Appending versions to the version selector dropdown */ if (dropdown){ - data.list.sort().forEach(function(key, index){ + data.list.forEach(function(key, index){ var versionData = data.all[key]; if(versionData) { diff --git a/en/docs/develop/adding-scim2-custom-user-schema-support.md b/en/docs/develop/adding-scim2-custom-user-schema-support.md new file mode 100644 index 0000000000..48a6ab3558 --- /dev/null +++ b/en/docs/develop/adding-scim2-custom-user-schema-support.md 
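Review bot: in the theme.js hunk, dropping `.sort()` means the version selector now renders `data.list` in whatever order the versions file supplies it, which is correct only if that file is kept in the intended display order; a plain `.sort()` would in any case have compared version strings lexically rather than numerically. Add a one-line comment above `data.list.forEach(function(key, index){` stating that the list is expected to be pre-ordered (or sort with a version-aware comparator), so the next editor does not reinstate the lexical sort.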
@@ -0,0 +1,529 @@ +# Adding SCIM2 Custom User Schema Support + +WSO2 Identity Server allows adding custom attributes into user objects through [Enterprise User Extension](../../develop/extending-scim2-user-schemas). From 5.12.0 onwards, +you can use this custom schema to add custom attributes of the user. + +!!! Note + **Reasons why we introduced custom schema to add custom attributes:** + 1. According to the current model, Enterprise User Extension attributes are in a file and those configurations are applicable in the server level. + 2. Enterprise User Extension is a defined schema and it should not be allowed to be modified. + +!!! Note + SCIM2 Custom User Schema Support is added by default in WSO2 Identity Server + version 5.12.0 onwards. + +## Add custom schema dialect + +1. Log in to Management console as admin/admin credentials +2. Add the custom schema dialect if it is not found + - Click **Add** under **Main** > **Identity** > **Claims**. + - Click **Add Claim Dialect** . + - Add the **urn:scim:custom:schema** claim dialect. + + ![add-scim-custom-schema-dialect](../assets/img/develop/add-custom-schema-dialect.png) + + - Click **Add**. + +## How to add claims to support simple attributes. + +### Add custom local claim + +1. Click **Add** under **Main** > **Identity** > **Claims**. +2. Click **Add Local Claim** and enter the following values.  + - **Claim URI**: http://wso2.org/claims/customclaim + - **Display Name**: Custom Claim + - **Description**: Custom Claim + - **Mapped Attribute(s**): + - **User Store Domain Name**: PRIMARY + - **Mapped Attribute**: customClaim + - **Supported By Default**: True + + ![add-scim-local-custom-claim](../assets/img/develop/add-custom-local-claim.png) + + If you want to add any additional properties for the scim attribute, you can add it using **Additional Properties** + in the claim configuration. + + The following additional properties can be added to the custom schema via **Additional Properties** element. 
+ + - dataType + - multiValued + - required + - caseExact + - mutability + - returned + - uniqueness + - subAttributes + - referenceTypes + + Eg: dataType: boolean + + +!!! note + + - You can use the word `customClaim` or any other preferred word as the **Mapped Attribute** when using a JDBC userstore because JDBC userstores will automatically create a new attribute if it does not already exist in the userstore. However, If you are using LDAP or Active Directory, you will have to use an attribute that exists in the userstore already. + + - The configuration above is valid when using the PRIMARY userstore. If you have a secondary userstore configured, make sure to add another attribute mapping by clicking **Add Attribute Mapping** and select the secondary userstore as well. + +### Map the custom claim + +1. Click **Add** under **Main** > **Identity** > **Claims**. + +2. Click **Add External Claim** and enter the following values. + - **Dialect URI**: urn:scim:custom:schema + - **External Claim URI**: urn:scim:custom:schema:customClaim + - **Mapped Local Claim**:http://wso2.org/claims/customclaim + + ![add-scim-external-claim](../assets/img/develop/map-remote-claim.png) + +3. Click **Add**. + +### Try it out + +1. Click **Add** under **Main** > **Identity** > **Users and Roles**. + +2. Click **Add New User** and give the user a username and password.  + +3. Click **List** under **Users and Roles** and then go to the **User Profile** of the user you just created.  + +4. Add a value for the **Custom Claim** field and click **Save**.  + +5. Retrieve the user using SCIM and ensure that the custom claim value is present.  
+ + ```bash tab="SCIM Request" + curl -v -k --user admin:admin https://localhost:9443/scim2/Users + ``` + + ``` bash tab="SCIM Response" + { + "totalResults": 2, + "startIndex": 1, + "itemsPerPage": 2, + "schemas": [ + "urn:ietf:params:scim:api:messages:2.0:ListResponse" + ], + "Resources": [ + { + "emails": [ + "user1@gmail.com" + ], + "urn:scim:custom:schema": { + "customClaim": "custom" + }, + "meta": { + "created": "2021-05-13T13:45:29.026Z", + "location": "https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431", + "lastModified": "2021-05-21T05:58:08.044Z", + "resourceType": "User" + }, + "roles": [ + { + "display": "everyone", + "value": "1457e626-df8a-4421-a16e-a191d8e310d3", + "$ref": "https://localhost:9443/scim2/Roles/1457e626-df8a-4421-a16e-a191d8e310d3" + } + ], + "name": { + "givenName": "kim", + "familyName": "jackson" + }, + "id": "f92dff10-8142-415c-aac7-30bd3d250431", + "userName": "user1", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "accountLocked": false, + "country": "France", + "failedLoginLockoutCount": 0, + "unlockTime": "0", + "failedLoginAttemptsBeforeSuccess": 1, + "failedLoginAttempts": 0 + } + }, + { + "emails": [ + "admin@wso2.com" + ], + "meta": { + "location": "https://localhost:9443/scim2/Users/fc4ffb25-ad0a-4d43-bf4a-d914f4ced339", + "lastModified": "2021-04-28T13:47:05.314Z", + "resourceType": "User" + }, + "roles": [ + { + "display": "admin", + "value": "88fd66e8-ae44-4bee-91f8-2d49f9ce7aba", + "$ref": "https://localhost:9443/scim2/Roles/88fd66e8-ae44-4bee-91f8-2d49f9ce7aba" + }, + { + "display": "everyone", + "value": "1457e626-df8a-4421-a16e-a191d8e310d3", + "$ref": "https://localhost:9443/scim2/Roles/1457e626-df8a-4421-a16e-a191d8e310d3" + } + ], + "name": { + "givenName": "admin", + "familyName": "admin" + }, + "id": "fc4ffb25-ad0a-4d43-bf4a-d914f4ced339", + "userName": "admin" + } + ] + } + ``` + +You can also try out updating the Custom Claim value using the following SCIM command and 
checking if the value is +updated by accessing the user profile on the management console.  + +```curl + curl --location --request PATCH 'https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431' \ + --header 'Authorization: Basic YWRtaW46YWRtaW4=' \ + --header 'Content-Type: application/json' \ + --data-raw '{ + "schemas": [ + "urn:ietf:params:scim:api:messages:2.0:PatchOp" + ], + "Operations": [ + { + "op": "replace", + "value": { + "urn:scim:custom:schema": { + "customClaim": "new value" + } + } + } + ] + }' +``` + +## How to add claims to support complex attributes. + +Let's see if we have a **manager** complex attribute and it has **displayName** and **emailAddress** as the subattributes. + + +### Create claim mappings for Manager-Display claim + +**Add local claim for displayname attribute** +1. Click **Add** under **Claims**. +2. Click **Add Local Claim** and enter the following values.  + - **Claim URI**: http://wso2.org/claims/manager.displayname + - **Display Name**: Manager displayname + - **Description**: Manager displayname + - **Mapped Attribute(s**): + - **User Store Domain Name**: PRIMARY + - **Mapped Attribute**: manager.displayname + - **Supported By Default**: True + + ![add-scim-local-custom-claim](../assets/img/develop/add-manager-displayname-local-claim.png) + + If you want to add any additional properties for the scim attribute, you can add it using **Additional Properties** + in the claim configuration. + +**Map to remote claim** + +1. Click **Add** under **Main** > **Identity** > **Claims**. + +2. Click **Add External Claim** and enter the following values. + - **Dialect URI**: urn:scim:custom:schema + - **External Claim URI**: urn:scim:custom:schema:manager.displayName + - **Mapped Local Claim**:http://wso2.org/claims/manager.displayName + + ![add-scim-external-claim](../assets/img/develop/add-manager-displayname-remote-claim.png) + +3. Click **Add**. 
+ +### Create claim mappings for Manager-Email address claim + +**Add local claim for emailaddress attribute** +1. Click **Add** under **Main** > **Identity** > **Claims**. +2. Click **Add Local Claim** and enter the following values.  + - **Claim URI**: http://wso2.org/claims/manager.emailaddress + - **Display Name**: Manager Emailaddress + - **Description**: Manager Emailaddress + - **Mapped Attribute(s**): + - **User Store Domain Name**: PRIMARY + - **Mapped Attribute**: manager.emailaddress + - **Supported By Default**: True + + ![add-scim-local-custom-claim](../assets/img/develop/add-manager-emailaddress-localclaim.png) + + If you want to add any additional properties for the scim attribute, you can add it using **Additional Properties** + in the claim configuration. + +**Map to remote claim** + +1. Click **Add** under **Main** > **Identity** > **Claims**. + +2. Click **Add External Claim** and enter the following values. + - **Dialect URI**: urn:scim:custom:schema + - **External Claim URI**: urn:scim:custom:schema:manager.emailaddress + - **Mapped Local Claim**:http://wso2.org/claims/manager.emailaddress + + ![add-scim-external-claim](../assets/img/develop/add-manager-email-remote-claim.png) + +3. Click **Add**. + + +### Create claim mappings for Manager claim + +**Add local claim for manager attribute** +1. Click **Add** under **Claims**. +2. Click **Add Local Claim** and enter the following values.  + - **Claim URI**: http://wso2.org/claims/manager + - **Display Name**: Manager + - **Description**: Manager + - **Mapped Attribute(s**): + - **User Store Domain Name**: PRIMARY + - **Mapped Attribute**: manager + - **Supported By Default**: false + - **Additional properties**: + - dataType : complex + - subattributes: http://wso2.org/claims/manager.emailaddress http://wso2.org/claims/manager.displayName + + ![add-scim-local-custom-claim](../assets/img/develop/add-manager-local-claim.png) + +**Map to remote claim** + +1. 
Click **Add** under **Main** > **Identity** > **Claims**. + +2. Click **Add External Claim** and enter the following values. + - **Dialect URI**: urn:scim:custom:schema + - **External Claim URI**: urn:scim:custom:schema:manager + - **Mapped Local Claim**:http://wso2.org/claims/manager + + ![add-scim-external-claim](../assets/img/develop/add-manager-remote-claim.png) + +3. Click **Add**. + + +### Try it out + +1. Click **Add** under **Main** > **Identity** > **Users and Roles**. + +2. Click **List** under **Users and Roles** and then go to the **User Profile** of the user you created earlier.  + +3. Add a value for the **Manager Emailaddress** field and click **Save**.  + +4. Add a value for the **Manager Emailaddress** field and click **Save**.  + +5. Retrieve the user using SCIM and ensure that the manager claim is present.  + + + ```bash tab="SCIM Request" + curl -v -k --user admin:admin https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431 + ``` + +The response will be as follows: + ``` bash tab="SCIM Response" +{ + "emails": [ + "user1@gmail.com" + ], + "urn:scim:custom:schema": { + "manager": { + "displayName": "manager_displayname", + "emailaddress": "manager_email@wso2.com" + }, + "customClaim": "new value" + }, + "meta": { + "created": "2021-05-13T13:45:29.026Z", + "location": "https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431", + "lastModified": "2021-05-21T07:05:08.286Z", + "resourceType": "User" + }, + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:User", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", + "urn:scim:custom:schema" + ], + "roles": [ + { + "display": "everyone", + "value": "1457e626-df8a-4421-a16e-a191d8e310d3", + "$ref": "https://localhost:9443/scim2/Roles/1457e626-df8a-4421-a16e-a191d8e310d3" + } + ], + "name": { + "givenName": "kim", + "familyName": "jackson" + }, + "id": "f92dff10-8142-415c-aac7-30bd3d250431", + "userName": "user1", + 
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "accountLocked": false, + "country": "France", + "failedLoginLockoutCount": 0, + "unlockTime": "0", + "failedLoginAttemptsBeforeSuccess": 1, + "failedLoginAttempts": 0 + } +} +``` +You can also try out updating the `manager.displayName` and `manager.emailaddress` claim values using the following SCIM +command and checking if the value is updated by accessing the user profile on the management console.  + +```curl + curl --location --request PATCH 'https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431' \ + --header 'Authorization: Basic YWRtaW46YWRtaW4=' \ + --header 'Content-Type: application/json' \ + --data-raw '{ + "schemas": [ + "urn:ietf:params:scim:api:messages:2.0:PatchOp" + ], + "Operations": [ + { + "op": "replace", + "value": { + "urn:scim:custom:schema": { + "manager":{ + "displayName": "new_manager_displayname", + "emailaddress": "new_manager_email@wso2.com" + } + } + } + } + ] + }' +``` + +## How to add claims to support multivalued simple attributes. + +Let's see when we have a **deviceNames** simple multivalued attribute. + +### Create claim mappings. + +Let's see if we have a **deviceNames** simple multivalued attribute. + +**Add local claim for deviceNames** +1. Click **Add** under **Claims**. +2. Click **Add Local Claim** and enter the following values.  + - **Claim URI**: http://wso2.org/claims/deviceNames + - **Display Name**: DeviceNames + - **Description**: DeviceNames + - **Mapped Attribute(s**): + - **User Store Domain Name**: PRIMARY + - **Mapped Attribute**: deviceNames + - **Supported By Default**: true + - **Additional properties**: + - multivalued : true + + ![add-scim-local-custom-claim](../assets/img/develop/add-local-claim-device-names.png) + +**Map to remote claim** + +1. Click **Add** under **Main** > **Identity** > **Claims**. + +2. Click **Add External Claim** and enter the following values. 
+ - **Dialect URI**: urn:scim:custom:schema + - **External Claim URI**: urn:scim:custom:schema:deviceNames + - **Mapped Local Claim**:http://wso2.org/claims/deviceNames + + ![add-scim-external-claim](../assets/img/develop/add-remote-claim-device-names.png) + + +3. Click **Add**. + +### Try it out + +1. Click **List** under **Main** > **Identity** > **Users and Roles** and then go to the **User Profile** of the user you created earlier.  + +2. Add a value (Eg: device1,device2,device3) for the **Device Names** field and click **Save**.  + +3. Retrieve the user using SCIM and ensure that the `deviceNames` claim is present.  + + + ```bash tab="SCIM Request" + curl -v -k --user admin:admin https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431 + ``` + +The response will be as follows: + ``` bash tab="SCIM Response" +{ + { + "emails": [ + "user1@gmail.com" + ], + "urn:scim:custom:schema": { + "deviceNames": [ + "device1", + "device2", + "device3" + ], + "manager": { + "displayName": "new_manager_displayname", + "emailaddress": "new_manager_email@wso2.com" + }, + "customClaim": "new value" + }, + "meta": { + "created": "2021-05-13T13:45:29.026Z", + "location": "https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431", + "lastModified": "2021-05-21T08:10:12.639Z", + "resourceType": "User" + }, + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:User", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", + "urn:scim:custom:schema" + ], + "roles": [ + { + "display": "everyone", + "value": "1457e626-df8a-4421-a16e-a191d8e310d3", + "$ref": "https://localhost:9443/scim2/Roles/1457e626-df8a-4421-a16e-a191d8e310d3" + } + ], + "name": { + "givenName": "kim", + "familyName": "jackson" + }, + "id": "f92dff10-8142-415c-aac7-30bd3d250431", + "userName": "user1", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "accountLocked": false, + "country": "France", + "failedLoginLockoutCount": 0, + "unlockTime": "0", + 
"failedLoginAttemptsBeforeSuccess": 1, + "failedLoginAttempts": 0 + } + } +``` +You can also try out updating the deviceNames claim values using the following SCIM +command and checking if the value is updated by accessing the user profile on the management console.  + +```curl + curl --location --request PATCH 'https://localhost:9443/scim2/Users/f92dff10-8142-415c-aac7-30bd3d250431' \ + --header 'Authorization: Basic YWRtaW46YWRtaW4=' \ + --header 'Content-Type: application/json' \ + --data-raw '{ + "schemas": [ + "urn:ietf:params:scim:api:messages:2.0:PatchOp" + ], + "Operations": [ + { + "op": "replace", + "value": { + "urn:scim:custom:schema": { + "deviceNames":["new_device1", "new_device2"] + } + } + } + ] + }' +``` + +!!! note + + - If you want to disable this schema, you can add the configuration give below in the + `/repository/conf/identity/charon-config.xml` file. + + ``` + false + ``` + + - If you want to chage the name of the schema, you can add the configuration give below to the + `/repository/conf/identity/charon-config.xml` file. + + ``` + urn:scim:custom:schema:new + ``` + \ No newline at end of file diff --git a/en/docs/develop/authenticating-and-authorizing-rest-apis.md b/en/docs/develop/authenticating-and-authorizing-rest-apis.md index 434dc8b76a..f44305adcf 100644 --- a/en/docs/develop/authenticating-and-authorizing-rest-apis.md +++ b/en/docs/develop/authenticating-and-authorizing-rest-apis.md @@ -8,7 +8,8 @@ The requests that are sent via REST APIs are intercepted by tomcat valves and au ## REST API authentication -WSO2 Identity Server supports three ways of API authentication: +WSO2 Identity Server supports three ways of API authentication: + - Basic authentication: Uses the user’s credentials in the API invocation - OAuth 2 common flows: Obtains a token using an oauth2 flow and uses it to invoke the API - Client certificate-based: Uses Mutual SSL to authenticate in order to consume the APIs 
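Review bot: the two `charon-config.xml` snippets in the closing note of adding-scim2-custom-user-schema-support.md contain only the values `false` and `urn:scim:custom:schema:new` with no surrounding XML element, so a reader cannot tell which property to set; include the complete element for each. Several other places in the same file need attention before merge: the deviceNames `SCIM Response` block opens with `{ {`, which is not valid JSON (the earlier responses are single objects); steps 3 and 4 of the Manager "Try it out" both say to fill the **Manager Emailaddress** field, so one of them should be **Manager displayname**; the display-name local claim is created as `http://wso2.org/claims/manager.displayname` but mapped and listed under `subattributes` as `http://wso2.org/claims/manager.displayName`, and the property list spells that property `subAttributes`, so pick one spelling and casing and use it throughout; `**Mapped Attribute(s**):` places the closing `**` inside the parenthesis; the section headings end with a full stop; `chage` and `give below` (twice) are typos; the PATCH examples are fenced with a `curl` language tag that highlighters do not recognise, so tag them `bash` like the GET examples; and step 1 reads "Log in to Management console as admin/admin credentials", which should read "Log in to the Management Console with administrator credentials" rather than presenting the default credentials as the ones to use.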
diff --git a/en/docs/develop/authentication-data-api.md b/en/docs/develop/authentication-data-api.md index f24cb32d14..1e1f8632c4 100644 --- a/en/docs/develop/authentication-data-api.md +++ b/en/docs/develop/authentication-data-api.md @@ -28,7 +28,7 @@ need to configure the Identity Server as follows. [authentication.endpoint.redirect_params] filter_policy = "include" remove_on_consume_from_api = "true" - parameters = [sessionDataKey] + parameters = ["sessionDataKey"] ``` diff --git a/en/docs/develop/authorized-apps-v2-rest-api.md b/en/docs/develop/authorized-apps-v2-rest-api.md index cc998f87db..239e6877ab 100644 --- a/en/docs/develop/authorized-apps-v2-rest-api.md +++ b/en/docs/develop/authorized-apps-v2-rest-api.md @@ -39,4 +39,4 @@ window.onload = function() { } -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/112cf1de37658c1b09d5) +[![Run in Postman](https://run.pstmn.io/button.svg)](https://www.getpostman.com/collections/e40709cf91ef563f6dac) diff --git a/en/docs/develop/customizing-error-pages.md b/en/docs/develop/customizing-error-pages.md index 4ed16bb60f..8b158a9e5f 100644 --- a/en/docs/develop/customizing-error-pages.md +++ b/en/docs/develop/customizing-error-pages.md @@ -53,7 +53,7 @@ given below. ``` 5. Add the `new_ error_404.html` file inside the - ` /src/main/web ` directory. + ` /src/main/resources/web ` directory. 6. Add the following property below the ` ` element in the ` /pom.xml` file: diff --git a/en/docs/develop/customizing-the-authentication-endpoint.md b/en/docs/develop/customizing-the-authentication-endpoint.md index 5ac4d48d09..1f7d8ca683 100644 --- a/en/docs/develop/customizing-the-authentication-endpoint.md +++ b/en/docs/develop/customizing-the-authentication-endpoint.md 
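Review bot: in authorized-apps-v2-rest-api.md the "Run in Postman" button now links to a raw collection URL (`https://www.getpostman.com/collections/e40709cf91ef563f6dac`), while the idp-rest-api.md hunk in this same change keeps the `https://app.getpostman.com/run-collection/...` deep-link form behind the identical button; one form opens the Postman import dialog and the other serves the collection itself, so use the same form in both files.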
@@ -355,7 +355,7 @@ below steps: - Following are two sample values for Name and value: - Name : USER_PORTAL - - Value : https://localhost:9443/user-portal/overview + - Value : https://localhost:9443/myaccount/overview - If you are using travelocity as the sample app, you can use the below values: - Name : travelocity.com diff --git a/en/docs/develop/enable-email-account-verification-for-an-updated-email-address.md b/en/docs/develop/enable-email-account-verification-for-an-updated-email-address.md index f501931530..8c49dc6432 100644 --- a/en/docs/develop/enable-email-account-verification-for-an-updated-email-address.md +++ b/en/docs/develop/enable-email-account-verification-for-an-updated-email-address.md @@ -83,4 +83,4 @@ HTTP/1.1 201 Created ``` !!! info "Related Topics" - See [Using the SCIM 2.0 Rest APIs](../../develop/using-the-scim-2.0-rest-apis) for instructions on using SCIM 2.0 REST APIs. + See [Using the SCIM 2.0 Rest APIs](../../develop/scim2-rest-apis) for instructions on using SCIM 2.0 REST APIs. diff --git a/en/docs/develop/enable-verification-for-updated-mobile-number.md b/en/docs/develop/enable-verification-for-updated-mobile-number.md index 8df74bde8a..c1222db4e3 100644 --- a/en/docs/develop/enable-verification-for-updated-mobile-number.md +++ b/en/docs/develop/enable-verification-for-updated-mobile-number.md 
@@ -8,7 +8,9 @@ When a user updates their mobile number in the user profile, an SMS OTP is sent - This feature can be invoked via a PUT/PATCH request to the SCIM 2.0 /Users endpoint or /Me endpoint. - The verification on update capability is **only** supported for the http://wso2.org/claims/mobile claim. - An SMS OTP verification is not triggered if the mobile number to be updated is the same as the previously verified mobile number of the user. - - Sending the SMS OTP verification is skipped when updating the mobile number as long as the `verifyMobile` claim is not set to true. + - Sending the SMS OTP verification is skipped in the following instances: + 1. The `verifyMobile` claim is not set to true in the SCIM 2.0 request. + 2. The claim update is invoked by a user other than the claim owner. - This feature only manages the verification flow internally. External verification capability is not offered. ## Step 01 - Add an event publisher to send SMS @@ -25,7 +27,7 @@ When a user updates their mobile number in the user profile, an SMS OTP is sent {"api_key"="4c9374", "api_secret"="FtqyPggE93", "from"="NEXMO", - "to"={{mobile}}, + "to"={{send-to}}, "text"={{body}} } @@ -79,8 +81,9 @@ curl -v -k --user [username]:[password] -X PATCH -d '{"schemas":[],"Operations": **Sample Request** ```curl -curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"], -"Operations":[{"op":"replace","value":{"phoneNumbers":[{"type":"mobile","value":"0123456789"}]}}]}' +curl -v -k --user bob123:pass123 -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"], +"Operations":[{"op":"replace","value":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"verifyMobile": "true"}, +"phoneNumbers":[{"type":"mobile","value":"0123456789"}]}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users/1e624046-520c-4628-a245-091e04b03f21 ``` 
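Review bot: the new bullet 2 in enable-verification-for-updated-mobile-number.md ("The claim update is invoked by a user other than the claim owner") changes the security semantics and deserves a sentence of explanation: an administrator updating another user's mobile number now stores it without OTP verification, so operators who rely on the verified state of `http://wso2.org/claims/mobile` need to know that admin-set values are unverified. In the same file, the updated sample request sends `"verifyMobile": "true"` as a JSON string while the bullet above says the claim must be "set to true"; state which form the endpoint accepts (string, boolean or both), since a mismatch silently skips the verification. Also confirm that `{{send-to}}` is the placeholder name used by the SMS publisher documentation elsewhere, as the rename from `{{mobile}}` is not explained in the change.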
@@ -144,7 +147,7 @@ curl -k -v -X POST -H "Authorization: " -H "Con **Sample Request** ```curl -curl -k -v -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{ "code": "123ABC","properties": []}' +curl -k -v -X POST -H "Authorization: Basic Ym9iMTIzOnBhc3MxMjM=" -H "Content-Type: application/json" -d '{ "code": "123ABC","properties": []}' "https://localhost:9443/api/identity/user/v1.0/me/validate-code" ``` @@ -175,7 +178,7 @@ The verification scenario should be specified in the properties parameter of the **Sample Request** ```curl -curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"properties": [{"key":"RecoveryScenario","value": "MOBILE_VERIFICATION_ON_UPDATE"}]}' +curl -X POST -H "Authorization: Basic Ym9iMTIzOnBhc3MxMjM=" -H "Content-Type: application/json" -d '{"properties": [{"key":"RecoveryScenario","value": "MOBILE_VERIFICATION_ON_UPDATE"}]}' "https://localhost:9443/api/identity/user/v1.0/me/resend-code" ``` diff --git a/en/docs/develop/extending-the-identity-server.md b/en/docs/develop/extending-the-identity-server.md index 436165ff9f..1df6e2d8b6 100644 --- a/en/docs/develop/extending-the-identity-server.md +++ b/en/docs/develop/extending-the-identity-server.md 
@@ -14,6 +14,7 @@ This section is a guide on the commonly used extension points in WSO2 Identity S - [Error Codes and Descriptions](../../develop/error-codes-and-descriptions) - [Supporting Email Account Verification for an Updated Email Address](../../develop/supporting-email-account-verification-for-an-updated-email-address) - [Extending SCIM 2.0 User Schemas](../../develop/extending-scim2-user-schemas) +- [Adding SCIM2 Custom User Schema Support](../../develop/adding-scim2-custom-user-schema-support) - [Writing an Outbound Provisioning Connector](../../develop/writing-an-outbound-provisioning-connector) - [Extensible SCIM User Schemas With WSO2 Identity Server](../../develop/extensible-scim-user-schemas-with-wso2-identity-server) - [Writing a Custom Federated Authenticator](../../develop/writing-a-custom-federated-authenticator) diff --git a/en/docs/develop/hosting-authentication-endpoint-on-a-different-server.md b/en/docs/develop/hosting-authentication-endpoint-on-a-different-server.md index cb18479a37..0a28757967 100644 --- a/en/docs/develop/hosting-authentication-endpoint-on-a-different-server.md +++ b/en/docs/develop/hosting-authentication-endpoint-on-a-different-server.md @@ -193,7 +193,7 @@ This is an additional improvement which enables hosting `accountrecoveryendpoin identity_server_service_url="https://$ref{server.hostname}:9443/services" ``` -2. Uncomment and change the user portal reference in `/accountrecoveryendpoint/WEB-INF/web.xml`. +2. Uncomment and change the my account reference in `/accountrecoveryendpoint/WEB-INF/web.xml`. ``` xml @@ -410,7 +410,7 @@ This is an additional improvement which enables hosting `accountrecoveryendpoin … ``` -13. Uncomment and change the user portal reference in the `/accountrecoveryendpoint/WEB-INF/web.xml` file. +13. Uncomment and change the my account reference in the `/accountrecoveryendpoint/WEB-INF/web.xml` file. ``` xml … 
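Review bot: the two "user portal" to "my account" replacements in hosting-authentication-endpoint-on-a-different-server.md leave the product name in lower case ("the my account reference"), which reads as a grammatical error; write it as the proper noun, e.g. "the My Account reference". The same applies to "Type the my account URL" in the localization-support-in-identity-server.md hunk of this change.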
diff --git a/en/docs/develop/identity-governance-rest-api.md b/en/docs/develop/identity-governance-rest-api.md index a27b552c4f..7c9433bc17 100644 --- a/en/docs/develop/identity-governance-rest-api.md +++ b/en/docs/develop/identity-governance-rest-api.md @@ -81,7 +81,7 @@ and properties of connectors as mentioned below.
| Enable Internal Notification Management | Recovery.Notification.InternallyManage | Set to false if the client application handles notification sending | | Notify when Recovery Success | Recovery.NotifySuccess | | | Notify when Questions Based Recovery Starts | Recovery.Question.Password.NotifyStart | | - | Recovery Link Expiry Time | Recovery.ExpiryTime | | + | Recovery Link Expiry Time in Minutes | Recovery.ExpiryTime | | | Enable forced challenge questions | Recovery.Question.Password.Forced.Enable | Force users to provide answers to challenge questions during sign in | | Recovery callback URL regex | Recovery.CallbackRegex | | diff --git a/en/docs/develop/idp-rest-api.md b/en/docs/develop/idp-rest-api.md index 795418350f..2b2ad9adbd 100644 --- a/en/docs/develop/idp-rest-api.md +++ b/en/docs/develop/idp-rest-api.md @@ -36,4 +36,4 @@ window.onload = function() { } -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/88672dbc6afe81e8c5d2) \ No newline at end of file +[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/e90892712c661d031b29) diff --git a/en/docs/develop/idp-session-extender-endpoint.md b/en/docs/develop/idp-session-extender-endpoint.md new file mode 100644 index 0000000000..ef184d5ac5 --- /dev/null +++ b/en/docs/develop/idp-session-extender-endpoint.md 
@@ -0,0 +1,55 @@ +# Identity Provider Session Extending API + +!!! info + To access this API, use the following endpoint URL. + ``` + https://:/t//identity/extend-session + ``` + +This API can be used to extend the user's session at the identity provider. To identify the session that + needs to be extended, this API requires one of the following. + +1. **Session identifier as a request parameter:** This can be obtained from the ID token. +2. **Session identifier cookie:** This is the `commonAuthId` cookie. + +!!! info + Currently, the session identifier value can only be obtained via OIDC flows that have sessions involved. + +### Extracting the session identifier value + +If the above config has been enabled, the session identifier can be extracted from the ID token. +To do this, decode the ID token and read the value of the claim `isk`, which is the identifier of the session. + +### Supported requests + +##### Sending session identifier as a request parameter + +```java +curl --location --request GET 'https://:/t//identity/extend-session?idpSessionKey=' +``` + +Replace the `` with the `isk` value obtained from the ID token. This method is ideal + in cases where the use of third party cookies has been blocked. + +##### Sending session identifier as a cookie + +```java +curl --location --request GET 'https://:/t//identity/extend-session' \ +--header 'Cookie: ' +``` + +In this case, replace the `` with the `commonAuthId` cookie. + +### API responses + +If session extension has been successful, a `200 OK` response will be returned. + +If session extension has failed, the response could be one of the following. 
+ +| Response status code | Error code | Description | +|-----------------------|--------------|--------------------------------------------------| +| 500 | ISE-65001 | Unexpected server error | +| 400 | ISE-60001 | Invalid request | +| 400 | ISE-60002 | Session Key param value invalid | +| 400 | ISE-60003 | Session cookie invalid | +| 400 | ISE-60004 | Session not available/already expired | \ No newline at end of file diff --git a/en/docs/develop/localization-support-in-identity-server.md b/en/docs/develop/localization-support-in-identity-server.md index 73a33c9e0a..f489f52dcd 100644 --- a/en/docs/develop/localization-support-in-identity-server.md +++ b/en/docs/develop/localization-support-in-identity-server.md @@ -35,9 +35,9 @@ directory). The following steps describe how you can configure this: 6. Restart the server. To try out, do the following: 1. Open up a browser. - 2. Type the user portal URL. (If you are running the server in your + 2. Type the my account URL. (If you are running the server in your localhost, the URL is: - ` https://localhost:9443/user-portal/ ` + ` https://localhost:9443/myaccount ` ). You will see the login screen having the contents in the configured language. diff --git a/en/docs/develop/managing-users-and-roles-with-apis.md b/en/docs/develop/managing-users-and-roles-with-apis.md index 468fb29cb8..c44d80189d 100644 --- a/en/docs/develop/managing-users-and-roles-with-apis.md +++ b/en/docs/develop/managing-users-and-roles-with-apis.md @@ -6,7 +6,7 @@ WSO2 Identity Server and is recommended for user store management. For more information on using the SCIM 2.0 REST APIs instead of the SOAP service given below, see [Using the SCIM 2.0 REST - APIs](../../develop/using-the-scim-2.0-rest-apis). + APIs](../../develop/scim2-rest-apis). This section guides you through invoking and working with the 
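Review bot: In the idp-session-extender-endpoint.md hunk, "If the above config has been enabled" under "Extracting the session identifier value" refers to a configuration that is never named; the only preceding note says the identifier is available via OIDC flows that involve sessions. Name the setting that makes the `isk` claim appear in the ID token, or drop the sentence. Because the request-parameter form takes nothing but the `isk` value from the ID token, the page should also state what authentication, if any, the endpoint requires and who is expected to call it, so administrators can judge who is able to keep an IdP session alive; the `200 OK` / error-code table does not answer that. Smaller fixes in the same hunk: the placeholders in the endpoint URL and in "Replace the `` with the `isk` value" / "replace the `` with the `commonAuthId` cookie" render empty, so the angle-bracket placeholders need escaping or a code span of their own; the two curl snippets are fenced as ```java although they are shell commands, so tag them bash; and the heading levels jump from `###` to `#####`.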
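Review bot: In the localization-support-in-identity-server.md hunk, "Type the my account URL" should read "Type the My Account URL" (it is the portal's name), and the replacement URL keeps the stray spaces inside the backticks from the old line (` https://localhost:9443/myaccount `); trim them so the rendered code span is exactly `https://localhost:9443/myaccount`.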
diff --git a/en/docs/develop/notification-sender-rest-api.md b/en/docs/develop/notification-sender-rest-api.md new file mode 100644 index 0000000000..8e2e756968 --- /dev/null +++ b/en/docs/develop/notification-sender-rest-api.md @@ -0,0 +1,105 @@ +--- +template: templates/swagger.html +--- + +# Notification Senders API Definition - v1 + +This is the RESTful API for managing notification sender configurations in WSO2 Identity Server. +It supports Email and SMS as the notification channels. +The following section provides the instructions to contruct requests for each notification sender type.
+ +??? "NOTE" + + * This API is not supported for notification sender configuration for carbon.super tenant. + + If you want to configure event publishers in carbon.super tenant, add or modify event publishers in + `IS_HOME/repository/deployment/server/eventpublishers`. + For more information on writing an event publisher, see [Event Publisher Types](https://docs.wso2.com/display/DAS300/Event+Publisher+Types). + + * The following properties are used for internal operations. Therefore, avoid using these properties when configuring notification senders. + + | Property | Purpose | + | ------- | -------| + | streamName | The name of the event stream where events are picked for notification sending | + | version | The version of the event stream | + | type | Type of the notification sender (email/sms) | + +??? "Email Sender Configuration" + + * If you want to add properties related to email adaptor configurations (eg: SMTP configurations), + define property keys with the exact names given in [Email Event Publisher](https://docs.wso2.com/display/DAS300/Email+Event+Publisher) documentation. + +??? "SMS Sender Configuration" + + 1. Some SMS providers’ SMS sending API payloads are templated in the + `IS_HOME/repository/conf/sms/sms-providers-api-body-templates.xml` file. + 2. You can add new SMS providers’ payloads, or modify the existing SMS provider payloads by adding new attributes. + 3. Attribute values that need to be replaced by **POST /notification-senders/sms** API’s input should be templated with + a prefix, **“$”**. + + ``` + Example: + $sender will be replaced by the input value of the “sender” attribute. + $body.routingGroup will be replaced by the input value of the property defined with key - “body.routingGroup”. + ``` + + **Properties in POST /notification-senders/sms request** + + 1. Properties that need to be included in SMS provider API’s body define with the prefix, **”body.”**. + 2. 
If the property named **“body”** is present, the corresponding value will be used as the SMS provider API’s body. + 3. If you want to add properties related to HTTPOutputEventAdaptor, define keys with the exact names defined in the + [HTTP Event Publisher](https://docs.wso2.com/display/DAS300/HTTP+Event+Publisher) documentation. + + Example: + + * Let’s assume you change the `Bulksms` template as follows. + ``` + + + [{ "from": $sender, "to": {{mobile}}, "body": {{body}}, "routingGroup": $body.routingGroup}] + + + ``` + + * The POST /notification-senders/sms request should have a property with a key named “body.routingGroup”. + ``` + { + "provider": "Bulksms", + "providerURL": "https://webhook.site/9b79bebd-445a-4dec-ad5e-622b856fa184", + "key": "123", + "secret": "1234", + "sender": "073923902", + "properties": [ + { + "key": "body.routingGroup", + "value": "ECONOMY" + } + ] + } + ``` + +
+ + +[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/7bc59cc3e9c958bffaf4) diff --git a/en/docs/develop/oauth2-scope-management-rest-apis.md b/en/docs/develop/oauth2-scope-management-rest-apis.md index 20fd99138f..21db399a73 100644 --- a/en/docs/develop/oauth2-scope-management-rest-apis.md +++ b/en/docs/develop/oauth2-scope-management-rest-apis.md @@ -7,7 +7,7 @@ template: templates/swagger.html The OAuth2 scope API in WSO2 Identity Server (IS) can be used to manage oauth2 scopes and scope bindings such as roles and permissions. Since OIDC scope is a sub category of OAuth2 scopes, these end points cannot have the same scope names in WSO2 IS. For information about the OIDC scope endpoint, -see [OIDC Scope Management REST APIs](../../develop/oidc-scope-management-rest-apis.md) +see [OIDC Scope Management REST APIs](../../develop/oidc-scope-management-rest-apis) ??? Note "Click For Instructions" Follow the steps given below to try out the REST APIs with your local instance of WSO2 IS. @@ -47,4 +47,4 @@ window.onload = function() { } -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/80f948e159dd8e0a8a6a) \ No newline at end of file +[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/80f948e159dd8e0a8a6a) diff --git a/en/docs/develop/rest-apis.md b/en/docs/develop/rest-apis.md index 281201aceb..dd6df35181 100644 --- a/en/docs/develop/rest-apis.md +++ b/en/docs/develop/rest-apis.md 
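Review bot: In the notification-sender-rest-api.md hunk, the Bulksms template example substitutes `$sender` and `$body.routingGroup` unquoted (`"from": $sender`, `"routingGroup": $body.routingGroup`) while the sample request supplies string values (`"sender": "073923902"`, `"value": "ECONOMY"`); say whether substitution adds quotes, because `"routingGroup": ECONOMY` is not valid JSON and readers will copy this template as-is. Also replace the literal sample credentials (`"key": "123"`, `"secret": "1234"`) and the live-looking webhook.site URL with obvious placeholders such as `<PROVIDER_KEY>` and `<PROVIDER_URL>`, so they are not pasted into real sender configurations. Smaller fixes: "contruct" in the intro should be "construct", and "Properties that need to be included in SMS provider API's body define with the prefix" should read "must be defined with the prefix".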
@@ -23,6 +23,7 @@ including the sample requests and responses. - [Identity Governance](../../develop/identity-governance-rest-api) - [Identity Providers](../../develop/idp-rest-api) - [Keystore Management](../../develop/keystore-rest-api) +- [Notification Senders](../../develop/notification-sender-rest-api) - [OAuth2 Scope Management](../../develop/oauth2-scope-management-rest-apis) - [OpenID Connect Scope Management](../../develop/oidc-scope-management-rest-apis) - [OIDC Dynamic Client Registration](../../develop/using-the-openid-connect-dynamic-client-registration-rest-apis) diff --git a/en/docs/develop/restapis/scim2.yaml b/en/docs/develop/restapis/scim2.yaml index 273fae5792..9e91729b59 100644 --- a/en/docs/develop/restapis/scim2.yaml +++ b/en/docs/develop/restapis/scim2.yaml @@ -310,18 +310,6 @@ paths: required: false type: integer format: int32 - - name: sortBy - in: query - description: |- - Specifies the attribute whose value - SHALL be used to order the returned responses - required: false - type: string - - name: sortOder - in: query - description: The order in which the "sortBy" parameter is applied. - required: false - type: string - name: domain in: query description: The name of the user store where filtering needs to be applied. @@ -652,7 +640,12 @@ paths: - Users Endpoint summary: Filter Users description: | - This API returns users according to the filter, sort and pagination parameters. Pagination is not supported across user stores and LDAP multi-attribute group filtering. However, filtering is supported across multiple user stores. + This API returns users according to the filter, sort and pagination parameters. Pagination is not supported across user stores and LDAP multi-attribute group filtering. However, filtering is supported across multiple user stores.

+ + By default, duplicate user entries in the SCIM2 users response are persisted. To remove the duplicate user entries, add the following configuration to the deployment.toml file.

+ + [scim2] + remove_duplicate_users_in_users_response = true Permission required: * /permission/admin/manage/identity/usermgt/view @@ -692,18 +685,6 @@ paths: required: false type: integer format: int32 - - name: sortBy - in: query - description: |- - Specifies the attribute whose value - SHALL be used to order the returned responses. - required: false - type: string - - name: sortOder - in: query - description: The order in which the "sortBy" parameter is applied. - required: false - type: string - name: domain in: query description: The name of the user store where filtering needs to be applied. @@ -1073,18 +1054,6 @@ paths: required: false type: integer format: int32 - - name: sortBy - in: query - description: |- - Specifies the attribute whose value - SHALL be used to order the returned responses - required: false - type: string - - name: sortOder - in: query - description: The order in which the "sortBy" parameter is applied. - required: false - type: string responses: 200: description: Valid roles are found diff --git a/en/docs/develop/scim-1.1-apis.md b/en/docs/develop/scim-1.1-apis.md index 5870d876f4..771024c23b 100644 --- a/en/docs/develop/scim-1.1-apis.md +++ b/en/docs/develop/scim-1.1-apis.md @@ -2,7 +2,7 @@ !!! warning - **WSO2 recommends using** **[SCIM 2.0 APIs](../../develop/using-the-scim-2.0-rest-apis/)** because of the following + **WSO2 recommends using** **[SCIM 2.0 APIs](../../develop/scim2-rest-apis/)** because of the following reasons: - SCIM 2.0 APIs provide additional methods that are not available with diff --git a/en/docs/develop/sdk-overview.md b/en/docs/develop/sdk-overview.md index ee6391029a..040be9206c 100644 --- a/en/docs/develop/sdk-overview.md +++ b/en/docs/develop/sdk-overview.md 
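Review bot: In the scim2.yaml hunk at `@@ -652,7 +640,12 @@`, the unchanged sentence "This API returns users according to the filter, sort and pagination parameters" still advertises sorting although the surrounding hunks remove the `sortBy`/`sortOder` query parameters; drop "sort" from the description or keep the parameters. The added TOML lines (`[scim2]`, `remove_duplicate_users_in_users_response = true`) sit inside the `description: |` block, so their indentation must match the block's indent exactly or the YAML will not parse; please confirm they are indented under the block rather than at column 0. Also "duplicate user entries in the SCIM2 users response are persisted" reads as if they were stored; "are returned" matches the setting's name.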
@@ -2,11 +2,11 @@ This section lists all the SDKs related to identity written using various technologies. The samples to test out each SDK's features are mentioned in the respective SDK docs listed below. -- [SAML-based login using Asgardio Tomcat SAML Agent](https://github.com/asgardio/asgardio-tomcat-saml-agent) +- [SAML-based login using Asgardeo Tomcat SAML Agent](https://github.com/asgardeo/asgardeo-tomcat-saml-agent) -- [Javascript OIDC SDK for OIDC or OAuth2 authentication in to single page applications](https://github.com/asgardio/asgardio-js-oidc-sdk) +- [Javascript OIDC SDK for OIDC or OAuth2 authentication in to single page applications](https://github.com/asgardeo/asgardeo-js-oidc-sdk) -- [Android OIDC SDK to secure android-based applications](https://github.com/asgardio/asgardio-android-oidc-sdk) +- [Android OIDC SDK to secure android-based applications](https://github.com/asgardeo/asgardeo-android-oidc-sdk) - [.NET SDK for OIDC](TODO:link-to-repo) diff --git a/en/docs/develop/session-mgt-rest-api.md b/en/docs/develop/session-mgt-rest-api.md index 3e3457df24..a2ac915fd0 100644 --- a/en/docs/develop/session-mgt-rest-api.md +++ b/en/docs/develop/session-mgt-rest-api.md 
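Review bot: In the sdk-overview.md hunk, the unchanged context line `[.NET SDK for OIDC](TODO:link-to-repo)` ships a `TODO:` placeholder as a live link; add the repository URL or remove the entry before merging. In the JavaScript SDK line, "authentication in to single page applications" should be "into".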
@@ -19,6 +19,16 @@ template: templates/swagger.html 4. Add a `-k` header to the curl command and run the curl command on the terminal with a running instance of WSO2 IS. +!!! Note + + - From WSO2 IS 5.12 onwards, access tokens that are mapped with the session via REST API can be revoked. + This is applicable for authorization code grant, implicit flow, refresh token grant, and hybrid flow. + - If one session is terminated via the API and the same access token is used by multiple sessions, + the other sessions may then lose their tokens. Therefore, it is recommended to use sso-session binding if + you wish to retain the capability to revoke the access token when the session is terminated via REST API. + - WSO2 Identity Server sends SAML/OIDC back-channel logouts also when session is terminated via API. To support + this, the application should be configured to enable back-channel logout. +
-[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/42f50c4510ed5e47f9f2) \ No newline at end of file +[![Run in Postman](https://run.pstmn.io/button.svg)](https://www.getpostman.com/collections/4b7454af08aaa3c5de3c) diff --git a/en/docs/develop/writing-a-custom-federated-authenticator.md b/en/docs/develop/writing-a-custom-federated-authenticator.md index f1021d6a7a..991200fa4c 100644 --- a/en/docs/develop/writing-a-custom-federated-authenticator.md +++ b/en/docs/develop/writing-a-custom-federated-authenticator.md 
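Review bot: In the session-mgt-rest-api.md hunk, "the other sessions may then lose their tokens" is too vague for a revocation behaviour; if terminating one session revokes an access token shared by several sessions for all of them, say so plainly, since that is the reason the note recommends sso-session token binding. "sends SAML/OIDC back-channel logouts also when session is terminated via API" should read "also sends SAML/OIDC back-channel logout requests when a session is terminated via the API", and it should link to where back-channel logout is enabled for an application. The Postman link now uses `https://www.getpostman.com/collections/...` while every other page in this change uses `https://app.getpostman.com/run-collection/...`; confirm the new form is intended.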
@@ -1,1367 +1,233 @@ # Writing a Custom Federated Authenticator -It is possible to use the extension points available in the WSO2 -Identity Server to create custom federated authenticators. +A custom federated authenticator can be written to authenticate a user with an external system. +The external system can be any Identity provider including Facebook, Twitter, Google, Yahoo, etc. +You can use the extension points available in WSO2 Identity Server to create custom federated authenticators. -### Authenticator API +![Federated authentication diagram](../assets/img/using-wso2-identity-server/federated-authentication-diagram.png) + +## Authenticator API The following is the API used to implement a custom federated authenticator. -``` java -/* -* Copyright (c) 2005-2013, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -* -* WSO2 Inc. licenses this file to you under the Apache License, -* Version 2.0 (the "License"); you may not use this file except -* in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, -* software distributed under the License is distributed on an -* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -* KIND, either express or implied. See the License for the -* specific language governing permissions and limitations -* under the License. -*/ +??? example "Click to view the API of the Application Authenticators" + ``` java + /* + * Copyright (c) 2005-2013, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. 
+ * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.wso2.carbon.identity.application.authentication.framework; + + import java.io.Serializable; + import java.util.List; + + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + + import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext; + import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException; + import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException; + import org.wso2.carbon.identity.application.common.model.Property; + + /** + * API of the Application Authenticators. + * + */ + public interface ApplicationAuthenticator extends Serializable { + + /** + * Check whether the authentication or logout request can be handled by the + * authenticator + * + * @param request + * @return boolean + */ + public boolean canHandle(HttpServletRequest request); + + /** + * Process the authentication or logout request. + * + * @param request + * @param response + * @param context + * @return the status of the flow + * @throws AuthenticationFailedException + * @throws LogoutFailedException + */ + public AuthenticatorFlowStatus process(HttpServletRequest request, + HttpServletResponse response, AuthenticationContext context) + throws AuthenticationFailedException, LogoutFailedException; + + /** + * Get the Context identifier sent with the request. 
This identifier is used + * to retrieve the state of the authentication/logout flow + * + * @param request + * @return + */ + public String getContextIdentifier(HttpServletRequest request); + + /** + * Get the name of the Authenticator + * @return name + */ + public String getName(); + + /** + * @return + */ + public String getFriendlyName(); + + /** + * Get the claim dialect URI if this authenticator receives claims in a standard dialect + * and needs to be mapped to the Carbon dialect http://wso2.org/claims + * @return boolean + */ + public String getClaimDialectURI(); + + /** + * @return + */ + public List getConfigurationProperties(); + } + ``` -package org.wso2.carbon.identity.application.authentication.framework; +This API can be used to configure a custom authenticator. -import java.io.Serializable; -import java.util.List; +## Writing a custom federated authenticator -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +1. First create a maven project for the custom federated authenticator. Refer the [pom.xml](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/pom.xml) + file used for the sample custom federated authenticator. +2. Refer the [service component class](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/internal/CustomFederatedAuthenticatorServiceComponent.java) + as well since the authenticator is written as an OSGI service to deploy in WSO2 Identity Server and register + it as a federated authenticator +3. 
The [custom federated authenticator](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java) + should be written by extending the [AbstractApplicationAuthenticator](https://github.com/wso2/carbon-identity-framework/blob/v5.18.187/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/AbstractApplicationAuthenticator.java) class + and implementing the [FederatedApplicationAuthenticator](https://github.com/wso2/carbon-identity-framework/blob/v5.18.187/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/FederatedApplicationAuthenticator.java) class. +4. You can find a custom federated authenticator [here](https://github.com/wso2/samples-is/tree/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator) for your reference -import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext; -import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException; -import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException; -import org.wso2.carbon.identity.application.common.model.Property; +The important methods in the `AbstractApplicationAuthenticator` class, and the `FederatedApplicationAuthenticator` interface are listed as follows. -/** - * API of the Application Authenticators. 
- * - */ -public interface ApplicationAuthenticator extends Serializable { +* **[public String getName()](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java#L73-L77)** - /** - * Check whether the authentication or logout request can be handled by the - * authenticator - * - * @param request - * @return boolean - */ - public boolean canHandle(HttpServletRequest request); - - /** - * Process the authentication or logout request. - * - * @param request - * @param response - * @param context - * @return the status of the flow - * @throws AuthenticationFailedException - * @throws LogoutFailedException - */ - public AuthenticatorFlowStatus process(HttpServletRequest request, - HttpServletResponse response, AuthenticationContext context) - throws AuthenticationFailedException, LogoutFailedException; - - /** - * Get the Context identifier sent with the request. This identifier is used - * to retrieve the state of the authentication/logout flow - * - * @param request - * @return - */ - public String getContextIdentifier(HttpServletRequest request); - - /** - * Get the name of the Authenticator - * @return name - */ - public String getName(); - - /** - * @return - */ - public String getFriendlyName(); - - /** - * Get the claim dialect URI if this authenticator receives claims in a standard dialect - * and needs to be mapped to the Carbon dialect http://wso2.org/claims - * @return boolean - */ - public String getClaimDialectURI(); - - /** - * @return - */ - public List getConfigurationProperties(); -} -``` +Return the name of the authenticator -This API can be used to configure a custom authenticator. As an example, -a Twitter authenticator is configured using the above API. 
+* **[public String getFriendlyName()](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java#L67-L71)** -### Writing a custom authenticator for Twitter +Returns the display name for the custom federated authenticator. In this sample we are using custom-federated-authenticator -The WSO2 Identity Server comes with several built in authenticators like -Facebook, Google, OpenID, and SAML. This topic provides instructions on -how to authenticate users via Twitter using the SAML configurations -available in the Identity Server. +* **[public String getContextIdentifier(HttpServletRequest request)](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java#L215-L224)** -!!! info "Related links" - - See [here](https://dev.twitter.com/web/sign-in/desktop-browser) for - information on browser sign in flow. This information is useful when - working with websites and applications that are able to open or - embed a web browser. - - See [here](https://dev.twitter.com/web/sign-in/implementing) for - information on implementing the sign in functionality using Twitter. - - If you are doing this using Java, there is a library you can use - called [twitter4j](http://twitter4j.org/en/index.html). See the link for code samples on signing - in with Twitter. +Returns a unique identifier that will map the authentication request and the response. The value returned by the invocation of authentication request and the response should be the same. -The following code block represents the structure of an authenticator -**pom.xml**. 
Authenticators are basically OSGi (Open Service Gateway -initiative) bundles, which are units of modularization that are -comprised of Java classes and other resources that provide functions to -end users. The **pom.xml** includes the dependencies for the project. -Other than the twitter4j dependency, other dependencies are mandatory. +* **[public boolean canHandle(HttpServletRequest request)](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java#L60-L65)** - -??? info "Click here to view the code block" - ``` xml - - - org.emojotFoundation - 4.0.0 - authenticator-twitter - bundle - 1.0.0 - - - - - org.wso2.carbon - org.wso2.carbon.logging - 4.2.0 - - - - org.wso2.carbon - org.wso2.carbon.identity.application.authentication.framework - 4.2.2 - - - - org.wso2.carbon - org.wso2.carbon.ui - 4.2.0 - - - - org.apache.amber.wso2 - amber - 0.22.1358727.wso2v4 - - - - org.wso2.carbon - org.wso2.carbon.identity.application.common - 4.2.0 - - - - org.twitter4j - twitter4j-core - [4.0,) - - - - - - wso2-nexus - WSO2 Internal Repository - http://maven.wso2.org/nexus/content/groups/wso2-public/ - - true - daily - ignore - - - - twitter4j.org - twitter4j.org Repository - http://twitter4j.org/maven2 - - true - - - true - - - - - - - - org.apache.felix - maven-scr-plugin - 1.7.4 - - - generate-scr-scrdescriptor - - scr - - - - - - org.apache.felix - maven-bundle-plugin - true - - - ${project.artifactId} - ${project.artifactId} - org.emojotFoundation.authenticator.twitter.internal - org.twitter4j.*; - version="[4.0,)", - org.apache.axis2.*; - version="[1.6.1.wso2v1, 1.7.0)", - org.apache.axiom.*; - version="[1.2.11.wso2v2, 1.3.0)", - org.wso2.carbon.ui.*, - org.apache.commons.logging.*; version="1.0.4", - org.osgi.framework, - org.wso2.carbon.identity.application.authentication.framework.*, - 
javax.servlet;version="[2.6.0,3.0.0)", - javax.servlet.http;version="[2.6.0,3.0.0)", - *;resolution:=optional - - !org.emojotFoundation.authenticator.twitter.internal, - org.emojotFoundation.authenticator.twitter.* - - * - - - - - - - ``` +Specifies whether this authenticator can handle the authentication response. -As the project is an OSGi bundle, you must add this class to define -the bundle activate method and deactivate method. +* **[protected void initiateAuthenticationRequest(HttpServletRequest request,HttpServletResponse response, AuthenticationContext context)](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java#L138-L139)** -??? info "Click here to view the class used to define the bundle activate method and deactivate method" - ``` java - package org.emojotFoundation.authenticator.twitter.internal; - - import java.util.Hashtable; - import org.apache.commons.logging.Log; - import org.apache.commons.logging.LogFactory; - import org.osgi.service.component.ComponentContext; - import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator; - import org.emojotFoundation.authenticator.twitter.TwitterAuthenticator; - - /** - * @scr.component name="authenticator.twitter" immediate="true" - */ - - public class TwitterAuthenticatorServiceComponent { - - private static final Log LOGGER = LogFactory.getLog(TwitterAuthenticatorServiceComponent.class); - - protected void activate(ComponentContext ctxt) { - try { - TwitterAuthenticator twitterAuthenticator = new TwitterAuthenticator(); - Hashtable props = new Hashtable() - ctxt.getBundleContext().registerService(ApplicationAuthenticator.class.getName(),twitterAuthenticator, props); - - LOGGER.info("----Twitter Authenticator bundle is activated----"); - - } catch (Throwable e) { - LOGGER.fatal("----Error while 
activating Twitter authenticator----", e); - } - } - - protected void deactivate(ComponentContext ctxt) { - LOGGER.info("----Twitter Authenticator bundle is deactivated----"); - } - } - ``` +Redirects the user to the login page in order to authenticate and in this sample, the user is redirected to the login page of the application which is configured in the partner identity server which acts as the external service. -After adding this to your project, you are in a position to write your -authenticator. Authenticators are defined by extending the -` AbstractApplicationAuthenticator ` class and -implementing the ` FederatedApplicationAuthenticator ` -interface. The important methods in the -` AbstractApplicationAuthenticator ` class and the -` FederatedApplicationAuthenticator ` interface are -listed as follows. +* **[protected void processAuthenticationResponse(HttpServletRequest request,HttpServletResponse response, AuthenticationContext context)](https://github.com/wso2/samples-is/blob/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator/src/main/java/org/wso2/carbon/identity/custom/federated/authenticator/CustomFederatedAuthenticator.java#L169-L171)** -- `public String getName()` -- `public String getFriendlyName()` -- `public String getContextIdentifier(HttpServletRequest request`) - - Returns a unique identifier that will map the authentication request - and the response. The value returned by the invocation of - authentication request and the response should be the same. -- `public boolean canHandle(HttpServletRequest request)` - Specifies - whether this authenticator can handle the authentication response. 
-- `protected void initiateAuthenticationRequest(HttpServletRequest - request,HttpServletResponse response, AuthenticationContext context)` -- `protected void processAuthenticationResponse(HttpServletRequest - request,HttpServletResponse response, AuthenticationContext context)` +Implements the logic of the custom federated authenticator. -Use the following steps to write the Twitter authenticator. +## Deploy the custom federated authenticator in WSO2 IS -1. Implement the ` canHandle() ` method using the - above methods. When Twitter sends the OAuth response, it sends the - parameters ` oauth_token ` and - ` oauth_verifier ` in the request. This is a - notification to identify that this response can be handled by the - authenticator. +1. Once the implementation is done, navigate to the root of your project and run the following command to compile the service +2. Copy the compiled jar file insider _/target._ +3. Copy the jar file **org.wso2.carbon.identity.custom.federated.authenticator-1.0.0.jar** file to the _/repository/components/dropins._ - ??? example "Click here to view a sample canHandle() method" - ``` java - public boolean canHandle(HttpServletRequest request) { - if (request.getParameter("oauth_token")!=null && request.getParameter("oauth_verifier")!=null) { - return true; - } - return false; - } - ``` +## Configure the partner identity server -2. For each authentication request that comes into the Identity Server, - there is unique value that comes along as a parameter. That - parameter is the ` sessionDataKey ` . Store this - in the Twitter authentication redirection session to facilitate the - requirement where ` getContextIdentifier ` gives - the same value for authentication request and its response. +In this sample the partner identity server acts as the external system. +Therefore, that partner identity server will be running on the same machine in a different port +by adding the following config to the deployment.toml file. - !!! 
note - The `sessionDataKey` query parameter is used to coordinate the request state across components participating in the request flow. It does not correlate with the user session. Furthermore, the request state maintained against the 'sessionDataKey' parameter value is cleared by each participating component at the end of request flow. This means that even if an external party grabs the 'sessionDataKey' they will not be able to get into the authentication sequence, as the user session is not associated with that key. - - ??? info "Click here to view getContextIdentifier()" - ``` java - public String getContextIdentifier(HttpServletRequest request) { - if(request.getSession().getAttribute("contextIdentifier")==null){ - request.getSession().setAttribute("contextIdentifier",request.getParameter("sessionDataKey")); - return request.getParameter("sessionDataKey"); - }else{ - return (String) request.getSession().getAttribute("contextIdentifier"); - } - } - ``` +``` +[server] +offset=1 +``` -3. Next, implement the - ` initiateAuthenticationRequest ` method and the - ` processAuthenticationResponse ` method as - follows. +After starting that partner identity server, it will run on [localhost:9444](https://localhost:9444/carbon). - ??? 
info "Click here to view the initiateAuthenticationRequest method and processAuthenticationResponse method" - ``` java - protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { - - String apiKey= resourceBundle.getString("API_Key"); - String apiSecret= resourceBundle.getString("API_Secret"); - - Twitter twitter = new TwitterFactory().getInstance(); - twitter.setOAuthConsumer(apiKey, apiSecret); - - try { - String callbackURL = resourceBundle.getString("Call_Back_URL"); - RequestToken requestToken = twitter.getOAuthRequestToken(callbackURL.toString()); - request.getSession().setAttribute("requestToken",requestToken); - request.getSession().setAttribute("twitter",twitter); - response.sendRedirect(requestToken.getAuthenticationURL()); - - } catch (TwitterException e) { - LOGGER.error("Exception while sending to the Twitter login page.", e); - throw new AuthenticationFailedException(e.getMessage(), e); - } catch (IOException e) { - LOGGER.error("Exception while sending to the Twitter login page.", e); - throw new AuthenticationFailedException(e.getMessage(), e); - } - return; - } - - protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { - Twitter twitter = (Twitter) request.getSession().getAttribute("twitter"); - RequestToken requestToken = (RequestToken) request.getSession().getAttribute("requestToken"); - String verifier = request.getParameter("oauth_verifier"); - try { - AccessToken token=twitter.getOAuthAccessToken(requestToken, verifier); - request.getSession().removeAttribute("requestToken"); - User user= twitter.verifyCredentials(); - buildClaims(user,context); - } catch (TwitterException e) { - LOGGER.error("Exception while obtaining OAuth token form Twitter", e); - throw new AuthenticationFailedException("Exception while 
obtaining OAuth token form Twitter",e); - } - } - - public void buildClaims(User user, AuthenticationContext context) { - - context.setSubject(String.valueOf(user.getId())); - Map claims = new HashMap(); - claims.put(ClaimMapping.build("name", "name", null,false), user.getName()); - claims.put(ClaimMapping.build("screen_name", "screen_name", null,false), user.getScreenName()); - claims.put(ClaimMapping.build("url", "url", null,false), user.getURL()); - - context.setSubjectAttributes(claims); - } - ``` +1. Access the Management console of the partner identity server. +2. Navigate to Main > Identity > Service Providers > Add. +3. Add a Service Provider name and optionally, add a description. +4. Click Register. (Let’s use the playground app and refer to + [this](../../learn/deploying-the-sample-app/#deploying-the-playground2-webapp) + to configure the playground app). +3. Then List the Service Providers and edit the service provider by navigation to the** + OAuth/OpenID Configuration** under **Inbound Authentication Configuration** and add + `https://localhost:9443/commonauth` as the callback URL. +4. Create a user **Alex** in the partner identity server. -4. The ` buildClaims ` method saves the retrieved user - attributes to the authenticated context in the Identity Server. That - is needed to map the claims to the built in claims of IS. -5. After implementing these methods you can build your bundle. After - building it you have to put that into the - ` /repository/components/dropins ` - directory. -6. [Restart the Identity Server](../../setup/running-the-product) to use the - Twitter authenticator in IS. +## Configure Federated Authenticator -### Custom authenticator for Facebook +To configure the federated authenticator, click the **Add** button under **Identity Providers** and add the IDP name as +**Partner-Identity-Server**. Register the new IDP. -This section includes the code used to write the custom authenticator -for Facebook. 
+![Partner idp config](../assets/img/using-wso2-identity-server/partner-idp-config.png) -1. Download the source code from - [here](https://svn.wso2.org/repos/wso2/people/isura/org.wso2.carbon.identity.application.authenticator.social/) - using the following command on your terminal. +Click **Federated Authenticators** and expand **custom-federated-authenticator configurations**. +Configure it as follows. - ``` java - $ svn checkout https://svn.wso2.org/repos/wso2/people/isura/org.wso2.carbon.identity.application.authenticator.social/ - ``` +Here, the Client Id and Client Secret are the values of external service provider from the Partner-Identity-Server. -2. Navigate to the folder you just downloaded, which contains the - ` pom.xml ` file and build the source code by - running the following command on your terminal. +* _Enable / Default - You can **enable** and set to **default**_ +* _Authorization Endpoint UR - `https://localhost:9444/oauth2/authorize/`_ +* _Token Endpoint URL - [https://localhost:9444/oauth2/token/](https://localhost:9444/oauth2/token/)_ +* _Client Id - The value generated by the service provider of the partner IS_ +* _Client Secret - The value generated by the service provider of the partner IS_ - ``` java - $ mvn clean install - ``` +![Federated Authenticator](../assets/img/using-wso2-identity-server/federated-authenticator.png) -3. Copy the - ` org.wso2.carbon.identity.application.authenticator.social.facebook2-5.0.0.jar ` - file found inside the **target** folder and paste it in the - ` /repository/components/dropins ` folder. +## Configure an application with the custom federated authenticator - ??? info "Click here to view the source code" - ``` java - /* - * Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. 
- * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE­2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - package org.wso2.carbon.identity.application.authenticator.social.facebook2; - import org.apache.commons.lang.StringUtils; - import org.apache.commons.logging.Log; - import org.apache.commons.logging.LogFactory; - import org.apache.oltu.oauth2.client.request.OAuthClientRequest; - import org.apache.oltu.oauth2.client.response.OAuthAuthzResponse; - import org.apache.oltu.oauth2.common.exception.OAuthProblemException; - import org.apache.oltu.oauth2.common.exception.OAuthSystemException; - import org.apache.oltu.oauth2.common.utils.JSONUtils; - import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator; - import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator; - import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext; - import org.wso2.carbon.identity.application.authentication.framework.exception.ApplicationAuthenticatorException; - import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException; - import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; - import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants; - import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils; - import org.wso2.carbon.identity.application.common.model.ClaimMapping; - import org.wso2.carbon.identity.application.common.model.Property; - import 
org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants; - import org.wso2.carbon.identity.base.IdentityConstants; - import org.wso2.carbon.identity.core.util.IdentityUtil; - import org.wso2.carbon.identity.core.util.IdentityIOStreamUtils; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - import java.io.BufferedReader; - import java.io.IOException; - import java.io.InputStreamReader; - import java.net.MalformedURLException; - import java.net.URL; - import java.net.URLConnection; - import java.nio.charset.Charset; - import java.util.*; - public class FacebookCustomAuthenticator extends AbstractApplicationAuthenticator implements - FederatedApplicationAuthenticator { - private static final Log log = LogFactory.getLog(FacebookCustomAuthenticator.class); - private static final long serialVersionUID = ­1465329490183756028 L; - private String tokenEndpoint; - private String oAuthEndpoint; - private String userInfoEndpoint; - /** - * initiate tokenEndpoint - */ - private void initTokenEndpoint() { - this.tokenEndpoint = - getAuthenticatorConfig().getParameterMap().get(FacebookCustomAuthenticatorConstants - .FB_TOKEN_URL); - if (StringUtils.isBlank(this.tokenEndpoint)) { - this.tokenEndpoint = IdentityApplicationConstants.FB_TOKEN_URL; - } - } - /** - * initiate authorization server endpoint - */ - private void initOAuthEndpoint() { - this.oAuthEndpoint = - getAuthenticatorConfig().getParameterMap().get(FacebookCustomAuthenticatorConstants - .FB_AUTHZ_URL); - if (StringUtils.isBlank(this.oAuthEndpoint)) { - this.oAuthEndpoint = IdentityApplicationConstants.FB_AUTHZ_URL; - } - } - /** - * initiate userInfoEndpoint - */ - private void initUserInfoEndPoint() { - this.userInfoEndpoint = - getAuthenticatorConfig().getParameterMap().get(FacebookCustomAuthenticatorConstants - .FB_USER_INFO_URL); - if (StringUtils.isBlank(this.userInfoEndpoint)) { - this.userInfoEndpoint = 
IdentityApplicationConstants.FB_USER_INFO_URL; - } - } - /** - * get the tokenEndpoint. - * @return tokenEndpoint - */ - private String getTokenEndpoint() { - if (StringUtils.isBlank(this.tokenEndpoint)) { - initTokenEndpoint(); - } - return this.tokenEndpoint; - } - /** - * get the oAuthEndpoint. - * @return oAuthEndpoint - */ - private String getAuthorizationServerEndpoint() { - if (StringUtils.isBlank(this.oAuthEndpoint)) { - initOAuthEndpoint(); - } - return this.oAuthEndpoint; - } - /** - * get the userInfoEndpoint. - * @return userInfoEndpoint - */ - private String getUserInfoEndpoint() { - if (StringUtils.isBlank(this.userInfoEndpoint)) { - initUserInfoEndPoint(); - } - return this.userInfoEndpoint; - } - @Override - public boolean canHandle(HttpServletRequest request) { - log.trace("Inside FacebookAuthenticator.canHandle()"); - if (request.getParameter(FacebookCustomAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) != null && - request.getParameter(FacebookCustomAuthenticatorConstants.OAUTH2_PARAM_STATE) != null && - FacebookCustomAuthenticatorConstants.FACEBOOK_LOGIN_TYPE.equals(getLoginType(request))) { - return true; - } - return false; - } - @Override - protected void initiateAuthenticationRequest(HttpServletRequest request, - HttpServletResponse response, AuthenticationContext context) - throws AuthenticationFailedException { - try { - Map authenticatorProperties = context.getAuthenticatorProperties(); - String clientId = authenticatorProperties.get(FacebookCustomAuthenticatorConstants.CLIENT_ID); - String authorizationEP = getAuthorizationServerEndpoint(); - String scope = authenticatorProperties.get(FacebookCustomAuthenticatorConstants.SCOPE); - if (StringUtils.isEmpty(scope)) { - scope = FacebookCustomAuthenticatorConstants.EMAIL; - } - String callbackUrl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true); - String state = context.getContextIdentifier() + "," + - FacebookCustomAuthenticatorConstants.FACEBOOK_LOGIN_TYPE; - 
OAuthClientRequest authzRequest = - OAuthClientRequest.authorizationLocation(authorizationEP) - .setClientId(clientId) - .setRedirectURI(callbackUrl) - .setResponseType(FacebookCustomAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) - .setScope(scope).setState(state) - .buildQueryMessage(); - response.sendRedirect(authzRequest.getLocationUri()); - } catch (IOException e) { - log.error("Exception while sending to the login page.", e); - throw new AuthenticationFailedException(e.getMessage(), e); - } catch (OAuthSystemException e) { - log.error("Exception while building authorization code request.", e); - throw new AuthenticationFailedException(e.getMessage(), e); - } - return; - } - @Override - protected void processAuthenticationResponse(HttpServletRequest request, - HttpServletResponse response, - AuthenticationContext context) - throws AuthenticationFailedException { - log.trace("Inside FacebookAuthenticator.authenticate()"); - try { - Map authenticatorProperties = context.getAuthenticatorProperties(); - String clientId = authenticatorProperties.get(FacebookCustomAuthenticatorConstants.CLIENT_ID); - String clientSecret = - authenticatorProperties.get(FacebookCustomAuthenticatorConstants.CLIENT_SECRET); - String userInfoFields = - authenticatorProperties.get(FacebookCustomAuthenticatorConstants.USER_INFO_FIELDS); - String tokenEndPoint = getTokenEndpoint(); - String fbauthUserInfoUrl = getUserInfoEndpoint(); - String callbackUrl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true); - String code = getAuthorizationCode(request); - String token = getToken(tokenEndPoint, clientId, clientSecret, callbackUrl, code); - if (!StringUtils.isBlank(userInfoFields)) { - if (context.getExternalIdP().getIdentityProvider().getClaimConfig() != null && !StringUtils.isBlank(context.getExternalIdP().getIdentityProvider().getClaimConfig().getUserClaimURI())) { - String userClaimUri = context.getExternalIdP().getIdentityProvider().getClaimConfig() - .getUserClaimURI(); 
- if (!Arrays.asList(userInfoFields.split(",")).contains(userClaimUri)) { - userInfoFields += ("," + userClaimUri); - } - } else { - if (!Arrays.asList(userInfoFields.split(",")).contains(FacebookCustomAuthenticatorConstants - .DEFAULT_USER_IDENTIFIER)) { - userInfoFields += ("," + FacebookCustomAuthenticatorConstants.DEFAULT_USER_IDENTIFIER); - } - } - } - Map userInfoJson = getUserInfoJson(fbauthUserInfoUrl, userInfoFields, token); - buildClaims(context, userInfoJson); - } catch (ApplicationAuthenticatorException e) { - log.error("Failed to process Facebook Connect response.", e); - throw new AuthenticationFailedException(e.getMessage(), e); - } - } - private String getAuthorizationCode(HttpServletRequest request) throws ApplicationAuthenticatorException { - OAuthAuthzResponse authzResponse; - try { - authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(request); - return authzResponse.getCode(); - } catch (OAuthProblemException e) { - throw new ApplicationAuthenticatorException("Exception while reading authorization code.", e); - } - } - private String getToken(String tokenEndPoint, String clientId, String clientSecret, - String callbackurl, String code) throws ApplicationAuthenticatorException { - OAuthClientRequest tokenRequest = null; - String token = null; - try { - tokenRequest = - buidTokenRequest(tokenEndPoint, clientId, clientSecret, callbackurl, - code); - token = sendRequest(tokenRequest.getLocationUri()); - if (token.startsWith("{")) { - throw new ApplicationAuthenticatorException("Received access token is invalid."); - } - } catch (MalformedURLException e) { - if (log.isDebugEnabled()) { - log.debug("URL : " + tokenRequest.getLocationUri()); - } - throw new ApplicationAuthenticatorException( - "MalformedURLException while sending access token request.", - e); - } catch (IOException e) { - throw new ApplicationAuthenticatorException("IOException while sending access token request.", e); - } - return token; - } - private OAuthClientRequest 
buidTokenRequest( - String tokenEndPoint, String clientId, String clientSecret, String callbackurl, String code) - throws ApplicationAuthenticatorException { - OAuthClientRequest tokenRequest = null; - try { - tokenRequest = - OAuthClientRequest.tokenLocation(tokenEndPoint).setClientId(clientId) - .setClientSecret(clientSecret) - .setRedirectURI(callbackurl).setCode(code) - .buildQueryMessage(); - } catch (OAuthSystemException e) { - throw new ApplicationAuthenticatorException("Exception while building access token request.", e); - } - return tokenRequest; - } - private String getUserInfoString(String fbAuthUserInfoUrl, String userInfoFields, String token) - throws ApplicationAuthenticatorException { - String userInfoString; - try { - if (StringUtils.isBlank(userInfoFields)) { - userInfoString = sendRequest(String.format("%s?%s", fbAuthUserInfoUrl, token)); - } else { - userInfoString = sendRequest(String.format("%s?fields=%s&%s", fbAuthUserInfoUrl, userInfoFields, - token)); - } - } catch (MalformedURLException e) { - if (log.isDebugEnabled()) { - log.debug("URL : " + fbAuthUserInfoUrl, e); - } - throw new ApplicationAuthenticatorException( - "MalformedURLException while sending user information request.", - e); - } catch (IOException e) { - throw new ApplicationAuthenticatorException( - "IOException while sending sending user information request.", - e); - } - return userInfoString; - } - private void setSubject(AuthenticationContext context, Map jsonObject) - throws ApplicationAuthenticatorException { - String authenticatedUserId = (String) - jsonObject.get(FacebookCustomAuthenticatorConstants.DEFAULT_USER_IDENTIFIER); - if (StringUtils.isEmpty(authenticatedUserId)) { - throw new ApplicationAuthenticatorException("Authenticated user identifier is empty"); - } - AuthenticatedUser authenticatedUser = - AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(authenticatedUserId); - context.setSubject(authenticatedUser); - } - private Map 
getUserInfoJson(String fbAuthUserInfoUrl, String userInfoFields, String token) - throws ApplicationAuthenticatorException { - String userInfoString = getUserInfoString(fbAuthUserInfoUrl, userInfoFields, token); - if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.USER_ID_TOKEN)) { - log.debug("UserInfoString : " + userInfoString); - } - Map jsonObject = JSONUtils.parseJSON(userInfoString); - return jsonObject; - } - public void buildClaims(AuthenticationContext context, Map jsonObject) - throws ApplicationAuthenticatorException { - if (jsonObject != null) { - Map claims = new HashMap(); - for (Map.Entry entry: jsonObject.entrySet()) { - claims.put(ClaimMapping.build(entry.getKey(), entry.getKey(), null, - false), entry.getValue().toString()); - if (log.isDebugEnabled() && - IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.USER_CLAIMS)) { - log.debug("Adding claim mapping : " + entry.getKey() + " <> " + entry.getKey() + " : " + entry.getValue()); - } - } - if (StringUtils.isBlank(context.getExternalIdP().getIdentityProvider().getClaimConfig().getUserClaimURI())) { - context.getExternalIdP().getIdentityProvider().getClaimConfig().setUserClaimURI(FacebookCustomAuthenticatorConstants.EMAIL); - } - String subjectFromClaims = FrameworkUtils.getFederatedSubjectFromClaims( - context.getExternalIdP().getIdentityProvider(), claims); - if (subjectFromClaims != null && !subjectFromClaims.isEmpty()) { - AuthenticatedUser authenticatedUser = - AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subjectFromClaims); - context.setSubject(authenticatedUser); - } else { - setSubject(context, jsonObject); - } - context.getSubject().setUserAttributes(claims); - } else { - if (log.isDebugEnabled()) { - log.debug("Decoded json object is null"); - } - throw new ApplicationAuthenticatorException("Decoded json object is null"); - } - } - @Override - public String getContextIdentifier(HttpServletRequest request) { - 
log.trace("Inside FacebookAuthenticator.getContextIdentifier()"); - String state = request.getParameter(FacebookCustomAuthenticatorConstants.OAUTH2_PARAM_STATE); - if (state != null) { - return state.split(",")[0]; - } else { - return null; - } - } - private String sendRequest(String url) throws IOException { - BufferedReader in = null; - StringBuilder b = new StringBuilder(); - try { - URLConnection urlConnection = new URL(url).openConnection(); in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream(), - Charset.forName("utf­8"))); - String inputLine = in .readLine(); - while (inputLine != null) { - b.append(inputLine).append("\n"); - inputLine = in .readLine(); - } - } finally { - IdentityIOStreamUtils.closeReader( in ); - } - return b.toString(); - } - private String getLoginType(HttpServletRequest request) { - String state = request.getParameter(FacebookCustomAuthenticatorConstants.OAUTH2_PARAM_STATE); - if (state != null) { - return state.split(",")[1]; - } else { - return null; - } - } - @Override - public String getFriendlyName() { - return "Custom­Facebook"; - } - @Override - public String getName() { - return FacebookCustomAuthenticatorConstants.AUTHENTICATOR_NAME; - } - @Override - public List getConfigurationProperties() { - List configProperties = new ArrayList(); - Property clientId = new Property(); - clientId.setName(FacebookCustomAuthenticatorConstants.CLIENT_ID); - clientId.setDisplayName("Client Id"); - clientId.setRequired(true); - clientId.setDescription("Enter Facebook client identifier value"); - configProperties.add(clientId); - Property clientSecret = new Property(); - clientSecret.setName(FacebookCustomAuthenticatorConstants.CLIENT_SECRET); - clientSecret.setDisplayName("Client Secret"); - clientSecret.setRequired(true); - clientSecret.setConfidential(true); - clientSecret.setDescription("Enter Facebook client secret value"); - configProperties.add(clientSecret); - Property scope = new Property(); - 
scope.setName(FacebookCustomAuthenticatorConstants.SCOPE); - scope.setDisplayName("Scope"); - scope.setDescription("Enter Facebook scopes"); - scope.setDefaultValue("id"); - scope.setRequired(false); - configProperties.add(scope); - Property userIdentifier = new Property(); - userIdentifier.setName(FacebookCustomAuthenticatorConstants.USER_INFO_FIELDS); - userIdentifier.setDisplayName("User Identifier Field"); - userIdentifier.setDescription("Enter Facebook user identifier field"); - userIdentifier.setDefaultValue("id"); - userIdentifier.setRequired(false); - configProperties.add(userIdentifier); - return configProperties; - } - } - /* - * Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE­2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. 
- */ - package org.wso2.carbon.identity.application.authenticator.social.facebook2; - public class FacebookCustomAuthenticatorConstants { - public static final String AUTHENTICATOR_NAME = "FacebookAuthenticator­Custom"; - public static final String FACEBOOK_LOGIN_TYPE = "facebook"; - public static final String OAUTH2_GRANT_TYPE_CODE = "code"; - public static final String OAUTH2_PARAM_STATE = "state"; - public static final String EMAIL = "email"; - public static final String SCOPE = "Scope"; - public static final String USER_INFO_FIELDS = "UserInfoFields"; - public static final String DEFAULT_USER_IDENTIFIER = "id"; - public static final String CLIENT_ID = "ClientId"; - public static final String CLIENT_SECRET = "ClientSecret"; - public static final String FB_AUTHZ_URL = "AuthnEndpoint"; - public static final String FB_TOKEN_URL = "AuthTokenEndpoint"; - public static final String FB_USER_INFO_URL = "UserInfoEndpoint"; - private FacebookCustomAuthenticatorConstants() {} - } - /* - * Copyright (c) WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE­2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. 
- */ - package org.wso2.carbon.identity.application.authenticator.social.internal; - import org.apache.commons.logging.Log; - import org.apache.commons.logging.LogFactory; - import org.osgi.service.component.ComponentContext; - import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator; - import org.wso2.carbon.identity.application.authenticator.social.facebook2.FacebookCustomAuthenticator; - import java.util.Hashtable; - /** - * @scr.component name="identity.application.authenticator.facebook.component" - * immediate="true" - */ - public class FacebookCustomAuthenticatorServiceComponent { - private static final Log LOGGER = LogFactory.getLog(FacebookCustomAuthenticatorServiceComponent.class); - protected void activate(ComponentContext ctxt) { - try { - FacebookCustomAuthenticator facebookAuthenticator = new FacebookCustomAuthenticator(); - Hashtable props = new Hashtable(); - ctxt.getBundleContext().registerService(ApplicationAuthenticator.class.getName(), - facebookAuthenticator, props); - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("Facebook Custome Authenticator bundle is activated"); - } - } catch (Throwable e) { - LOGGER.fatal(" Error while activating Facebook authenticator ", e); - } - } - protected void deactivate(ComponentContext ctxt) { - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("Facebook Custom Authenticator bundle is deactivated"); - } - } - } - ``` +1. Start the server and log in to the WSO2 IS Management Console. -### Custom authenticator for Google +2. Navigate to **Main** > **Identity** > **Service Providers** > **Add**. + +3. Add a Service Provider name and optionally, add a description. + +4. Click **Register**. (Let’s use the playground app and refer + [this](https://is.docs.wso2.com/en/latest/learn/deploying-the-sample-app/#deploying-the-playground2-webapp) + to configure playground app. -This section includes the code used to write the custom authenticator -for Google. +3. 
List the Service Providers and edit the service provider as follows by navigating to the + **OAuth/OpenID Configuration** section under **Inbound Authentication Configuration** as explained above. -1. Download the source code from - [here](https://svn.wso2.org/repos/wso2/people/thanuja/org.wso2.carbon.identity.application.authenticator.social/) - using the following command on your terminal. +4. Click Configure and add `http://localhost:8080/playground2/oauth2client` as the call back URL. Click Update. - ``` java - $ svn checkout https://svn.wso2.org/repos/wso2/people/thanuja/org.wso2.carbon.identity.application.authenticator.social/ - ``` +5. Navigate to **Local & Outbound Authentication Configuration** as follows, and you can find the Authentication Type. + Select **Federated Authentication** and select the configured federated authenticator and update to save the changed + configurations. -2. Navigate to the folder you just downloaded, which contains the - ` pom.xml ` file and build the source code by - running the following command on your terminal. +![Partner identity provider](../assets/img/using-wso2-identity-server/partner-identity-provider.png) - ``` java - $ mvn clean install - ``` +## Try the scenario -3. Copy the - ` org.wso2.carbon.identity.application.authenticator.custom.google­5.0.0.jar ` - file found inside the **target** folder and paste it in the - ` /repository/components/dropins ` folder. +1. Access the playground app by using `http://localhost:8080/playground2`. + +2. This will redirect to the login page of the application which is configured in the partner identity server which acts as the external service. + +3. Enter Alex's username and password (The user was created, in the partner identity server). + +4. Now Alex is authenticated by the partner Identity Server. - ??? info "Click here to view the source code" - ``` java - /* - * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. 
licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE­2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - package org.wso2.carbon.identity.application.authenticator.custom.google; - import org.apache.commons.lang.StringUtils; - import org.apache.oltu.oauth2.client.response.OAuthClientResponse; - import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext; - import org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants; - import org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator; - import org.wso2.carbon.identity.application.common.model.Property; - import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants; - import java.util.ArrayList; - import java.util.List; - import java.util.Map; - public class GoogleCustomOAuth2Authenticator extends OpenIDConnectAuthenticator { - private static final long serialVersionUID = ­4154255583070524011 L; - private String tokenEndpoint; - private String oAuthEndpoint; - private String userInfoURL; - /** - * initiate tokenEndpoint - */ - private void initTokenEndpoint() { - this.tokenEndpoint = - getAuthenticatorConfig().getParameterMap().get(GoogleCustomOAuth2AuthenticationConstant - .GOOGLE_TOKEN_ENDPOINT); - if (StringUtils.isBlank(this.tokenEndpoint)) { - this.tokenEndpoint = IdentityApplicationConstants.GOOGLE_TOKEN_URL; - } - } - /** - * initiate authorization server endpoint - */ - private void initOAuthEndpoint() { - 
this.oAuthEndpoint = - getAuthenticatorConfig().getParameterMap().get(GoogleCustomOAuth2AuthenticationConstant - .GOOGLE_AUTHZ_ENDPOINT); - if (StringUtils.isBlank(this.oAuthEndpoint)) { - this.oAuthEndpoint = IdentityApplicationConstants.GOOGLE_OAUTH_URL; - } - } - /** - * Initialize the Yahoo user info url. - */ - private void initUserInfoURL() { - userInfoURL = getAuthenticatorConfig() - .getParameterMap() - .get(GoogleCustomOAuth2AuthenticationConstant.GOOGLE_USERINFO_ENDPOINT); - if (userInfoURL == null) { - userInfoURL = IdentityApplicationConstants.GOOGLE_USERINFO_URL; - } - } - /** - * Get the user info endpoint url. - * @return User info endpoint url. - */ - private String getUserInfoURL() { - if (userInfoURL == null) { - initUserInfoURL(); - } - return userInfoURL; - } - /** - * Get Authorization Server Endpoint - * - * @param authenticatorProperties this is not used currently in the method - * @return oAuthEndpoint - */ - @Override - protected String getAuthorizationServerEndpoint(Map < String, String > authenticatorProperties) { - if (StringUtils.isBlank(this.oAuthEndpoint)) { - initOAuthEndpoint(); - } - return this.oAuthEndpoint; - } - /** - * Get Token Endpoint - * - * @param authenticatorProperties this is not used currently in the method - * @return tokenEndpoint - */ - @Override - protected String getTokenEndpoint(Map < String, String > authenticatorProperties) { - if (StringUtils.isBlank(this.tokenEndpoint)) { - initTokenEndpoint(); - } - return this.tokenEndpoint; - } - /** - * Get Scope - * - * @param scope - * @param authenticatorProperties - * @return - */ - @Override - protected String getScope(String scope, - Map < String, String > authenticatorProperties) { - return GoogleCustomOAuth2AuthenticationConstant.GOOGLE_SCOPE; - } - @Override - protected String getAuthenticateUser(AuthenticationContext context, Map < String, Object > jsonObject, - OAuthClientResponse token) { - if (jsonObject.get(OIDCAuthenticatorConstants.Claim.EMAIL) == null) { 
- return (String) jsonObject.get("sub"); - } else { - return (String) jsonObject.get(OIDCAuthenticatorConstants.Claim.EMAIL); - } - } - /** - * Get google user info endpoint. - * @param token OAuth client response. - * @return User info endpoint. - */ - @Override - protected String getUserInfoEndpoint(OAuthClientResponse token, Map < String, String > authenticatorProperties) { - return getUserInfoURL(); - } - @Override - protected String getQueryString(Map < String, String > authenticatorProperties) { - return - authenticatorProperties.get(GoogleCustomOAuth2AuthenticationConstant.ADDITIONAL_QUERY_PARAMS); - } - /** - * Get Configuration Properties - * - * @return - */ - @Override - public List < Property > getConfigurationProperties() { - List < Property > configProperties = new ArrayList < Property > (); - Property clientId = new Property(); - clientId.setName(OIDCAuthenticatorConstants.CLIENT_ID); - clientId.setDisplayName("Client Id"); - clientId.setRequired(true); - clientId.setDescription("Enter Google IDP client identifier value"); - clientId.setDisplayOrder(1); - configProperties.add(clientId); - Property clientSecret = new Property(); - clientSecret.setName(OIDCAuthenticatorConstants.CLIENT_SECRET); - clientSecret.setDisplayName("Client Secret"); - clientSecret.setRequired(true); - clientSecret.setConfidential(true); - clientSecret.setDescription("Enter Google IDP client secret value"); - clientSecret.setDisplayOrder(2); - configProperties.add(clientSecret); - Property callbackUrl = new Property(); - callbackUrl.setDisplayName("Callback Url"); - callbackUrl.setName(IdentityApplicationConstants.OAuth2.CALLBACK_URL); - callbackUrl.setDescription("Enter value corresponding to callback url."); - callbackUrl.setDisplayOrder(3); - configProperties.add(callbackUrl); - Property scope = new Property(); - scope.setDisplayName("Additional Query Parameters"); - scope.setName("AdditionalQueryParameters"); - scope.setValue("scope=openid email profile"); - 
scope.setDescription("Additional query parameters. e.g: paramName1=value1"); - scope.setDisplayOrder(4); - configProperties.add(scope); - return configProperties; - } - /** - * Get Friendly Name - * - * @return - */ - @Override - public String getFriendlyName() { - return GoogleCustomOAuth2AuthenticationConstant.GOOGLE_CONNECTOR_FRIENDLY_NAME; - } - /** - * GetName - * - * @return - */ - @Override - public String getName() { - return GoogleCustomOAuth2AuthenticationConstant.GOOGLE_CONNECTOR_NAME; - } - } - /* - * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE­2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. 
- */ - package org.wso2.carbon.identity.application.authenticator.custom.google; - public class GoogleCustomOAuth2AuthenticationConstant { - private GoogleCustomOAuth2AuthenticationConstant() {} - public static final String GOOGLE_AUTHZ_ENDPOINT = "GoogleAuthzEndpoint"; - public static final String GOOGLE_TOKEN_ENDPOINT = "GoogleTokenEndpoint"; - public static final String GOOGLE_USERINFO_ENDPOINT = "GoogleUserInfoEndpoint"; - public static final String GOOGLE_CONNECTOR_FRIENDLY_NAME = "Custom Google Authenticator"; - public static final String GOOGLE_CONNECTOR_NAME = "CustomGoogleOAUth2OpenIDAuthenticator"; - public static final String GOOGLE_SCOPE = "openid email profile"; - public static final String CALLBACK_URL = "Google­callback­url"; - public static final String ADDITIONAL_QUERY_PARAMS = "AdditionalQueryParameters"; - } - /* - * Copyright (c) WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE­2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. 
- */ - package org.wso2.carbon.identity.application.authenticator.custom.internal; - import org.apache.commons.logging.Log; - import org.apache.commons.logging.LogFactory; - import org.osgi.service.component.ComponentContext; - import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator; - import org.wso2.carbon.identity.application.authenticator.custom.google.GoogleCustomOAuth2Authenticator; - import java.util.Hashtable; - /** - * @scr.component name="identity.application.authenticator.custom.google.component" immediate="true" - */ - public class GoogleCustomAuthenticatorServiceComponent { - private static final Log LOGGER = LogFactory.getLog(GoogleCustomAuthenticatorServiceComponent.class); - protected void activate(ComponentContext context) { - try { - GoogleCustomOAuth2Authenticator googleAuthenticator = new GoogleCustomOAuth2Authenticator(); - Hashtable < String, String > props = new Hashtable < String, String > (); - context.getBundleContext().registerService(ApplicationAuthenticator.class.getName(), - googleAuthenticator, props); - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("Google custom authenticator bundle is activated"); - } - } catch (Exception e) { - LOGGER.fatal(" Error while activating Google authenticator ", e); - } - } - protected void deactivate(ComponentContext context) { - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("Google custom authenticator bundle is deactivated"); - } - } - } -   - - - - - org.wso2.carbon.identity - application­authenticators - 5.0.7 - - 4.0.0 - org.wso2.carbon.identity.application.authenticator.custom.google - bundle - 5.0.0 - - - - wso2­nexus - WSO2 internal Repository - http://maven.wso2.org/nexus/content/groups/wso2­public/ - - true - daily - ignore - - - - wso2.releases - WSO2 internal Repository - http://maven.wso2.org/nexus/content/repositories/releases/ - - true - daily - ignore - - - - wso2.snapshots - WSO2 Snapshot Repository - 
http://maven.wso2.org/nexus/content/repositories/snapshots/ - - true - daily - - - false - - - - - - org.wso2.carbon - org.wso2.carbon.logging - - - org.wso2.carbon.identity - org.wso2.carbon.identity.application.authentication.framework - - - org.wso2.carbon - org.wso2.carbon.ui - - - org.wso2.orbit.org.apache.oltu.oauth2 - oltu - - - org.wso2.carbon.identity - org.wso2.carbon.identity.application.common - - - org.wso2.carbon.identity - org.wso2.carbon.identity.application.authenticator.openid - - - org.wso2.carbon.identity - org.wso2.carbon.identity.application.authenticator.oidc - - - - - - org.apache.felix - maven­scr­plugin - - - org.apache.felix - maven­bundle­plugin - true - - - ${project.artifactId} - ${project.artifactId} - - org.wso2.carbon.identity.application.authenticator.custom.internal - - - javax.servlet.http; version="${imp.pkg.version.javax.servlet}", org.apache.oltu.oauth2.*; version="${oltu.package.import.version.range}", org.apache.commons.lang; version="${commons­lang.wso2.osgi.version.range}", org.apache.commons.logging; version="${commons­logging.osgi.version.range}", org.apache.commons.codec.binary; version="${commons­codec.wso2.osgi.version.range}", org.osgi.framework; version="${osgi.framework.imp.pkg.version.range}", org.osgi.service.component; version="${osgi.service.component.imp.pkg.version.range}", org.wso2.carbon.identity.application.authentication.framework.*; version="${carbon.identity.package.import.version.range}", org.wso2.carbon.identity.application.common.model; version="${carbon.identity.package.import.version.range}", org.wso2.carbon.identity.core.util; version="${carbon.identity.package.import.version.range}", org.wso2.carbon.ui; version="${carbon.kernel.package.import.version.range}", org.wso2.carbon.identity.application.authenticator.oidc; version="[5.0.7, 5.1.0)" - - - !org.wso2.carbon.identity.application.authenticator.custom.internal, org.wso2.carbon.identity.application.authenticator.custom.google.*; version="5.0.0" 
- - - - - - - - ``` +Similarly, you can write a federated authenticator to authenticate the users using an external system. diff --git a/en/docs/get-started/overview.md b/en/docs/get-started/overview.md index 827e7489ea..4fa2abcaac 100644 --- a/en/docs/get-started/overview.md +++ b/en/docs/get-started/overview.md @@ -88,7 +88,7 @@ efficiency. WSO2 Identity Server has the ‘ [Jaggery](http://jaggeryjs.org/) ’ user interface for end users. Apart from the [Management Console](../../setup/getting-started-with-the-management-console), an [end user -view](../../learn/user-portal) is available to manage profiles, +view](../../learn/my-account) is available to manage profiles, to recover accounts and to manage authorized apps. The log in and consent pages in the UI can be completely customized because they run on a separate context as a separate web application. These web applications diff --git a/en/docs/get-started/quick-start-guide.md b/en/docs/get-started/quick-start-guide.md index c898eafbfa..ce86dd3542 100644 --- a/en/docs/get-started/quick-start-guide.md +++ b/en/docs/get-started/quick-start-guide.md @@ -12,9 +12,9 @@ sample scenario. credentials to sign in to different internal enterprise applications. Following are two such applications: -- **Pickup Dispatch** : This application helps manage the overall +- **Pickup Dispatch** : This application helps to manage the overall operations at Pickup. -- **Pickup Manager** : This application helps allocate vehicles to +- **Pickup Manager** : This application helps to allocate vehicles to drivers. Pickup needs to identify the necessary permission levels to be granted 
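Review bot: dropping the remainder of the Google custom authenticator sample (the authenticator class overrides, the `GoogleCustomOAuth2AuthenticationConstant` class, the OSGi `GoogleCustomAuthenticatorServiceComponent` and the pom.xml fragment) and following the closing fence with only `Similarly, you can write a federated authenticator to authenticate the users using an external system.` leaves the page without any concrete federated example. Either link to where the sample now lives or keep a trimmed block showing the `getAuthorizationServerEndpoint`, `getTokenEndpoint` and `getUserInfoEndpoint` overrides, since those are the parts a reader writing a federated authenticator has to supply.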
@@ -85,8 +85,24 @@ using WSO2 Identity Server. server.host.domain=localhost.com server.host.port=8080 ``` +3. Add the following configurations to the deployment.toml file in `/repository/conf` directory to make the CORS configurations applicable. + + ``` toml + [cors] + allow_generic_http_requests = true + allow_any_origin = true + supported_methods = [ + "POST", + "HEAD", + "OPTIONS" + ] + supports_credentials = false + max_age = 3600 + tag_requests = false + ``` + See the [CORS configuration](../../learn/cors) for more information for the other parameters. -3. Navigate to `/bin` using the command prompt and start the server. +4. Navigate to `/bin` using the command prompt and start the server. ``` java Linux --> sh wso2server.sh @@ -100,22 +116,22 @@ using WSO2 Identity Server. Note that following log appears in the command prompt after the server shutdown. ![qsg-stop-server](../assets/img/getting-started/qsg-stop-server.png) -4. Navigate to `/IS-QSG/bin` and execute either of the following commands to start the sample application. +5. Navigate to `/IS-QSG/bin` and execute either of the following commands to start the sample application. ``` java Linux --> sh app-server.sh Windows --> app-server.bat ``` -5. Navigate to `/IS-QSG/bin` and execute the following commands to start the Quick Start samples accordingly. +6. Navigate to `/IS-QSG/bin` and execute the following commands to start the Quick Start samples accordingly. ``` java Linux --> sh qsg.sh Windows --> qsg.bat ``` -6. When prompted, confirm the configurations. -7. Note that a message appears to pick a scenario, which indicates that the samples are deployed and WSO2 Identity Server is up and running. +7. When prompted, confirm the configurations. +8. Note that a message appears to pick a scenario, which indicates that the samples are deployed and WSO2 Identity Server is up and running. Let's try out the samples. 
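Review bot: the new step 3 turns on `allow_any_origin = true` together with `allow_generic_http_requests = true`; as this is the first configuration a newcomer copies from the quick-start, the step should say the setting is for the local sample only and that a real deployment restricts origins as described on the linked CORS page. The closing sentence also reads `See the [CORS configuration](../../learn/cors) for more information for the other parameters.`; suggest `See [CORS configuration](../../learn/cors) for information on the other parameters.`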
@@ -453,7 +469,7 @@ A message appears to pick a scenario. ![register-oauth2](../assets/img/tutorials/register-oauth2.png) Select a web application and give it a name (e.g., - SampleWebApllication). Enter the Authorized **redirect URI** as + SampleWebApplication). Enter the Authorized **redirect URI** as `https://localhost.com:9443/commonauth` (this is the endpoint in WSO2 Identity Server that accepts the response sent by Google). @@ -527,7 +543,7 @@ Pickup is going through a major expansion and is in the process of hiring new employees. Currently, when a new employee joins, the Pickup HR team requests for their details, and creates user accounts and then asks them to verify, edit and customize their user profiles. This -process sometimes takes few days. Thus, the Rowan and the Pickup HR team +process sometimes takes few days. Thus, Rowan and the Pickup HR team is having a hard time doing this one by one for especially when a larger number of employees come on-board. Cameron realizes that allowing the new employees to self sign-up to Pickup web applications will speed up diff --git a/en/docs/learn/adding-and-configuring-a-service-provider.md b/en/docs/learn/adding-and-configuring-a-service-provider.md index 790ecd4933..4374806f1e 100644 --- a/en/docs/learn/adding-and-configuring-a-service-provider.md +++ b/en/docs/learn/adding-and-configuring-a-service-provider.md @@ -73,6 +73,15 @@ the following: Name** is a required field. ![sp-name](../assets/img/using-wso2-identity-server/sp-name.png) + !!! note "Configure validation for service provider name" + The default javascript regex used to validate the service provider name entered in the Management Console is `^[a-zA-Z0-9\\s.+_-]*$`. + This regex can be modified by adding the following configuration to the `deployment.toml` file located in `/repository/conf/`. + + ``` java + [service_provider] + sp_name_java_script_regex = '' + ``` + 4. Click **Register** to add the new service provider. !!! note 
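Review bot: in the adding-and-configuring-a-service-provider.md hunk the config fence is tagged `java` although its content is TOML (`[service_provider]` / `sp_name_java_script_regex = ''`); tag it `toml` like the other snippets in this change, and replace the empty `''` with the default pattern quoted in the sentence above it so the reader sees a working value. Since the note calls it the `javascript regex used to validate the service provider name entered in the Management Console`, say whether this pattern is only the browser-side check or is also applied when the name reaches the server, because that decides whether loosening it has any security effect.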
diff --git a/en/docs/learn/adding-users-and-roles.md b/en/docs/learn/adding-users-and-roles.md index 8ecacc6009..5e6bf9c52e 100644 --- a/en/docs/learn/adding-users-and-roles.md +++ b/en/docs/learn/adding-users-and-roles.md @@ -3,7 +3,7 @@ User management involves defining and managing users, roles, and access levels in a system. A typical user management implementation involves a wide range of functionality such as adding/deleting users, controlling user activity through permissions, and managing user roles. This tutorial demonstrates how to create a new user, create a role with a set of permissions, and then log in to the - WSO2 Identity Server user portal using the newly created user's credentials. + WSO2 Identity Server **My Account** using the newly created user's credentials. ## Scenario @@ -94,8 +94,7 @@ To achieve this, Pickup's administrator can create user roles for each designati 2. Create a new role named "Manager" with `Login` permission and assign the user Alex to this role. -3. Navigate to the following URL on a new browser window to access the WSO2 Identity Server user portal: https -://localhost:9443/user-portal +3. Navigate to the following URL on a new browser window to access the WSO2 Identity Server **My Account**: https://localhost:9443/myaccount 4. Log in using the credentials for Alex's user account. Note that you are successfully logged in. diff --git a/en/docs/learn/associating-user-accounts.md b/en/docs/learn/associating-user-accounts.md index a3bfc8cbda..8eb28a18af 100644 --- a/en/docs/learn/associating-user-accounts.md +++ b/en/docs/learn/associating-user-accounts.md 
@@ -8,8 +8,9 @@ how to associate all your user accounts to the account with which you have logged on. !!! note - If you want to associate user accounts of federated users via the - user portal, add the following configuration to the `/repository/conf/deployment.toml` + + If you want to associate user accounts of federated users via + **My Account**, add the following configuration to the `/repository/conf/deployment.toml` file. ``` toml @@ -18,7 +19,7 @@ have logged on. ``` The **recommended approach** is to have the `enable_for_federated_users` parameter set to `false` so that manual - federated user association is not allowed by default via the user portal. + federated user association is not allowed by default via **My Account**. @@ -41,10 +42,6 @@ The following actions can be performed using above admin service. - Switch between associated user accounts without re-authenticate with the system -## Using the user portal - -The WSO2 Identity Server [user -portal](../../learn/user-portal) can be used to associate the -accounts. You can associate a local user account or a federated user -account. See [Linked Accounts](../../learn/user-portal/#linked-accounts) under -User Portal for details. +## Using the **My Account** +The WSO2 Identity Server [**My Account**](../learn/my-account.md) can be used to associate the accounts. You can associate a local user account or a federated user +accounts. See [Linked Accounts](../learn/my-account.md#linked-accounts) under **My Account** for details. diff --git a/en/docs/learn/associating-user-accounts.md.orig b/en/docs/learn/associating-user-accounts.md.orig new file mode 100644 index 0000000000..003be93184 --- /dev/null +++ b/en/docs/learn/associating-user-accounts.md.orig 
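Review bot: the last hunk of associating-user-accounts.md introduces `You can associate a local user account or a federated user accounts.`; it should read `a federated user account`. The same hunk links with `../learn/my-account.md` and `../learn/my-account.md#linked-accounts`, while other pages in this change (overview.md, for example) use the `../../learn/my-account` form; pick one form so the links resolve consistently under the site build. The rewritten heading `## Using the **My Account**` also loses the blank line that separated it from the following paragraph.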
@@ -0,0 +1,54 @@ +# Associating User Accounts + +WSO2 Identity Server (WSO2 IS) allows you to associate multiple accounts +you may have, and switch between accounts once you associate accounts. +WSO2 IS also allows you to connect your federated user credentials with +your WSO2 Identity Server account. This topic provides instructions on +how to associate all your user accounts to the account with which you +have logged on. + +!!! note +<<<<<<< HEAD + If you want to associate user accounts of federated users via the + **My Account**, add the following configuration to the `/repository/conf/deployment.toml` +======= + If you want to associate user accounts of federated users via + my account, add the following configuration to the `/repository/conf/deployment.toml` +>>>>>>> b32ebc7751fa4bc34c009b9ab213156efe77687e + file. + + ``` toml + [user.association] + enable_for_federated_users = true + ``` + + The **recommended approach** is to have the `enable_for_federated_users` parameter set to `false` so that manual + federated user association is not allowed by default via the **My Account**. + + + +Follow one of the two approaches below to associate all your user +accounts: + +## Using the AdminService + +The first approach is to use the ` AdminService ` . You +can access this admin service using the following URL: ' +` https://:9443/services/UserAccountAssociationService?wsdl ` +'. If you are new to admin services, see [Calling Admin +Services](../../develop/calling-admin-services). + +The following actions can be performed using above admin service. + +- Create a new user account association +- Delete an existing user account association +- Get all associated user accounts of the logged in user +- Switch between associated user accounts without re-authenticate with + the system + +## Using the **My Account** + +The WSO2 Identity Server [**My Account**](../learn/my-account.md) can be used to associate the +accounts. 
You can associate a local user account or a federated user +account. See [Linked Accounts](../learn/my-account.md#linked-accounts) under +**My Account** for details. diff --git a/en/docs/learn/basic-client-profile-with-playground.md b/en/docs/learn/basic-client-profile-with-playground.md index 05c7367f49..5d69a41b5e 100644 --- a/en/docs/learn/basic-client-profile-with-playground.md +++ b/en/docs/learn/basic-client-profile-with-playground.md @@ -46,7 +46,7 @@ http://wso2is.local:8080/playground2/ ` ??? note "Complete the user profile" 1. [Create a user](../../learn/configuring-users). 2. Log in as the user you created and go to the - [User Portal](../../learn/user-portal). + [**My Account**](../learn/my-account.md). 3. [Update your profile](../../learn/configuring-users#update-users) filling the user attributes. diff --git a/en/docs/learn/configuring-account-disabling.md b/en/docs/learn/configuring-account-disabling.md index ae5976c49f..8b351751ac 100644 --- a/en/docs/learn/configuring-account-disabling.md +++ b/en/docs/learn/configuring-account-disabling.md @@ -112,7 +112,7 @@ Follow the steps below to configure account disabling in WSO2 Identity Server. Account Disabled email - 5. Access the WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`. + 5. Access the WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. Sign In form @@ -131,5 +131,5 @@ Follow the steps below to configure account disabling in WSO2 Identity Server. Account Enabled email - 5. Trying logging in to the WSO2 Identity Server User Portal with Alex's credentials. The WSO2 Identity Server - User Portal home screen appears. + 5. Trying logging in to the WSO2 Identity Server **My Account** with Alex's credentials. The WSO2 Identity Server + **My Account** home screen appears. 
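Review bot: `en/docs/learn/associating-user-accounts.md.orig` is a merge-tool backup and must not be committed; it carries unresolved `<<<<<<< HEAD`, `=======` and `>>>>>>> b32ebc7751fa4bc34c009b9ab213156efe77687e` markers and duplicates the page it sits beside. Drop the file from the change and consider ignoring `*.orig` so it cannot come back.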
diff --git a/en/docs/learn/configuring-account-locking-due-to-failed-login-attempts.md b/en/docs/learn/configuring-account-locking-due-to-failed-login-attempts.md index abada506cb..910e842d14 100644 --- a/en/docs/learn/configuring-account-locking-due-to-failed-login-attempts.md +++ b/en/docs/learn/configuring-account-locking-due-to-failed-login-attempts.md @@ -95,7 +95,7 @@ Follow the steps below to configure account locking due to failed login attempts 4. To mimic account locking: - 1. Access the WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`. + 1. Access the WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. Sign In form @@ -110,7 +110,7 @@ Follow the steps below to configure account locking due to failed login attempts Account Locked email - 4. Wait for 15 minutes and try to log in again with the correct credentials. The WSO2 Identity Server User Portal + 4. Wait for 15 minutes and try to log in again with the correct credentials. The WSO2 Identity Server **My Account** home screen appears. diff --git a/en/docs/learn/configuring-active-directory-user-stores-for-scim-2.0-based-inbound-provisioning.md b/en/docs/learn/configuring-active-directory-user-stores-for-scim-2.0-based-inbound-provisioning.md index 5ee3a9757c..53e432651d 100644 --- a/en/docs/learn/configuring-active-directory-user-stores-for-scim-2.0-based-inbound-provisioning.md +++ b/en/docs/learn/configuring-active-directory-user-stores-for-scim-2.0-based-inbound-provisioning.md 
@@ -30,7 +30,7 @@ Log in to WSO2 Identity Server using your credentials.This claim mapping can be 5. Edit the other four claims in the same way. -Now the basic claim mapping is done. You can now add a user using the curl commands [here](../../develop/using-the-scim-2.0-rest-apis/). +Now the basic claim mapping is done. You can now add a user using the curl commands [here](../../develop/scim2-rest-apis/). In RestClient, the following header parameters must be added and the double quotations must be removed from the message body. diff --git a/en/docs/learn/configuring-admin-initiated-account-locking.md b/en/docs/learn/configuring-admin-initiated-account-locking.md index e0b0a32510..7d7821f7cc 100644 --- a/en/docs/learn/configuring-admin-initiated-account-locking.md +++ b/en/docs/learn/configuring-admin-initiated-account-locking.md @@ -112,14 +112,14 @@ Follow the steps below to configure admin-initiated account locking in WSO2 Iden Account Locked email - 5. Access the WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`. + 5. Access the WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. Sign In form 6. Try logging in with Alex's credentials. Note that an error message appears. - 7. Wait for 15 minutes and try to log in again. The WSO2 Identity Server User Portal home screen appears. + 7. Wait for 15 minutes and try to log in again. The WSO2 Identity Server **My Account** home screen appears. 4. To unlock Alex's user account: @@ -133,5 +133,5 @@ Follow the steps below to configure admin-initiated account locking in WSO2 Iden Account Unlocked email - 5. Try logging in to the WSO2 Identity Server User Portal with Alex's credentials. The WSO2 Identity Server - User Portal home screen appears. + 5. Try logging in to the WSO2 Identity Server **My Account** with Alex's credentials. The WSO2 Identity Server + **My Account** home screen appears. 
diff --git a/en/docs/learn/configuring-email-otp.md b/en/docs/learn/configuring-email-otp.md index aa6c1cf58c..f986b030f6 100644 --- a/en/docs/learn/configuring-email-otp.md +++ b/en/docs/learn/configuring-email-otp.md @@ -63,6 +63,7 @@ as explained [here](../../setup/configuring-email-sending). CaptureAndUpdateEmailAddress = true showEmailAddressInUI = true useEventHandlerBasedEmailSender = true + emailAddressRegex = '(?<=.{1}).(?=.*@)' ``` @@ -82,8 +83,8 @@ as explained [here](../../setup/configuring-email-sending).
  • local: This is the default value and is based on the federated username. You must set the federated username in the local userstore . The federated username must be the same as the local username.
  • assocication: The federated username must be associated with the - local account in advance in the user portal. The local username is retrieved - from the association. To associate the user, log into the [user portal](../../learn + local account in advance in the **My Account**. The local username is retrieved + from the association. To associate the user, log into the [**My Account**](../../learn /user-portal) and go to **Associated Account** by clicking **View details**.
  • subjectUri: When configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the EmailOTP authenticator.
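Review bot: in the `assocication` bullet the `+` line changes the link text to `[**My Account**](../../learn` but the continuation line `/user-portal) and go to **Associated Account** ...` is unchanged context, so the rendered link still points to `../../learn/user-portal` instead of the My Account page every other hunk moves to; change the continuation to `/my-account)`. While in that bullet, fix the spelling `assocication` to `association`.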
  • @@ -236,6 +237,16 @@ as explained [here](../../setup/configuring-email-sending).
+
+ + + +
emailAddressRegexWhen `showEmailAddressInUI` is enabled, it provides the capability to define the way the email address should be displayed in the UI. This can be configured with a proper regex pattern as required. +
    +
  • (?<=.{1}).(?=.*@)  :  `t***@mail.com`
  • +
  • (?<=.)[^@](?=[^@]*?@)|(?:(?<=@.)|(?!^)\\G(?=[^@]*$)).(?=.*\\.)  :  `t***@m***.com`
  • +
+
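Review bot: the new `emailAddressRegex` row shows the masked results (`t***@mail.com`, `t***@m***.com`) but never states how the matched characters are transformed (the examples suggest every match is replaced with `*`), which is exactly what a reader needs in order to write a pattern of their own; add that sentence. The second pattern is written with doubled backslashes (`\\G`, `\\.`) while the `deployment.toml` lines added in the same file use a single-quoted TOML literal (`emailAddressRegex = '(?<=.{1}).(?=.*@)'`), where no escaping is needed; say which form belongs in the file. The row also adds several empty `+` lines that render as blank table content.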
@@ -376,6 +387,7 @@ Follow the steps below to send the One Time Password (OTP) using Gmail APIs or u CaptureAndUpdateEmailAddress = true showEmailAddressInUI = true useEventHandlerBasedEmailSender = true + emailAddressRegex = '(?<=.{1}).(?=.*@)' ``` !!! Tip diff --git a/en/docs/learn/configuring-identity-analytics.md b/en/docs/learn/configuring-identity-analytics.md index d964d86547..50fbac9134 100644 --- a/en/docs/learn/configuring-identity-analytics.md +++ b/en/docs/learn/configuring-identity-analytics.md @@ -16,15 +16,7 @@ To do this, the developers need to view authentication statistics about the logi ## Enable analytics -Open the `deployment.toml` file found in the `/repository/conf` folder and add the following event listeners to enable analytics in WSO2 Identity Server. - -``` toml -[[event_listener]] -id = "authn_data_publisher_proxy" -type = "org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler" -name = "org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy" -order = 11 -``` +Open the `deployment.toml` file found in the `/repository/conf` folder and enable the following event publishers to enable analytics in WSO2 Identity Server. ``` toml [identity_mgt.analytics_login_data_publisher] @@ -77,7 +69,7 @@ If you do not need to change the default values, proceed to start the servers. Let's create some basic authentication statistics. To do this, log in to the WSO2 IS dashboard. This login attempt will be published to WSO2 IS Analytics and you will be able to view the login attempt using the WSO2 IS Analytics dashboard. -1. Log in to the [WSO2 Identity Server User Portal](https://localhost:9443/user-portal/) using admin/admin credentials. +1. Log in to the [WSO2 Identity Server **My Account**](https://localhost:9443/myaccount) using admin/admin credentials. 2. Next, access the WSO2 Identity Server Analytics Dashboard at the following URL: 
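Review bot: the configuring-identity-analytics.md hunk deletes the `[[event_listener]]` block that registers `AuthnDataPublisherProxy` and keeps only the publisher toggles, without saying why. If the listener is now registered by default, state that and from which version, so readers on older releases know whether the listener still has to be added before the publishers below take effect.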
diff --git a/en/docs/learn/configuring-local-and-outbound-authentication-for-a-service-provider.md b/en/docs/learn/configuring-local-and-outbound-authentication-for-a-service-provider.md index 46207ec90c..43baaa170f 100644 --- a/en/docs/learn/configuring-local-and-outbound-authentication-for-a-service-provider.md +++ b/en/docs/learn/configuring-local-and-outbound-authentication-for-a-service-provider.md @@ -25,6 +25,11 @@ You can configure the following for local and outbound authentication. - **Assert identity using mapped local subject identifier** : Select this to use the local subject identifier when asserting the identity. + + !!! note + It is mandatory to enable the above option to authorize scopes for provisioned + federated users. + - **Always send back the authenticated list of identity providers** : Select this to send back the list of identity providers that the current user is authenticated by. diff --git a/en/docs/learn/configuring-multi-tenancy.md b/en/docs/learn/configuring-multi-tenancy.md index b1c6188c4b..a9449d7776 100644 --- a/en/docs/learn/configuring-multi-tenancy.md +++ b/en/docs/learn/configuring-multi-tenancy.md @@ -54,7 +54,7 @@ You have succesfully created a user in the `pickup-eats` tenant. Now repeat step ## Try it out -1. Log in to the [WSO2 Identity Server User Portal](https://localhost:9443/user-portal) using the pickup-eats user +1. Log in to the [WSO2 Identity Server **My Account**](https://localhost:9443/myaccount) using the pickup-eats user credentials. - `Username:` cameron@pickup-eats.com @@ -66,7 +66,7 @@ You have succesfully created a user in the `pickup-eats` tenant. Now repeat step - `Password:` alex123 Note the relevant tenant domain appended to the user name of each user. You have successfully configured two separate - tenants for PickupEats and PickupTaxis with shared access to the user portal. + tenants for PickupEats and PickupTaxis with shared access to the **My Account**. 
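Review bot: `shared access to the **My Account**` in the multi-tenancy hunk, like `via the **My Account**` and `in the **My Account**` elsewhere in this change, keeps the article from `the user portal`; `My Account` is a product name, so drop `the`. In the local-and-outbound hunk the new note says the option is `mandatory ... to authorize scopes for provisioned federated users`; add what fails when it is left off, since a bare `mandatory` gives the reader nothing to verify.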
diff --git a/en/docs/learn/configuring-oauth2-openid-connect.md b/en/docs/learn/configuring-oauth2-openid-connect.md index 29d59d40d7..04ada36eca 100644 --- a/en/docs/learn/configuring-oauth2-openid-connect.md +++ b/en/docs/learn/configuring-oauth2-openid-connect.md @@ -118,10 +118,10 @@ the users with an authorization server-based authentication. This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here.

If you wish to send query parameters that need to be updated dynamically with each OIDC request, the value needs to be defined within parenthesis.This value should be the key of the query parameter sent in the OIDC request URL.
- Format: login_hint={paramName}
+ Format: `login_hint=${paramName}`

Multiple parameters can be defined by separation of query parameters using the & character.
- Sample:
login_hint={paramName}&scope=openid email profile

+ Sample:
`login_hint=${paramName}&scope=openid email profile`

Alternatively, use the following format to send query parameters that are resolved using an adaptive authentication script.
Format: login_hint=$authparam{paramName}
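Review bot: the `+` lines change the format to `login_hint=${paramName}`, but the unchanged sentence above still says the value `needs to be defined within parenthesis`; update it to say the parameter name goes inside `${}`. Put the adaptive-script form `login_hint=$authparam{paramName}` in backticks too so all three formats render alike.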

diff --git a/en/docs/learn/configuring-oidc-federated-idp-initiated-logout.md b/en/docs/learn/configuring-oidc-federated-idp-initiated-logout.md new file mode 100644 index 0000000000..45bf631dce --- /dev/null +++ b/en/docs/learn/configuring-oidc-federated-idp-initiated-logout.md 
@@ -0,0 +1,214 @@ +# Configuring OIDC Federated IdP Initiated Logout + +WSO2 Identity Server (WSO2 IS) supports handling logout requests from OIDC federated identity providers. When an OIDC +back-channel logout request is received from the OIDC federated identity provider to the back-channel logout endpoint of +WSO2 IS (`https://:/identity/oidc/slo`), WSO2 IS processes the request, terminates the sessions of +the particular user, and then responds to the identity provider. + +Refer [OIDC Back-channel logout](../../learn/openid-connect-single-logout/#oidc-back-channel-logout) for more +information. + +## Scenario + +The diagram below illustrates the OIDC federated identity provider initiated logout scenario. **WSO2 IS** and +**Application2** are configured as service providers in the **OIDC provider**. **OIDC provider** is configured as an +identity provider, and **Application1** is configured as a service provider in **WSO2 IS**. When the user initiates the +logout from **Application2**, first the federated **OIDC provider** handles the request and propagates the logout +request to **WSO2 IS**. After receiving the logout request from the federated identity provider, **WSO2 IS** processes +the request and terminates the session and sends back a logout response to the OIDC provider. Once the session is +terminated on WSO2 IS side, it will propagate the logout request to all the connected Relying Parties. User is logged +out from the **Application1**. + +!!! note + + If logout is successful in WSO2 IS, it will respond with `200 OK`. If there are any server-side errors or client + errors(e.g., claim validation fails), it will respond with `Bad Request` or `Internal Server Error`. 
+ +![oidc-fed-idp-init-logout-scenario](../assets/img/tutorials/oidc-fed-idp-init-logout-scenario.png) + +## Trying out the flow with WSO2 Identity Server + +To demonstrate the OIDC federated identity provider initiated logout, this tutorial uses two WSO2 identity servers which +run on ports, 9443 (Primary IS) and 9444 (Secondary IS), and two sample web applications, **Pickup-Dispatch** and +**Pickup-Manager**. In this scenario, Secondary IS acts as a federated OIDC identity provider and +**Pickup-Dispatch** and **Pickup-Manager** acts as **Application1** and **Application2** respectively. The following +section provides a guide for configuring the OIDC federated identity provider initiated logout and trying it out with +the sample applications. + +1. Configure Primary IS as a service provider in the Secondary IS. +2. Configure Secondary IS as an identity provider in the Primary IS. +3. Configure Pickup Dispatch in Primary IS. +4. Configure Pickup Manager in Secondary IS. + +!!! note + + Since there can be issues with cookies when the same hostname is configured for both WSO2 identity servers + (primary and federated), you need to configure different hostnames for both servers. + Follow [Change hostname of the WSO2 IS](../../setup/changing-the-hostname) guide to change the hostname of the + Secondary IS. In this guide, the hostname of the Secondary IS is configured as `localhost.com`. + +### Configure Primary IS as a Service Provider in the Secondary IS + +1. Run WSO2 Identity Server on port 9444 (Secondary IS). +2. Log in to the management console as an administrator using the admin, admin credentials. +3. Navigate to **Main** to access the **Identity** menu. +4. Click **Add** under **Service Providers**. +5. Fill in the details in the **Basic Information** section. Give a suitable name for the service provider like + `PrimaryIS` and click **Register**. +6. 
Expand the **OAuth2/OpenID Connect Configuration** section under the **Inbound Authentication Configuration** section + and click **Configure**. +7. Add `https://localhost:9443/commonauth` as **Callback Url**. + + ![oidc-federated-idp-config](../assets/img/tutorials/oidc-federated-idp-config.png) + +8. Tick the **Enable OIDC Back-channel Logout** checkbox and add `https://localhost:9443/identity/oidc/slo` as + **Back-channel Logout Url**. + + ![oidc-back-channel-logout-url](../assets/img/tutorials/oidc-back-channel-logout-url.png) + +9. Click **Add**. Note the generated OAuth Client Key and Secret. + +### Configure Secondary IS as an Identity Provider in the Primary IS + +1. Run WSO2 Identity Server on port 9443 (Primary IS). +2. Log in to the management console as an administrator using the admin, admin credentials. +3. Navigate to **Main** to access the **Identity** menu. +4. Click **Add** under **Identity Providers**. +5. Fill in the details in the **Basic Information** section. Give a suitable name for the identity provider. +6. Expand the **OAuth2/OpenID Connect Configuration** section under **Federated Authenticators** section. +7. Fill the fields as follows. + + Here the client id and secret is the Oauth Client Key and Secret generated in the above step. + + - Authorization Endpoint URL - `https://localhost.com:9444/oauth2/authorize` + - Token Endpoint URL - `https://localhost.com:9444/oauth2/token` + - Callback Url - `https://localhost:9443/commonauth` + - Userinfo Endpoint URL - `https://localhost.com:9444/oauth2/userinfo` + - Logout Endpoint URL - `https://localhost.com:9444/oidc/logout` + + Add `scope=openid` in **Additional Query Parameters**. + + ![oidc-fed-idp-config-in-primary-idp](../assets/img/tutorials/oidc-fed-idp-config-in-primary-idp.png) + +8. Signature of the logout token is validated using either the registered JWKS uri or uploaded certificate to the + relevant identity provider. 
+ + - Under the **Basic Information** section, select the **Use IDP JWKS endpoint** option from **Choose IDP certificate + type** and add the JWKS uri + `https://localhost.com:9444/oauth2/jwks` to Identity Provider's JWKS Endpoint. + ![oidc-primary-idp-jwks-uri-config](../assets/img/tutorials/oidc-primary-idp-jwks-uri-config.png) + + - Alternatively, select the **Upload IDP certificate** option from **Choose IDP certificate type** and upload the + certificate of the SecondaryIS. + ![oidc-primary-idp-certificate-config](../assets/img/tutorials/oidc-primary-idp-certificate-config.png) + +9. Add `https://localhost:9444/oauth2/token` as the **Identity Provider's Issuer Name**. + + ![oidc-backchannel-logout-issuer-name](../assets/img/tutorials/oidc-backchannel-logout-issuer-name.png) + +!!! note + + **Identity Provider's Issuer Name** of the Identity Provider in **Primary IS** should be same as the **Identity + Provider Entity ID** in the `Identity Providers > Resident > Inbound Authentication Configuration > OAuth2/OpenID + Connect Configuration` in the **Secondary IS**. + +10. Click **Register**. + +### Configure Pickup Dispatch application in the Primary IS + +1. Follow the steps + in [Deploying the pickup-dispatch webapp](https://is.docs.wso2.com/en/latest/learn/deploying-the-sample-app/#deploying-the-pickup-dispatch-webapp) + to download, deploy and register the **Pickup-Dispatch** sample. +2. Once you have added the OIDC service provider, go to **Service Provider Configuration** and expand **Local & Outbound + Authentication Configuration**. +3. Select **Federated Authentication** and from the dropdown menu select **SecondaryIS**. + + ![oidc-service-provider-federated-authentication](../assets/img/tutorials/oidc-service-provider-federated-authentication.png) + +4. Click **Update**. 
+ +### Configure Pickup Manager application in the Secondary IS + +Follow the steps +in [Deploying the pickup-manager webapp](https://is.docs.wso2.com/en/latest/learn/deploying-the-sample-app/#deploying-the-pickup-manager-webapp) +to download, deploy, and register the Pickup-Manager sample. + +## OIDC Back-channel Logout Token Validation + +The following is an example OIDC back-channel logout token. + +``` + { + "iss": "https://localhost.com:9444/oauth2/token", + "sub": "admin", + "aud": "w_Hwp05dFRwcRs_WFHv9SNwpflAa", + "iat": 1609911868, + "exp": 1609911988, + "jti": "16159e3e-c5fc-42de-b93f-b0782ab33d58", + "sid": "15043ffc-877d-4205-af41-9b107f7da38c", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {} + } + } +``` + +Logout token validation is done according to +the [OIDC back-channel logout specification](https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation) +for the token signature and the `iss`, `aud`, `iat`, `sub`, `sid`, `events` and `nonce` claims. + +### Configure “iat” claim validation + +By default, the "iat" claim validation is enabled and `iatValidityPeriod` is set as 300 seconds. + +To change the “iat” claim validation, add the following configuration to the **deployment.toml** file in +`/repository/conf/` directory. + +``` +[authentication.authenticator.oidc.parameters] +iatValidityPeriod = "150" +``` + +To disable the “iat” claim validation, add the following configuration to the **deployment.toml** file. + +``` +[authentication.authenticator.oidc.parameters] +enableIatValidation = false +``` + +After adding the configurations, restart the WSO2 IS. + +- `iatValidityPeriod` should be in seconds. + +- If the `iat` claim validation is enabled in the Primary IS, the token shouldn’t be issued before the specified time. + +## Identifying Session Using sub or sid Claim + +- Logout token should contain a `sub` claim, an `sid` claim, or both. 
+- If the logout token contains an `sid` claim, IS will terminate the particular session of the user using the `sid` + claim. The `sid` claim in the logout token should match to the `sid` claim in the id token received for the current + session. +- If the logout token only contains a `sub` claim, IS will terminate all the session for that `sub` claim. + +## Try it out + +Once you have completed configuring WSO2 IS as instructed in the above sections, try out the flow by running the sample +applications. + +1. Access the following URL on a browser + window, [http://localhost.com:8080/pickup-dispatch/](http://localhost.com:8080/pickup-dispatch/) +2. Click **Login**. You will be redirected to the WSO2 Identity Server login page (SecondaryIS - port 9444). +3. Log in using your WSO2 Identity Server credentials. You will be redirected to the **Pickup Dispatch** application + home page. +4. Now access the following URL on another browser window to access the **Pickup Manager** application, which is + registered in the federated identity + provider: [http://localhost.com:8080/pickup-manager/](http://localhost.com:8080/pickup-manager/). + +5. Once you click **Login**, you will be automatically logged in and redirected to the **Pickup Manager** application + home page. + +6. Log out of the **Pickup Manager** application. You will be redirected back to the login page of the application. + +7. Now attempt to access the **Pickup Dispatch** application. You will be automatically logged out of this application + as well. + +This means that you have successfully configured an OIDC federated identity provider initiated logout. diff --git a/en/docs/learn/configuring-openid-connect-back-channel-logout.md b/en/docs/learn/configuring-openid-connect-back-channel-logout.md index f23eb33bf6..e8627f2532 100644 --- a/en/docs/learn/configuring-openid-connect-back-channel-logout.md +++ b/en/docs/learn/configuring-openid-connect-back-channel-logout.md 
@@ -219,3 +219,7 @@ the newly registered service provider: ` null ` indicating that you are also logged out from the playground2 application. ![]( ../assets/img/112390325/112391429.png) + +!!! Note + When a session is terminated via the [Session Management REST API](../develop/session-mgt-rest-api), + WSO2 Identity Server will send a back-channel logout notification. \ No newline at end of file diff --git a/en/docs/learn/configuring-password-reset-with-challenge.md b/en/docs/learn/configuring-password-reset-with-challenge.md index 5e19cbf66e..9521bfd0c5 100644 --- a/en/docs/learn/configuring-password-reset-with-challenge.md +++ b/en/docs/learn/configuring-password-reset-with-challenge.md @@ -73,7 +73,7 @@ Follow the steps below to configure WSO2 Identity Server to enable password rese 3. To configure the challenge questions: - 1. Access WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`. + 1. Access WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. 2. Log in with the credentials of the user account that you created. @@ -100,7 +100,7 @@ Follow the steps below to configure WSO2 Identity Server to enable password rese 4. To mimic a forgotten password: - 1. On the Sign In screen of the WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`, click + 1. On the Sign In screen of the WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`, click **Password**. Sign In form @@ -123,4 +123,4 @@ Follow the steps below to configure WSO2 Identity Server to enable password rese Password Reset form - 8. Enter the user name and new password and click **Sign In**. The User Portal home screen appears. + 8. Enter the user name and new password and click **Sign In**. The **My Account** home screen appears. diff --git a/en/docs/learn/configuring-password-reset-with-email.md b/en/docs/learn/configuring-password-reset-with-email.md index fe9880fda4..0df49d7a87 100644 
--- a/en/docs/learn/configuring-password-reset-with-email.md +++ b/en/docs/learn/configuring-password-reset-with-email.md @@ -131,7 +131,7 @@ Follow the steps below to configure WSO2 Identity Server to enable password rese 3. To mimic a forgotten password: - 1. Access WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`. + 1. Access WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. 2. Click **Password**. diff --git a/en/docs/learn/configuring-recaptcha-for-password-recovery.md b/en/docs/learn/configuring-recaptcha-for-password-recovery.md index 53eb83a380..f6c8fb3e30 100644 --- a/en/docs/learn/configuring-recaptcha-for-password-recovery.md +++ b/en/docs/learn/configuring-recaptcha-for-password-recovery.md @@ -48,7 +48,7 @@ reCaptcha for a specific tenant. 7. You have now successfully configured reCaptcha for the password recovery flow. Start WSO2 Identity Server and log into the end user - [user portal](https://localhost:9443/user-portal). + [**My Account**](https://localhost:9443/myaccount). !!! tip @@ -89,7 +89,7 @@ password recovery with reCaptcha. 3. You have now successfully configured reCaptcha for the password recovery flow. Start WSO2 Identity Server and log into the end user - [user portal.](https://localhost:9443/user-portal) + [**My Account**.](https://localhost:9443/myaccount) !!! tip diff --git a/en/docs/learn/configuring-recaptcha-for-self-registration.md b/en/docs/learn/configuring-recaptcha-for-self-registration.md index 62ba5d485e..ab391776fd 100644 --- a/en/docs/learn/configuring-recaptcha-for-self-registration.md +++ b/en/docs/learn/configuring-recaptcha-for-self-registration.md 
@@ -33,8 +33,8 @@ You can either configure the recaptcha for a tenant, or configure it globally. ![self-registration-enable-recaptcha](../assets/img/using-wso2-identity-server/self-registration-enable-recaptcha.png) 7. You have now successfully configured reCaptcha for the self registration flow. Start the WSO2 Identity Server and log in to the - user portal using the following link: - + **My Account** using the following link: + !!! tip If you have changed the port offset or modified the hostname, change the port or @@ -140,8 +140,8 @@ You can either configure the recaptcha for a tenant, or configure it globally. 4. Set up reCaptcha with the WSO2 Identity Server. For instructions on how to do this and more information about reCaptcha, see [Setting Up ReCaptcha](../../learn/setting-up-recaptcha). -5. Start the WSO2 Identity Server and log in to the user portal - using the following link: `` +5. Start the WSO2 Identity Server and log in to the **My Account** + using the following link: `` !!! tip If you have changed the port offset or modified the hostname, change the port or diff --git a/en/docs/learn/configuring-recaptcha-for-single-sign-on.md b/en/docs/learn/configuring-recaptcha-for-single-sign-on.md index 8cbc8e20b3..1f13f2736c 100644 --- a/en/docs/learn/configuring-recaptcha-for-single-sign-on.md +++ b/en/docs/learn/configuring-recaptcha-for-single-sign-on.md 
@@ -13,30 +13,6 @@ attacks. 1. Set up reCaptcha with the WSO2 Identity Server. For instructions on how to do this and more information about reCaptcha, see [Setting Up ReCaptcha](../../learn/setting-up-recaptcha). - - !!! tip - - To modify the filter mapping for reCaptcha, open the - ` web.xml ` file located in the - ` /repository/conf/tomcat/carbon/WEB-INF ` - directory and find the following filter. You can modify the relevant - URL patterns if required. - - ``` xml - - CaptchaFilter - org.wso2.carbon.identity.captcha.filter.CaptchaFilter - - - CaptchaFilter - /samlsso - /oauth2 - /commonauth - FORWARD - REQUEST - - ``` - 2. Start the WSO2 IS Server and login to the management console. 3. Click **List** under **Identity Providers** found in the **Main** tab. diff --git a/en/docs/learn/configuring-recaptcha-for-username-recovery.md b/en/docs/learn/configuring-recaptcha-for-username-recovery.md index 73ec38c22c..49d5fd818e 100644 --- a/en/docs/learn/configuring-recaptcha-for-username-recovery.md +++ b/en/docs/learn/configuring-recaptcha-for-username-recovery.md @@ -45,7 +45,7 @@ reCaptcha for a specific tenant. 7. You have now successfully configured reCaptcha for the username recovery flow. Start the WSO2 Identity Server and log into the end - user [user portal](https://localhost:9443/user-portal). + user [**My Account**](https://localhost:9443/myaccount). !!! tip @@ -95,7 +95,7 @@ username recovery with reCaptcha. 3. You have now successfully configured reCaptcha for the username recovery flow. Start WSO2 Identity Server and log into the end user - [user portal](https://localhost:9443/user-portal). + [**My Account**](https://localhost:9443/myaccount). !!! tip diff --git a/en/docs/learn/configuring-saml2-web-single-sign-on.md b/en/docs/learn/configuring-saml2-web-single-sign-on.md index bbaa476255..77295a5c73 100644 --- a/en/docs/learn/configuring-saml2-web-single-sign-on.md +++ b/en/docs/learn/configuring-saml2-web-single-sign-on.md 
@@ -123,6 +123,17 @@ To configure SAML2 Web SSO: Certificate Alias
+

Tip

+

From WSO2 IS 5.12.0 onwards, the Certificate Alias option is hidden from the application + configurations. To enable the Certificate Alias option in the console UI, add the following + configuration to the <IS_HOME>/repository/deployment.toml file. + + ```toml + [console.applications.ui] + certificate_alias_enabled=true + ``` +

+

Select the Certificate Alias from the dropdown. This is used to validate the signature of SAML2 requests and is used to generate encryption. Basically the service provider’s certificate must be selected here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing a tenant specific configuration.

Tip

@@ -384,6 +395,3 @@ of entity configuration. Server](../../learn/logging-in-to-salesforce-with-integrated-windows-authentication) - [Configuring SAML2 Single-Sign-On Across Different WSO2 Products](../../learn/configuring-saml2-single-sign-on-across-different-wso2-products) - - See [Using the SAML2 - Toolkit](../../administer/using-the-saml2-toolkit) for support on debugging issues with SAML2 configurations. diff --git a/en/docs/learn/configuring-sms-otp.md b/en/docs/learn/configuring-sms-otp.md index 615dc92028..a6062f7a69 100644 --- a/en/docs/learn/configuring-sms-otp.md +++ b/en/docs/learn/configuring-sms-otp.md @@ -492,6 +492,28 @@ You can configure any of the above as following in the SendOTPDirectlyToMobile = false redirectToMultiOptionPageOnFailure = false ``` + +## Validating the mobile number format of the user + +Follow the steps given below to validate the mobile number of the users in +WSO2 IS. + +!!! note +The `CaptureAndUpdateMobileNumber` property in the SMS OTP configuration properties should be set to **true**. + +1. Expand **SMS OTP Configuration** under **Federated Authenticators**. + +2. Enter the regex pattern you wish to validate the mobile number against when the user enters the mobile number on the registration page. + + ![add-mobile-number-regex-pattern](../assets/img/tutorials/sms-otp/add-mobile-number-regex-pattern.png) + + !!! info + - For example, if the entered mobile number is to be validated against the **E.164** format, enter the regex pattern as `\\+[1-9]\\d{1,14}\$`. + +3. Enter the error message that should be displayed to the user when the mobile number is entered in the incorrect format. + + ![add-regex-violation-error-message](../assets/img/tutorials/sms-otp/add-regex-violation-error-message.png) + !!! note diff --git a/en/docs/learn/configuring-the-bpm-profile-of-wso2-ei-as-a-workflow-engine.md b/en/docs/learn/configuring-the-bpm-profile-of-wso2-ei-as-a-workflow-engine.md index fa7ba12f7c..87ef7f5dde 100644 
--- a/en/docs/learn/configuring-the-bpm-profile-of-wso2-ei-as-a-workflow-engine.md +++ b/en/docs/learn/configuring-the-bpm-profile-of-wso2-ei-as-a-workflow-engine.md @@ -70,7 +70,7 @@ WSO2 Identity Server to define work flows. ```toml [user_store] - type = "database" + type = "database_unique_id" ``` 6. Start WSO2 IS if you have not started it already and the WSO2 EI business-process profile using the following commands. Alternatively for running the products in Windows, execute `wso2server.bat`. diff --git a/en/docs/learn/configuring-totp.md b/en/docs/learn/configuring-totp.md index 8ee0cd0020..7a9ddf2409 100644 --- a/en/docs/learn/configuring-totp.md +++ b/en/docs/learn/configuring-totp.md @@ -92,7 +92,7 @@ and security during the authentication for this application. ## Configuring the user profile 1. Login to the - [user portal](../../learn/user-portal) and go to **Personal info**. + [**My Account**](../learn/my-account.md) and go to **Personal info**. 2. Update your email address in **Profile**(this email address is used to send the token). ![my-profile-gadget](../assets/img/tutorials/update-email-in-profile.png) @@ -186,9 +186,9 @@ You can configure any of the above as following in the enrolUserInAuthenticationFlow=true usecase="local" secondaryUserstore="primary" - TOTPAuthenticationEndpointURL="totpauthenticationendpoint/totp.jsp" - TOTPAuthenticationEndpointErrorPage="totpauthenticationendpoint/totpError.jsp" - TOTPAuthenticationEndpointEnableTOTPPage="totpauthenticationendpoint/enableTOTP.jsp" + TOTPAuthenticationEndpointURL="authenticationendpoint/totp.do" + TOTPAuthenticationEndpointErrorPage="authenticationendpoint/totp_error.do" + TOTPAuthenticationEndpointEnableTOTPPage="authenticationendpoint/totp_enroll.do" Issuer="WSO2" UseCommonIssuer=true ``` 
@@ -247,10 +247,9 @@ configuration change in the `/repository/conf/deployment.toml ` file. property values. -## Obtaining the QR code without using the user portal - -If you need to obtain the QR code without using the user portal, -you can call the REST API or call the Admin Service(SOAP) that does +## Obtaining the QR code without using the **My Account** +If you need to obtain the QR code without using the **My Account**, +you can call the REST API or call the Admin Service(SOAP) that does this. ### Using REST API diff --git a/en/docs/learn/configuring-totp.md.orig b/en/docs/learn/configuring-totp.md.orig new file mode 100644 index 0000000000..3e86716301 --- /dev/null +++ b/en/docs/learn/configuring-totp.md.orig 
@@ -0,0 +1,337 @@ +# Configuring TOTP Authenticator + +The TOTP authenticator allows you to authenticate a user using +**Time-Based One Time Password** (TOTP) through WSO2 Identity Server. It +uses the TOTP specification to calculate the access tokens based on the +time and the shared secret key between the user and the identity +provider. + +TOTP is an **algorithm-generated temporary passcode** that is used for +strong authentication. The algorithm that generates each passcode uses +the current time of day as one of its factors, ensuring that each +password is unique. + +!!! Info + - For more information about TOTP specification, click + [here](https://tools.ietf.org/html/rfc6238). + - For information on MFA concepts, see [About MFA](../../learn/multi-factor-authentication). + +!!! Tip "Before You begin" + + 1. Download the WSO2 Identity Server from + [here](http://wso2.com/products/identity-server/ ) and + [run it](../../setup/running-the-product/#starting-the-server). + + 2. Sign in to the [Management Console](../../setup/getting-started-with-the-management-console/) by entering your + username and password. + +??? Warning "If you have migrated from older version of WSO2 Identity Server" + + 1. Under the WSO2 local claim dialect, check whether the `http://wso2.org/claims/identity/secretkey ` claim exists. + 2. Unless, in the **Main** menu, click **Add** under **Claims** . + 2. Click [Add Local Claim](../../learn/adding-claim-mapping/#add-local-claim) . + This displays the **Add Local Claim** screen. + 3. Specify the following claim details in the appropriate fields: + + | | | + |----------------------|-------------------------------------------| + | Claim URI | http://wso2.org/claims/identity/secretkey | + | Display Name | Secret Key | + | Description | Claim to store the secret key | + | Mapped Attribute | totpSecretkey
if you are using a LDAP or AD, set a proper attribute for this. | + + ![](../assets/img/tutorials/add-claim-secret-key.png) + +## Deploying travelocity.com sample application + +You need to deploy and configure **travelocity.com** sample application +to try out the TOTP authenticator. See +[deploy the sample application](../../learn/deploying-the-sample-app/#deploying-the-travelocity-webapp) +for more information on configuring travelocity application. + +## Configuring the service provider + +The next step is to configure the service provider. + +1. In the + [previous section of this guide](#deploying-travelocitycom-sample-application) + you have deployed and + [registered the `travelocity.com` webapp](../../learn/deploying-the-sample-app/#configuring-the-service-provider). + Let's edit the same service provider to configure `totp` as an + additional authentication factor. + +2. Locate the "travelocity.com" service provider and navigate to the + **Local and Outbound Authentication Configuration** section. + + 1. Select the **Advanced configuration** radio button option. + + 2. To create the first authentication step: + + 1. Click **Add Authentication Step**. + + 2. Click **Add Authenticator** that is under **Local + Authenticators** of Step 1 to add the `basic` authentication + as the first step. + Adding basic authentication as a first step ensures that the + first step of authentication will be done using the user's + credentials that are configured with the WSO2 Identity + Server + + 3. To create the second authentication step: + + 1. Click **Add Authentication Step**. + + 2. Click **Add Authenticator** that is under **Local + Authenticators** of Step 2 to add the `totp` from the drop + down as the second step. 
+ ![creating-the-second-authentication-step-totp](../assets/img/tutorials/creating-the-second-authentication-step-totp.png) + +Now `totp' is a second step that adds another layer of authentication +and security during the authentication for this application. + +## Configuring the user profile + +1. Login to the + [**My Account**](../learn/my-account.md) and go to **Personal info**. +2. Update your email address in **Profile**(this email address is used to send the + token). + ![my-profile-gadget](../assets/img/tutorials/update-email-in-profile.png) +4. You can use the [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en) + Application to generate the one-time passwords (tokens). Click on + **Security** and go to **Multi-factor authentication**. Click on the eye icon + to scan the QR-Code using the Google Authenticator mobile app. + + ![my-profile-gadget](../assets/img/tutorials/totp-authenticator-app.png) + ![my-profile-gadget](../assets/img/tutorials/totp-authenticator-qr-code.png) + +## Testing the sample + +1. To test the sample, go to the following URL: + ` http://:/travelocity.com/index.jsp. ` + For example, this looks like + [http://localhost:8080/travelocity.com. + ](http://localhost:8080/travelocity.com) + +2. Click the link to log in with SAML from the WSO2 Identity Server. +3. The basic authentication page is visible. Use your username and + password to log in. +4. Enter the verification code from your Google Authenticator Mobile + Application to authenticate. + ![](../assets/img/tutorials/enter-totp.png) + + !!! Tip + Alternatively, you can generate the verification code by + clicking on **Get a Verification Code** and use the code that is + sent to your email address. See + [send email with totp](#send-email-with-totp) for more details on + how to configure email sending. + +7. If your verification is successful, you are taken to the home page + of the travelocity.com application. 
+ +## Advanced Configurations of TOTP authenticator + +### Disable TOTP + +From WSO2 Identity Server 5.9.0 onwards, TOTP authenticator is enabled by +default. + +You can disable the TOTP authenticator by adding the following +configuration to the `deployment.toml` file in the +`/repository/conf` folder. + +```toml +[authentication.authenticator.totp] +enable=false +``` + +### TOTP Configuration Properties + +You may configure any of the following parameters to change the +behaviour of the TOTP authenticator according to your requirements. + +The following table describes the definition of the parameters and +the various values you can configure for the authenticator. + +| Feild | Description | +|----------------------|-------------------------------------------| +| usecase | This field can take one of the following values: `local, association, userAttribute, subjectUri`. If you do not specify any usecase, the default value is `local`.
If you have chosen userAttribute as the `usecase`, add the following parmeter to specify the user attribute.
    userAttribute = "http://wso2.org/foursquare/claims/email"
| +| encodingMethod | The encoding method which is used to generate the TOTP. | +| authenticationMandatory | If this value is true, the TOTP authentication will be enforced as a second step. | +| timeStepSize | The time step size, which is used to validate the TOTP. | +| windowSize | The window size, which is used to validate the TOTP. | +| enrolUserInAuthenticationFlow | If this value is true, it will ask the user to enable the TOTP authenticator in the authentication flow. | +| secondaryUserstore | The user store configuration is maintained per tenant as comma separated values. For example, secondaryUserstore = "jdbc, abc, xyz" | +| TOTPAuthenticationEndpointURL | This is the endpoint of the UI which is used to gather the TOTP. | +| TOTPAuthenticationEndpointErrorPage | This is the endpoint of the error page. | +| TOTPAuthenticationEndpointEnableTOTPPage | This is the endpoint of the TOTPauthenticator enrollment page. | +| Issuer | This is the issuer name which will be shown the Mobile Application. If not configured, tenant domain will be shown. | +| UseCommonIssuer | If true, the issuer name defined in deployment.toml will be used as the issuer for all the tenants. | + +You can configure any of the above as following in the +`/repository/conf/deployment.toml` file. +```toml +[authentication.authenticator.totp.parameters] + = +``` + +!!! Example "Sample configurations of the authenticator with default Values" + + ```toml + [authentication.authenticator.totp.parameters] + encodingMethod="Base32" + timeStepSize="30" + windowSize="3" + authenticationMandatory=true + enrolUserInAuthenticationFlow=true + usecase="local" + secondaryUserstore="primary" + TOTPAuthenticationEndpointURL="authenticationendpoint/totp.do" + TOTPAuthenticationEndpointErrorPage="authenticationendpoint/totp_error.do" + TOTPAuthenticationEndpointEnableTOTPPage="authenticationendpoint/totp_enroll.do" + Issuer="WSO2" + UseCommonIssuer=true + ``` + + !!! 
Note + You may choose to configure any of the above property in the `/repository/conf/deployment.toml` file according to your requirements. + If you do not configure any of the property from the `/repository/conf/deployment.toml`, the server will take the default values to the consideration + + +!!! Tip "To enable scanning QR code during authentication flow" + + An admin can activate the feature to enable the TOTP authenticator + in the authentication flow by changing the ` + enrolUserInAuthenticationFlow ` values ( ` true ` or ` false ` ). + + 1. If you specify that the user can enable TOTP in the + authentication flow `enrolUserInAuthenticationFlow=true` and TOTP is not registered for the user's profile, you will be + asked to enable TOTP in the in the authentication flow. If you + don't enable it at this stage, the TOTP error page appears. + 2. If you specify that the user can't enable TOTP in the + authentication flow `enrolUserInAuthenticationFlow=false` and TOTP is not registered for the user's profile , the TOTP + error page appears during the authentication flow. + +### TOTP for secondary user stores + +If you use the secondary user store, enter all the user store values +for the particular tenant as comma separated values. Make this +configuration change in the `/repository/conf/deployment.toml ` file. + ```toml + [authentication.authenticator.totp.parameters] + secondaryUserstore= "jdbc, abc, xyz" + ``` + +!!! Tip + The user store configuration is maintained per tenant" + If you works only in **super tenant,** mode put all the above + parameter values (mentioned in step 4) into the ` + /repository/conf/deployment.toml ` file. + + If you use a **tenant**, upload the XML file found in` + /repository/conf/identity/application-authentication.xml ` + into a specific registry location ( ` /_system/governance/totp) `. + + 1. Sign in to the Management Console as a tenant administrator. + 2. Create the collection named ` totp ` under ` /_system/governance/` + 3. 
Add a new resource at ` /_system/governance/totp` and upload the ` application-authentication.xml ` file into the registry location. + 3. Change the relevant properties under `` tag. + + !!! Note + While doing the authentication, first server checks whether there is an + XML file uploaded to the registry. If that is so, server reads it from + the registry but does not take the local file. If there is no file + in the registry, then it only takes the property values from the + local file. This is how the user store configuration is maintained + per tenant. You can use the registry or local file to get the + property values. + + +<<<<<<< HEAD +## Obtaining the QR code without using the **My Account** +======= +## Obtaining the QR code without using My Account +>>>>>>> b32ebc7751fa4bc34c009b9ab213156efe77687e + +If you need to obtain the QR code without using the **My Account**, +you can call the REST API or call the Admin Service(SOAP) that does +this. + +### Using REST API + +See the swagger documentation for the TOTP REST API +[here](../../develop/totp-rest-api/) to understand how to obtain TOTP +related information via the API. + +### Using Admin Services + +Prior to the REST APIs, WSO2 Identity Server exposed its TOTP +functionality via a SOAP API. The following is the Admin Service used to +obtain the QR code. + +``` java +https://localhost:9443/services/TOTPAdminService?wsdl +``` + +!!! Info + Read more about calling admin services + [here](../../develop/calling-admin-services) + +1. The QR code URL can be retrieved using the `initTOTP ` method in the + ` TOTPAdminService ` . + + !!! Example + The following is a sample cURL command that invokes the + TOTPAdminService. + + ``` java + curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/initTOTP -k -d 'username=testuser@carbon.super' + ``` + + The following is a sample response that is obtained. 
+ + ``` java + b3RwYXV0aDovL3RvdHAvY2FyYm9uLnN1cGVyOmR1c2hhbmk/c2VjcmV0PUJGR0RFUllPU1ZSR0s3 + TE0maXNzdWVyPWNhcmJvbi5zdXBlcg== + + ``` + +2. The Secret Key can be retrieved using the retrieveSecretKeymethod in the +` TOTPAdminService ` . + + !!! Example + The following is a sample cURL command that invokes the + TOTPAdminService. + + ``` java + curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/retrieveSecretKey -k -d 'username=testuser@carbon.super' + ``` + + The following is a sample response that is obtained. + + ``` java + 4AAC2HEG7COGHQYI + ``` + +### Send email with TOTP + +Additionally, users may receive an email consisting the TOTP code during +the authentication flow. + +- Enable the email sending configurations of the WSO2 Identity Server + as explained [here](../../setup/configuring-email-sending) + + !!! tip + The email template used to send this email notification is + the **TOTP** template. + + You can edit and customize the email template. For more information + on how to do this, see [Customizing Automated + Emails](../../learn/customizing-automated-emails). + + Please note that you must include `{{token}}` + in the email body as a placeholder for the token generated during + the authentication flow. + + + diff --git a/en/docs/learn/configuring-twitter.md b/en/docs/learn/configuring-twitter.md index 30aa285f4d..8d8d66f526 100644 --- a/en/docs/learn/configuring-twitter.md +++ b/en/docs/learn/configuring-twitter.md @@ -29,7 +29,7 @@ In the WSO2 Identity Server management console, . ![twitter-config-federated-auth.png](../assets/img/tutorials/twitter-config-federated-auth.png) Fill in the following fields details according to the application - [registered in the Twitter](http://docs.inboundnow.com/guide/create-twitter-application/): + [registered in the Twitter](https://developer.twitter.com/en/apps): 
diff --git a/en/docs/learn/configuring-uniqueness-of-claims.md b/en/docs/learn/configuring-uniqueness-of-claims.md new file mode 100644 index 0000000000..68d338c437 --- /dev/null +++ b/en/docs/learn/configuring-uniqueness-of-claims.md @@ -0,0 +1,41 @@ +# Configuring Uniqueness of Claims + +WSO2 Identity Server can be configured to retain the uniqueness of user claims. +After enabling this feature you can keep a user claim value as a unique value. + +## Configuring WSO2 IS to keep the user claim values unique + +Follow the steps below to configure WSO2 Identity Server. + +1. Open the `deployment.toml` file in the `/repository/conf` directory and add the following configuration. + + ```toml + [identity_mgt.user_claim_update.uniqueness] + enable = true + scope_within_userstore = false # Optional + ``` + + To keep the uniqueness within a userstore, set `scope_within_userstore` as `true`. + +2. Restart WSO2 identity server and access the Management Console (`https://:/carbon`) . + +3. From the list of claims, select the claim you want to configure to keep it unique. + + ![select-claim-from-list](../assets/img/learn/multi-attribute-login/select-claim-from-list.png) + +4. Open the claim edit window by clicking the `Edit` button. + + ![claim-edite-window](../assets/img/learn/multi-attribute-login/claim-edite-window.png) + +5. By clicking `Add Claim Property`, add an additional claim property as follows. + + | Property Name | Property Value | + |---------------|----------------| + | isUnique | true | + + ![additional-claim-properties](../assets/img/learn/multi-attribute-login/additional-claim-properties.png) + +6. Finally, click the `Update` button to save the additional claim property. + +Now you can check and verify the functionality by adding users with existing claim value or update the user claim value of an existing claim. +If you have successfully carried out the above-mentioned steps, you will not be able to create or update users with an existing claim value. 
diff --git a/en/docs/learn/configuring-user-name-recovery.md b/en/docs/learn/configuring-user-name-recovery.md index a7b9fef108..d6a7ba436d 100644 --- a/en/docs/learn/configuring-user-name-recovery.md +++ b/en/docs/learn/configuring-user-name-recovery.md @@ -132,7 +132,7 @@ Follow the steps below to configure WSO2 Identity Server to enable username reco 4. To mimic a forgotten username: - 1. On the Sign In screen of the WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`, click + 1. On the Sign In screen of the WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`, click **Username**. Sign In form diff --git a/en/docs/learn/configuring-user-stores-for-scim-2.0-based-inbound-provisioning.md b/en/docs/learn/configuring-user-stores-for-scim-2.0-based-inbound-provisioning.md index 5b6d7799b2..8c184a250a 100644 --- a/en/docs/learn/configuring-user-stores-for-scim-2.0-based-inbound-provisioning.md +++ b/en/docs/learn/configuring-user-stores-for-scim-2.0-based-inbound-provisioning.md @@ -1,6 +1,6 @@ # Configuring User Stores for SCIM 2.0 based inbound provisioning -WSO2 Identity server supports inbound provisioning based on both SCIM 1.1 and SCIM 2.0. This document provides the additional steps that need to be followed if you're using **SCIM 2.0** for inbound provisioning. If you need more information on SCIM 2.0 APIs, see [SCIM 2.0 APIs](../../develop/using-the-scim-2.0-rest-apis/). +WSO2 Identity server supports inbound provisioning based on both SCIM 1.1 and SCIM 2.0. This document provides the additional steps that need to be followed if you're using **SCIM 2.0** for inbound provisioning. If you need more information on SCIM 2.0 APIs, see [SCIM 2.0 APIs](../../develop/scim2-rest-apis/). When a user or a group is created with SCIM 2.0, there are set of mandatory claim values that need to be saved along with the user or group. Some of these values are as follows. 
diff --git a/en/docs/learn/consent-management-with-single-sign-on.md b/en/docs/learn/consent-management-with-single-sign-on.md index d8c66be570..793400d716 100644 --- a/en/docs/learn/consent-management-with-single-sign-on.md +++ b/en/docs/learn/consent-management-with-single-sign-on.md @@ -76,13 +76,13 @@ authentication. - The user has revoked consent for the application. For more information on revoking user consent, see - [Consent management](../../learn/user-portal/#consent-management) + [Consent management](../learn/my-account.md/#consent-management) . - - The application requires new mandatory claims that the user has - not consented to previously. If the service provider requests - for any new mandatory claim values, the user will only be - prompted to provide consent for the newly added mandatory claims + - The application requires new claim that the user has + not consented previously. If the service provider is configured to request + for any claim values, the user will only be prompted to provide + consent for the newly added claims. ### Trying out consent management for SSO @@ -140,7 +140,7 @@ authentication. !!! tip For more information on revoking/accepting user consent, see - [Consent management](../../learn/user-portal/#consent-management) + [Consent management](../learn/my-account.md#consent-management) . diff --git a/en/docs/learn/consent-management.md b/en/docs/learn/consent-management.md index 776cdb8435..6636ab415e 100644 --- a/en/docs/learn/consent-management.md +++ b/en/docs/learn/consent-management.md 
@@ -74,7 +74,7 @@ features. infomation, see [Using the Consent Management REST APIs](../../develop/using-the-consent-management-rest-apis). - Consent portal for individuals to review, modify, and revoke already - given consents. For more information, see [Consent management](../../learn/user-portal/#consent-management) + given consents. For more information, see [Consent management](../learn/my-account.md#consent-management) . - Admin portal support for organizations to define and manage consent, data processing purposes, and user attributes per consent. For more @@ -124,7 +124,7 @@ WSO2 IS. selectively opt-in/opt-out on each of the purposes. - Users can review or revoke already given consent by logging in to - WSO2 IS user portal (self-care portal). + WSO2 IS **My Account** (self-care portal). - Personal data processing applications can check for consent for each user through the consent REST API before carrying out any data @@ -158,7 +158,7 @@ supported in WSO2 IS. the consent that the user approves at this point. - Users can review or revoke already given consent by logging in to - the WSO2 IS user portal (self-care portal). + the WSO2 IS **My Account** (self-care portal). !!! tip diff --git a/en/docs/learn/creating-geo-location-dataset.md b/en/docs/learn/creating-geo-location-dataset.md new file mode 100644 index 0000000000..65fb468ad7 --- /dev/null +++ b/en/docs/learn/creating-geo-location-dataset.md 
@@ -0,0 +1,45 @@ +# Creating a Geolocation Dataset + +Follow the procedure below in order to create a geolocation dataset to use when [Enabling Geolocation Based Statistics +](../../learn/enabling-geolocation-based-statistics). + +1. Create an account in [www.maxmind.com](https://www.maxmind.com/) and download the **GeoLite2 City: CSV Format** as a ZIP file. +2. Download the geoip-2-csv-converter from depending on your operating system. + +## Prepare the database entries + +1. Unzip the latest CSV file and the geoip-2-csv-converter you have downloaded in the previous step. +2. Run the `update-geolocation-data.sh` file using the command below. + + For Linux: [update-geolocation-data.sh](../../assets/attachments/learn/geo-location/linux/update-geolocation-data.sh) + + For Mac: [update-geolocation-data.sh](../../assets/attachments/learn/geo-location/mac/update-geolocation-data.sh) + + ```shell + sh update-geolocation-data.sh + ``` + +3. Enter the path to the extracted GeoLite2-City-Blocks-IPv4 directory which you downloaded first, as the response for **Enter path to GeoLite2-City-Blocks-IPv4 directory:** + + E.g : /<PATH\_TO>/GeoLite2-City-CSV_20200310 + + - Enter the path to the `geoip2-csv-converter` directory as the response for **Enter path to geoip2-csv-converter home directory:** + + E.g : /<PATH\_TO>/geoip2-csv-converter-v1.1.0 + + - After executing the script, you can find the `final.csv` file inside your current directory. + - In the `final.csv` file, + + ``` java + ** convert GeoLite2-City-Blocks-IPv4 + ** get the first column form original + ** change the column name to ‘network_cidr’ + ** Extract the ip address data + ** change the column name to ‘network_blocks’ + ** extract the entries from original + ** change the column name to ‘network’ + ** change the column name to ‘broadcast’ + ** merge the csv files + ``` + +4. 
The created `final.csv` file and the `GeoLite2-City-Locations-en.csv` file (located in the downloaded latest CSV zip file) will be used in the [next step](../../learn/enabling-geolocation-based-statistics). diff --git a/en/docs/learn/creating-users-using-the-ask-password-option.md b/en/docs/learn/creating-users-using-the-ask-password-option.md index 07b3432d66..b2c8548b6d 100644 --- a/en/docs/learn/creating-users-using-the-ask-password-option.md +++ b/en/docs/learn/creating-users-using-the-ask-password-option.md @@ -198,6 +198,16 @@ true in the SCIM2 user create request. curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Smith","givenName":"Paul"},"userName":"Paul","password":"password","emails":[{"primary":true,"value":"paul@somemail.com"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{askPassword:"true"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users ``` + + !!! Note + By default, WSO2 Identity Server sets a random value for the password if the `askPassword` claim is present in the request. + If you want to disable setting a random value and instead keep the `password` that is sent in the request, add the following configuration to the ` /repository/conf/deployment.toml` file. + + ``` toml + [identity_mgt.user_onboarding] + disable_random_value_for_credentials= true + ``` + #### Verify Email You need to set the **verifyEmail** attribute under the` diff --git a/en/docs/learn/customizing-automated-emails.md b/en/docs/learn/customizing-automated-emails.md index 5bb8ea927f..3692f878d4 100644 --- a/en/docs/learn/customizing-automated-emails.md +++ b/en/docs/learn/customizing-automated-emails.md 
@@ -168,12 +168,12 @@ corresponds to an email template type. Once you have set the template language for the user, it is also necessary to specify the locale for the user. Do the following steps to configure this. 1. Click on **List** under **Claims** and select . -2. Select the **Locality** claim and click **Edit**. Select the **Supported by Default** checkbox and click **Update**. +2. Select the **Local** claim and click **Edit**. Select the **Supported by Default** checkbox and click **Update**. 3. Logout as admin and login as a user with user profile management permissions. 4. Click on **List** under **Users and Roles** and then select **Users**. 5. Click on the **User Profile** button corresponding to the logged in user. ![updating-user-locale](../assets/img/using-wso2-identity-server/updating-user-locale.png) -6. Enter the locale code for the **Locality** field and click **Update**. +6. Enter the locale code for the **Local** field and click **Update**. !!! tip diff --git a/en/docs/learn/device-flow-grant.md b/en/docs/learn/device-flow-grant.md new file mode 100644 index 0000000000..374d72a58e --- /dev/null +++ b/en/docs/learn/device-flow-grant.md 
@@ -0,0 +1,48 @@ +# Device Authorization Grant (Device Flow) + +### Recommended use + +This is an OAuth 2.0 extension that enables OAuth clients to +request user authorization from applications on, + +* Input constrained devices +* Devices without a browser + +Such devices include smart TVs, printers, and play-stations. This +authorization flow is defined as the “device flow”. This specification instructs the user to + review the authorization request on a secondary device, such as a smartphone. + +### The flow + +The device flow does not require two-way communication between the OAuth client and the device. Instead of directly + contacting the end user's user-agent, it guides the end user to connect to the authorization server through another + device, and then approves the access request. + +The diagram below illustrates the device flow. + +![device-authorization-grant-diagram](../assets/img/using-wso2-identity-server/deviceflow.png) + +(A) — The client sends an access request including its client identifier to the authorization server. + +(B) — The authorization server issues a device code, an end user code, and an end user verification URI. + +(C) — The client instructs the end user to access the provided URI using a secondary device (e.g., a mobile device +). The client then provides the end user code that is used to review the authorization request, to the user. + +(D) — The authorization server prompts the end user to approve granting access via the user-agent and also prompts + the user to enter the end user code. + +(E) — While the end user reviews user credentials and consents, the device starts polling along with client id and + verification code to check the status of user authorization. + +(F) — Once the user provides authorization, the authorization server validates the verification code and responds + back to the device with an access token. + +!!! 
info "Support for refresh token grant - Yes" + This grant type issues a refresh token which can be used to obtain new access tokens using the [refresh token grant](../../learn/refresh-token-grant). + + +!!! info "Related Topics" + See the [Try Device Authorization + Grant](../../learn/try-device-flow) topic to try out a sample of + it with WSO2 Identity Server. diff --git a/en/docs/learn/enabling-geolocation-based-statistics.md b/en/docs/learn/enabling-geolocation-based-statistics.md index d5d9a77f46..8adb6df928 100644 --- a/en/docs/learn/enabling-geolocation-based-statistics.md +++ b/en/docs/learn/enabling-geolocation-based-statistics.md @@ -3,11 +3,9 @@ Follow the steps below to configure WSO2 IS Analytics Server to display the regions of the users authenticated though WSO2 Identity Server. -1. Download the geolocation data from - [here](https://svn.wso2.org/repos/wso2/people/tharindua/geodata/Geolocation%20Data.tar.gz) +1. Create a Geo Location dataset by following the guide given [here](../../learn/creating-geo-location-data-set/). . -2. Unzip the file that you downloaded in step 1. -3. Create the database by executing one of the scripts in the +2. Create the database by executing one of the scripts in the ` Geolocation Data/dbscripts ` directory. In this example, ` mysql.sql ` is executed. @@ -45,7 +43,7 @@ the regions of the users authenticated though WSO2 Identity Server. . -4. Populate the data to the **BLOCKS** and **LOCATION** tables from the +3. Populate the data to the **BLOCKS** and **LOCATION** tables from the following files. - ` Geolocation Data/data/BLOCKS.csv ` 
@@ -80,12 +78,12 @@ the regions of the users authenticated though WSO2 Identity Server. Provide the mysql password when prompted. -5. Download a JDBC provider depending on the database you are using +4. Download a JDBC provider depending on the database you are using (MySQL in this example) from [here](https://www.mysql.com/products/connector/), and extract it. -6. Copy the ` mysql-connector-java-.jar ` to - ` /lib ` directory. -7. Configure the following in +5. Copy the ` mysql-connector-java-.jar ` file to + the ` /lib ` directory. +6. Configure the following in the ` /conf/worker/deployment.yaml ` file as given below. @@ -120,7 +118,7 @@ the regions of the users authenticated though WSO2 Identity Server. name of the JDBC driver of your mysql connector, e.g., ` com.mysql.jdbc.Driver ` . -8. Open the +7. Open the ` /wso2/worker/deployment/siddhi-files/IS_ANALYTICS_AUTHENTICATION_COMMON.sidddhi ` file. @@ -145,4 +143,4 @@ the regions of the users authenticated though WSO2 Identity Server. -9. Restart WSO2 IS Analytics worker node. +8. Restart WSO2 IS Analytics worker node. diff --git a/en/docs/learn/forced-password-reset.md b/en/docs/learn/forced-password-reset.md index 9ad3e4c9c7..8b7aba4e8f 100644 --- a/en/docs/learn/forced-password-reset.md +++ b/en/docs/learn/forced-password-reset.md @@ -48,7 +48,7 @@ for forced password reset: assign it to the new user, "alex". !!! tip - You can verify this by logging in to the [user portal](https://localhost:9443/user-portal) as Alex. The log in + You can verify this by logging in to the [**My Account**](https://localhost:9443/myaccount) as Alex. The log in attempt should be successful. Log out from the portal. 6. Click on **Resident** under **Identity Providers** found in the 
@@ -80,7 +80,7 @@ to see a sample of how this works. 'true' for the relevant users. To do this, follow the steps explained later in this page under [Invoke Admin Force Password Reset](#invoke-admin-force-password-reset). -4. Log out of the [user portal](https://localhost:9443/user-portal) and +4. Log out of the [**My Account**](https://localhost:9443/myaccount) and attempt to log in as the user you created above, "alex". The login attempt will fail and a password reset will be prompted in the form of an error message saying "Login failed! Please recheck the @@ -88,7 +88,7 @@ to see a sample of how this works. 5. Log in to the email account you provided in Alex's user profile. You will see a new email with a password reset request. 6. Follow the link provided in the email to reset the password. You can - now log in to the [user portal](https://localhost:9443/user-portal) + now log in to the [**My Account**](https://localhost:9443/myaccount) successfully as Alex using the new password. ## Password Reset via OTP @@ -112,7 +112,7 @@ template for this option can be configured in the ` http://wso2.org/claims/identity/adminForcedPasswordReset ` claim to **true** for the relevant users. To do this, follow the steps explained later in this page under [Invoke Admin Force Password Reset](#invoke-admin-force-password-reset). -4. Log out of the [user portal](https://localhost:9443/user-portal) and +4. Log out of the [**My Account**](https://localhost:9443/myaccount) and attempt to login again as the user you created above, "alex". The login attempt will fail and a password reset will be prompted in the form of an error message saying "Login failed! Please recheck the 
@@ -124,7 +124,7 @@ template for this option can be configured in the redirected to the password reset UI where you are prompted to set a new password. Enter the relevant details to set a new password. 7. You can now log in to the - [user portal](https://localhost:9443/user-portal) successfully as Alex + [**My Account**](https://localhost:9443/myaccount) successfully as Alex using the new password. ## Offline Password Reset @@ -145,19 +145,19 @@ template for this option can be configured in the ` http://wso2.org/claims/identity/adminForcedPasswordReset ` claim to **true** for the relevant users. To do this, follow the steps explained later in this page under [Invoke Admin Force Password Reset](#invoke-admin-force-password-reset). -7. Log out of the [user portal](https://localhost:9443/user-portal) and +7. Log out of the [**My Account**](https://localhost:9443/myaccount) and attempt to log in again as the user you created above, "alex". The log in attempt will fail. 8. Log in again to the management console as the admin user and check Alex's user profile. You will see that there is now a code value in the **One Time Password** field. 9. Copy the code and use it as Alex's password to log in to the - [user portal](https://localhost:9443/user-portal). + [**My Account**](https://localhost:9443/myaccount). 10. You will be redirected to the password reset UI where you are prompted to set a new password. Enter the relevant details to set a new password. 11. You can now log in to the - [user portal](https://localhost:9443/user-portal) successfully as Alex using the new password. + [**My Account**](https://localhost:9443/myaccount) successfully as Alex using the new password. ## Invoke Admin Force Password Reset diff --git a/en/docs/learn/inbound-provisioning.md b/en/docs/learn/inbound-provisioning.md index 173d6b2687..9da7513005 100644 --- a/en/docs/learn/inbound-provisioning.md +++ b/en/docs/learn/inbound-provisioning.md 
@@ -13,10 +13,12 @@ Identity Server for inbound provisioning. Service Provider for Inbound Provisioning](../../learn/setting-up-service-provider-for-inbound-provisioning)** . -- For details on configureing inbound provisioning using SCIM 1.1 and - configuring the user stores using the Active Directory see the +- For details on configuring inbound provisioning using SCIM 1.1 and + configuring the user stores using the Active Directory based on SCIM 1.1/SCIM 2.0 see the documents given below: - - **[Configuring User Stores for SCIM 1.1 based inbound + - **[Configuring User Stores for SCIM 1.1 based inbound provisioning](../../learn/configuring-user-stores-for-scim-1.1-based-inbound-provisioning)** - - **[Configuring Active Directory User Stores for Inbound - Provisioning](../../learn/configuring-active-directory-user-stores-for-inbound-provisioning)** + - **[Configuring Active Directory User Stores for SCIM 1.1 based Inbound + Provisioning](../../learn/configuring-active-directory-user-stores-for-scim-1.1-based-inbound-provisioning)** + - **[Configuring Active Directory User Stores for SCIM 2.0 based Inbound + Provisioning](../../learn/configuring-active-directory-user-stores-for-scim-2.0-based-inbound-provisioning)** diff --git a/en/docs/learn/logging-in-to-a-.net-application-using-the-identity-server.md b/en/docs/learn/logging-in-to-a-.net-application-using-the-identity-server.md index 2edc052d18..e36db8b177 100644 --- a/en/docs/learn/logging-in-to-a-.net-application-using-the-identity-server.md +++ b/en/docs/learn/logging-in-to-a-.net-application-using-the-identity-server.md 
@@ -1,60 +1,4 @@ -# Logging in to a.NET application using the Identity Server +# Logging in to a .NET application using the Identity Server -This topic provides instructions on how to configure a.NET application -using the WSO2 Identity Server for authentication. It is demonstrated -using a sample OpenID Connect application. - -1. Download the sample from the following [SVN - location](https://svn.wso2.org/repos/wso2/people/lahiruc/oidc_sample/) - . -2. Start the Identity Server and log in to the management console. -3. Navigate to the **Main** tab and click on **Add** under **Service - Providers**. -4. Enter a name for the service provider and expand the **Inbound - Authentication and Configuration** section. - ![enter-sp-name](../assets/img/tutorials/enter-sp-name.png) -5. Expand the **OAuth/OpenID Connect Configuration** section and - configure it with the following callback URL - format: \[server-url\]/callback.aspx. Click **Add**. - For more information on configuring OAuth/OpenID Connect, see - [Configuring OAuth2-OpenID Connect - Single-Sign-On](../../learn/configuring-oauth2-openid-connect-single-sign-on) - . -6. Take note of the client key and client secret that you receive. - ![key-and-secret](../assets/img/tutorials/key-and-secret.png) -7. Open the ` oidc.sln ` file found in the - ` ` directory using [Visual - Studio](https://www.visualstudio.com/downloads/) and run the.NET - application. -8. Fill in the following fields and click **Submit**. - - **Client Id:** \ - - **Request URI:** http://localhost:50420/callback.aspx - - **Response Type:** code - - **Scope:** openid - - ![run-dotnet-app](../assets/img/tutorials/run-dotnet-app.png) - -9. Sign in using admin/admin credentials and then select **Approve** or - **Approve Always.** - ![admin-credentials-to-approve](../assets/img/tutorials/admin-credentials-to-approve.png) - -10. You will be redirected to the callback page along with the OAuth - code. 
Fill in the following fields and click **Submit** to retrieve - the token details. - - - **Client Id: \<** client key of the service provider\> - - **Secret:** \ - - **Grant Type:** authorization\_code - - **Request URI:** http://localhost:50420/callback.aspx - - ![callback-page-with-oauth-code](../assets/img/tutorials/callback-page-with-oauth-code.png) - - !!! info - It does a REST call to the token endpoint and retrieve the token - details. Since it does a server to server call, you need to import - the IS server certificate and export it to Visual Studio Management - Console to avoid SSL handshake exceptions. - -11. Once the REST call succeeds, you can see the token details with the - base64 decoded JWT (ID Token) details. - ![jwt-id-token-details](../assets/img/tutorials/jwt-id-token-details.png) +!!! info + To add OIDC based login and logout to your .NET apps in a simple manner, refer the [Asgardeo .NET OIDC SDK](https://github.com/asgardeo/asgardeo-dotnet-oidc-sdk/blob/master/README.md). diff --git a/en/docs/learn/managing-challenge-questions.md b/en/docs/learn/managing-challenge-questions.md index 9912fdef37..214774beb8 100644 --- a/en/docs/learn/managing-challenge-questions.md +++ b/en/docs/learn/managing-challenge-questions.md @@ -122,7 +122,7 @@ follow the steps below. !!! info "Try it out!" - Login to the user portal ( https://localhost:9443/user-portal ) as the user + Login to the **My Account** ( https://localhost:9443/myaccount ) as the user you configured in step 12 above, e.g.,kim, and click **View Details** under **Account Recovery**. Only the questions matching the locale set in the user profile appears (in this example, only the French question diff --git a/en/docs/learn/managing-human-tasks.md b/en/docs/learn/managing-human-tasks.md index 28b5f4fad7..3832d560c4 100644 --- a/en/docs/learn/managing-human-tasks.md +++ b/en/docs/learn/managing-human-tasks.md 
@@ -13,19 +13,13 @@ Human tasks are the steps that require human interaction in order to allow the p ![workflow-pending-status](../assets/img/using-wso2-identity-server/console.png) -3. [Sign in to the User Portal](../../learn/user-portal/#accessing-the-user-portal-and-its-components) as a manager. +3. Access the console URL (`https://:/console`) and sign in as a manager. -4. Choose **Operations** from the left panel. Select **Ready** tab in **Pending Approvals**. +4. In the **Manage** tab, choose **Approvals** from the left panel. - ![pending-approvals](../assets/img/using-wso2-identity-server/pending-list.png) +5. Select the approval task corresponding to the request made for user, Alex. -5. To view more information about the request, click the **show more** button corresponding to the request made for user, Alex. - - ![workflow-task-status](../assets/img/using-wso2-identity-server/pending-info.png) - -6. Click on the button corresponding to a state to move the state of the selected task to a new state and to complete - the workflow approval process. For example, clicking **Approve** will approve the pending task and complete the workflow process. Now you can find this request in the **Completed** tab. - ![approving-pending-task](../assets/img/using-wso2-identity-server/approved.png) +6. Click **Approve** to approve the pending task and complete the workflow process. Now the approval task will be changed to **Completed** state. | Operation | Description | |------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/en/docs/learn/managing-user-attributes.md b/en/docs/learn/managing-user-attributes.md index 49d419ea39..5af6152969 100644 --- a/en/docs/learn/managing-user-attributes.md +++ b/en/docs/learn/managing-user-attributes.md 
@@ -30,7 +30,7 @@ attributes of a user in the Identity Server. **User Profile**. ![update-profile](../assets/img/using-wso2-identity-server/update-profile.png) 5. Click **Update** to save changes to the attributes. -2. You can use the REST Web service according to the SCIM provisioning specification. For more information on this, see [Using the SCIM 2.0 REST APIs](../../develop/using-the-scim-2.0-rest-apis/). +2. You can use the REST Web service according to the SCIM provisioning specification. For more information on this, see [Using the SCIM 2.0 REST APIs](../../develop/scim2-rest-apis/). 3. You can use the ` RemoteUserStoreManagerService ` API. This is a SOAP-based API and is very easy to use. For more information on using this, see [Managing Users and Roles with @@ -191,7 +191,7 @@ LDAP. ``` toml [user_store] - user_name_search_filter = "(&(objectClass=person)(uid=?))" + user_name_search_filter = "(&(objectClass=person)(|(uid=?)(email=?)))" ``` 2. Disable the `user_dn_pattern` property if @@ -242,6 +242,8 @@ file. [authentication.authenticator.basic] name ="BasicAuthenticator" enable=true + +[authentication.authenticator.basic.parameters] UserNameAttributeClaimUri = "http://wso2.org/claims/emailaddress" ``` diff --git a/en/docs/learn/multi-attribute-login.md b/en/docs/learn/multi-attribute-login.md new file mode 100644 index 0000000000..db37521721 --- /dev/null +++ b/en/docs/learn/multi-attribute-login.md 
@@ -0,0 +1,86 @@ +# Multi Attribute Login + +WSO2 Identity Server can be configured to use multiple attributes as the login identifier. This feature can be +useful when you need to allow the users to login with their mobile number, email address or any other preferred +attribute without restricting to the username. + +By default, WSO2 Identity server uses the username as the login identifier. The following section explains +how to configure WSO2 identity server for multi attribute authentication. + +## Configuring WSO2 IS for Multi Attribute Login + +1. Log in to the [WSO2 Identity Server Management Console](`https://:/carbon`) using your + tenant credentials. + + !!! info + 'admin' is the default administrative user in WSO2 Identity Server. + + !!! info + If you use multiple tenant domains, you need to configure the multi attribute login tenant-wise. + +2. Click **Main** > **Identity Providers** > **Resident** and expand the **Account Management** section. + +3. Expand **Multi Attribute Login** and select **Enable Multi Attribute Login**. + +4. Add claim URIs which allow for multi-attribute login in the given text box. + + + ![adding-claims-for-multi-attribute-login](../assets/img/learn/multi-attribute-login/adding-claims-for-multi-attribute-login.png) + +5. Add Regular Expression for Allowed Claims. + + Once you have configured WSO2 Identity Server for multi attribute login, you need to provide regular expression + for the allowed claims. + Some claims have a default regex. If they don't, you need to provide it. + + 1. Open the WSO2 Identity Server Management Console. + 2. In the **Main** menu, click **List** under **Claims**. + 3. Select the claim you want to provide the regular expression for and click **Edit**. + 4. Enter the regex pattern under the **Regular Expression** field. + 5. Click **Update** to save the changes. 
+ + ![adding-regex-pattern-to-claims](../assets/img/learn/multi-attribute-login/adding-regex-pattern-to-claim.png) + + Here are a few examples for regex patterns. + + | Claim URI | Example Regex pattern | + |-------------------------------------|-----------------------------------------------------------------| + | http://wso2.org/claims/emailaddress | ^([a-zA-Z0–9_\.\-])+\@(([a-zA-Z0–9\-])+\.)+([a-zA-Z0–9]{2,4})+$ | + | http://wso2.org/claims/mobile | ^(\+\d{1,2}\s?)?1?\-?\.?\s?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$ | + | http://wso2.org/claims/username | ^[a-zA-Z0–9._-]{3,}$ | + +You have now successfully set up WSO2 Identity Server to enable multi-attribute login. + + +## Using Multi Attribute login +After configuring the multi attribute login in WSO2 IS, the users can use any of the configured attributes to login. + +**Example:** Allow users to user the mobile number as the login identifier. + +1. Configure Multi Attribute login for `http://wso2.org/claims/mobile` claim. +2. Go to the My Account URL: (`https://localhost:9443/myaccount`). +3. Enter mobile number as the login identifier and click **Continue**. + + ![adding-regex-pattern-to-claims](../assets/img/learn/multi-attribute-login/login-with-mobile-number.png) + +### Supported flows +This feature is supported via the following flows. So you can use multi attribute login feature +using any of following flow. + +1. Identifier first authenticator +2. Basic Authenticator +3. Request path authenticator +4. Authentication REST APIs +5. Oauth Password grant +6. Password recovery flow + +!!! Note "What happens if two users use the same value for the same claim?" + If two users use the same value for the same claim, the multi attribute login feature + does not support those claims for those users. Retaining the uniqueness of claim values avoids this conflict. + +!!! 
Note "Using email address as the login attribute for super tenant users" + For the super tenant users who are using the email address as a login attribute need to append the tenant domain + to the email address (Ex: `john@wso2.com@caron.super`) when login to a SaaS application. + +!!! info "Related Topics" + See the [Configuring Uniqueness of Claims](../../learn/configuring-uniqueness-of-claims) topic for more information. diff --git a/en/docs/learn/multi-factor-authentication-for-wso2-is-management-console.md b/en/docs/learn/multi-factor-authentication-for-wso2-is-management-console.md index 5e0917ff58..3b29c2a843 100644 --- a/en/docs/learn/multi-factor-authentication-for-wso2-is-management-console.md +++ b/en/docs/learn/multi-factor-authentication-for-wso2-is-management-console.md @@ -15,8 +15,8 @@ When configuring single-sign-on for Management Console, "Issuer" value of the SAML request is defaulted to **carbonServer** as mentioned above. You can change this value by adding following configuration to the `/repository/conf/deployment.toml` file. ```toml - [admin_console.authenticator.saml_sso_authenticator.config] - ServiceProviderID = "CustomCarbonServerIssuer" + [admin_console.authenticator.saml_sso_authenticator] + service_provider_id = "CustomCarbonServerIssuer" ``` @@ -81,7 +81,15 @@ priority="1" ``` -15. Save and close the `deployment.toml` file. +15. Set `assertion_consumer_service_url` and `identity_provider_sso_service_url`. + + ``` toml + [admin_console.authenticator.saml_sso_authenticator] + assertion_consumer_service_url = "https://localhost:9443/acs" + identity_provider_sso_service_url = "https://localhost:9443/samlsso" + ``` + +16. Save and close the `deployment.toml` file. ## Try it out diff --git a/en/docs/learn/multi-factor-authentication-using-fido.md b/en/docs/learn/multi-factor-authentication-using-fido.md index 4572794482..f349f62006 100644 --- a/en/docs/learn/multi-factor-authentication-using-fido.md 
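Review bot: the regex table in the new multi-attribute-login page uses an en-dash in `0–9` (`^([a-zA-Z0–9_\.\-])+\@...`, `^[a-zA-Z0–9._-]{3,}$`); inside a character class that matches the three literal characters `0`, `–` and `9` rather than the digit range, so identifiers containing 1 to 8 would be rejected. Replace it with ASCII `0-9` in all three rows. The email pattern also nests quantifiers (`(([a-zA-Z0–9\-])+\.)+`), which on a value taken straight from an unauthenticated login form is the classic catastrophic-backtracking shape; a pattern without nested quantifiers such as `^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$` is safer to recommend. Smaller points in the same hunk: the console link is written as `[...](`https://:/carbon`)` with backticks inside the link target and an empty host and port, so it will not render as a link; "Allow users to user the mobile number" should read "use"; and the super-tenant example `john@wso2.com@caron.super` should be `carbon.super`, matching the `admin@carbon.super` username shown later in this change.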
+++ b/en/docs/learn/multi-factor-authentication-using-fido.md @@ -17,7 +17,7 @@ This section provides details on Fast IDentity Online (FIDO) and instructions on - Firefox (FIREFOX 60) - Edge (EDGE 17723) - To define the set of origin URLs where the WSO2 Identity Server User Portal will be hosted (e.g., `https://localhost:9443`): + To define the set of origin URLs where the WSO2 Identity Server **My Account** will be hosted (e.g., `https://localhost:9443`): 1. Open the `deployment.toml` file in the `/repository/conf` directory. 2. Add the following configuration. @@ -101,7 +101,7 @@ The instructions in this section enable you to successfully set up MFA using the ### Setting up an account for MFA -To associate a FIDO device with the user account, refer [Add security device](../learn/user-portal.md#add-security-device). +To associate a FIDO device with the user account, refer [Add security device](../learn/my-account.md#add-security-device). ### Configuring FIDO U2F as an authenticator diff --git a/en/docs/learn/mutual-tls-client-auth.md b/en/docs/learn/mutual-tls-client-auth.md index cbbe2270cd..680bfde193 100644 --- a/en/docs/learn/mutual-tls-client-auth.md +++ b/en/docs/learn/mutual-tls-client-auth.md @@ -214,7 +214,7 @@ curl -X POST \ -d token=9d109c6d-d42e-3b6e-9d93-ae3cb8f65ade ``` - ```tab="Sample Response" +```tab="Sample Response" { "nbf": 1586929210, "scope": "openid", @@ -228,4 +228,4 @@ curl -X POST \ "client_id": "h9gd1bLEgzUwftAhnrof0fZWcZwa", "username": "admin@carbon.super" } -``` \ No newline at end of file +``` diff --git a/en/docs/learn/my-account.md b/en/docs/learn/my-account.md index 90d3f5bb5c..f6a2b037f4 100644 --- a/en/docs/learn/my-account.md +++ b/en/docs/learn/my-account.md 
@@ -1,14 +1,14 @@ -# My Account +# **My Account** !!! note - The **User Portal** application has been renamed as **My Account** from this release onwards. + The ****My Account**** application has been renamed as ****My Account**** from this release onwards. ## Introduction -The new **WSO2 Identity Server**(WSO2 IS) **My Account** application is packed with a number of new +The new **WSO2 Identity Server**(WSO2 IS) ****My Account**** application is packed with a number of new components through which users can manage their user account-related preferences with more convenience. The latest set of features that will be -available with the new **My Account** includes: +available with the new ****My Account**** includes: - User profile management - Linked accounts @@ -24,9 +24,9 @@ This section briefly explains what each of the above-mentioned features are and --- -## Access My Account and its components +## Access **My Account** and its components -1. Go to the **My Account** URL: `https://(host name):(port name)/myaccount/`. For example, ``. +1. Go to the ****My Account**** URL: `https://(host name):(port name)/myaccount/`. For example, ``. 2. Enter the username and password and click **Sign In**. 
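Review bot: the rename from User Portal to My Account has been applied inside text that was already bold, producing `# **My Account**` in the title and `****My Account****` throughout this file, which Markdown does not render as bold. Worse, the note now reads "The ****My Account**** application has been renamed as ****My Account****", so the old name that the note exists to record is gone. Restore `The **User Portal** application has been renamed as **My Account** from this release onwards.` and collapse every `****My Account****` in the remaining hunks of this file to `**My Account**`. The example URL in step 1 is also empty (`For example, ``.`), so the reader gets no sample host and port.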
@@ -34,18 +34,18 @@ This section briefly explains what each of the above-mentioned features are and ## User Profile Management -Various elements of the **My Account** application can be managed by the users themselves by following the instructions given below. +Various elements of the ****My Account**** application can be managed by the users themselves by following the instructions given below. ### Add personal details -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Personal info** tab on the side panel. 3. Under the **Profile** sub section, click on the plus icon, aligning with the field that needs to be added. 4. Enter the value to the profile and click **Save**. ### Update personal details -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Personal info** tab on the side panel. 3. Click on the pencil icon aligning with the field that needs to be edited. 4. Update the new value in the profile and click **Save**. @@ -55,7 +55,7 @@ Various elements of the **My Account** application can be managed by the users t ### Add and update profile picture -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Personal info** tab on the side panel. 3. Hover over the profile picture or the placeholder and click on the camera icon. 
@@ -71,11 +71,11 @@ Various elements of the **My Account** application can be managed by the users t WSO2 IS allows linking multiple accounts that a user has and switching between accounts once the user links their accounts. WSO2 IS also allows to connect a user's federated user credentials with their WSO2 Identity Server account. -Users can link and manage local and federated accounts seamlessly using **My Account**. +Users can link and manage local and federated accounts seamlessly using ****My Account****. ### Link new accounts -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Personal info** tab on the side panel. 3. Under the linked account sub section, click **Add account**. @@ -87,7 +87,7 @@ Users can link and manage local and federated accounts seamlessly using **My Acc ### Delete linked accounts -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Personal info** tab on the side panel. 3. Click on the **delete** button aligning with the linked account that needs to be deleted. 4. Confirm the deletion of the linked account by clicking **OK** in the confirmation popup that appears. 
@@ -96,7 +96,7 @@ Users can link and manage local and federated accounts seamlessly using **My Acc ## Export user profile -Using the **export user profile** feature in **My Account**, a JSON file can be downloaded. This file includes the user's personal information, consents, and other claims allowing the user to extract the information that is being is recorded about them in WSO2 IS. +Using the **export user profile** feature in ****My Account****, a JSON file can be downloaded. This file includes the user's personal information, consents, and other claims allowing the user to extract the information that is being is recorded about them in WSO2 IS. !!! tip The consent receipts in the @@ -106,7 +106,7 @@ Using the **export user profile** feature in **My Account**, a JSON file can be existing receipts. To get an updated consent receipt that reflects the change, generate a new consent receipt by doing one of the following: - 1. Revoke the consent via **My Account** and go through the flow that prompts + 1. Revoke the consent via ****My Account**** and go through the flow that prompts the relevant consent again (i.e., revoke the given consent for an application in WSO2 IS, log out, then log back in. Now approve the consent again. A new consent receipt will be generated for that application consent). @@ -116,7 +116,7 @@ Using the **export user profile** feature in **My Account**, a JSON file can be You can export your profile by following the instructions given below. -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Personal info** tab on the side panel. 3. Under the **Export profile** sub section, click on the **Download as JSON** button. All the profile details will be downloaded to your local machine as a JSON file. 
@@ -126,9 +126,9 @@ You can export your profile by following the instructions given below. ## Reset password -As a security measure, it is recommended for users to reset their passwords regularly. Using **My Account**, the users can change their password without a hassle. In order to change the password using **My Account**, follow the instructions given below. +As a security measure, it is recommended for users to reset their passwords regularly. Using ****My Account****, the users can change their password without a hassle. In order to change the password using ****My Account****, follow the instructions given below. -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Under the **Change password** sub section, click **Change your password**. 4. Enter the current password, and the new password twice in order to confirm the new password. 
@@ -142,11 +142,11 @@ The account recovery feature implemented in WSO2 IS helps to recover the user ac The main part of account recovery is setting up security or challenge questions for user accounts. With the WSO2 IS, users can set up challenge questions in different languages. -**My Account** allows users to add and update their challenge questions and update the email address that they can use to recover their accounts when required. Follow the instructions given below to use the account recovery options available in **My Account** more effectively. +****My Account**** allows users to add and update their challenge questions and update the email address that they can use to recover their accounts when required. Follow the instructions given below to use the account recovery options available in ****My Account**** more effectively. ### Add security questions -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click **Security tab** on the side panel. 3. Under the **Account recovery** sub section, click on the **add** button aligning with the **security questions** section. 4. Select two questions from the sets questions given in the dropdown list and enter a unique answer only known to you. Make sure to remember these answers as they will be used to recover the account when required. 
@@ -154,14 +154,14 @@ The main part of account recovery is setting up security or challenge questions ### Update security questions -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Under the **Account recovery** sub section, click on the edit icon aligning with the security question that needs to be updated. 4. Select a new question and add an answer, or just update the answer to the question that was previously chosen and click on **Save**. ### Add recovery email -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Click on the add button aligning with the **Email recovery** section. 4. Enter a preferred email address as the recovery email and click **update**. @@ -171,7 +171,7 @@ The main part of account recovery is setting up security or challenge questions ### Update recovery email -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Click on the **edit** button with the pencil icon aligning with the Email recovery section. 4. Edit the email address that has already been used as the recovery mail and click on the **update** button. 
@@ -185,11 +185,11 @@ The main part of account recovery is setting up security or challenge questions MFA creates a layered defense and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, web service, network, or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. WSO2 Identity Server allows configuring multi-step authentication where you can define an authentication chain containing different authenticators in different steps. For more information on MFA, see [Multi-factor Authentication](../../learn/multi-factor-authentication). -Using the latest **My Account** application, users can update their mobile numbers through which they can authenticate themselves using the one-time verification code. Also, they can add inherence factors like FIDO devices and fingerprint sensors. The following section will provide instructions on how to configure MFA options in WSO2 IS using **My Account**. +Using the latest ****My Account**** application, users can update their mobile numbers through which they can authenticate themselves using the one-time verification code. Also, they can add inherence factors like FIDO devices and fingerprint sensors. The following section will provide instructions on how to configure MFA options in WSO2 IS using ****My Account****. ### Via SMS -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Under the **Multi-factor authentication** section, click on the edit icon aligning with the **via SMS** section. 4. Enter the mobile number that needs to be added as the MFA factor and click **update**. 
@@ -204,7 +204,7 @@ Using the latest **My Account** application, users can update their mobile numbe #### Add security device -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Under the **Multi-factor authentication** section, click on the add icon aligning with the **via security device** section. 4. Select an option depending on whether to add a USB security key or a built-in sensor. 
@@ -257,26 +257,26 @@ Any security device registered under MFA can be simply removed by clicking the d ## Monitor active user sessions -The **Active user sessions** section in **My Account** enables users to view details related to the sessions of the different applications that are accessed via WSO2 IS. When the **show more** button aligning with a specific session is clicked, it will display a detailed view of the session including the operating system, ip address, applications list, login time, and the last accessed time. +The **Active user sessions** section in ****My Account**** enables users to view details related to the sessions of the different applications that are accessed via WSO2 IS. When the **show more** button aligning with a specific session is clicked, it will display a detailed view of the session including the operating system, ip address, applications list, login time, and the last accessed time. -Depending on the user’s preference, **My Account** allows the users either to terminate all the sessions at once or terminate sessions one by one. By clicking the **terminate all** button at the top right corner, users can terminate all the active sessions with a single button click. If they wish to terminate a specific session, they can click on **terminate session** in the **detailed view** section. +Depending on the user’s preference, ****My Account**** allows the users either to terminate all the sessions at once or terminate sessions one by one. By clicking the **terminate all** button at the top right corner, users can terminate all the active sessions with a single button click. If they wish to terminate a specific session, they can click on **terminate session** in the **detailed view** section. --- ## Consent management WSO2 IS provides a comprehensive consent management solution that can be used to manage consents related to Identity and Access Management (IAM), and also to manage consents that belong to third party applications. 
For more information, see [Consent Management](../../learn/consent-management). -**My Account** allows users to revoke or edit the consent given to applications registered in WSO2 IS. In order to edit or revoke application consents, refer to the instructions given below. +****My Account**** allows users to revoke or edit the consent given to applications registered in WSO2 IS. In order to edit or revoke application consents, refer to the instructions given below. ### Revoke consent -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Under the **Manage consent** section, click on the **Revoke** button aligning with the application for which consent needs to be revoked. ### Edit consent -1. [Access **My Account**](#access-my-account-and-its-components). +1. [Access ****My Account****](#access-my-account-and-its-components). 2. Click the **Security** tab on the side panel. 3. Under the **Manage consent** section, click on the edit icon aligning with the application for which the consent needs to be edited. 4. Click and disable the toggle button aligning with any claim to revoke your consent. 
@@ -284,19 +284,7 @@ WSO2 IS provides a comprehensive consent management solution that can be used to --- -## Review pending approvals - -WSO2 IS enables more control over the tasks that are executed using workflows. This is particularly useful in a scenario where user accounts need to be approved in WSO2 IS. Workflows provide the flexibility to configure this approval process in a way that suits the user's scenario. - -**My Account** allows you to review the workflow operations like adding users, updating user claims, deleting users, and approving or denying them. For the convenience of the users, pending approvals are categorized into three states namely, **ready, reserved and completed**. - -Whenever a user gets created in the system, that task will appear under the **ready** section waiting for approval. Whenever a task is reviewed and claimed, that task will be listed under the **reserved** section of approvals. Once the task is approved or denied, it will appear under the **completed** section. - -![pending-approvals-all](../assets/img/using-wso2-identity-server/user-portal/pending-approvals/pending-approvals-all.png) - ---- - !!! info "Related Topics" - - To change the look and feel of the My Account UI, see [Customizing the My Account UI](../../develop/customizing-my-account-ui). - - To set up My Account in a dev environment, see [Setting Up My Account in a Development Environment](../../develop/setting-up-my-account-in-a-dev-environment). - - To configure the My Account application and customize features, theme, etc., see [Configuring My Account Application](../../develop/configure-my-account) \ No newline at end of file + - To change the look and feel of the **My Account** UI, see [Customizing the **My Account** UI](../../develop/customizing-my-account-ui). + - To set up **My Account** in a dev environment, see [Setting Up **My Account** in a Development Environment](../../develop/setting-up-my-account-in-a-dev-environment). 
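Review bot: deleting the "Review pending approvals" section removes the `#review-pending-approvals` anchor and the `pending-approvals-all.png` reference, so any page that still links to that anchor will land on nothing; check for such links before merging. Since the workflow page in this same change now sends managers to **Approvals** under the console's **Manage** tab, a one-line pointer to that view where the section used to be would serve readers arriving from older links. In the "Related Topics" bullets, the bold markers are placed inside the link text (`[Customizing the **My Account** UI](...)`), which is inconsistent with the rest of the page's links; keep the link text plain.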
+ - To configure the **My Account** application and customize features, theme, etc., see [Configuring **My Account** Application](../../develop/configure-my-account) diff --git a/en/docs/learn/oauth2-token-revocation.md b/en/docs/learn/oauth2-token-revocation.md index 203cc0a4ba..7dc9908df1 100644 --- a/en/docs/learn/oauth2-token-revocation.md +++ b/en/docs/learn/oauth2-token-revocation.md @@ -47,7 +47,7 @@ use of this **SOAP** endpoint is demonstrated by the WSO2 Identity Server’s dashboard under **Authorized Apps** ‘ for resource owners to login and revoke application authorization. -1. Go to the user portal URL: . +1. Go to the **My Account** URL: . 2. Click the **Login** button. 3. Enter your username and password and click the **Sign In** button. The dashboard appears. @@ -86,3 +86,9 @@ curl -X POST --basic -u ":" -H "Content-Type: applicat ``` The ` callback ` parameter is optional. + +!!! Note + When a session is terminated via rest api, WSO2 Identity Server will + revoke the mapped access token as well. There can be some instances where same access token is used across + multiple sessions. Therefore, it is always recommended to use sso-session binding if you are using the [session management + REST API](../develop/session-mgt-rest-api) to terminate the sessions. \ No newline at end of file diff --git a/en/docs/learn/passing-oidc-authentication-request-parameters-in-a-request-object.md b/en/docs/learn/passing-oidc-authentication-request-parameters-in-a-request-object.md index b34bec85bc..1d1e8f48a9 100644 --- a/en/docs/learn/passing-oidc-authentication-request-parameters-in-a-request-object.md +++ b/en/docs/learn/passing-oidc-authentication-request-parameters-in-a-request-object.md 
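Review bot: the added note in the token-revocation hunk is the security-relevant part of this change and needs tightening: "rest api" should be "REST API", "same access token is used across multiple sessions" should state when that happens so the reader understands why terminating one session can invalidate a token that other sessions still use, and "sso-session binding" should be written exactly as the token binding option is labelled in the service provider configuration so readers can find it. The link `../develop/session-mgt-rest-api` also drops one directory level compared with the `../../learn/...` style used elsewhere in this change; confirm it resolves. Step 1 in the earlier hunk still has an empty URL after the rename (`Go to the **My Account** URL: .`).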
@@ -129,12 +129,12 @@ parameters in a request object via WSO2 IS: - Mark the claims given above as **Mandatory Claims**. This will ensure that the user will be prompted once again to provide consent for the newly added/changed claims. - - Log in to the user portal, revoke the consent reciept + - Log in to the **My Account**, revoke the consent reciept for the application, and then attempt to log in to the application again. Now you will be prompted to provide consent for all requested claims, including the newly added/changed claims. For more information on - revoking/accepting user consent, see [Consent management](../../learn/user-portal/#consent-management). + revoking/accepting user consent, see [Consent management](../learn/my-account.md#consent-management). 4. Click **Update**. diff --git a/en/docs/learn/password-recovery-via-user-preferred-notification-channel.md b/en/docs/learn/password-recovery-via-user-preferred-notification-channel.md index c4abe89257..49969c37de 100644 --- a/en/docs/learn/password-recovery-via-user-preferred-notification-channel.md +++ b/en/docs/learn/password-recovery-via-user-preferred-notification-channel.md @@ -5,7 +5,7 @@ forgotten password. !!! Note This feature is only available via Account Recovery REST APIs. Currently, WSO2 IS does not - support this feature via the User Portal. + support this feature via the **My Account**. **Password Recovery Flow** diff --git a/en/docs/learn/password-recovery.md b/en/docs/learn/password-recovery.md index 8960939df8..122fb27e27 100644 --- a/en/docs/learn/password-recovery.md +++ b/en/docs/learn/password-recovery.md 
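Review bot: "Log in to the **My Account**" and "via the **My Account**" read oddly with the definite article before a product name; "Log in to **My Account**" and "via **My Account**" match how the my-account page itself refers to it. The consent link was changed from `../../learn/user-portal/#consent-management` to `../learn/my-account.md#consent-management`, which both drops a directory level and switches to a `.md` target; either form can resolve from `en/docs/learn/`, but the page should use one style, and the context line "consent reciept" should be "receipt".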
@@ -4,19 +4,6 @@ This section guides you through setting up password recovery for users to recover a lost or forgotten password. There are two methods of password recovery: -!!! warning - From 5.3.0 onwards there is a new implementation for identity management - features. The steps given below in this document follows the new - implemenation which is the **recommended approach** for password - recovery. - - Alternatively, to see steps on how to enable this identity management - feature using the **old implementation**, see [Password Recovery - documentation in WSO2 IS - 5.2.0](https://docs.wso2.com/display/IS520/Password+Recovery). The old - implementation has been retained within the WSO2 IS pack for backward - compatitbility and can still be used if required. - !!! note WSO2 IS validates whether the user account is locked or disabled prior to account recovery. In addition, if any customization prior to account recovery such as checking the eligibility of the user for account recovery by validating certain conditions/ user claims is needed, WSO2 Identity Server provides an extension for that. @@ -37,27 +24,6 @@ notifications. The flow of this method is as follows: Follow the steps given below to set up and try out password recovery with email notification. -!!! tip "Before you begin" - - Ensure that the identity listener with the - ` priority=50 ` is set to **false** and that the Identity - Listeners with ` priority=95 ` and - ` priority=97 ` are set to **true** by adding the following configuration in the - ` /repository/conf/deployment.toml ` file. - - ``` java - [event.default_listener.identity_mgt] - priority= "50" - enable = false - [event.default_listener.governance_identity_mgt] - priority= "95" - enable = true - [event.default_listener.governance_identity_store] - priority= "97" - enable = true - ``` - - 1. Enable the email sending configurations of the WSO2 Identity Server as explained [here](../../setup/configuring-email-sending). 
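Review bot: the "Before you begin" tip with the listener configuration is removed outright; if the target release still ships `identity_mgt` at `priority=50` enabled, or the `governance_identity_mgt` and `governance_identity_store` listeners disabled, readers following this page will not receive recovery notifications and the doc now gives them nothing to check. Either state in the PR that these are the defaults in the version this page targets, or keep the block; if it is kept, its fence is tagged `java` for TOML content and should be ```toml.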
@@ -138,7 +104,7 @@ with email notification. 2. Edit the user profile and enter an email address for the user. The email notification for password recovery is sent to the email address given. -3. Access the WSO2 Identity Server user portal using the following link: +3. Access the WSO2 Identity Server **My Account** using the following link: ` https://localhost:/user-portal `. 4. Click the **Forgot Password** link. 5. Enter the user's username and select **Recover with Mail**. Click @@ -208,7 +174,7 @@ To set up challenge questions or to manage the questions with different locales (languages), see [Managing Challenge Questions](../../learn/managing-challenge-questions). -#### Using the user portal +#### Using the **My Account** To try this out, first create a user in the Identity Server. @@ -220,10 +186,10 @@ To try this out, first create a user in the Identity Server. ![add-new-user](../assets/img/using-wso2-identity-server/add-new-user.png) 4. Log out of the Identity Server. -5. The URL for accessing user portal is the following if the hostname is +5. The URL for accessing **My Account** is the following if the hostname is localhost and the Identity Server is running on port 9443: - . Click this link to access the - user portal and log in using the credentials of the user you just + . Click this link to access the + **My Account** and log in using the credentials of the user you just created. ![enter-using-credentials](../assets/img/using-wso2-identity-server/enter-using-credentials.png) 6. Go to the **Security** tab. Click the **+** button near **Security questions** under the 
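Review bot: step 3 in the first hunk now says **My Account** but still sends the reader to `` https://localhost:/user-portal ``; elsewhere in this change the application is reached at `https://localhost:9443/myaccount`, so the path should change with the name, and the port is missing from the link. In the later hunks, the heading `#### Using the **My Account**` and the phrase "access the **My Account** and log in" read oddly with the article, and step 5's "Click this link" still points at an empty link target; "Using My Account" and a rendered URL would fix both.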
@@ -234,7 +200,7 @@ To try this out, first create a user in the Identity Server. set and give an answer for the question. ![answer-challenge-questions](../assets/img/using-wso2-identity-server/answer-challenge-questions.png) 8. Click **Save**. -9. Sign out of the user portal and click **Forgot Password** on the login +9. Sign out of the **My Account** and click **Forgot Password** on the login screen. ![choose-forgot-password](../assets/img/using-wso2-identity-server/choose-forgot-password.png) 10. Enter the username and select **Recover with Security Questions**. diff --git a/en/docs/learn/passwordless-authentication-using-fido2.md b/en/docs/learn/passwordless-authentication-using-fido2.md index 23efa456bc..30935e1ffb 100644 --- a/en/docs/learn/passwordless-authentication-using-fido2.md +++ b/en/docs/learn/passwordless-authentication-using-fido2.md @@ -26,7 +26,7 @@ The three major enablers of the FIDO2 flow are; - Firefox (FIREFOX 60) - Edge (EDGE 17723) - Follow the steps given below to define the set of origin URLs where the WSO2 Identity Server User Portal will be hosted (e.g., `https://localhost:9443`): + Follow the steps given below to define the set of origin URLs where the WSO2 Identity Server **My Account** will be hosted (e.g., `https://localhost:9443`): 1. Open the `deployment.toml` file in the `/repository/conf` directory. 2. Add the following configuration. diff --git a/en/docs/learn/pending-account-status.md b/en/docs/learn/pending-account-status.md new file mode 100644 index 0000000000..4065b995b7 --- /dev/null +++ b/en/docs/learn/pending-account-status.md 
@@ -0,0 +1,54 @@ +#Account Pending Status + +This feature places users in a pending status when the process of self registration, email verification +or ask password has been initiated and the confirmation mail has been sent, but the email has not been verified yet. +The status claim will be set depending on the flow. + +!!! Note + - For more details on self registration, see [Self-Registration and Account Confirmation](../../learn/self-registration-and-account-confirmation). + - For more details on ask password, see [Creating Users Using the Ask Password Option](../../learn/creating-users-using-the-ask-password-option). + + +With this improvement, in all these three features, self-registration, email verification and ask password, once a +confirmation email is sent, the users will be moved to a pending state. The status claim will be set depending on the flow. + +## Adding accountState claim +In order to keep track of the users’ account states, an identity claim (http://wso2.org/claims/identity/accountState) +is introduced. This stores the users’ account states. This claim is added by default to Identity Server from IS5.9.0 + +![account-state-claim](../assets/img/learn/account-pending-state.png) + +Refer this documentation on [how to add claim mapping with WSO2 Identity Server](../../learn/adding-claim-mapping). + +AccountState should be a readOnly claim. It cannot be updated even by the admin user. +In the older IS versions before IS5.7.0, Identity Server used to send two mails upon user self registration, ask password + and email verification if **Account Lock** feature is also **Enabled**. + - Confirmation mail + - Account Lock mail + +With this improvement, these flows will only send a confirmation mail if the `accountState` claim is engaged and the user is in +**PENDING** state (PENDING_AP, PENDING_EV,PENDING_SR,PENDING_LR). +Once the user confirms the email, the state will be moved to **UNLOCKED**. + +This account status can have the following values. + + 1. 
LOCKED + 2. PENDING_AP + 3. PENDING_EV + 4. PENDING_SR + 5. PENDING_LR + 6. DISABLED + 7. UNLOCKED + +Find the description of the status + +| State | Description | +| --------------------- | ------------------------------------------------------------ | +| LOCKED | Account is locked and not disabled. | +| PENDING_AP | Ask password email is sent and the email is not verified | +| PENDING_EV | Email Verification email is sent and the email is not verified | +| PENDING_SR | Self registration email is sent and the email is not verified yet | +| PENDING_LR | Lite User registration email is sent and the email is not verified yet| +| DISABLED | Account is disabled | +| UNLOCKED | Account is neither disabled nor locked | + diff --git a/en/docs/learn/prerequisites-to-publish-statistics.md b/en/docs/learn/prerequisites-to-publish-statistics.md index 1c918b949a..c2abe47a9d 100644 --- a/en/docs/learn/prerequisites-to-publish-statistics.md +++ b/en/docs/learn/prerequisites-to-publish-statistics.md @@ -61,7 +61,7 @@ Follow the steps below to enable event publishing in WSO2 IS.

     
-    [identity_mgt.analyticsLoginDataPublisherV110] 
+ [identity_mgt.analytics_login_data_publisher]
enable=true
@@ -346,7 +346,13 @@ Follow the steps below to run WSO2 IS and WSO2 IS Analytics. - If you are running WSO2 IS Analytics in a clustered setup, see [WSO2 Stream Processor Deployment Guide](https://docs.wso2.com/stream-processor/Deployment+Guide). - + The viable cluster types for WSO2 IS Analytics are [Minimum High Availability + Deployment](https://docs.wso2.com/display/SP440/Minimum+High+Availability+Deployment) + (recommended) and [Fully Distributed + Deployment](https://docs.wso2.com/display/SP440/Fully+Distributed+Deployment). + For both types, database system state persistence need to be enabled and configured. + If required, the dashboard profile can be hosted outside the cluster with + the state persistence database of the cluster configured as a datasource. 1. Run the Worker node of WSO2 IS Analytics. For detailed instructions, see [WSO2 SP - Starting Worker diff --git a/en/docs/learn/provisioning-users-to-hubspot.md b/en/docs/learn/provisioning-users-to-hubspot.md index 9b7a37a642..5de7e201f0 100644 --- a/en/docs/learn/provisioning-users-to-hubspot.md +++ b/en/docs/learn/provisioning-users-to-hubspot.md @@ -123,7 +123,7 @@ users created in WSO2 Identity Server can also be provisioned to external system ## Try it out -1. Access WSO2 Identity Server [User Portal](https://localhost:9443/user-portal/). +1. Access WSO2 Identity Server [**My Account**](https://localhost:9443/myaccount). 2. Click **Create Account**. ![sign-in](../assets/img/tutorials/sign-in.png) @@ -145,7 +145,7 @@ users created in WSO2 Identity Server can also be provisioned to external system 7. Login to HubSpot. 8. On the navigation panel, click **contacts**. You will see that the user you created in WSO2 IS has also been created in HubSpot. -9. Then try to edit user details through the user portal as follows. +9. Then try to edit user details through the **My Account** as follows. ![personal-info](../assets/img/tutorials/personal-info.png) 
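Review bot: `#Account Pending Status` on the first line of the new pending-account-status.md has no space after `#`, so MkDocs renders it as literal text rather than the page title; write `# Account Pending Status`. Two further points in the same file: the sentence "AccountState should be a readOnly claim. It cannot be updated even by the admin user." is the security-relevant property of this claim, so state where it is enforced (the read-only flag on the claim mapping) rather than leaving it as an expectation; and the version references ("added by default ... from IS5.9.0" versus "older IS versions before IS5.7.0") leave the 5.7.0 to 5.9.0 range unexplained. Minor: `PENDING_AP, PENDING_EV,PENDING_SR,PENDING_LR` is missing spaces.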
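Review bot: In the prerequisites-to-publish-statistics hunk, the replacement line `[identity_mgt.analytics_login_data_publisher]` is indented with a single space while the removed line and the following `enable=true` carry the indentation of the fenced TOML block; inside the fence this shifts the table header out of alignment with its key. Re-indent the `+` line to match the surrounding block. It is also worth confirming that the snake_case section name is the one the 5.11 deployment.toml actually reads, since the rename only helps if the server recognises it.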
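Review bot: Grammar in the added analytics clustering paragraph (`@@ -346` hunk): "database system state persistence need to be enabled" should be "needs to be enabled". The same paragraph says the dashboard profile "can be hosted outside the cluster with the state persistence database of the cluster configured as a datasource" but does not say that this makes the cluster's persistence database reachable from a host outside the cluster; add a sentence that the datasource credentials and the network path for that external dashboard need to be restricted accordingly.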
diff --git a/en/docs/learn/role-based-permissions.md b/en/docs/learn/role-based-permissions.md index f7567d70aa..0b39b62972 100644 --- a/en/docs/learn/role-based-permissions.md +++ b/en/docs/learn/role-based-permissions.md @@ -159,7 +159,7 @@ follows:
diff --git a/en/docs/learn/self-registration-and-account-confirmation.md b/en/docs/learn/self-registration-and-account-confirmation.md index 334603c621..2295ad8585 100644 --- a/en/docs/learn/self-registration-and-account-confirmation.md +++ b/en/docs/learn/self-registration-and-account-confirmation.md @@ -192,7 +192,7 @@ Next, you can try out self-registration. ## Try out self-registration -1. Access the [WSO2 Identity Server user portal](https://localhost:9443/user-portal/). +1. Access the [WSO2 Identity Server **My Account**](https://localhost:9443/myaccount). 2. Click the **Create Account** link and then enter the new user's username. @@ -234,7 +234,7 @@ Next, you can try out self-registration. Follow the steps given below to resend the confirmation email. 1. Access the [WSO2 Identity Server - user portal](https://localhost:9443/user-portal/) and try to login with + **My Account**](https://localhost:9443/myaccount) and try to login with the user you just registered. The user account should not be activated for the user, which means you should not have confirmed the account. diff --git a/en/docs/learn/self-registration.md b/en/docs/learn/self-registration.md index a45b09e80b..22e4d884a7 100644 --- a/en/docs/learn/self-registration.md +++ b/en/docs/learn/self-registration.md @@ -147,7 +147,7 @@ You have now configured WSO2 Identity Server to enable self-registration. Let's ## Try out -1. Access WSO2 Identity Server User Portal at `https://localhost:9443/user-portal/`. +1. Access WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. 2. Click **Create Account**. 
@@ -157,6 +157,12 @@ You have now configured WSO2 Identity Server to enable self-registration. Let's Start Signing Up form + !!! tip "Using special characters in the username" + + Note that the special characters `@`, `/`, `\`, `!`, `(`, `)`, `*`, `~`, `<`, `>`, and whitespaces are + not allowed in usernames as they have been reserved for other purposes. See [Usernames in WSO2 Identity Server + ](../references/usernames-in-identity-server.md) for more information on this. + The **Create New Account** screen appears. Create New screen @@ -181,7 +187,7 @@ You have now configured WSO2 Identity Server to enable self-registration. Let's Account Confirmation notification -6. Click **Close**. The WSO2 Identity Server User Portal Login screen appears. +6. Click **Close**. The WSO2 Identity Server **My Account** Login screen appears. 7. Log in with Alex's credentials and navigate to the Home screen. diff --git a/en/docs/learn/try-device-flow.md b/en/docs/learn/try-device-flow.md new file mode 100644 index 0000000000..357e46380b --- /dev/null +++ b/en/docs/learn/try-device-flow.md @@ -0,0 +1,217 @@ +# Try Device Authorization Grant + +The Device Authorization Grant is one of the grant types in the OAuth 2.0 +specification. For more information about this grant type, see +[Device Authorization Grant](../../learn/device-flow-grant). +This section guides you on how to try out the Device Authorization grant type. + +### Device Authorization Grant Configurations + +Following are the device authorization grant properties that are configurable. + +
When the Admin/Manage permission is selected, the following menus will be enabled in the management console:

- Main menu /Service Providers: See the topic on working with service providers for details on how to use this option.
- - Tools menu /SAML: See the topic on working with the SAML tool kit for more details.
+
- Additionally, all permissions listed under Admin/Manage in the permissions navigator will be enabled automatically.
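Review bot: In the role-based-permissions hunk, the new bullet "Additionally, all permissions listed under Admin/Manage in the permissions navigator will be enabled automatically" sits in a list introduced as "the following menus will be enabled", so it reads as a menu entry. Move it to a sentence after the list. Since it states that selecting this one permission transitively grants everything under Admin/Manage, that is exactly what an administrator assigning the permission needs to know; make the sentence explicit about which permissions are included.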
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Name + + Description + + Configuration +
+

Key length

+
+

The length of the user code.

+
+ key_length +
+

Expiry time

+
+

The expiry time of the user code in milliseconds.

+
+ expiry_time +
+

Polling interval

+
+

The minimum amount of time in seconds that the client should wait between polling requests to the + token endpoint in milliseconds.

+
+ polling_interval +
+

Key set

+
+

The set of characters that is used to generate the user code.

+
+ key_set +
+ +### Configuring Device Authorization Grant properties during deployment + +All the above parameters can be configured at the server level through the `deployment.toml` file. A sample configuration +is shown below. + +``` +[oauth.grant_type.device_code] +key_length = 7 +expiry_time = 60000 +polling_interval = 5000 +key_set = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789" +``` + + +1. Navigate to /bin and start the server by executing the following command on a terminal window. + + ``` java tab="Linux/MacOS" + sh wso2server.sh + ``` + + ``` java tab="Windows" + wso2server.bat run + ``` + +2. Access the [WSO2 Identity Server Management Console] (https://localhost:9443/carbon) and log in using your user + name and password. + +3. On the **Main** menu, click **Service Providers** > **Add**. + + ![register-service-provider](../assets/img/using-wso2-identity-server/register-service-provider.png) + + ![register-service-provider-name](../assets/img/using-wso2-identity-server/register-sp-name.jpg) + +4. Expand **Inbound Authentication Configuration** > **OAuth/OpenID Connect Configuration**. Click **Configure**. + + ![register-service-provider-oauth](../assets/img/using-wso2-identity-server/register-sp-oauth.jpg) + +5. Select `urn:ietf:params:oauth:grant-type:device_code` to enable using the device flow grant type. + + !!! info + Since these are public clients, ensure that the **Allow authentication without the client secret** option is checked. + +6. Next, click **Update** to save the service provider configurations. Note the generated OAuth client key and client + secret. + + ![consumer-key-service-provider-oauth](../assets/img/using-wso2-identity-server/get-oauth-consumer-key.jpg) + + !!! tip + When configuring with your device, configure the client ID as your OAuth client-key. + +7. Open a terminal window and run the following command to send a request to the `device_authorize` endpoint. 
+ + The client (the device) is initiating this request to obtain a device + code, a user code, and a verification URI from the authorization server. + + + + + + + + + + + + +
Request + +
Response
+ +8. Access the obtained verification_uri from your non input-constrained device. You can either enter + the user code there or access the verification_uri_complete obtained from the response. + + ![device-code-enter](../assets/img/using-wso2-identity-server/device-code-enter.jpg) + +12. Click Sign In. If the user code is correct, you will be prompted to enter your credentials. If you have entered the + wrong user code or an expired(user code is one time use code) one, it will ask to re-enter your user code. In that + case, get a new user code following the previous steps and enter the new user code along with your credentials. + + ![device-username-password](../assets/img/using-wso2-identity-server/device-username-password.jpg) + + ![device-scopes](../assets/img/using-wso2-identity-server/device-scopes.jpg) + +13. Upon successful authentication, you will be redirected to the configured callback URL of the service provider. + +14. To obtain an access token and a refresh token, the client must call the /token endpoint of the + authorization server. The client will poll the authorization server with the polling interval mentioned in the + response in step 7. + + Open a terminal window and run the following command to send a token request to the authorization server. + + + + + + + + + + + + +
Request + +
Response
+ +14. To validate your token, use the introspection endpoint. [Invoke the OAuth Introspection Endpoint](../../learn/invoke-the-oauth-introspection-endpoint) diff --git a/en/docs/learn/user-registration-with-email-verification.md b/en/docs/learn/user-registration-with-email-verification.md index c075da4b55..9828de4aa5 100644 --- a/en/docs/learn/user-registration-with-email-verification.md +++ b/en/docs/learn/user-registration-with-email-verification.md @@ -101,7 +101,12 @@ You have now configured WSO2 Identity Server to send the user account confirmati ```curl curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Alex","givenName":"Roe"},"userName":"Alex","password":"password","emails":[{"primary":true,"value":""}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{verifyEmail:"true"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users ``` - + !!! tip "Using special characters in the username" + + Note that the special characters `@`, `/`, `\`, `!`, `(`, `)`, `*`, `~`, `<`, `>`, and whitespaces are + not allowed in usernames as they have been reserved for other purposes. See [Usernames in WSO2 Identity + Server](../references/usernames-in-identity-server.md) for more information on this. + 2. An email requesting to confirm the user creation is sent to the given email address. Account Creation verification email diff --git a/en/docs/learn/user-registration-with-password-entry.md b/en/docs/learn/user-registration-with-password-entry.md index 7f2743ea4c..045254b011 100644 --- a/en/docs/learn/user-registration-with-password-entry.md +++ b/en/docs/learn/user-registration-with-password-entry.md 
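Review bot: Several defects in the new try-device-flow.md: (1) the "Polling interval" table row says "minimum amount of time in seconds ... in milliseconds", and the sample sets `polling_interval = 5000`, so state one unit; (2) the step list jumps from 8 to 12 and uses 14 twice; (3) `[WSO2 Identity Server Management Console] (https://localhost:9443/carbon)` has a space before `(` and will not render as a link; (4) step 13 says the user is "redirected to the configured callback URL of the service provider", but in this flow the device only learns the outcome by polling the token endpoint as step 14 describes, so clarify which browser-side page is meant. The info box telling readers to check "Allow authentication without the client secret" should also say what that implies: the client is public, so the user code's expiry and its one-time use (already mentioned in step 12) are the controls, and `expiry_time` should be kept short.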
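Review bot: In the user-registration-with-email-verification hunk, the unchanged curl context line just above the new tip contains `{verifyEmail:"true"}` with an unquoted key, which is not valid JSON and is likely to be rejected by the SCIM2 endpoint; since this hunk touches the same block, quote it as `{"verifyEmail":"true"}`.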
@@ -110,9 +110,18 @@ Follow the steps below to configure WSO2 Identity Server to enable password entr - **Ask Password from user**: Selected - **Email Address**: Enter the email address to which you wish to receive the account confirmation email. - !!! tip "Using special characters in the email address" - - If you are using special characters such as `$` in your email address, see [Configuring Emails with Special Characters](../../learn/adding-email-special-characters). + !!! tip "Using special characters" + + - **In the username** + + Note that the special characters `@`, `/`, `\`, `!`, `(`, `)`, `*`, `~`, `<`, `>`, and + whitespaces are not allowed in usernames as they have been reserved for other purposes. See + [Usernames in WSO2 Identity Server](../references/usernames-in-identity-server.md) for more + information on this. + + - **In the email address** + + If you are using special characters such as `$` in your email address, see [Configuring Emails with Special Characters](../../learn/adding-email-special-characters). 4. Click **Finish**. diff --git a/en/docs/learn/username-recovery-via-user-preferred-notification-channel.md b/en/docs/learn/username-recovery-via-user-preferred-notification-channel.md index c33887e1c4..3932d0d628 100644 --- a/en/docs/learn/username-recovery-via-user-preferred-notification-channel.md +++ b/en/docs/learn/username-recovery-via-user-preferred-notification-channel.md @@ -4,7 +4,7 @@ WSO2 Identity Server enables recovering user accounts where the user has forgott !!! Note This feature is only available via Account Recovery REST APIs. Currently, WSO2 IS does not - support this feature via the User Portal. + support this feature via the **My Account**. **Username Recovery Flow** diff --git a/en/docs/learn/username-recovery.md b/en/docs/learn/username-recovery.md index e5e6208f8f..f8e2d9ae26 100644 --- a/en/docs/learn/username-recovery.md +++ b/en/docs/learn/username-recovery.md 
@@ -121,7 +121,7 @@ with the WSO2 IS. 2. Edit the user profile and enter an email address for the user. The email notification for password recovery is sent to the email address given here. -3. Access the [WSO2 Identity Server User Portal](https://localhost:9443/user-portal/). +3. Access the [WSO2 Identity Server **My Account**](https://localhost:9443/myaccount). 4. Click the **Forgot Username** link. 5. Enter the required fields and click **Submit**. ![enter-fields-dashboard](../assets/img/using-wso2-identity-server/enter-fields-userportal.png) diff --git a/en/docs/learn/validating-password-history.md b/en/docs/learn/validating-password-history.md index 4486ac0ecd..b3f117a417 100644 --- a/en/docs/learn/validating-password-history.md +++ b/en/docs/learn/validating-password-history.md @@ -80,7 +80,7 @@ Follow the steps below to define the password policy that Sam wants to enforce. 3. To change the password: - 1. Access WSO2 Identity Server user portal at `https://localhost:9443/user-portal/`. + 1. Access WSO2 Identity Server **My Account** at `https://localhost:9443/myaccount`. 2. Log in with the credentials of the user account that you created. diff --git a/en/docs/learn/workflow-management.md b/en/docs/learn/workflow-management.md index 4c8c97e2ad..8e0d077648 100644 --- a/en/docs/learn/workflow-management.md +++ b/en/docs/learn/workflow-management.md 
@@ -17,13 +17,6 @@ Consider a company where new employees are added to the system by HR but only af ![sample-for-workflow](../assets/img/using-wso2-identity-server/sample-for-workflow.png) -!!! info - - For more information about workflow usecases and a demo of workflow management using the WSO2 Identity Server Management console, watch the screencast video below. - - - - !!! info An embedded Business Process Management engine is included in WSO2 Identity Server to execute this feature. However, if you need more flexibility and more extensibility with this feature than what is currently provided, it is advisable to integrate WSO2 Identity Server with [WSO2 Enterprise Integrator](https://ei.docs.wso2.com/en/latest/). diff --git a/en/docs/learn/working-with-xacml.md b/en/docs/learn/working-with-xacml.md index 9568bc8de1..b75b5e987f 100644 --- a/en/docs/learn/working-with-xacml.md +++ b/en/docs/learn/working-with-xacml.md 
@@ -12,12 +12,11 @@ than it being just a fine grained authorization mechanism. For more information about XACML, see [Access Control and Entitlement Management](../../get-started/access-control-and-entitlement-management#introducing-xacml). -We generally uses the HTTPS transport for calling the Web Service API -that has been exposed by the PDP.  With WSO2 Identity Server, we can -also use **Thrift** protocal to communicate with PDP.  It is said that -thrift is more faster than the HTTP.  Therefore we hope that we can get -more performance and less response time by using thrift protocol with -WSO2 Identity Server. +We generally use the HTTPS transport protocol for calling a Web Service API +that has been exposed by the PDP ([Policy Decision Point](configuring-the-policy-decision-point.md)). +With WSO2 Identity Server, we can also use the **Thrift** protocol to communicate with the PDP. +Since is a well known fact that Thrift is faster than HTTP, we can get significantly higher performance along with less +response time by using thrift protocol with WSO2 Identity Server. diff --git a/en/docs/learn/x509certificate-authenticator.md b/en/docs/learn/x509certificate-authenticator.md index e2aa09ddbc..056933df27 100644 --- a/en/docs/learn/x509certificate-authenticator.md +++ b/en/docs/learn/x509certificate-authenticator.md @@ -149,7 +149,7 @@ Once you have done the above steps, you have the keystore (`localcrt.jks`), trus `/repository/conf/deployment.toml` file. ``` toml - [custom_trasport.x509.properties] + [custom_transport.x509.properties] protocols="HTTP/1.1" port="8443" maxThreads="200" 
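Review bot: In the working-with-xacml hunk, "Since is a well known fact that Thrift is faster than HTTP" is ungrammatical (missing "it") and also an unsupported performance claim; say "Thrift is generally faster than HTTP" or cite a measurement. More importantly, the paragraph offers Thrift as a replacement for the HTTPS transport to the PDP without saying whether the Thrift transport is encrypted or how the caller authenticates to the PDP; add that to the paragraph so readers do not trade TLS protection of authorization decisions for speed without knowing it.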
@@ -333,9 +333,9 @@ Make note of the following points and configure your database to match your use case: - [Disabling Certificate Validation in an Unstarted WSO2 IS - Pack](#disabling-certificate-validation-in-an-unstarted-WSO2-IS-Pack) + Pack](#disabling-certificate-validation) - [Disabling Certificate Validation in an Already-started WSO2 IS - Pack](#Disabling-Certificate-Validation-in-an-Already-started-WSO2-IS-Pack) + Pack](#Disabling-Certificate-Validation) ## Deploying travelocity.com sample app diff --git a/en/docs/references/usernames-in-identity-server.md b/en/docs/references/usernames-in-identity-server.md new file mode 100644 index 0000000000..13d9346948 --- /dev/null +++ b/en/docs/references/usernames-in-identity-server.md @@ -0,0 +1,26 @@ +# Usernames in WSO2 Identity Server + +Selecting a good username is important as it is a prime link to your identity. Hence, make sure to adhere to + the following best practices when creating usernames. + +## Best practices for username creation + +- A username should be easy to remember and difficult to guess. +- Make sure the username does not give any hints to guess your password. +- It is better to avoid using combinations of special characters such as `'`, `"`, `,`, `.`, `:`, and `;` as they may be + difficult to distinguish when being read. + +## Restricted special characters in usernames + +The following is a list of characters that have been reserved for other purposes. These characters should not used in + usernames except for the intended purpose. + +| Character | Reserved Purpose | +|-----------|---------------------------------------------------------------| +| `@` | For specifying the tenant to which the user belongs | +| `/` | For specifying the userstore which holds the user's data | + +!!! warning "Unsupported special characters in usernames" + + Note that the use of special characters `\`, `!`, `(`, `)`, `*`, `~`, `<`, `>`, and whitespaces is + not supported in this version of WSO2 Identity Server. 
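Review bot: In the x509certificate-authenticator `@@ -333` hunk, both list entries now link to the same fragment (`#disabling-certificate-validation` and `#Disabling-Certificate-Validation` differ only in case), so the "Already-started" item lands on the same section as the "Unstarted" item. Either point them at two distinct heading anchors or merge the two list items.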
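Review bot: In the new usernames-in-identity-server.md, "These characters should not used in usernames" is missing "be". The best-practice bullet "easy to remember and difficult to guess" treats the username as a secret; usernames are routinely disclosed (in e-mails, SCIM responses, logs), so the guidance that matters is not to embed password hints, which the second bullet already covers. Consider dropping or rewording the first bullet so readers do not rely on username secrecy.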
diff --git a/en/docs/setup/configuring-a-seperate-session-store.md b/en/docs/setup/configuring-a-seperate-session-store.md new file mode 100644 index 0000000000..f2748fb0e7 --- /dev/null +++ b/en/docs/setup/configuring-a-seperate-session-store.md 
@@ -0,0 +1,216 @@ +# Configuring a Separate JDBC Session Store + +WSO2 identity server uses the identity database as the session store. +This document will guide to you to configure a separate JDBC session store. +By default, the WSO2 Identity Server embedded H2 +database contains session store tables. + +##Configuring the internal database as session store + +Add the following configuration to `/repository/conf/deployment.toml`. + +``` toml +[session] +data_source="jdbc/WSO2SessionDB" +[datasource.WSO2SessionDB] +id = "WSO2SessionDB" +url = "jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000" +username = "wso2carbon" +password = "wso2carbon" +driver = "org.h2.Driver" +[datasource.WSO2SessionDB.pool_options] +defaultAutoCommit = true +maxActive = 50 +maxWait = 60000 +jmx_enable = false +validationInterval = 30000 +``` + +##Configuring an external database as JDBC user store. + +1. Create a database on [any supported RDBMS database](../../setup/working-with-databases). + +2. Following are the example configurations for each database type. + +??? example "PostgreSQL" + + 1. deployment.toml Configurations. + ``` + [session] + data_source="jdbc/WSO2SessionDB" + [datasource.WSO2SessionDB] + url = "jdbc:postgresql://localhost:5432/sessiondb" + username = "root" + password = "root" + driver = "org.postgresql.Driver" + ``` + + 2. Execute the database scripts. + + Navigate to `/dbscripts/identity/postgresql.sql`. Execute the scripts in the following tables. + IDN_AUTH_SESSION_STORE + IDN_AUTH_SESSION_APP_INFO + IDN_AUTH_SESSION_META_DATA + IDN_AUTH_TEMP_SESSION_STORE + IDN_AUTH_USER + IDN_AUTH_USER_SESSION_MAPPING + IDN_AUTH_WAIT_STATUS + + Execute the scripts related to following indexes. + + IDX_IDN_AUTH_SESSION_TIME + IDX_IDN_AUTH_TMP_SESSION_TIME + IDX_AUTH_USER_UN_TID_DN + IDX_AUTH_USER_DN_TOD + IDX_USER_ID + IDX_SESSION_ID + against the database created. + + 3. 
Download the PostgreSQL JDBC driver for the version you are using and + copy it to the `/repository/components/lib` folder. + +??? example "MySQL" + + 1. deployment.toml Configurations. + ``` + [session] + data_source="jdbc/WSO2SessionDB" + [datasource.WSO2SessionDB] + url = "jdbc:mysql://localhost:3306/sessiondb?useSSL=false" + username = "root" + password = "root" + driver = "com.mysql.jdbc.Driver" + ``` + + 2. Execute the database scripts. + + Navigate to `/dbscripts/identity/mysql.sql`. Execute the scripts in the following tables. + IDN_AUTH_SESSION_STORE + IDN_AUTH_SESSION_APP_INFO + IDN_AUTH_SESSION_META_DATA + IDN_AUTH_TEMP_SESSION_STORE + IDN_AUTH_USER + IDN_AUTH_USER_SESSION_MAPPING + IDN_AUTH_WAIT_STATUS + + Execute the scripts related to following indexes. + + IDX_IDN_AUTH_SESSION_TIME + IDX_IDN_AUTH_TMP_SESSION_TIME + IDX_AUTH_USER_UN_TID_DN + IDX_AUTH_USER_DN_TOD + IDX_USER_ID + IDX_SESSION_ID + against the database created. + + 3. Download the MySQL JDBC driver for the version you are using and + copy it to the `/repository/components/lib` folder. + +??? example "DB2" + + 1. deployment.toml Configurations. + ``` + [session] + data_source="jdbc/WSO2SessionDB" + [datasource.WSO2SessionDB] + url = "jdbc:db2://localhost:50000/sessiondb" + username = "root" + password = "root" + driver = "com.ibm.db2.jcc.DB2Driver" + ``` + 2. Execute the database scripts. + + Navigate to `/dbscripts/identity/db2.sql`. Execute the scripts in the following tables. + IDN_AUTH_SESSION_STORE + IDN_AUTH_SESSION_APP_INFO + IDN_AUTH_SESSION_META_DATA + IDN_AUTH_TEMP_SESSION_STORE + IDN_AUTH_USER + IDN_AUTH_USER_SESSION_MAPPING + IDN_AUTH_WAIT_STATUS + + Execute the scripts related to following indexes + + IDX_IDN_AUTH_SESSION_TIME + IDX_IDN_AUTH_TMP_SESSION_TIME + IDX_AUTH_USER_UN_TID_DN + IDX_AUTH_USER_DN_TOD + IDX_USER_ID + IDX_SESSION_ID + against the database created. + + 3. 
Download the DB2 JDBC driver for the version you are using and + copy it to the `/repository/components/lib` folder. + +??? example "MSSQL" + + 1. deployment.toml Configurations. + ``` + [session] + data_source="jdbc/WSO2SessionDB" + [datasource.WSO2SessionDB] + url = "jdbc:sqlserver://localhost:1433;databaseName=sessiondb;SendStringParametersAsUnicode=false" + username = "root" + password = "root" + driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver" + ``` + 2. Execute the database scripts. + + Navigate to `/dbscripts/identity/mssql.sql`. Execute the scripts in the following tables. + IDN_AUTH_SESSION_STORE + IDN_AUTH_SESSION_APP_INFO + IDN_AUTH_SESSION_META_DATA + IDN_AUTH_TEMP_SESSION_STORE + IDN_AUTH_USER + IDN_AUTH_USER_SESSION_MAPPING + IDN_AUTH_WAIT_STATUS + + Execute the scripts related to following indexes + + IDX_IDN_AUTH_SESSION_TIME + IDX_IDN_AUTH_TMP_SESSION_TIME + IDX_AUTH_USER_UN_TID_DN + IDX_AUTH_USER_DN_TOD + IDX_USER_ID + IDX_SESSION_ID + against the database created. + + 3. Download the MSSQL JDBC driver for the version you are using and + copy it to the `/repository/components/lib` folder. + + +??? example "Oracle" + + 1. deployment.toml Configurations. + ``` + [session] + data_source="jdbc/WSO2SessionDB" + [datasource.WSO2SessionDB] + url = "jdbc:oracle:thin:@localhost:1521/sessiondb" + username = "root" + password = "root" + driver = "oracle.jdbc.OracleDriver" + ``` + 2. Execute the database scripts. + + Navigate to `/dbscripts/identity/oracle.sql`. Execute the scripts in the following tables. + IDN_AUTH_SESSION_STORE + IDN_AUTH_SESSION_APP_INFO + IDN_AUTH_SESSION_META_DATA + IDN_AUTH_TEMP_SESSION_STORE + IDN_AUTH_USER + IDN_AUTH_USER_SESSION_MAPPING + IDN_AUTH_WAIT_STATUS + + Execute the scripts related to following indexes. + + IDX_IDN_AUTH_SESSION_TIME + IDX_IDN_AUTH_TMP_SESSION_TIME + IDX_AUTH_USER_UN_TID_DN + IDX_AUTH_USER_DN_TOD + IDX_USER_ID + IDX_SESSION_ID + against the database created. + + 3. 
Download the Oracle JDBC driver for the version you are using and + copy it to the `/repository/components/lib` folder. diff --git a/en/docs/setup/deployment-guide.md b/en/docs/setup/deployment-guide.md index a4ac08d872..96e5ed53c6 100644 --- a/en/docs/setup/deployment-guide.md +++ b/en/docs/setup/deployment-guide.md 
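Review bot: The heading `##Configuring an external database as JDBC user store.` in the new configuring-a-seperate-session-store.md has two problems: no space after `##` (MkDocs will not render it as a heading) and it says "user store" where the page is about the session store; the same missing space affects `##Configuring the internal database as session store`. Security points on the samples: every external example uses `username = "root"` / `password = "root"`, and the MySQL URL carries `useSSL=false`, which disables TLS on the session database connection; label these as local-test values and point readers to an encrypted connection and a dedicated, least-privileged database user for production. The filename is also misspelled (`seperate`), which will stick in URLs once published.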
@@ -251,7 +251,54 @@ WSO2 supports the following membership schemes for clustering consume this docker image to create a `Task Definition` and run a new `Service` or a `Task` on the `AWS ECS cluster` that you created. - + + ??? tip "Click to see the instructions for Kubernetes membership scheme" + When IS nodes are deployed in a clustered mode on Kubernetes, the Kubernetes Membership Scheme enables automatically discovering these servers. The Kubernetes Membership Scheme supports finding the pod IP addresses using the Kubernetes API. + + - If not already present, download and copy the [kubernetes-membership-scheme-1.x.x.jar](https://github.com/wso2/kubernetes-common/tags) to the `/repository/components/dropins/` directory. + + - Configure the `/repository/conf/deployment.toml` file with the following. + + + | Parameter | Description | Example | + |-----------------------------------------|------------------------------------------------------------------------------------------------------------|----------------| + | membershipScheme | This is the membership scheme that will be used to manage the membership of nodes in a cluster. | kubernetes | + | local_member_host | This is the hostname or the IP address of the member. Set it to the pod's local IP address. | 172.17.0.2 | + | local_member_port | This is the TCP port that is used by this member and through which other members will contact this member. | 4000 | + | membershipSchemeClassName | org.wso2.carbon.membership.scheme.kubernetes.KubernetesMembershipScheme | | + | KUBERNETES_NAMESPACE | This is the Kubernetes Namespace in which the pods are deployed, | wso2-is | + | KUBERNETES_SERVICES | These are the Kubernetes Services that belong in the cluster. | wso2is-service | + | KUBERNETES_MASTER_SKIP_SSL_VERIFICATION | This defines whether the SSL certificate verification of the Kubernetes API should be carried out or not. 
| true | + | USE_DNS | This configures the membership scheme to use Kubernetes API for pod IP resolution. Set this to false . | false | + + + ``` + [clustering] + membership_scheme = "kubernetes" + local_member_host = "172.17.0.2" + local_member_port = "4000" + + [clustering.properties] + membershipSchemeClassName = "org.wso2.carbon.membership.scheme.kubernetes.KubernetesMembershipScheme" + KUBERNETES_NAMESPACE = "wso2-is" + KUBERNETES_SERVICES = "wso2is-service" + KUBERNETES_MASTER_SKIP_SSL_VERIFICATION = true + USE_DNS = false + ``` + - In order to retrieve the pod IP addresses information from the Kubernetes apiserver, the Kubernetes membership scheme uses the pods service account. Hence, the pods need to be associated with a service account that has permission to read the "endpoints" resource. Make sure the Role you bind has the following permissions. + ``` + rules: + - apiGroups: [""] + verbs: ["get", "list"] + resources: ["endpoints"] + ``` + - Optionally, a Kubernetes token or basic authentication can be used to authenticate with the Kubernetes apiserver. The following properties can be set under `[clustering.properties]` accordingly. + - KUBERNETES_API_SERVER : This is the Kubernetes API endpoint,e.g., http://172.17.8.101:8080 . Alternatively, an https endpoint can be set via KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS. + - KUBERNETES_SERVICE_HOST : This is the Kubernetes API host name or IP address, e.g., kuberneteshostname + - KUBERNETES_SERVICE_PORT_HTTPS : This is the Kubernetes API https listening port. This must be an Integer value. + - KUBERNETES_API_SERVER_TOKEN : This is the Kubernetes Master token for authentication (optional), e.g., yourkubernetestoken. + - KUBERNETES_API_SERVER_USERNAME : This is the Kubernetes Master username (optional), e.g., admin. + - KUBERNETES_API_SERVER_PASSWORD : This is the Kubernetes Master password (optional). 2. Configure caching. 
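Review bot: In the Kubernetes membership scheme tip, the sample `[clustering.properties]` sets `KUBERNETES_MASTER_SKIP_SSL_VERIFICATION = true`, and the table describes the property as "whether the SSL certificate verification of the Kubernetes API should be carried out or not", so a reader cannot tell which value disables verification. State plainly that `true` skips verification of the API server certificate, ship the example with `false`, and leave `true` as a documented debugging option. Smaller points: the `membershipSchemeClassName` row has the class name in the Description column and an empty Example cell; `local_member_port = "4000"` is quoted while the prose calls it a TCP port, so check whether the config expects a string or an integer. The Role snippet is fine as written, since it limits the service account to `get`/`list` on `endpoints`.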
@@ -441,14 +488,11 @@ To enable synchronization for runtime artifacts you must have a shared file syst Once you have chosen a file system, 1. Mount it in the nodes that are participating in the cluster. -2. Create two directories called `Deployment` and `Tenants` in the shared file system. -3. Create a symlink from the `/repository/deployment` path to the `Deployment` directory of the shared -file system that you created in step 2 of this section. -4. Create a symlink from the `/repository/tenants` path to the `Tenants` directory of the shared file -system that you created in step 2 of this section. +2. If the userstores need to be updated at runtime, create a directory called `Userstores` in the shared file system and create a symlink from the `/repository/deployment/server/userstores` path to the `Userstores` directory. +3. If multi-tenancy is required, create a directory called `Tenants` in the shared file system and create a symlink from the `/repository/tenants` path to the `Tenants` directory. !!! note - Instead of mounting the file system directly to the `/repository/deployment` and + Instead of mounting the file system directly to the `/repository/deployment/server/userstores` and `/repository/tenants` paths, a symlink is created to avoid issues that may occur if you delete the product to redeploy it, the file system would get mounted to a non-existing path. diff --git a/en/docs/setup/migrating-preparing-for-migration.md b/en/docs/setup/migrating-preparing-for-migration.md index 8daa9a8176..77e645cbdd 100644 --- a/en/docs/setup/migrating-preparing-for-migration.md +++ b/en/docs/setup/migrating-preparing-for-migration.md 
@@ -21,6 +21,117 @@ With WSO2 Identity Server 5.11.0, groups and roles are separated. For more information, see [What Has Changed in 5.11.0](../../setup/migrating-what-has-changed#group-and-role-separation). +## Groups and Roles Improvements Migration + +With WSO2 Identity Server 5.12.0, groups and roles improvements are introduced. For more information, see [What Has Changed in 5.11.0](../../setup/migrating-what-has-changed#Group and role separation Improvements). + +Please note that following abbreviations are used in the sections below. + +* Wso2.role claim = http://wso2.org/claims/role +* Wso2.roles claim = http://wso2.org/claims/roles +* Wso2.groups claim = http://wso2.org/claims/groups + +Please refer to the below sections related to this improvement. + +### Claim configuration changes + +Following changes are added to the product claims. + +* Wso2.role claim - Modified + * Remove `supported by default` + * Change display name to `Roles and groups` + * Change description to `Include both userstore groups and internal roles` +* Wso2.roles claim - New + * Display name : Roles + * AttributeID: roles + * Description: Roles + * Add `Supported by default` + * Add `read-only` +* Wso2.groups claim - Modified + * Add `supported by default` + * Add `read-only` +* OIDC group claim - Modified + * Change mapped local claim to wso2.groups claim +* OIDC roles claim - New + * Mapped to the local claim, wso2.roles +* SCIM2 roles.default claim - Modified + * Change mapped local claim to wso2.roles claim + +#### Migration preparation for claim changes +* All claim configurations are already configured OOTB in the fresh pack, and will be done via the + migration client for migrating deployments. No need to configure these manually. +* Any custom external claim mapped to the wso2.role claim should be mapped to either wso2.roles + or wso2.groups claim as per the requirement of the custom use case. 
+* Our recommendation is to fix any consuming client to become compatible with these changes. + But if somehow the above configs need to be reverted(possibly in a migrated deployment), it can + be done via calling IS server [Claim Management REST APIs](../develop/claim-management-rest-api.md). + +### Utilizing carbon kernel level support + +The following abstract userstore manager APIs: `getUserClaimValues()`, `getUsersClaimValues()`, +`getUserClaimValuesWithID()`, `getUsersClaimValuesWithID()` now support both wso2.roles +and wso2.groups claims properly. We recommend modifying custom extensions to request wso2.roles or wso2.groups +via above APIs rather depending on wso2.role claim. + +### Service provider role mapping and identity provider role mapping restrictions + +We recommend removing existing SP and IdP role mappings which use groups, and utilize roles to achieve the same functionality. + +### OIDC group claim return groups + +OIDC group claim does not return internal roles anymore. We recommend modifying applications and +custom extensions to utilize this behaviour. If roles are required, utilize the OIDC roles claim. + +### Obtaining roles via the SAML assertion + +We recommend applications and custom extensions to switch from wso2.role to the wso2.roles claim in +the SAML assertion. + +### SCIM2 roles.default claim returns roles and groups claim return groups + +Previously the roles.default claim in SCIM2 returned both groups and roles as it was mapped to +the wso2.roles claim. Going forward it is mapped to the wso2.roles claim, where only roles are +returned. In order to get groups, `urn:ietf:params:scim:schemas:core:2.0:User:groups` claim should +be used instead since with this improvement it is returning groups as intended. + +### Groups and roles in SCIM2 user response + +Previously users and roles in the SCIM2 user response returned as a comma separated single entity. +However, that has been changed, and now they return as separate complex entities. 
We recommend +modifying clients that consume this response. + +### Backward compatibility + +Groups and roles separation improvements brings enhanced clarity, and improved performance to the +product. However, it’s inevitable to bring all the goodness with zero compromises. Therefore, as +mentioned above, some applications, customizations, and integration flows might need some changes +to fully adapt to these improvements. + +Nevertheless, all of the above improvements and the behavioural changes are introduced in a way +that existing deployments can adapt to the new state as easily as possible. However, if it's +mandatory to preserve previous behaviour and avoid enabling the improvements mentioned above, the +following configuration option(enabled by default) can be used in the `/repository/conf/deployment.toml` file. + +```java +[authorization_manager.properties] +group_and_role_separation_improvements_enabled = false +``` + +But this configuration option only ensures that the code level logic is reverted to the previous behaviour. +If the improvements are already applied(fresh IS server pack and a migrated pack with group-role migration step completed), these +claim configuration changes needs to be reverted manually in both tenants and super-tenant prior setting the above config to false. To do this, +please refer to the claim changes introduced with this effort and revert them manually or via a script. + +In order to stop claim data migration related to the groups vs roles improvements during the +migration, open migration-configs.yaml file and remove the 5th step from 5.12.0 migration section prior to the migration. + +```java + - name: "ClaimDataMigrator" + order: 5 + parameters: + overrideExistingClaims: "true" + useOwnDataFile: "true" +``` ## Migrating custom components diff --git a/en/docs/setup/migrating-what-has-changed.md b/en/docs/setup/migrating-what-has-changed.md index 6dd505b3b9..43a660d8fd 100644 --- a/en/docs/setup/migrating-what-has-changed.md 
+++ b/en/docs/setup/migrating-what-has-changed.md 
@@ -72,6 +72,84 @@ From WSO2 Identity Server 5.11.0 onwards, this has been redesigned and groups an ![relationship-between-groups-and-roles](../../assets/img/setup/groups-roles-relationship.png) +## Group and role separation improvements + +Identity server 5.11.0 introduced group and role separation. + +However, only certain flows were making use of this separation, and it was not adopted throughout +the product flows. This release introduces changes to the product flows to adapt this separation. + +### Abbreviations + +* Wso2.role claim = http://wso2.org/claims/role +* Wso2.roles claim = http://wso2.org/claims/roles +* Wso2.groups claim = http://wso2.org/claims/groups + +### List of improvements + +Following are the improvements introduced with this effort. + +#### Carbon kernel level support + +`getUserClaimValues()`, `getUsersClaimValues()`, `getUserClaimValuesWithID()`, `getUsersClaimValuesWithID()` +are the APIs from carbon kernel which provide claim values of users at the OSGi level. Previously +these APIs specifically treated the wso2.role claim so that it would return both roles and groups. +Now in addition to that, both wso2.groups and wso2.roles (a new claim introduced with this effort) +claims return groups and roles respectively. + +#### The usage of wso2.role claim going forward. + +Wso2.role claim is no longer encouraged to be used in configurations(such as role mapping, +requested claims, etc), and with extensions. Therefore, following changes are made regarding the +wso2.role claim. + +* No longer a ‘supported by default’ claim +* Hidden from listing local claims(local claims section, requested claims section in service + providers, adding/editing external claims section, etc) +* Hidden from the user profile + +The following claims are the alternatives that must be utilized instead. + +* Wso2.roles claim + * A newly introduced claim URI. 
+ * Treated similar to the wso2.role claim(read-only, supported by default, etc) + * Contain Internal roles of a user +* Wso2.groups claim + * Proper utilization of an existing claim URI. + * Treated similar to the wso2.role claim(read-only, supported by default, etc). + * Contain groups of a user + +#### Service provider role mapping and identity provider role mapping restrictions + +Previously IdP and SP role mappings supported mappings having both groups and roles. Further +explaining, earlier it was possible to add mappings with roles with or without the `Internal/` +domain prefixed. However, going forward only roles are supported for role mapping where entities +without `Internal/` domain prepended cannot be used. + +#### OIDC group claim return groups + +Previously OIDC groups claims returned both groups and roles as it was mapped to the wso2.role +claim. Now it is mapped to the wso2.groups claim, thus only returns user’s groups. + +#### A new OIDC claim for roles + +Now, since the OIDC groups claim will return groups only, applications cannot obtain roles from it. +Therefore, a new OIDC claim, `roles` is introduced. This claim is mapped to the local claim +`roles` and will contain roles of the user. + +#### Obtaining roles via the SAML assertion + +Previously the wso2.role was used as a requested claim and configured in the SAML attribute profile +to obtain roles or groups since this claim included both. Now instead of that, wso2.groups claim should be +used by applications to consume groups and wso2.roles claim should be used to consume roles. + +#### SCIM2 roles.default claim returns roles only + +Previously the roles.default claim in SCIM2 dialect returned both groups and roles as it was mapped to the +wso2.role claim. Going forward, it is mapped to the wso2.roles claim, where only roles are +returned. 
In order to get groups, `urn:ietf:params:scim:schemas:core:2.0:User:groups` claim should +be used instead, since with this improvement it is returning groups as intended. + ## Upgrade from OpenSAML2 to OpenSAML3 With 5.11.0, WSO2 IS has upgraded to OpenSAML 3. Follow the instructions given below to make sure this upgrade does not cause any issue. @@ -384,4 +462,3 @@ If this happens, do the following to manually change the following configuration 2. Click **Resident** under **Identity Providers**. 3. Expand **Inbound Authentication Configuration** and then expand **OAuth2/OpenID Connect Configuration**. 4. Remove the port number `:443` from the **Identity Provider Entity ID** URL. - diff --git a/en/docs/setup/working-with-product-observability.md b/en/docs/setup/working-with-product-observability.md index 882a5113b0..7010adc3b5 100644 --- a/en/docs/setup/working-with-product-observability.md +++ b/en/docs/setup/working-with-product-observability.md @@ -45,7 +45,7 @@ database calls. appender.CORRELATION.type = RollingFile appender.CORRELATION.name = CORRELATION appender.CORRELATION.fileName =${sys:carbon.home}/repository/logs/correlation.log - appender.CORRELATION.filePattern =${sys:carbon.home}/repository/logs/correlation-%d{MM-dd-yyyy}.log + appender.CORRELATION.filePattern =${sys:carbon.home}/repository/logs/correlation-%d{MM-dd-yyyy}.%i.log appender.CORRELATION.layout.type = PatternLayout appender.CORRELATION.layout.pattern = %d{yyyy-MM-dd HH:mm:ss,SSS}|%X{Correlation-ID}|%t|%mm%n appender.CORRELATION.policies.type = Policies diff --git a/en/docs/setup/writing-a-custom-user-store-manager.md b/en/docs/setup/writing-a-custom-user-store-manager.md index a264aa83da..363f9e780e 100644 --- a/en/docs/setup/writing-a-custom-user-store-manager.md +++ b/en/docs/setup/writing-a-custom-user-store-manager.md 
@@ -516,16 +516,15 @@ in your WSO2 product. directory. 2. Add the following configuration to the `/repository/conf/deployment.toml` file to use our custom implementation for user store management. - Although the existing `UniqueID` user stores are allowed by default, when adding a new user store, note that both existing user stores as well as new user stores must be configured as shown below. ```toml tab="Format" [user_store_mgt] - allowed_user_stores=[,""] + custom_user_stores=[""] ``` ```toml tab="Sample" [user_store_mgt] - allowed_user_stores=["org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager", "org.wso2.carbon.user.core.ldap.UniqueIDActiveDirectoryUserStoreManager","org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager","org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager","org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"] + custom_user_stores=["com.wso2.custom.usermgt.CustomUserStoreManager"] ``` !!! tip diff --git a/en/docs/setup/wso2-identity-server-feature-deprecation.md b/en/docs/setup/wso2-identity-server-feature-deprecation.md index 93c26417a2..f332a92346 100644 --- a/en/docs/setup/wso2-identity-server-feature-deprecation.md +++ b/en/docs/setup/wso2-identity-server-feature-deprecation.md @@ -75,7 +75,8 @@ This feature is currently disabled in the product and can be enabled by adding t ```toml [[legacy_feature]] - id = "identity/connect/dcr" + id = "oauth" + version = "1.0" enable = true ```

@@ -106,6 +107,16 @@ Our recommendation is to migrate to OAuth 2.0 FUTURE + + Tenant Management REST API + + Tenant qualified URLs will not be supported for tenant management REST APIs. + + 5.12.0 + + 5.12.0 + + Please refer EOL dates of a product from here: [WSO2 Product Support Lifecycle](https://wso2.com/products/support-matrix/). diff --git a/en/mkdocs.yml b/en/mkdocs.yml index 21eaee3b75..76e509dde7 100644 --- a/en/mkdocs.yml +++ b/en/mkdocs.yml @@ -18,12 +18,12 @@ site_name: WSO2 Identity Server Documentation site_description: Documentation for WSO2 Identity Server site_author: WSO2 -site_url: https://is.docs.wso2.com/en/latest/ +site_url: https://is.docs.wso2.com/en/5.12.0/ # Repository repo_name: wso2/docs-is repo_url: https://github.com/wso2/docs-is -edit_uri: https://github.com/wso2/docs-is/edit/5.11.0/en/docs/ +edit_uri: https://github.com/wso2/docs-is/edit/master/en/docs/ # Copyright copyright: WSO2 Identity Server - Documentation @@ -37,7 +37,7 @@ theme: accent: deep-orange custom_dir: theme/material logo: images/logo.svg - favicon: images/favicon.png + favicon: assets/img/favicon.png highlightjs: true feature: tabs: true @@ -87,6 +87,7 @@ nav: - 'Admin-Initiated': learn/configuring-admin-initiated-account-locking.md - 'Failed Login Attempts': learn/configuring-account-locking-due-to-failed-login-attempts.md - 'Account Disabling': learn/configuring-account-disabling.md + - 'Pending Account Status': learn/pending-account-status.md - 'Single Sign-On': - 'SAML 2.0': learn/configuring-single-sign-on-saml.md - 'OpenID Connect/OAuth 2.0': learn/configuring-single-sign-on-oidc.md 
@@ -141,6 +142,7 @@ nav: - 'Configuring OAuth2-OpenID Connect Single-Sign-On': learn/configuring-oauth2-openid-connect-single-sign-on.md - 'Configuring OpenID Connect Single Logout': learn/configuring-openid-connect-single-logout.md - 'Configuring OpenID Connect Back-Channel Logout ': learn/configuring-openid-connect-back-channel-logout.md + - 'Configuring OIDC Federated Identity Provider Initiated Logout': learn/configuring-oidc-federated-idp-initiated-logout.md - 'Logging into WordPress using the Identity Server': learn/logging-in-to-wordpress-using-the-identity-server.md - 'Logging into OpenCart using the Identity Server': learn/logging-in-to-opencart-using-the-identity-server.md - 'Logging into Drupal using the Identity Server': learn/logging-into-drupal-using-the-identity-server.md @@ -353,6 +355,7 @@ nav: - 'Locking a Specific User Account': learn/locking-a-specific-user-account.md - 'Account Disabling': learn/account-disabling.md - 'Setting Up ReCaptcha': learn/setting-up-recaptcha.md + - 'Multi Attribute Login': learn/multi-attribute-login.md - 'Workflows': - 'Workflows': learn/workflow-management.md - 'Adding a workflow Engine': @@ -371,6 +374,7 @@ nav: - 'Creating and Managing Tenants': learn/creating-and-managing-tenants.md - 'Using Email Address as the Username': learn/using-email-address-as-the-username.md - 'Managing Consent Purposes': learn/managing-consent-purposes.md + - 'Configuring Uniqueness of Claims': learn/configuring-uniqueness-of-claims.md - 'Identity Bus': - 'Identity Bus': learn/identity-bus.md - 'Adding and Configuring a Service Provider': 
@@ -418,6 +422,7 @@ nav: - 'Refresh Token Grant': learn/refresh-token-grant.md - 'Kerberos Grant': learn/kerberos-grant.md - 'JWT Bearer Grant': learn/jwt-grant.md + - 'Device Authorization grant': learn/device-flow-grant.md - 'SAML2 Bearer Assertion Profile for OAuth 2.0': learn/saml2-bearer-assertion-profile-for-oauth-2.0.md - 'Setting Up OAuth Token Hashing': learn/setting-up-oauth-token-hashing.md - 'JWT Token Generation': learn/jwt-token-generation.md @@ -466,6 +471,7 @@ nav: - 'Prerequisites to Publish Statistics': - 'Prerequisites to Publish Statistics': learn/prerequisites-to-publish-statistics.md - 'Enabling Geolocation Based Statistics': learn/enabling-geolocation-based-statistics.md + - 'Creating Geo Location Data Set': learn/creating-geo-location-dataset.md - 'Analyzing the Authentication Operations': - 'Analyzing the Authentication Operations': learn/analyzing-the-authentication-operations.md - 'Accessing the Analytics Dashboard': learn/accessing-the-analytics-dashboard.md @@ -493,6 +499,7 @@ nav: - 'Try Password Grant': learn/try-password-grant.md - 'Try Request Path Authentication': learn/try-request-path-authentication.md - 'Setting up a SAML2 Bearer Assertion Profile for OAuth 2.0': learn/setting-up-a-saml2-bearer-assertion-profile-for-oauth-2.0.md + - 'Try Device Flow Grant': learn/try-device-flow.md - 'OpenIDConnect': - 'Basic Client Profile with Playground': learn/basic-client-profile-with-playground.md - 'Implicit Client Profile with Playground': learn/implicit-client-profile-with-playground.md 
@@ -575,6 +582,7 @@ nav: - 'Identity Governance': develop/identity-governance-rest-api.md - 'Identity Providers': develop/idp-rest-api.md - 'Keystore Management': develop/keystore-rest-api.md + - 'Notification Senders': develop/notification-sender-rest-api.md - 'Server Configurations': develop/configs-rest-api.md - 'OAuth2 Scope Management': develop/oauth2-scope-management-rest-apis.md - 'OpenID Connect Scope Management': develop/oidc-scope-management-rest-apis.md @@ -613,6 +621,7 @@ nav: - 'Managing Tenants with APIs': develop/managing-tenants-with-apis.md - 'Entitlement with APIs': - 'Entitlement with APIs': develop/entitlement-with-apis.md + - 'IdP Session Extending API': develop/idp-session-extender-endpoint.md - 'Re-branding User Interfaces': - 'Re-branding WSO2 Identity Server UIs': develop/customizing-identity-server-uis.md - 'Re-branding the Default Login Page for Your Application': develop/customizing-login-pages-for-service-providers.md @@ -668,6 +677,7 @@ nav: - 'Configuring the User Realm': setup/configuring-the-realm.md - 'Configuring the Authorization Manager': setup/configuring-the-authorization-manager.md - 'Configuring the System Administrator': setup/configuring-the-system-administrator.md + - 'Configuring a Separate JDBC Session Store': setup/configuring-a-seperate-session-store.md - 'Configuring User Stores': - 'Configuring User Stores': setup/configuring-user-stores.md - 'Configuring the Primary User Store': @@ -745,7 +755,6 @@ nav: - 'Identity Provider Related Tables': administer/identity-provider-related-tables.md - 'Using Tools': - 'Using Tools': administer/using-tools.md - - 'Using the SAML2 Toolkit': administer/using-the-saml2-toolkit.md - 'Using the XACML TryIt Tool': - 'Using the XACML TryIt Tool': administer/using-the-xacml-tryit-tool.md - 'Evaluating a XACML Policy': administer/evaluating-a-xacml-policy.md 
@@ -788,7 +797,9 @@ nav: - 'Adding Multiple Keys to the Primary Keystore': administer/adding-multiple-keys-to-the-primary-keystore.md - 'Symmetric Encryption': - 'Overview': administer/symmetric-overview.md - - 'Related Configurations': administer/using-symmetric-encryption.md + - 'Related Configurations': administer/using-symmetric-encryption.md + - 'Key Rotation': + - 'Symmetric Data Encryption Key Rotation': administer/blue-green-data-encryption-keyrotation.md - 'Mitigating Cross Site Request Forgery Attacks': administer/mitigating-cross-site-request-forgery-attacks.md - 'Mitigating Authorization Code Interception Attacks': administer/mitigating-authorization-code-interception-attacks.md - 'Mitigating Brute Force Attacks': administer/mitigating-brute-force-attacks.md @@ -815,6 +826,7 @@ nav: - 'Evolution of Identity Federation Standards': references/evolution-of-identity-federation-standards.md - 'Adaptive Authentication JS API Reference': references/adaptive-authentication-js-api-reference.md - 'Scopes Corresponding to Permissions Required to Invoke API Calls' : references/scopes-corresponding-to-api-permissions.md + - 'Usernames in WSO2 Identity Server' : references/usernames-in-identity-server.md - '': page-not-found.md @@ -863,7 +875,7 @@ extra: link: https://twitter.com/wso2 - type: linkedin link: https://www.linkedin.com/company/wso2 - site_version: 5.11.0 + site_version: 5.12.0 nav_list: - Home
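Review bot: In the Kubernetes membership scheme hunk, the sample `[clustering.properties]` block sets `KUBERNETES_MASTER_SKIP_SSL_VERIFICATION = true` and the table gives `true` as the example, so a reader who copies the snippet turns off certificate verification of the Kubernetes API server and loses the protection against a spoofed apiserver feeding the cluster false member addresses. Suggest `false` as the example value with a sentence that `true` is for local testing only; the same applies to the `KUBERNETES_API_SERVER` example `http://172.17.8.101:8080`, where the https form via `KUBERNETES_SERVICE_HOST` / `KUBERNETES_SERVICE_PORT_HTTPS` that the doc already mentions should be the one shown first. Two smaller points: the table names the key `membershipScheme` while the TOML uses `membership_scheme`, and `KUBERNETES_API_SERVER_TOKEN` and `KUBERNETES_API_SERVER_PASSWORD` are credentials placed in `deployment.toml`, so the doc should say how they are to be protected rather than listing them only as plain properties.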
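Review bot: In the runtime-artifact synchronization hunk, steps 2 and 3 are now both conditional ("If the userstores need to be updated at runtime", "If multi-tenancy is required") while the introductory sentence still states that a shared file system is required, so the doc should say what a deployment that needs neither has to do. The removed step 3 symlinked the whole `/repository/deployment` tree and the replacement covers only `/repository/deployment/server/userstores`; a sentence explaining why the rest of the deployment tree no longer needs sharing would help readers migrating an existing setup. The `!!! note` is also a run-on; suggest "a symlink is created to avoid issues that may occur if you delete the product to redeploy it. Otherwise the file system would be mounted to a non-existing path."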
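Review bot: In the "Groups and Roles Improvements Migration" hunk, the link `../../setup/migrating-what-has-changed#Group and role separation Improvements` has spaces in its fragment and its text reads "What Has Changed in 5.11.0" although the paragraph introduces 5.12.0; the heading added in the companion file is "Group and role separation improvements", so the fragment should be its slug (for example `#group-and-role-separation-improvements`) and the text should name 5.12.0. Under "SCIM2 roles.default claim returns roles and groups claim return groups" the first sentence says the claim "was mapped to the wso2.roles claim" and the next says it "is mapped to the wso2.roles claim", which contradicts itself; the previous mapping is wso2.role, as the what-has-changed file states. Both fenced blocks are tagged ```java although one is TOML and the other YAML; use `toml` and `yaml`. The backward-compatibility paragraph already warns that `group_and_role_separation_improvements_enabled = false` only reverts code logic and that claim changes must be undone first; since a half-reverted state hands clients roles where they expect groups, spelling that out as an ordered list (revert claims in every tenant, set the flag, restart) would be clearer than the current prose.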
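Review bot: In the "Group and role separation improvements" hunk, the heading "#### The usage of wso2.role claim going forward." ends with a period unlike its sibling headings, "Identity server 5.11.0" should read "Identity Server 5.11.0", and the alternatives list mixes "Contain Internal roles of a user" with "Contain groups of a user" (suggest "Contains the internal roles of a user" / "Contains the groups of a user"). Under "A new OIDC claim for roles", "mapped to the local claim `roles`" should give the full URI `http://wso2.org/claims/roles` (the wso2.roles abbreviation defined above) so the local claim is not confused with the OIDC claim of the same name.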
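Review bot: In the correlation-log hunk, `%i` is added to `appender.CORRELATION.filePattern` with no explanation in the surrounding text; Log4j2 requires the `%i` index in the file pattern when a size-based triggering policy is used with a `RollingFile` appender, so a one-line remark on why the pattern changed (and, if that is what the `Policies` block below configures, showing the size policy) would stop readers from carrying over the old pattern.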
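Review bot: In the custom user store manager hunk, the sentence explaining that the existing `UniqueID` user stores are allowed by default is removed and `allowed_user_stores` becomes `custom_user_stores`, but nothing states what the new key does: whether it is an allow-list restricting which user store manager classes the server will load (a security-relevant control, since a user store manager handles credentials) or merely registers the class for the management console. Suggest one sentence on its semantics and the product version from which `custom_user_stores` applies. The Format tab also shows `custom_user_stores=[""]`, an empty string where a placeholder such as a fully qualified class name is presumably intended (an angle-bracket placeholder may have been stripped by the renderer).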
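Review bot: In the feature-deprecation hunk, the `[[legacy_feature]]` snippet now enables `id = "oauth"` with `version = "1.0"` directly under text recommending migration to OAuth 2.0; the same paragraph should say that this re-enables the deprecated OAuth 1.0 endpoints and is meant only for a transition period, and it should state whether `version` is required for every `legacy_feature` entry or only for this id, since the replaced `identity/connect/dcr` entry had none.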
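Review bot: In the Tenant Management REST API deprecation row, both version cells read 5.12.0; if these are the deprecation and removal releases, as the neighbouring row ending in FUTURE suggests, the entry leaves no deprecation period for tenant qualified URLs, so either confirm that the support is removed outright in 5.12.0 and say so, or give the later removal release. "Please refer EOL dates of a product from here" should read "Please refer to the EOL dates of a product here".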
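Review bot: In the first mkdocs.yml hunk, `site_url` moves to `/en/5.12.0/` while `edit_uri` moves from the `5.11.0` branch to `master`, so the edit links on the 5.12.0 site will open files on master rather than on a 5.12.0 release branch; if such a branch exists, `edit_uri` should point at it so that edits land on the version the reader was viewing.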
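Review bot: In the nav hunk starting at `@@ -418,6 +422,7 @@`, 'Device Authorization grant' breaks the Title Case of the neighbouring entries; suggest 'Device Authorization Grant'.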
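Review bot: In the nav hunk starting at `@@ -668,6 +677,7 @@`, the new path `setup/configuring-a-seperate-session-store.md` misspells "separate"; renaming the file now is cheaper than later, since the misspelled URL will otherwise be published and linked to.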
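Review bot: In the nav hunk starting at `@@ -745,7 +755,6 @@`, removing 'Using the SAML2 Toolkit' from the nav without a corresponding deletion or redirect of `administer/using-the-saml2-toolkit.md` in this diff leaves the page reachable by direct URL but orphaned; either remove the file in the same change or add a redirect.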