Provisioning

ref Provisioning means Create, maintain and delete user accounts and related identities in one or more systems or applications.

ref

Inbound provisioning

Users coming from other applications - inbound. User is created in App1, if the IS want that user to be created in IS as well, then IS must be configured in inbound provisioning.

Using Resident indentity provider

Here you have to select the user store in which you wanted to store the user. You can send the scim request from your App1 to IS as follows

curl -v -k — user <user_name>:<password>— data “{“schemas”:[],”name”:{“familyName”:”kayal",”givenName”:”Nilasini"},”userName”:”nila",”password”:”nila2",”emails”:[{“primary”:true,”value”:”nilasini2@wso2.com”}]}” — header “Content-Type:application/json”

https://localhost:9443/wso2/scim/Users

Using service provider

When the application uses OAuth2, a service provider account should be created in the IS.

After that send the scim request (from App1 to IS) with the access token as follows.

curl -v -k — header “Authorization: Bearer <access_token>” — data ‘{“schemas”:[],”name”:{“familyName”:”fernando",”givenName”:”yohanna"},”userName”:”yohanna",”password”:”yohanna",”emails”:[{“primary”:true,”value”:”yohanna2@wso2.com”}]}’ — header “Content-Type:application/json”

https://localhost:9443/wso2/scim/Users

Outbound provisioning

Outbound provisioning means, when you create a user in identity server it must be created in the other application (name the application as APP2).

First I need to configure internal IS for outbound provisioning and then need to configure external IS for inbound provisioning discussed above.TO do that first I need two IS instances. I am going to use port off set to run two IS at the same time. To do that you need to execute the following command when executing external IS so that it will run on port 9444 while internal IS will run in the usual port 9443.

sh wso2server.sh -DportOffset=1

Configure internal IS for outbound provisioning

First thing you need to create an Identity provider (that identity provider is external IS) with following configuration.(You can add IP using “add” under the Identity provider in the left pane of WSO2).

This outbound provision connector has the endpoint and authentication details of the external IS.

Configure external IS for inbound provisioning

JIT provisioning

JIT provisioning which allows to create user accounts automatically for the sign-on users in the Identity Server.Just-in-time provisioning talks about how to provision users to the identity server — at the time of federated authentication.

SCIM

  1. Implemented as native feature from 5.6.0, earlier it was available as an extension, ref.

Configurations

Adding multiple callback URLs to the service provider

  1. Access the Management Console via https://localhost:9443/carbon/.
  2. Navigate to Service Providers > List and Edit the service provider that you created for the OAuth2 application.
  3. Edit the Callback URL field and enter a logout URL along with the callback URL that you defined when you created the service provider.
  4. regexp=(callback_url|logout_url)

You can specify multiple callback URLs using a regex pattern as follows: Example:

regexp=(http://localhost:8080/playground2/oauth2client|http://localhost:8080/playground2/logout)

Claim mapping when using multiple user stores

ref

When mail is mapped as claim, it will appear as comma seperated values of mail in string format.

APIs

All Rest APIs

APIs to manage Service providers

Applications

API’s to import and export application, service provider’s, configurations, and to manage applications(SP configurations). These API’s will also get all the related configuration of the application. Roles and Permissions can also be managed.

Roles and permission management

  1. “updateApplication” endpoint with “PermissionsAndRoleConfig” with config.

Permissions required to invoke Admin services

details

Scopes

ref

OpenID Scope

These are the scopes that bind to user attributes(WSO2 claims). You can use OIDC scopes to limit access user’s attributes. Managing openid scopes: list scopes asocciated and edit them, add or remove.

OAuth2 Scope

These are the scopes that bind to roles (DEFAULT) and permissions(PERMISSION). By default these scopes will be bind to roles, but if you want you can bind these to permissions as well. For now, in WSO2 Identity Server Permission binding is used in the internal purpose only

Inbound vs Outbound authentication?

Inbound -> authenticate locally Outbound -> use external IP to handle authentication.

https://buddhimawijeweera.wordpress.com/2021/07/25/introduction-to-wso2-identity-server/ Good definitions of vocabulary here.