Saturday, May 27, 2017

WSO2 APIM: Partitioned Publisher Groups

In WSO2 API Manager, anybody holding the publisher role can create, edit and delete any API. Sometimes the requirement is to limit this so that each organizational unit (finance, HR, engineering, and so on) can only edit and delete its own APIs. This can be achieved by defining one role per group and granting edit and delete permission on each published API only to the publishing user's group roles.

First define the roles in the API manager to represent different groups.
  • publisher_finance
  • publisher_hr
  • publisher_engineering

Then register a listener for the API publish event. This can be done by writing a custom lifecycle listener, for example a governance registry lifecycle (LC) executor attached to the Publish transition. When an API is published by a user, the executor should:
  1. Discover the roles of the user and pick out the group roles.
  2. Allow only those roles to edit and delete the API by modifying the permissions of the registry resource that represents the API (leave read permission alone so Store visibility keeps following the API's own visibility setting).
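The following executor is an added example of the two steps above; it is not code from the original post or from WSO2 itself. It implements the governance registry `Execution` interface, reads the publishing user's roles from the thread-local Carbon context, and rewrites the PUT and DELETE authorizations on the API's registry resource. The package name, the `publisher_` prefix convention, the name of the shared publisher role (`Internal/publisher`), the `Published` target state and the `/_system/governance` path prefix are assumptions and should be checked against your API Manager version.

```java
// Hypothetical package name; not part of WSO2 API Manager.
package com.example.apim.lifecycle;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.governance.registry.extensions.interfaces.Execution;
import org.wso2.carbon.registry.core.ActionConstants;
import org.wso2.carbon.registry.core.RegistryConstants;
import org.wso2.carbon.registry.core.jdbc.handlers.RequestContext;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserRealm;

public class PartitionedPublisherExecutor implements Execution {

    private static final Log log = LogFactory.getLog(PartitionedPublisherExecutor.class);

    // Assumed naming convention: every group (partition) role starts with this prefix.
    private static final String PARTITION_ROLE_PREFIX = "publisher_";
    // Assumed name of the shared publisher role that should lose write access per API.
    private static final String DEFAULT_PUBLISHER_ROLE = "Internal/publisher";
    // Assumed target state of the Publish transition in the API lifecycle.
    private static final String PUBLISHED_STATE = "Published";

    @Override
    public void init(Map parameterMap) {
        // This executor needs no configuration parameters from the lifecycle definition.
    }

    @Override
    public boolean execute(RequestContext context, String currentState, String targetState) {
        if (!PUBLISHED_STATE.equalsIgnoreCase(targetState)) {
            return true; // only act on the transition into the Published state
        }
        try {
            CarbonContext carbonContext = CarbonContext.getThreadLocalCarbonContext();
            String username = carbonContext.getUsername();
            UserRealm realm = carbonContext.getUserRealm();

            // Step 1: discover the publishing user's roles and keep only the group roles.
            List<String> partitionRoles = new ArrayList<String>();
            for (String role : realm.getUserStoreManager().getRoleListOfUser(username)) {
                if (role.startsWith(PARTITION_ROLE_PREFIX)) {
                    partitionRoles.add(role);
                }
            }
            if (partitionRoles.isEmpty()) {
                // Leave the default permissions alone rather than creating an API nobody can edit.
                log.warn("User " + username + " has no " + PARTITION_ROLE_PREFIX
                        + "* role; not partitioning API at " + context.getResourcePath());
                return true;
            }

            // Step 2: registry authorizations are keyed by the absolute resource path
            // (assumption: governance-relative path prefixed with /_system/governance).
            String absolutePath = RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH
                    + context.getResource().getPath();
            AuthorizationManager authz = realm.getAuthorizationManager();
            String[] writeActions = {ActionConstants.PUT, ActionConstants.DELETE};

            for (String action : writeActions) {
                // Take edit/delete away from the shared publisher role on this API only ...
                authz.denyRole(DEFAULT_PUBLISHER_ROLE, absolutePath, action);
                // ... and grant it to the user's own group role(s).
                for (String role : partitionRoles) {
                    authz.authorizeRole(role, absolutePath, action);
                }
            }
            // GET is deliberately untouched so Store visibility keeps following the API's
            // own visibility setting, which API Manager manages separately.
            log.info("API at " + absolutePath + " is now editable only by " + partitionRoles);
            return true;
        } catch (Exception e) {
            // Failing the transition is safer than publishing an API with the wrong permissions.
            log.error("Failed to partition publisher permissions", e);
            return false;
        }
    }
}
```

Package the class as a jar, drop it into repository/components/lib, and reference it from the Publish transition of the API lifecycle definition in the registry. Test the result with two users from different groups: the second user should be able to view the API in the Publisher but get a permission error on edit and delete. Note that admin still has full access, and that a user holding several group roles grants all of them write access to the APIs they publish.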

Sunday, January 15, 2017

WSO2 IS: How to do Conditional Authentication using Entitlement Policies?

WSO2 Identity Server 5.3.0 has a brand new feature that lets you decide, after the user's credentials have been verified, whether the login is allowed, based on a set of XACML entitlement policies.

Use case - Allow only users with the customer-care role to log in to a cloud-based Microsoft Dynamics CRM through WSO2 IS.

1 - Configure SSO login to Microsoft Dynamics CRM from WSO2 IS by following the linked guide, so that you have a service provider for it.

2 - Make sure you have ticked "Enable Authorization" under Service Provider > Local & Outbound Authentication Configuration. Without this, the PDP is never consulted and the policy has no effect.

3 - Then go to Entitlement > Policy Administration in the left-hand menu.

4 - Select the authn_role_based_policy_template. Edit it so that the service provider name is "CRM" (or whatever name you gave the Microsoft Dynamics service provider) and the role name is "customer-care", then publish it to My PDP.

That is it!
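For readers who want to see what the template actually evaluates, here is the resulting policy written out in full. This is an added example, not the original post's content and not a verbatim copy of the product's template: the attribute identifiers, categories and the "authenticate" action value are the ones WSO2 IS uses in its authentication-time authorization requests as far as I know, and the PolicyId and rule names are my own. Compare it against the template shipped with your Identity Server version before relying on it.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="crm_customer_care_only"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Description>Allow login to the CRM service provider only for users holding the customer-care role.</Description>

  <!-- Target: only the "authenticate" action against the service provider named CRM.
       Requests for other service providers do not match, so this policy is not applicable to them. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name"
                               Category="http://wso2.org/identity/sp"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name"
                               Category="http://wso2.org/identity/identity-action"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Permit when at least one of the subject's roles equals customer-care.
       The role attribute is resolved from the user store by the PDP's attribute finder. -->
  <Rule RuleId="permit_customer_care" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer-care</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- Everyone else who matched the target is denied. With first-applicable combining
       this rule is only reached when the permit rule above did not apply. -->
  <Rule RuleId="deny_others" Effect="Deny"/>
</Policy>
```

Two points worth checking after publishing. First, the explicit deny_others rule is what makes this fail closed: a user with valid credentials but without the customer-care role is rejected at login, not silently let through. Second, MustBePresent="true" on the role designator means that if the role attribute cannot be resolved at all (for example a user store whose role claim is not mapped) the PDP answers Indeterminate rather than Permit, which Identity Server also treats as a denied login; that is the safe default, but it is the first thing to look at when a user who does hold the role is still being refused.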