WSO2 Identity server - Restrict Inbound Authentication of service provider based on user's role

0
votes

I have created a tenant 'A' in wso2 IS and added my ldap user store in it. In the tenant 'A', I have configured a 'test' service provider with oauth2 as inbound authentication. As of now, I am successful with authenticating all the user in store with oauth2 service provider configuration.

But I could not find any configuration to restrict user from authentication against the service provider 'A' if the user does not have an specific role.

This question was asked about five years ago but it wasn't supported back then, and I would like to know how to accomplish this in WSO2 Identity Server 5.7.4

1
wso2wso2is

1 Answers

0
votes

Option1:

You can use adaptive script and restrict authentication based on Roles. Refer this doc to know how to configure role-based adaptive script for service provider A https://docs.wso2.com/display/IS570/Configuring+Role-Based+Adaptive+Authentication

Option2:

Use XACML scripts to control authentication based on roles. Refer this doc to understand XAML. https://docs.wso2.com/display/IS570/Working+with+XACML.

You can refer this doc to know about how to write XACML policies https://docs.wso2.com/display/IS570/Writing+XACML3+Policies+in+WSO2+Identity+Server. In the managment console, you can find a sample XACML script authn_role_based_policy_template. Modify that script according to your Service provider name and role. Then publish it. You can use this doc as well. https://docs.wso2.com/display/IS570/Configuring+Access+Control+Policy+for+a+Service+Provider