Configuring IWA Single Sign On for multiple Windows domains with WSO2 Identity Server

Integrated Windows Authentication (IWA) is a popular mechanism for authenticating users against Microsoft Windows servers. WSO2 Identity Server supports IWA from version 4.0.0 onward. This article is a detailed guide to setting up IWA authentication across multiple Windows domains with WSO2 Identity Server 5.2.0.

Let’s assume the WSO2 Identity Server is in the wso2.com domain and the user who needs to log in belongs to the abc.com domain.

First, add a DNS host entry in Active Directory (AD) that maps the IP address of the WSO2 Identity Server to a hostname. You can follow the steps here.

When you add the DNS entry, you generally enter only the first part of the hostname; AD appends its own domain name. For example, if the AD domain is wso2.com, the resulting hostname will be similar to the following:

idp.wso2.com

Then open the carbon.xml file in the <IS_HOME>/repository/conf folder and set the hostname in the <HostName> and <MgtHostName> tags:

<HostName>idp.wso2.com</HostName>
<MgtHostName>idp.wso2.com</MgtHostName>

Configuring the Service Provider

Then start the server and configure the Travelocity app as a service provider. You can find the configuration steps here.

Next, configure IWA as the local authenticator for the service provider:

  • Expand the Local & Outbound Authentication Configuration section and do the following.
  • Select Local Authentication.
  • Select IWA from the drop-down list under Local Authentication.


  • Click Update once you have completed the configuration.

Now you need to configure domain trust between the two domains in order to make this work.

Configuring domain trust between two domains

You need to configure an external trust between the wso2.com and abc.com domains so that the NTLM token exchange works properly. Follow these steps.

First, add the IP address of the wso2.com domain’s DNS server as the preferred DNS server in the abc.com domain, and vice versa.

  • Right-click the Start menu and select Network Connections.


  • Right-click the network connection you’re using and select Properties.


  • Highlight ‘Internet Protocol Version 4 (TCP/IPv4)’ and click Properties.


  • Select Use the following DNS server addresses and type the appropriate IP address in the Preferred DNS server.


  • Click OK, then Close, then Close again. Finally, close the Network Connections window.

Now you can configure the external trust between wso2.com and abc.com. Create a one-way, outgoing, external trust for both sides of the trust as follows.

Create a One-Way, Outgoing, External Trust for Both Sides of the Trust

  1. Open Active Directory Domains and Trusts from the wso2.com Server Manager.
  2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
  3. On the Trusts tab, click New Trust, and then click Next.
  4. On the Trust Name page, type the NetBIOS name of the domain, and then click Next. (You can find the NetBIOS name as described here.)
  5. On the Trust Type page, click External trust, and then click Next.
  6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
  7. For more information about the selections that are available on the Direction of Trust page, see “Direction of Trust” here.
  8. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.
  9. For more information about the selections that are available on the Sides of Trust page, see “Sides of Trust” here.
  10. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
  11. On the Outgoing Trust Authentication Level–Local Domain page, click Domain-wide authentication, and then click Next.
  12. On the Trust Selections Complete page, review the results, and then click Next.
  13. On the Trust Creation Complete page, review the results and then click Next.
  14. On the Confirm Outgoing Trust page, do one of the following:
    1. If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
    2. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
  15. On the Completing the New Trust Wizard page, click Finish.

Once the steps above have completed successfully, abc.com should appear in the list of outgoing trusts for wso2.com. wso2.com is also added automatically as an incoming trust in the Active Directory Domains and Trusts configuration of abc.com.


You are now almost done with the configuration. To log into your app (e.g. Travelocity) as a user in the abc.com domain, add the hostname of the Identity Server to the hosts file on the client machine as below.

  • Open Notepad as an Administrator. From Notepad, open the following file:
C:\Windows\System32\drivers\etc\hosts
  • Add the new host entry, e.g.:
192.168.57.45      idp.wso2.com
  • Click File > Save to save your changes.

Also, make sure to configure the following browser settings before accessing your app.

Internet Explorer

  • Go to “Tools → Internet Options” and, in the “Security” tab, select Local intranet.


  • Click the Sites button and add the URL of the WSO2 Identity Server there.


Firefox

  • Type “about:config” in the address bar, ignore the warning and continue; this displays the advanced settings of Firefox.
  • In the search bar, search for the key “network.negotiate-auth.trusted-uris” and add the WSO2 Identity Server URL there:
https://idp.wso2.com


Now you should be able to log into Travelocity using IWA as a user in the abc.com domain.
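When the login fails, it is usually because one of the steps above did not take effect on the client or in the domain. The following script is an added example, not part of the article or of WSO2’s own tooling; it checks the prerequisites from an abc.com client, using the article’s values (idp.wso2.com, 192.168.57.45, the wso2.com trust) and assuming the RSAT ActiveDirectory module is installed for Get-ADTrust.

```powershell
# Prerequisite checks for the IWA setup described in the article (added example).
# Assumed values come from the article: hostname idp.wso2.com, IS address 192.168.57.45,
# trusted domain wso2.com. Run on an abc.com client; Get-ADTrust needs the RSAT ActiveDirectory module.
$IdpHost  = 'idp.wso2.com'
$IdpIp    = '192.168.57.45'
$TrustDom = 'wso2.com'
$checks   = [ordered]@{}

# 1. Name resolution: the AD DNS host entry (or the local hosts entry) must resolve the IS hostname.
$resolved = Resolve-DnsName -Name $IdpHost -Type A -ErrorAction SilentlyContinue
$checks["DNS resolves $IdpHost"] = [bool]($resolved.IPAddress -contains $IdpIp)

# 2. hosts file entry on the client machine.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*' + [regex]::Escape($IdpIp) + '\s+' + [regex]::Escape($IdpHost) + '\s*$'
$checks['hosts entry present'] = [bool](Select-String -Path $hostsFile -Pattern $pattern -Quiet)

# 3. Internet Explorer: https://idp.wso2.com placed in the Local intranet zone (zone id 1).
#    IE persists the Sites dialog under ZoneMap\Domains\<domain>\<host> with one value per scheme.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\wso2.com\idp'
$zone    = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).https
$checks['IE Local intranet zone'] = ($zone -eq 1)

# 4. Firefox: the trusted-uris pref is written to prefs.js in the profile once set in about:config.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$prefs    = Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue
$checks['Firefox trusted-uris'] = [bool]($prefs | Select-String -Pattern 'network\.negotiate-auth\.trusted-uris.*idp\.wso2\.com' -Quiet)

# 5. Domain trust: seen from abc.com, wso2.com must show up as an inbound (or two-way) trust.
$trust = Get-ADTrust -Filter "Name -eq '$TrustDom'" -ErrorAction SilentlyContinue
$checks["Trust with $TrustDom"] = ($null -ne $trust -and $trust.Direction -in 'Inbound', 'BiDirectional')

$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Each line of the output names one prerequisite and whether it was found, so a MISSING line points at the step to revisit.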


You can find the latest release of WSO2 Identity Server here and read more in the following references.

References

  1. http://wso2.com/library/articles/2013/04/integrated-windows-authentication-wso2-identity-server
  2. https://docs.wso2.com/display/IS520/Configuring+Single+Sign-On
  3. https://docs.wso2.com/display/IS520/Configuring+IWA+Single-Sign-On
  4. https://docs.wso2.com/display/IS520/Integrated+Windows+Authentication
  5. https://technet.microsoft.com/en-us/library/cc794775(v=ws.10).aspx
  6. https://technet.microsoft.com/en-us/library/cc816837(v=ws.10).aspx
  7. https://technet.microsoft.com/en-us/library/cc794894(v=ws.10).aspx
  8. https://technet.microsoft.com/en-us/library/cc794933(v=ws.10).aspx
  9. https://en.wikipedia.org/wiki/Integrated_Windows_Authentication
  10. https://support.opendns.com/hc/en-us/articles/228007207-Windows-10-Configuration-Instructions


Anomaly detection with WSO2 Machine Learner

WSO2 Machine Learner (ML) provides a user-friendly, wizard-like interface that guides users through a set of steps to find and configure machine learning algorithms. The outcome of this process is a model that can be deployed in multiple WSO2 products, such as WSO2 Enterprise Service Bus (ESB), WSO2 Complex Event Processor (CEP) and WSO2 Data Analytics Server (DAS).

WSO2 ML 1.1.0 (the new release) also has an anomaly detection feature. It is implemented on top of the k-means clustering algorithm discussed in my previous article. In this article I will walk through the steps of building an anomaly detection model with WSO2 Machine Learner.

Step 1 – Create an analysis

For every model, you first have to upload a dataset and create a new project. Then start a new analysis to build an anomaly detection model.


Step 2 – Algorithm selection

In the ‘Algorithm’ selection step there is a new category called ‘Anomaly Detection’. Under that category there are two algorithms. If your dataset is labeled, select k-means with labeled data; otherwise select k-means with unlabeled data. There are a few model configurations you have to enter in this step.

k-means anomaly detection with labeled data

  • Response variable
  • Normal label(s) values
  • Train data fraction
  • Prediction labels
  • Normalization option


k-means anomaly detection with unlabeled data

  • Prediction labels
  • Normalization option


If any categorical features other than the response variable exist in the dataset, you will be asked to drop them when you proceed to the next step.


Step 3 – Hyper parameters

In the parameter selection step you have to enter the hyper parameters the model needs:

  • Maximum iterations
  • Number of normal clusters (since this anomaly detection algorithm is implemented on top of k-means clustering, you have to specify how many normal clusters the model should build)


Step 4 – Model building

After selecting the dataset version, you can build the model.


Step 5 – Model summary

After successfully building the model, you can view the model summary if you built it with the k-means with labeled data algorithm. The summary gives you an overall picture of the model: its F1 score and other important accuracy measures, confusion matrices, a cluster diagram, etc. Based on this information you will be able to pick the best model.

The model is evaluated over a range of percentile values, i.e. over a range of cluster boundaries, to pick the best one. By default the model summary shows the measures for the best percentile value. You can see how the measures change with the percentile by moving the percentile slider, and from that form an idea of the best percentile value to use for your predictions.

By default the percentile range 80-100 is used, but if you need a different range for evaluating the model you can change it by passing minPercentile and maxPercentile as system properties when you start the server. Keep in mind that percentile values must be between 0 and 100. You can pass the system properties when you start the server as shown below:

./wso2server.sh -DminPercentile=60 -DmaxPercentile=90


Step 6 – Prediction

This is where you make predictions for new data with the model. You can enter the feature values of a single new data point, or supply a batch of new data as a CSV or TSV file. You also have to enter the percentile value that determines the cluster boundaries; a default value is already filled in, and you can keep it if you are unsure. If you built the model with labeled data, the default is the optimum value obtained from the model evaluation. After entering those values you get the predictions for the new data.
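To make the mechanics of Steps 3, 5 and 6 concrete, here is an added example in pure Python; it is not WSO2 ML’s own code, but it follows the same idea: fit the configured number of normal clusters with k-means, take a percentile of the training points’ distance to their nearest centroid as the cluster boundary, score every percentile in the 80-100 range by F1 on labeled data, and then predict new points at a chosen percentile. The sample data in make_data is constructed for the example.

```python
import math
import random

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
def kmeans(points, k, max_iterations=20):
    # Farthest-first seeding makes the run deterministic; then standard Lloyd iterations.
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(_dist(p, c) for c in centers)))
    for _ in range(max_iterations):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: _dist(p, centers[i]))].append(p)
        new = [tuple(sum(v) / len(g) for v in zip(*g)) if g else centers[i] for i, g in enumerate(groups)]
        if new == centers:  # assignments stopped changing
            break
        centers = new
    return centers
def fit(normal_points, normal_clusters, max_iterations=20):
    # Model = the normal-cluster centroids plus each training point's distance to its nearest one.
    centers = kmeans(normal_points, normal_clusters, max_iterations)
    return centers, [min(_dist(p, c) for c in centers) for p in normal_points]
def percentile(values, pct):
    # Nearest-rank percentile (pct in 0..100) of the training distances: the cluster boundary.
    s = sorted(values)
    return s[int(round(pct / 100.0 * (len(s) - 1)))]
def predict(model, points, pct):
    # A point farther from every centroid than the boundary lies outside the normal clusters.
    centers, train_dist = model
    boundary = percentile(train_dist, pct)
    return ["anomaly" if min(_dist(p, c) for c in centers) > boundary else "normal" for p in points]
def f1_score(labels, preds, positive="anomaly"):
    tp = sum(l == positive and p == positive for l, p in zip(labels, preds))
    fp = sum(l != positive and p == positive for l, p in zip(labels, preds))
    fn = sum(l == positive and p != positive for l, p in zip(labels, preds))
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0
def best_percentile(model, points, labels, min_pct=80, max_pct=100):
    # Like the model summary: score every percentile in the range on labeled data, keep the best F1.
    scores = {pct: f1_score(labels, predict(model, points, pct)) for pct in range(min_pct, max_pct + 1)}
    best = max(scores, key=lambda pct: (scores[pct], pct))
    return best, scores[best]
def make_data(seed=7):
    # Constructed sample (not real data): two normal clusters plus three far-away anomalies.
    rng = random.Random(seed)
    jitter = lambda c: (c[0] + rng.uniform(-1, 1), c[1] + rng.uniform(-1, 1))
    train = [jitter(c) for c in ((0, 0), (10, 10)) for _ in range(40)]
    held_out = [jitter(c) for c in ((0, 0), (10, 10)) for _ in range(10)]
    return train, held_out + [(50, 50), (-30, 20), (5, -40)], ["normal"] * 20 + ["anomaly"] * 3
```

Lowering the percentile tightens the boundary and flags more points, which is the trade-off the percentile slider in the summary lets you inspect.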


If you want to know more about WSO2 Machine Learner, follow the documentation. You can download the product and try this out with your own dataset, and it is absolutely free!

Also, if you have more interesting ideas, you can contribute to the product as well. You can find the source code of WSO2 ML in the following repositories: wso2/carbon-ml and wso2/product-ml.