Understanding the Admin Services in WSO2 Carbon Products

Identity Server (or any Carbon product) exposes SOAP web services for management purposes. These services are known as admin services. There are a lot of admin services in the Identity Server (and in other Carbon products).

In Identity Server, User management and Entitlement are well-known admin services that I have explained in my earlier blog posts. There are several other SOAP-based web services that are used for managing OAuth, SAML2 SSO, WS-Trust, Claim management and so on (all authentication and authorization configurations). Basically, every action that you do in the management console UI can be done by invoking admin services. Actually, the management UI itself calls the admin services to get the work done. Therefore, if you need to, you can write your own management UI for Identity Server using the admin services.

However, there is not much documentation for all these admin services. The best way to understand them is to look at the WSDL.

Let's see how we can list all admin services and retrieve their WSDLs.

Step 1. Start the server with the OSGi console. Go to <IS_HOME>/bin in a command shell and run one of the following:

> sh wso2server.sh -DosgiConsole
> wso2server.bat -DosgiConsole

Step 2. After the server has started, type the following in the OSGi console:

> listAdminServices

Now you should be able to see the list of admin service names with the endpoint URLs that are exposed by Identity Server.


Step 3. If you want to retrieve the WSDLs of the admin services of Identity Server:

Go to the IS_HOME/repository/conf directory and change the value of “HideAdminServiceWSDLs” in the “carbon.xml” file as below:

<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

Otherwise you cannot see the WSDLs of the admin services, as they are hidden by default.

Step 4. Restart the server. Then you can retrieve a WSDL by browsing to the service URL with the “?wsdl” option appended.

For example, you can find the entitlement service WSDL at:

https://{Hostname}:{port}/services/EntitlementService?wsdl

You can use any SOAP client to invoke these services. However, admin services are secured with authentication and authorization.

1. To access an admin service, the user must authenticate with the Identity Server. The default authentication mechanism is Basic Authentication: the SOAP client must send the username/password in the HTTP Basic Auth header to authenticate to the Identity Server. This credential is validated against the user store that is connected to Identity Server. By default, Identity Server is connected to the embedded LDAP server, where credential validation happens.
However, you can use other authentication mechanisms besides Basic Authentication. You can find more details from here.

2. The authenticated user must have the required permission to access the admin service. Once the user is authenticated with Identity Server, it checks the user’s permissions and validates them against the permission required for the admin service. Identity Server uses an RBAC model in which the user must be assigned to a role that contains the permission. Roles can be defined inside the Identity Server, or they can be mapped from the user store.

As an example, by default, to access any admin service the user must have at least the “login” permission. Therefore the user must be assigned to a role that has the “login” permission.

Say, if a user wants to access the RemoteUserStoreManagerService admin service, then the user must have the “security” permission as well.

Therefore the user must be assigned to a role (or roles) that contains both the login and security permissions. The “admin” user (who is assigned to the “admin” role) has all permissions for the Identity Server.


SOAP UI is a very handy tool that you can use to invoke SOAP-based admin services. I have attached a screenshot of invoking the listUsers() method of RemoteUserStoreManagerService using SOAP UI.
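The same listUsers() call made from a script instead of SOAP UI, as an added example that is not part of the original post or of the WSO2 code base. It builds the SOAP envelope, attaches the HTTP Basic Auth header described above, and parses the user names out of the response; the service namespace, the listUsers parameter names (filter, maxItemLimit) and the SOAPAction value are assumptions taken from the service WSDL, so check them against the WSDL you retrieved in Step 4. The sample response at the bottom is constructed so the parser can be exercised offline.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumed (not stated in the post): namespace and operation details come from
# the RemoteUserStoreManagerService WSDL, not from the post itself.
UM_NS = "http://service.ws.um.carbon.wso2.org"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_PATH = "/services/RemoteUserStoreManagerService"


def build_list_users_request(user_filter="*", max_items=100):
    """SOAP 1.1 envelope for listUsers. The filter is XML-escaped so a value
    taken from user input cannot break out of the element it is placed in."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{UM_NS}">'
        "<soapenv:Header/><soapenv:Body><ser:listUsers>"
        f"<ser:filter>{escape(user_filter)}</ser:filter>"
        f"<ser:maxItemLimit>{int(max_items)}</ser:maxItemLimit>"
        "</ser:listUsers></soapenv:Body></soapenv:Envelope>"
    )


def basic_auth_headers(username, password):
    """HTTP headers for the call: the Basic Auth credential the post describes,
    the SOAP content type and the (assumed) SOAPAction for listUsers."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}",
            "Content-Type": "text/xml; charset=UTF-8",
            "SOAPAction": "urn:listUsers"}


def parse_list_users_response(xml_text):
    """Return the user names from a listUsersResponse envelope (each name is a
    <return> element in the service namespace)."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.iter(f"{{{UM_NS}}}return") if el.text]


def list_users(base_url, username, password):
    """POST listUsers to https://{Hostname}:{port}/services/... with TLS
    certificate verification left on, so the admin credential is only ever
    sent to a server whose certificate chains to a trusted CA."""
    req = urllib.request.Request(base_url.rstrip("/") + SERVICE_PATH,
                                 data=build_list_users_request().encode("utf-8"),
                                 headers=basic_auth_headers(username, password))
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return parse_list_users_response(resp.read().decode("utf-8"))


# Constructed sample response, used to exercise the parser offline.
SAMPLE_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
    f'<ns:listUsersResponse xmlns:ns="{UM_NS}">'
    "<ns:return>admin</ns:return><ns:return>alice</ns:return>"
    "</ns:listUsersResponse></soapenv:Body></soapenv:Envelope>"
)
```

For a development server with a self-signed certificate, add that certificate to the CA bundle passed to ssl.create_default_context() rather than turning verification off.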