WSO2-IS - Set default value to a Claim - wso2

How can I set a default value to a claim when configuring a Service Provider on WSO2-IS carbon?
I'd like to set a default value to userDirectory according to environment that I've created to pass to Service Provider.
WSO2-IS 5.11.0

AFAIK there is no OOTB config you can achieve this with. I can suggest two ways for you to try this.
You can do customization and get this capability. You can write a listener and subscribe to the PostAddUser event or PostGetUser event. To do so you need to introduce a new claim as well.
If you want to include this claim in the ID token, then you can implement a custom claim provider. Follow the blog for more details.
Edit:
AFAIU there is a 3rd option you can do that is explained in issue, where you can define a custom claim handler. With this approach, the claims will be added to all the assertions.

Related

WSO2 claim extention using custom claim handler

How can we add custom claims to the ID token of WSO2 (claims which are stored in the different tables of the WSO2 database)?
Explanation:
The requirement is to add some additional claim values which are specific to the organizational information of the user (which will be stored in other tables and not in the user attribute table).
How do we write a custom claim handler to do the same?
You can write a custom claim handler and inject the values from the claim handler. Please follow this documentation to know how to deploy a custom claim handler.
You can find a sample source code here.

WSO2 : application and users

I've created an application as "admin". Now, I create a "demo" user, and give him all roles and all permissions for this app. When I connect with "demo" I can't even see the application created by "admin".
Is this a feature, or just a misconfiguration? (But I don't see what config is left.)
Yes, that's the default behavior. If you want to share applications/subscriptions among users, you have to enable the sharing feature. See Sharing Applications and Subscriptions docs for that.
Shared apps will be listed like this.
EDIT to make this the validated answer:
This whole paragraph from the documentation has to be written differently because it's wrong and very confusing. There is no "default" strategy of grouping; you have to alter the default configuration to activate it:
By default, the API Manager considers the organization name that you give at the time you sign up to the API Store as the group ID. It extracts the claim http://wso2.org/claims/organization of a user and uses the value specified in it as the group ID. This way, all users who specify the same organization name belong to the same group and therefore, can view each others' subscriptions and applications. The API Manager also provides flexibility to change this default authentication implementation

Can we extend PDP to add external logic in WSO2?

We have a project specific requirement like a user must belong to a particular location to execute some action. We want to extend WSO2 PDP functionality where we may provide connection details to local db and provide conditions when a user can execute an action.
Planning to implement PEP-PDP using ESB and IS. Is there a way in PDP that can do this?
Yes, it is possible. Basically, you need to write a custom policy information point module. Please have a look at [1] on implementing a custom PIP (Policy Information Point) module.
[1] http://xacmlinfo.org/2011/12/18/writing-jdbc-pip-module/

WSO2 Identity Server - Cannot Use Dialect I defined in Service Provider's Claim Configuration

I created my own dialect using the management console, Configure-->Claim Management. After doing this, I wanted to configure my Service Provider to be associated with these claims, so I edited my SP and went to the Claim Configuration section. The issue I am running into is that the only Local Claim claims which show up are the default wso2 ones. So you only ever see ones starting with http://wso2.org/claims/.
With that said, I don't believe choosing Define Custom Claim Dialect is an appropriate alternative since I defined a dialect already. It would make zero sense to go and map that back to the default dialect, so I'm assuming this would not be the route.
Is there some configuration setting to list values from other defined dialects? Besides the one I created, there are quite a few that come OOB anyway. Is this a bug? I would assume my dialect along with all the other OOB ones would be Local Claim Dialects.
The Claims Management in the docs is just way too general to discern if there's some funny requirement. https://docs.wso2.com/display/IS500/Claim+Management
WSO2 Identity Server 5.0.0
I created a workaround, which works for my situation.
Once again, this is with IS 5.0.0. In my situation, no claims or dialects preconfigured fit my needs and I want my own special URIs defined ONLY.
So here's what I did:
In the Management Console, went to Configure-->Claim Management.
Edited the "http://wso2.org/claims" dialect.
Added each claim I wanted to this dialect. I was able to enter whatever URI I pleased, even though the dialect had a different URI (that's a good thing!) along with the property name I wanted it associated with. e.g., http://example.com/claims/claimname1
Then I went to configure the claims / attributes I wanted to be communicated to a particular Service Provider by editing its Claim Configuration...
Selected "Use Local Dialect".
For each claim I wanted to add, clicked "Add Claim URI" at "Request Claims", and selected a URI I created.
(OPTIONAL) I deleted all non-custom URIs in the "http://wso2.org/claims" dialect, because I found in my custom user store that getUserPropertyValues() was still getting passed every single claim attribute to resolve. It was trying to resolve more than 20 properties at every login. Some performance help! :)

wso2is4.6 claim management

I am working on wso2is4.6.
I am new to wso2is. Maybe this is a stupid question, but I am still blocked.
The first question: when there are multiple claim dialects in the system, which claim dialect will be used? Which conditions will make the system choose this dialect instead of another dialect?
The second question: I installed wso2is4.6, and installed apacheds 2.0 with defaults (no customization). Where can I find the corresponding claim mapping?
I know I need to correct the claim mapping, but I don't know how I can find the correct mapping. Can somebody provide a workable claim-mgt.xml based on wso2is4.6 and apacheds 2.0?
Adding more info to Dulanja's answer,
Q1. In WSO2 Identity Server, internally it always uses a claim dialect together with a claim URI to identify a unique claim. Different components use different dialects to get their claims. For example, when adding a new user using the management console, the relevant (user-manager) component would use the WSO2 default claim dialect mentioned above. Similarly, if you are doing SCIM related operations, the relevant components will use the SCIM dialect.
Q2. As mentioned in Q1, that is what makes the claim unique, and where we store that claim's value can be configured in two ways.
i. You can use claim-config.xml in /repository/conf/ folder and you can edit claim-to-ldapAttribute mapping by changing <AttributeID> which is given under every element.
ii. Or you can change claim mappings at runtime using the Claim Management page in management console. Please refer [1] for more info.
[1] http://docs.wso2.org/display/IS460/Claim+Management
Thanks,
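To make the dialect-plus-claim-URI point concrete, here is an added example (not from the answer above and not WSO2's own code) that parses a constructed claim-config.xml-style mapping and resolves a claim to its store attribute. The element names (Claims, Dialect@dialectURI, Claim, ClaimURI, AttributeID) are assumed from the shape of WSO2's claim-config.xml; check them against your own file.

```python
"""Resolve (dialect, claim URI) pairs to user-store attributes."""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of claim-config.xml:
# Claims > Dialect[@dialectURI] > Claim > ClaimURI / AttributeID.
# One claim (organization) is deliberately left without an AttributeID.
SAMPLE_CLAIM_CONFIG = """<Claims>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim>
      <ClaimURI>http://wso2.org/claims/givenname</ClaimURI>
      <AttributeID>givenName</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/emailaddress</ClaimURI>
      <AttributeID>mail</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/organization</ClaimURI>
    </Claim>
  </Dialect>
  <Dialect dialectURI="http://schema.openid.net/2007/05/claims">
    <Claim>
      <ClaimURI>http://schema.openid.net/2007/05/claims/email</ClaimURI>
      <AttributeID>mail</AttributeID>
    </Claim>
  </Dialect>
</Claims>"""


def load_claim_mappings(xml_text):
    """Return {(dialect_uri, claim_uri): attribute_id or None}."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for dialect in root.findall("Dialect"):
        dialect_uri = dialect.get("dialectURI")
        for claim in dialect.findall("Claim"):
            claim_uri = (claim.findtext("ClaimURI") or "").strip()
            attr = claim.findtext("AttributeID")
            mappings[(dialect_uri, claim_uri)] = attr.strip() if attr else None
    return mappings


def resolve_attribute(mappings, dialect_uri, claim_uri):
    """The dialect is part of the key: the same URI under another dialect misses."""
    return mappings.get((dialect_uri, claim_uri))


def unmapped_claims(mappings):
    """Claims with no AttributeID cannot be read from the LDAP store."""
    return sorted(uri for (_, uri), attr in mappings.items() if not attr)
```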
Question 1:
The default claim dialect of WSO2 products is http://wso2.org/claims. This is the underlying dialect of the User Profile view - currently you cannot change this to use a different dialect.
Other dialects are used in different scenarios. As an example, http://schema.openid.net/2007/05/claims is used when IS acts as an OpenID Provider. OpenID relying parties (clients) request attributes using the claim URIs specified under this dialect. Other examples are the SAML SSO and Passive-STS flows. In them you have the option to select the dialect that you want to use to send back the attributes to the client.
Question 2:
Are you facing a claim-mapping related problem with the new ApacheDS 2.0 LDAP? As far as I know, since the WSO2 IS embedded LDAP is also based on ApacheDS, if you point (via user-mgt.xml) to such an LDAP the existing claim mapping should work without any problem.