Specifying custom tenant id in REST API - wso2

In the SOAP Tenant API I can define my own tenantId (https://docs.wso2.com/display/IS530/Managing+Tenants+with+APIs#ManagingTenantswithAPIs-addTenant()), but in the REST API this ability is not available. The reason I wanted to use a custom tenantId is so that I can map multi-tenancy from the WSO2 domain to my application domain, thus using the id as a bridge. There is an additionalClaims element in the request JSON for the addTenant endpoint, but this element is not returned by the getTenant endpoint. Is there an additional tenant property I can use to store custom information?

The tenant creation REST API doesn't allow you to input the tenant id. But you can use the returned tenant id for the mapping purpose.
Once a tenant is created successfully using the API, it should return a 201 Created status code and you would be able to find the Location header in the response headers. The Location header contains the location of the tenant: https://<Host>:<port>/t/<tenant-domain>/api/server/v1/tenants/<tenant-id>. From this value you can extract the tenant id.
For the second part of the question:
The additionalClaims attribute belongs to the tenant owners, not to the core tenant object. When you execute a GET /tenants or GET /tenants/ request, the owner's id and username are returned.
"owners": [
    {
        "id": "af01d6cf-bf5d-440f-b99c-ac482f6dc89f",
        "username": "kim"
    }
]
If you check the tenant owner's profile via the carbon console/console you should see the additional claims added via the request. Moreover, if that added local claim is mapped to a SCIM claim (eg: http://wso2.org/claims/mobile) you would view those user properties via the SCIM GET User API.
eg: https://<host>:<port>/t/<tenant-domain>/scim2/Users/<tenant-owner's-id>
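The two extraction steps in the answer above (tenant id from the Location header of the 201 response, owner id from the getTenant body so the owner's claims can be read over SCIM), as an added example that is not part of the original answer or of WSO2's own code. The response headers and tenant body are constructed samples; the host and tenant domain are placeholders, and the owner id is the one quoted in the answer.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of what an addTenant call returns (not captured from a
# real WSO2 server): 201 Created plus a Location header for the new tenant.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {
    "Location": "https://is.example.test:9443/t/carbon.super/api/server/v1/tenants/"
                "3a0a1b3e-9c6d-4e9b-9f4e-2d6f5e7a8b9c",
}

# Constructed sample of a getTenant body, shaped like the "owners" fragment
# quoted in the answer (the owner id is the one shown there).
SAMPLE_TENANT = {
    "id": "3a0a1b3e-9c6d-4e9b-9f4e-2d6f5e7a8b9c",
    "domain": "acme.example",
    "owners": [{"id": "af01d6cf-bf5d-440f-b99c-ac482f6dc89f", "username": "kim"}],
}

# Path shape documented in the answer: /t/<tenant-domain>/api/server/v1/tenants/<tenant-id>
_TENANT_PATH = re.compile(r"^/t/[^/]+/api/server/v1/tenants/(?P<tenant_id>[^/]+)$")
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def tenant_id_from_create_response(status, headers):
    """Return the tenant id carried in the Location header of a 201 response.

    Every deviation (wrong status, missing header, unexpected path, non-UUID id)
    raises ValueError, so a caller never writes an empty or malformed id into
    its application-to-tenant mapping table.
    """
    if status != 201:
        raise ValueError(f"expected 201 Created, got {status}")
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise ValueError("201 response without a Location header")
    path = urlsplit(location).path
    match = _TENANT_PATH.match(path)
    if not match:
        raise ValueError(f"unexpected Location path: {path}")
    tenant_id = match.group("tenant_id")
    if not _UUID.match(tenant_id):
        raise ValueError(f"tenant id is not a UUID: {tenant_id}")
    return tenant_id


def owner_ids(tenant):
    """Return the user ids of the tenant owners from a getTenant response body."""
    return [owner["id"] for owner in tenant.get("owners", []) if "id" in owner]


def owner_scim_url(base_url, tenant_domain, owner_id):
    """Build the SCIM2 URL (shape from the answer) at which the owner's profile,
    including any additional claims mapped to SCIM, can be read."""
    return f"{base_url.rstrip('/')}/t/{tenant_domain}/scim2/Users/{owner_id}"


if __name__ == "__main__":
    tid = tenant_id_from_create_response(SAMPLE_STATUS, SAMPLE_HEADERS)
    print("tenant id:", tid)
    for oid in owner_ids(SAMPLE_TENANT):
        print("owner profile:", owner_scim_url("https://is.example.test:9443", SAMPLE_TENANT["domain"], oid))
```

The strict checks matter because the id is going to be the bridge between two domains: a mapping row created from a non-201 response or a truncated header would silently point your application at the wrong (or no) tenant.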

Related

wso2 apim - token api issue for users in secondary user store

The WSO2 APIM version is 3.2.0.
Created a JDBC secondary user store opera in WSO2 APIM and added some users, say user1.
There was an application created in devportal - GUI_APP
When I try to access the token API with the user in opera, I'm getting the below error.
"Users in the tenant domain : opera do not have access to application admin_GUI_APP_PRODUCTION"
API details below:
Request URL:
https://{APIM_IP}:8243/token
Request Method:
POST
Request Headers:
Content-Type:application/x-www-form-urlencoded
Authorization:Basic (base64 encoded key:secret of GUI_APP)
Request Body:
grant_type:password
username:user1#opera
password:{pwd}
Kindly let me know what change needs to be done to get the token for users in the secondary user store.
The user store domain should be prepended to the username in the following format. The # symbol is used to append the tenant domain to the username.
UserStoreDomain/Username
Also, it is not mandatory to prepend the user store domain. When the user store domain is not prepended, it will first search for the username in the PRIMARY user store and then search all the secondary user stores.
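As an added example (not part of the answer above and not WSO2 code), this Python helper assembles the password-grant request from the question with the username in the UserStoreDomain/Username form the answer describes, and shows how that value is form-encoded and how the Basic header is derived from the application's key and secret. The client credentials and password are constructed placeholders, and the token URL keeps the question's {APIM_IP} placeholder.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Placeholder host exactly as written in the question; replace before use.
TOKEN_URL = "https://{APIM_IP}:8243/token"


def qualified_username(username, user_store_domain=None):
    """Return the username in the form the answer gives: UserStoreDomain/Username.

    Without a domain the bare username is returned, in which case APIM looks the
    user up in PRIMARY first and then in each secondary user store.
    """
    if user_store_domain:
        return f"{user_store_domain}/{username}"
    return username


def build_token_request(consumer_key, consumer_secret, username, password,
                        user_store_domain=None):
    """Return (headers, body) for the password grant call shown in the question.

    The Authorization header is base64(key:secret) as the question states, and the
    body is application/x-www-form-urlencoded, so the '/' in the qualified
    username is sent as %2F.
    """
    credentials = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {credentials}",
    }
    body = urlencode({
        "grant_type": "password",
        "username": qualified_username(username, user_store_domain),
        "password": password,
    })
    return headers, body


def username_in_body(body):
    """Decode the form body and return the username field, for checking what was actually sent."""
    return parse_qs(body)["username"][0]


if __name__ == "__main__":
    # Constructed credentials for the GUI_APP application from the question.
    hdrs, form = build_token_request("abc", "secret", "user1", "pw-placeholder", "opera")
    print("POST", TOKEN_URL)
    print(hdrs)
    print(form)  # username=opera%2Fuser1 is the secondary-store user the question wanted
```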

Wso2 Identity Server 5.8.0: custom claim attribute in Create User by Scim service

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, from my web client application, I invoke the /scim2/Users service to create a new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could cause custom attributes not to be updated via the scim2/Users endpoint.
Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the extending SCIM user claims doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
Updating the value by logging in to the management console and viewing the user profile there doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
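The second point in the answer above (an attribute that is not where the SCIM schema expects it is silently ignored) is easiest to see with a payload check. The example below is added here and is not part of the answer or of WSO2's code: it builds a SCIM 2.0 create-user body that carries the custom attribute under an extension schema URN that is also declared in "schemas", and flags the two mistakes that make IS drop the value: a custom key placed at the top level, and an extension object whose URN is missing from "schemas". It assumes the custom attribute was added to the enterprise extension (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) as the linked doc describes; if your deployment uses a different extension URN, pass it in. All user values are constructed.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed extension URN for the custom attribute (see lead-in).
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Top-level attribute names defined by the SCIM 2.0 core User schema (RFC 7643)
# plus the common request/response fields; anything else at the top level is
# not a core attribute and is ignored by the server.
KNOWN_CORE_ATTRIBUTES = {
    "schemas", "id", "externalId", "meta", "userName", "password", "name",
    "displayName", "nickName", "profileUrl", "title", "userType",
    "preferredLanguage", "locale", "timezone", "active", "emails",
    "phoneNumbers", "ims", "photos", "addresses", "groups", "entitlements",
    "roles", "x509Certificates",
}


def build_scim2_user(user_name, password, given_name, family_name, email,
                     extension_attrs, extension_schema=ENTERPRISE_EXT):
    """Return a create-user body with custom attributes under the extension schema.

    The extension URN is declared in "schemas" and used as the key of the object
    that holds the custom values, which is the format IS expects.
    """
    return {
        "schemas": [CORE_USER, extension_schema],
        "userName": user_name,
        "password": password,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        extension_schema: dict(extension_attrs),
    }


def misplaced_attributes(payload):
    """Top-level keys that are neither core attributes nor schema URNs.

    A custom attribute written here (e.g. "XXX": "value" next to "userName")
    is exactly the case the answer describes: it is ignored, not rejected.
    """
    return sorted(k for k in payload
                  if k not in KNOWN_CORE_ATTRIBUTES and not k.startswith("urn:"))


def undeclared_extensions(payload):
    """Extension objects present in the body whose URN is not listed in "schemas"."""
    declared = set(payload.get("schemas", []))
    return sorted(k for k in payload if k.startswith("urn:") and k not in declared)


def payload_problems(payload):
    """Combined check; an empty list means the body is well-formed for IS."""
    problems = [f"top-level attribute will be ignored: {k}" for k in misplaced_attributes(payload)]
    problems += [f"extension not declared in schemas: {k}" for k in undeclared_extensions(payload)]
    return problems


if __name__ == "__main__":
    # Constructed user; "XXX" stands for the custom attribute from the question.
    good = build_scim2_user("kim", "pw-placeholder", "Kim", "Lee", "kim@example.test", {"XXX": "custom-value"})
    print(json.dumps(good, indent=2))
    print("problems:", payload_problems(good))
    bad = {"schemas": [CORE_USER], "userName": "kim", "XXX": "custom-value"}
    print("problems:", payload_problems(bad))
```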

WSO2-IS how to retrieve tenant domain from JWT token?

I need a way to put the tenant domain info in the JWT token (like a claim).
I have to retrieve it in my Java application.
I believe you are talking about the ID Token of the OpenID Connect spec.
The easier way to achieve this is to tick the Use tenant domain in local subject identifier option in your Service Provider application's Local and outbound configurations section. This will append the tenant domain to the end of the username in the sub field of the ID token as below. (Your Java application can process that to extract the tenant domain.)
"sub": "admin#carbon.super"
If you don't like that approach, you might want to write a custom ID token builder extending the default one, defined in the identity.xml file as <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
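The first approach in the answer above, read from the consuming side, as an added example (not part of the answer, and written in Python rather than the asker's Java so the steps are explicit): decode the ID token payload, take the sub claim, and split it into user store, username and tenant domain. The separator between username and tenant domain is a parameter whose default is the "#" shown in the answer's sample sub; pass whatever your deployment emits. The token is constructed inline with a placeholder signature, and the decoder deliberately does not verify it: in an application you must first verify the RS256 signature against the Identity Server's JWKS and check iss/aud/exp, and only then trust sub.

```python
import base64
import json


def _b64url_decode(segment):
    """Base64url decode with the padding JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_unverified_payload(id_token):
    """Return the payload claims of a compact JWT without checking the signature.

    Only suitable for inspection; verify the signature before acting on claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def split_subject(sub, tenant_sep="#", store_sep="/"):
    """Split '[USERSTORE/]username[<tenant_sep>tenant]' into its three parts.

    Returns (user_store, username, tenant_domain); missing parts are None.
    The tenant separator defaults to the '#' shown in the answer's sample sub.
    """
    user_part, sep, tenant = sub.rpartition(tenant_sep)
    if not sep:
        user_part, tenant = sub, None
    store, sep2, username = user_part.rpartition(store_sep)
    if not sep2:
        store, username = None, user_part
    return store, username, tenant


def tenant_domain_from_id_token(id_token, tenant_sep="#"):
    """Convenience wrapper: tenant domain from the sub claim, or None if absent."""
    return split_subject(decode_unverified_payload(id_token)["sub"], tenant_sep)[2]


# Constructed sample ID token: header and claims are made up here, and the
# signature segment is a placeholder, not a real RS256 signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "sub": "admin#carbon.super",
        "iss": "https://is.example.test:9443/oauth2/token",
        "aud": "client-id-placeholder",
    }).encode()),
    _b64url_encode(b"signature-placeholder"),
])


if __name__ == "__main__":
    claims = decode_unverified_payload(SAMPLE_ID_TOKEN)
    print("sub:", claims["sub"])
    print("store/user/tenant:", split_subject(claims["sub"]))
```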

WSO2 SCIM2.0 API GET USERS empty result

I have configured an LDAP read-only user store and I can see the users from this user store when using the admin panel.
But when I try to call the SCIM 2.0 API to get users, I always get an empty result. What might be the problem?
Request:
GET https://wso2:9443/scim2/Users/?domain=mydomain
Response:
{
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}
Enable SCIM for the user store
First of all, please make sure that you have enabled SCIM for that user store. By default, SCIM is not enabled for a ReadOnly LDAP user store. By adding the following config to the deployment.toml file, you can enable SCIM.
[user_store]
scim_enabled = true
If the issue still persists after adding the above config, verify the following claim mapping.
Configure a mapped attribute for the User ID claim.
For SCIM, we need a unique ID for each user to identify them separately. When you create users from WSO2 IS on a SCIM-enabled user store, we create a random ID for the new users and store it in the "http://wso2.org/claims/userid" claim, which is mapped to the "scimId" attribute.
I presume that you have plugged in a read-only LDAP user store with an existing set of users. So you may not have values for the "scimId" attribute on this particular user store. That may be the root cause of this issue: these users might not have the scimId, hence do not have any unique User ID.
Verify
Go to Claims > List > "http://wso2.org/claims".
Go to the edit view of the claim named "User ID" and enable Supported by Default for this claim.
Now go to the list users page and view the profile of a user who belongs to the LDAP user store.
Please check whether the "User ID" attribute has a value or not.
Optionally, you can check whether there are any values mapped for "http://wso2.org/claims/userid" directly on the ReadOnly LDAP side.
If you have the above issue (there is no mapped attribute for the "http://wso2.org/claims/userid" claim):
Solution
Find an attribute that is unique among the existing users in the ReadOnly LDAP user store.
You can go to the above-mentioned claim edit page and click on "Add Attribute Mapping" under "Mapped Attribute (s)*".
Then select the user store domain, enter the unique attribute name and update.
Check whether the User ID attribute of the user profile is now non-empty.
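Picking the attribute to map to "http://wso2.org/claims/userid" is the one step above that the console cannot do for you: it must be present on every existing LDAP user and never repeat, or the users without it (or with a duplicate) stay invisible to SCIM. The following is an added example, not part of the answer or of WSO2, that runs that check over user entries exported from the directory. The entries here are constructed samples; in practice you would feed it the output of an ldapsearch over your user base.

```python
# Constructed sample entries, shaped like what a read-only LDAP user store
# holds (attribute name -> value). Not real directory data.
SAMPLE_ENTRIES = [
    {"uid": "kim", "cn": "Kim Lee", "mail": "kim@example.test", "employeeNumber": "1001", "department": "sales"},
    {"uid": "sam", "cn": "Sam Roe", "mail": "sam@example.test", "employeeNumber": "1002", "department": "sales"},
    {"uid": "alex", "cn": "Alex Roe", "employeeNumber": "1003", "department": "ops"},  # no mail attribute
]


def candidate_userid_attributes(entries):
    """Attributes that can safely back the User ID claim.

    An attribute qualifies only if every entry carries a non-empty value for it
    and all those values are distinct; either failure would leave some users
    without a usable SCIM id.
    """
    if not entries:
        return []
    common = set.intersection(*(set(e) for e in entries))
    candidates = []
    for attr in sorted(common):
        values = [e.get(attr) for e in entries]
        if any(v in (None, "") for v in values):
            continue
        if len(set(values)) == len(values):
            candidates.append(attr)
    return candidates


def entries_without(entries, attr, key="uid"):
    """Identify (by `key`) the entries that lack a value for `attr`.

    These are the users a SCIM GET would silently drop if `attr` were mapped
    to the User ID claim.
    """
    return [e.get(key, f"#{i}") for i, e in enumerate(entries) if not e.get(attr)]


def duplicated_values(entries, attr):
    """Values of `attr` shared by more than one entry (sorted), for a second look at 'unique'."""
    seen, dups = {}, set()
    for e in entries:
        v = e.get(attr)
        if v in (None, ""):
            continue
        if v in seen:
            dups.add(v)
        seen[v] = True
    return sorted(dups)


if __name__ == "__main__":
    print("usable for User ID:", candidate_userid_attributes(SAMPLE_ENTRIES))
    print("users without mail:", entries_without(SAMPLE_ENTRIES, "mail"))
    print("duplicate departments:", duplicated_values(SAMPLE_ENTRIES, "department"))
```

In the sample, uid, cn and employeeNumber all qualify, mail does not (one user has none) and department does not (shared values); of the qualifying ones, prefer the attribute the directory itself treats as immutable, since a User ID that changes when someone is renamed breaks every reference held by SCIM clients.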

How to include additional attributes in the SCIM responses using WSO2 charon?

I'm using WSO2 5.1. The SCIM GET requests to retrieve users return responses that contain only a small number of attributes. How do I make it return additional attributes?
The documentation for the GET user request on WSO2's SCIM API page says "The response consists of all attributes that were sent." This doesn't make sense - how do you send attributes with this GET request?
Turns out, all attributes (or all LDAP attributes that are mapped to SCIM claims) will be returned ONLY IF the GET request filters by the user's SCIM ID (the guid string). I was doing a GET request using a filter on externalId which is why it didn't return all attributes.