WSO2 Identity Server - secondary custom user store - wso2-identity-server

We created a secondary user store based on:
org.wso2.sample.user.store.manager.CustomUserStoreManager
but when trying to login to:
/authenticationendpoint/login.do?client_id=...
this secondary store is not hit; the search for users is not happening there, but only in the primary store defined in:
user-mgt.xml.
The XML necessary for the user store is correctly generated in
\repository\deployment\server\userstores folder.
What can be the problem?
Thank you!

The problem was due to the connection with an internal service, which returned an error.

Related

Wso2 Identity Server 5.8.0: custom claim attribute in Create User by Scim service

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke the /scim2/Users service to create a new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could cause custom attributes not to be updated via the scim2/Users endpoint.
1. Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the "Extending SCIM 2.0 User Schemas" doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
2. If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
3. Updating the value by logging in to the management console and viewing the user profile there doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
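The payload shape the second point refers to, as an added example that is not part of the thread: a helper that places a custom attribute under the extension schema it is mapped to and lists that schema, a check that reports the ways a mis-placed attribute would be silently ignored, and a reader for the GET response. The enterprise extension URN is the one the IS 5.8.0 doc uses; which URN your claim is actually mapped to is an assumption you must confirm against your own claim configuration.

```python
# RFC 7643 schema URIs. Which extension URN a custom claim is mapped to
# depends on the deployment's claim configuration (assumption: the
# enterprise extension, as in the IS 5.8.0 "Extending SCIM 2.0 User Schemas" doc).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def build_create_user_payload(username, password, custom_attrs, ext=ENTERPRISE_EXT):
    """Build a POST /scim2/Users body that carries custom attributes nested
    under the extension schema object and lists that schema in 'schemas'."""
    return {
        "schemas": [CORE_USER, ext],
        "userName": username,
        "password": password,
        ext: dict(custom_attrs),
    }


def find_payload_problems(payload, attr, ext=ENTERPRISE_EXT):
    """Return the reasons a custom attribute in this body would be ignored.
    An empty list means the attribute sits where the server looks for it."""
    problems = []
    if ext not in payload.get("schemas", []):
        problems.append(f"extension schema {ext} is not listed in 'schemas'")
    ext_block = payload.get(ext)
    if not isinstance(ext_block, dict) or attr not in ext_block:
        problems.append(f"{attr} is not nested under the {ext} object")
    if attr in payload:
        problems.append(f"{attr} appears at the top level, where it is not a core attribute")
    return problems


def extension_attr(response_json, attr, ext=ENTERPRISE_EXT):
    """Read a custom attribute back from a GET /scim2/Users/{id} response.
    None means either the claim mapping or the create payload was wrong."""
    return response_json.get(ext, {}).get(attr)
```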

Error in WSO2 claims configuration with LDAP(Active directory)

We have done WSO2 IS configurations with multiple LDAPs for multiple clients successfully before. This time, with a new client, we are getting an error as shown in the image: "Error occured while getting all user claims for ... in carbon.super."
The case is that we have created a service and mapped custom claims to LDAP. The issue is with a field mapped to the http://wso2.org/claims/role attribute. If we remove this attribute from the custom claims, the error goes away.
But we are using roles in business logic (internal roles created in WSO2), which we get as null if we remove this attribute.
We want to know the solution. Is there some change required on the LDAP side? Or how can we get the roles without mapping them as a claim with LDAP?

Limit concurrent sessions per user in WSO2IS

We are using WSO2 IS as our enterprise identity platform. One of our tenants must restrict the number of concurrent sessions per user for security reasons.
The expected behaviour is the following: when a user logs in, if he/she already has logged in previously and the session is still valid, the new session must overwrite the previous one, so the login ends ok and he/she gets logged out from the first device/browser. Summing up: the new session always invalidates the old one.
I've been researching sites like this or http://soasecurity.org/ searching for answers, but I couldn't find any.
I think that I need to store the WSO2 IS session id (the one that comes in the commonauthId cookie and gets stored in session cache/persistence store) in the user store, so I can check what's the current user session and log out the user if the cookie id and the store id don't match. But there are two main concerns:
Where do I store the user session id? My main user store is LDAP, but I'd like to avoid one extra attribute there, because it's shared with many other applications and promoting changes like this could be difficult for many reasons. Is there any way to put this data into a secondary store?
What's the most appropriate extension point in WSO2 IS to add code for storing the session id in a user store? I've been looking through the authentication framework and found that the method concludeFlow in the DefaultAuthenticationRequestHandler class is where new sessions are created when there isn't a previously cached one available. It seems a bit "tricky" to extend that method, but I couldn't find a better solution. Maybe you can customize the authenticator or the user store, but I think that's not a good point of extension inside the authentication flow, because the new sessions are created later, in the request handler.
Thanks in advance.
The WSO2 Identity Server actually doesn't care about the number of open sessions. IMHO the identity server is not the best enforcement point at which to check for open sessions. Once the user is already logged in, you don't have much control over the framework and the user assertions (or an OAuth token) are returned.
Where do I store the user session id?
If you enable the session persistence, the session information (user session, saml SP sessions, ...) are stored in the database. However - it is intended for internal use. If the user logs out or closes the browser, the records may be still there. There's no information about the user web session.
Just a hint - we've used a VPN proxy (Juniper SA as SP) and WSO2IS as IdP to enforce a unique user session (for a new session the old one is invalidated).
Have fun

How to check .AspNet.ApplicationCookie in application

I am developing an application in which users log in using different identity providers. The OWIN middleware creates the .AspNet.ApplicationCookie. I want to check whether it exists and whether it contains some data. How can I do this?
This cookie is encrypted by OWIN and is not easily accessible as raw cookie data. However, you can check if the user is logged in via HttpContext.Current.User.Identity.IsAuthenticated, or just via User.Identity.IsAuthenticated if you are executing this in a controller or a view.
If you put claims in (that is the best way to add data into the cookie), you can check the list of claims for the currently logged-in user via ((ClaimsPrincipal)HttpContext.Current.User).Claims - this is basically a key-value list of strings. The name of the identity provider will be stored there as well.

WSO2 get SAML attributes of different entries in Active Directory

I maybe have a stupid question concerning WSO2 and SAML attributes.
I have written a Service Provider which makes it possible to log in via WSO2.
With the login response / authentication response, I get all SAML attributes which are defined in WSO2 as claims (the attributes come from Active Directory).
Once logged in, with an "org.opensaml.saml2.core.AuthnRequest", the SAML attributes of the logged-in user can be retrieved from WSO2 once again - for any reason.
This all works fine.
Now, I would need attributes of other persons (not the logged-in one) in the Active Directory.
Therefore my question would be: is it possible to retrieve attributes of persons other than the logged-in one from Active Directory via WSO2 and SAML, without those other persons logging in?
The reason is that I have different AD groups (each contains different person information) and I want to show the attributes of the persons in my Service Provider.
Thanks a lot for your answers and help.
All the best and thanks.
Yes, you can do that. You can use the SOAP service https://host:port/services/RemoteUserStoreManagerService
HideAdminServiceWSDLs must be set to false - thanks a lot!!