WSO2 IS Claims configuration from secondary store - wso2

I'm using WSO2 Identity Server 5.10.0 configured to use ActiveDirectory as the UserStore.
I don't have the opportunity to add custom properties to the ActiveDirectory, so I'm facing several issues in claims configuration.
To solve the issue I was thinking to use ActiveDirectory as the primary UserStore and configure WSO2 claims to be stored and retrieved from a secondary user store (a JDBC user store).
I configured everything I needed but I can't make it work. When I start the WSO2 IS, it complains because it can't find mapped claims.
More exactly I have:
system error while authenticating/authorizing user : cannot find suitable mapped attribute for local claim http://wso2.org/claims/userid
Once I solve userid, it gives me other claims until I return all of them to the primary user store.
I'm wondering if my idea is feasible. If I can select from where to take claims, why do I get this kind of error?

Actually, configuring the Active Directory as the primary userstore will not make any difference when it comes to attribute mappings, because all the userstores in the system should have correct mapped attributes for this meta claim set and for the other claims which are marked as "Supported by Default".
The solution would be updating the mapped attributes for local claims with correct existing attributes from your Active Directory. If you have multiple userstores, you can have different mapped attributes for each userstore domain. Refer to this document for more info.
You may find a list of mandatory meta claims for which we must have correct mappings to create users in this document.

Related

How do you configure custom claim attributes for username recovery in wso2?

According to WSO2 documentation (https://docs.wso2.com/display/IS570/Username+Recovery) we can add additional attributes to the Username Recovery. I have selected an attribute and it displays on the Username Recovery form, but it does not appear to be used in the search filter to find the account.
The only field that it appears to use properly is email. Unfortunately, I need to include an additional attribute to distinguish between accounts.
What am I missing to get this to work?
If you are using WSO2 Identity Server 5.7, it is a reported issue [1]. It has been fixed in IS 5.9 onwards. You can patch the fix by applying the changes in [2] to get it to work in IS 5.7.
[1] https://github.com/wso2/product-is/issues/6158
[2] https://github.com/wso2/carbon-identity-framework/pull/2380

WSO2 IS Secondary userstore from ldap explorer

I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores and connect an application to the WSO2 IS LDAP?
The aim is to have several user stores merged in just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation [1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes, you can add multiple user stores to Identity Server and let the applications from outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
May I use some specific configuration to connect to the LDAP so I can see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory, your application could use the WSO2 IS API to access user information (with the realm prefix, so a user identity is userstore_realm\username).
But as is already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged in just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, secondary userstore, ...), the user could be provisioned (imported) into the primary userstore.
Though it is possible, I won't recommend this approach as you will have duplicates out of control (e.g. when resetting the password).

Is it possible to generate dynamic claims based on attributes using WSO2 Identity Server?

I'm using WSO2 Identity Server 5.3.0 and several LDAP user stores.
I need to integrate AWS as a service provider and WSO2 IS as identity provider.
The situation is: I have lots of users stored in the user stores and some of them have specific roles that should be allowed to log in to the AWS service. So far I don't have the possibility to alter / update the current user stores.
That's why I'm trying to figure out a way to populate / generate / translate / calculate the value of a claim based on an already stored attribute in the user store.
I have a sort of table with the groups (coming from LDAP's memberOf attribute) a user could belong to and their equivalences to AWS attributes that should be stored in specific claims in order for AWS to allow that user to enter certain services.
The end user is willing to solve this situation within the WSO2 IS component without altering the stores' content.
I'm wondering if the only way to do this is writing a custom User Store Manager or a custom Claim Handler [1] to deal with this particular situation, or whether there is a more standard way to accomplish this.
I will appreciate any input, thanks in advance.
[1] http://pushpalankajaya.blogspot.ca/2014/07/adding-custom-claims-to-saml-response.html
I think Claim Handler is the right place to implement your logic. You can find a sample in https://github.com/mefarazath/CustomClaimHandler
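As an added illustration (not code from the original post, nor from the linked sample project), a Claim Handler in the style the answer suggests, deriving the AWS SAML role claim from the LDAP groups already stored for the user instead of writing anything to the user store. It assumes the IS 5.x DefaultClaimHandler API, that memberOf is mapped to the local claim http://wso2.org/claims/groups, a ";;" multi-attribute separator, and placeholder account and provider ARNs; the AWS service provider's claim configuration still has to request the two AWS attributes.

```java
import java.util.HashMap;
import java.util.Map;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler;

// Derives the AWS SAML role claim from stored LDAP groups; nothing is written back to the user store.
public class GroupToAwsRoleClaimHandler extends DefaultClaimHandler {
    // Local claim the LDAP memberOf attribute is mapped to (assumed mapping).
    private static final String GROUPS_CLAIM = "http://wso2.org/claims/groups";
    // Attribute names AWS expects in the SAML assertion.
    private static final String AWS_ROLE_CLAIM = "https://aws.amazon.com/SAML/Attributes/Role";
    private static final String AWS_SESSION_CLAIM = "https://aws.amazon.com/SAML/Attributes/RoleSessionName";
    // Multi-valued separator: group DNs contain commas, so the user store's default "," must be changed
    // (MultiAttributeSeparator user store property); ";;" is assumed here.
    private static final String SEPARATOR = ";;";
    // Equivalence table, group DN -> "role ARN,saml-provider ARN" (placeholder values).
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("CN=aws-admins,OU=Groups,DC=example,DC=com",
                "arn:aws:iam::ACCOUNT_ID:role/Admins,arn:aws:iam::ACCOUNT_ID:saml-provider/WSO2IS");
        GROUP_TO_ROLE.put("CN=aws-readonly,OU=Groups,DC=example,DC=com",
                "arn:aws:iam::ACCOUNT_ID:role/ReadOnly,arn:aws:iam::ACCOUNT_ID:saml-provider/WSO2IS");
    }

    @Override
    public Map<String, String> handleClaimMappings(StepConfig stepConfig, AuthenticationContext context,
            Map<String, String> remoteAttributes, boolean isFederatedClaims) throws FrameworkException {
        // Let the default handler resolve the attributes stored for the user first; copy so we can add to it.
        Map<String, String> claims = new HashMap<String, String>(
                super.handleClaimMappings(stepConfig, context, remoteAttributes, isFederatedClaims));
        String groups = claims.get(GROUPS_CLAIM);
        if (groups == null || groups.isEmpty()) {
            return claims;  // no groups stored: the user gets no AWS role
        }
        StringBuilder roles = new StringBuilder();
        for (String group : groups.split(java.util.regex.Pattern.quote(SEPARATOR))) {
            String role = GROUP_TO_ROLE.get(group.trim());
            if (role == null) {
                continue;  // group with no AWS equivalence: ignored
            }
            if (roles.length() > 0) roles.append(SEPARATOR);
            roles.append(role);
        }
        if (roles.length() > 0) {
            claims.put(AWS_ROLE_CLAIM, roles.toString());
            claims.put(AWS_SESSION_CLAIM, context.getSubject().getUserName());
        }
        return claims;
    }
}
```

Users whose groups have no entry in the table receive no Role attribute, so AWS refuses them by default rather than the handler having to deny explicitly.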

Claims management in wso2 is troubleshoot

I am experiencing a problem with WSO2 Identity Server (version 4.5.0) regarding some new claims (attributes) I have added. Specifically, I have added new attributes in http://wso2.org/claims, but when I try to populate the corresponding fields in the user profiles, the following message appears:
Error while updating user profile of User. Error is: One or more attributes you are trying to add/update are not supported by underlying LDAP.
Any ideas?
Thank you in advance.
M
This can be because you have added a claim mapping which is not supported by the underlying user store (LDAP). When you are adding a claim, you need to provide a claim mapping attribute. It is the mapped attribute in your LDAP user store. If there is no such attribute in the LDAP user store, this error can occur. (Please note that the claim management component would not add a new attribute to the user store. It would map to the existing attributes in the LDAP user store.)
I just would like to piggyback off of Aslea's and Maria's answers and add onto them. If you'd like to know what mapped claims you can use, you can find out about them in this link. And if you'd like to add custom attributes directly to the LDAP server, please refer to this link.

WSO2 IS cannot add new profile from User Profile Management

When I go to "My Identity -> My Profiles", it does not give me the option to Add New Profile (as seen on the documentation for User Profile Management), but I can only edit the default profile.
I am using an external MySQL server as the JDBC user store, and creation and editing of users works fine.
I did not find any parameter in the xml files to enable this multiple profile feature. How should I proceed?
Thanks.
Yes. I also found the same. Adding multiple profiles for a user has been removed from the UI. But with a JDBC user store, I guess, we can add this using the web service API. The following is the API:
https://{ip}:{port}/services/UserProfileMgtService?wsdl