Custom G-Suite User Attributes - google-admin-sdk

I'm wondering if it's possible, and how we would set custom attributes with a default value in G-Suite which automatically get populated when we set up a new user?
I can batch update in the GAM tool, however this is an extra step which I want to try and automate.
gam update user [EMAIL HERE] PF_Talent_Management.TMIdpId_Live peoplefluent-prod

With GAM you can create the user and its custom attribute at the same time:
gam create user <email address>
[schemaname.fieldname <fieldvalue>]
[schemaname.multivaluefieldname multivalued <fieldvalue>]
Check this URL for more info:
https://github.com/jay0lee/GAM/wiki/GAM3DirectoryCommands#setting-custom-user-schema-fields-at-create-or-update
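The same thing done through the Admin SDK Directory API rather than the GAM CLI, as an added example (not code from the question, GAM, or Google): the custom schema field is sent in the users.insert body so every new user gets the default value at creation time. The schema, field and value are the ones from the question; the `service` object is assumed to be an authorised `googleapiclient` Directory client built elsewhere.

```python
from typing import Any, Dict, List, Union

# Default custom attributes every new user should receive (constructed from
# the schema/field/value the question batch-updates with GAM).
DEFAULT_CUSTOM_ATTRS: Dict[str, Dict[str, Union[str, List[str]]]] = {
    "PF_Talent_Management": {"TMIdpId_Live": "peoplefluent-prod"},
}


def build_user_body(primary_email: str, given_name: str, family_name: str,
                    password: str,
                    custom_attrs: Dict[str, Dict[str, Union[str, List[str]]]]
                    = DEFAULT_CUSTOM_ATTRS) -> Dict[str, Any]:
    """Return the JSON body for Directory API users.insert.

    Single-valued fields are sent as plain strings; multi-valued fields
    (GAM's 'multivalued' form) are sent as a list of {"value": ...} objects,
    which is the customSchemas representation the Directory API uses.
    """
    schemas: Dict[str, Dict[str, Any]] = {}
    for schema, fields in custom_attrs.items():
        schemas[schema] = {}
        for field, value in fields.items():
            if isinstance(value, list):
                schemas[schema][field] = [{"value": v} for v in value]
            else:
                schemas[schema][field] = value
    return {
        "primaryEmail": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        "password": password,
        # Force a reset so the provisioning password is never a long-lived one.
        "changePasswordAtNextLogin": True,
        "customSchemas": schemas,
    }


def create_user(service: Any, body: Dict[str, Any]) -> Dict[str, Any]:
    """Call users.insert with an authorised Directory API service.

    `service` is assumed to come from googleapiclient.discovery.build(
    "admin", "directory_v1", credentials=...) using a credential that holds
    the admin.directory.user scope; building it is outside this example.
    """
    return service.users().insert(body=body).execute()
```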

Related

How to send OTP to a user in a custom userstore (the database has only one table)

I have made a custom userstore by overriding the UniqueIDJDBCUserStoreManager class, based on this article https://nishothan-17.medium.com/custom-user-store-manager-for-wso2-identity-server-5-11-0-6e23a4ddf1bb . My database has one table which has the username, password, email, name, and phone number.
I was able to authenticate successfully. However, I am unable to send the OTP to the user's phone number. Can anyone please guide me on how to send OTP to the user? Which properties do I have to set or override? Any help would be highly appreciated.
I could not find any documentation on this so far.
In order to send the SMS OTP to the user, there should be a valid mobile number in the user's profile.
For that you need to update the mobile claim's mapped attribute accordingly.
Refer to https://is.docs.wso2.com/en/latest/guides/dialects/edit-claim-mapping/ and go to mobile claim configs. Then update the mapped attributes section.
If you connect the custom userstore as your PRIMARY userstore, change the Mapped Attribute to the DB table's column name(phone number as per the question) respective to the PRIMARY userstore domain.
If you are connecting this custom userstore as a secondary userstore, add another mapped attribute for the secondary userstore domain and put the DB table's column name.
NOTE: Since you have only one table in the userstore and the mobile number is available as a column in that table, I mentioned using that column name as the mapped attribute. Then you have to add additional DB queries under advanced configurations to retrieve that data from the DB.
Then, you have to override the public Map<String, String> getUserPropertyValuesWithID(String userID, String[] propertyNames, String profileName) throws UserStoreException method in your custom userstore manager. You have to invoke your custom DB query inside this overridden method to retrieve the user attributes.
Here is the reference to the default UniqueIDJDBCUserStoreManager's method implementation:
https://github.com/wso2/carbon-kernel/blob/09b67404ec8f4dc2e19d0d730f33c91441c1c63b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L437
Once the http://wso2.org/claims/mobile claim value of the user is requested in the SMS OTP flow, the AbstractUserStoreManager resolves the mapped attribute of the claim and hands it over to the relevant userstore manager to resolve the property value.
I guess you are referring to the SMS-OTP as a second factor authentication. You can refer to this document [1].
And do you have any error trace to see if there are any specific issues to fix?
Refer:
[1] https://is.docs.wso2.com/en/latest/guides/mfa/2fa-sms-otp/

WSO2 Identity Server 5.8.0: custom claim attribute in Create User by SCIM service

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke /scim2/Users service to create new user inside IDS.
I successfully create user with correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could cause custom attributes not to be updated via the scim2/Users endpoint.
Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the extending SCIM user claims doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in it. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
Updating the value by logging in to the management console and viewing the user profile there does not involve the SCIM APIs; you are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
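The "expected format" point above, as an added example (not code from the answer or from WSO2): a SCIM 2.0 create-user body carries a custom attribute inside an extension schema that is also listed in `schemas`, and a small check flags the two mistakes that make IS silently drop the attribute (custom attribute placed at the top level, or extension URN used without being declared). `EXTENSION_URN` is an assumption: use whichever dialect URN your deployment maps the custom local claim to.

```python
from typing import Any, Dict, List

CORE_USER_URN = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed extension URN; substitute the one your claim mapping uses.
EXTENSION_URN = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Core User attributes that may legitimately sit at the top level of the body.
CORE_ATTRS = {
    "userName", "password", "name", "emails", "phoneNumbers", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage",
    "locale", "timezone", "active", "addresses", "groups", "roles",
    "externalId", "meta", "id",
}


def build_scim_user(username: str, password: str, email: str,
                    custom_attrs: Dict[str, Any],
                    extension_urn: str = EXTENSION_URN) -> Dict[str, Any]:
    """Return the body for POST /scim2/Users with custom_attrs under the extension."""
    return {
        "schemas": [CORE_USER_URN, extension_urn],
        "userName": username,
        "password": password,
        "emails": [{"primary": True, "value": email}],
        extension_urn: dict(custom_attrs),  # custom claim(s) live here, not top level
    }


def check_payload(payload: Dict[str, Any]) -> List[str]:
    """Return the top-level keys IS would ignore.

    A key is reported when it is neither a core User attribute nor a schema
    URN declared in 'schemas'. A misplaced custom attribute ("XXX" at top
    level) and an undeclared extension URN are both caught this way.
    """
    declared = set(payload.get("schemas", []))
    return [key for key in payload
            if key != "schemas" and key not in CORE_ATTRS and key not in declared]
```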

WSO2 SCIM2.0 API GET USERS empty result

I have configured ldap readonly user store and I can see the users from this US while using the admin panel.
But when I try to call the SCIM 2.0 API to get users, I always get an empty result. What might be the problem?
Request:
GET https://wso2:9443/scim2/Users/?domain=mydomain
Response:
{
"totalResults": 0,
"startIndex": 1,
"itemsPerPage": 0,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
Enable SCIM for the userstore
First of all, please make sure that you have enabled SCIM for that userstore. By default, SCIM is not enabled for the ReadOnly LDAP userstore. By adding the following config to the deployment.toml file, you can enable SCIM.
[user_store]
scim_enabled = true
If the issue still persists after adding the above config, verify the following claim mapping.
Configure a mapped attribute for User ID claim.
For SCIM, we need a unique ID for each user to identify separately. When you are creating users from WSO2 IS on a SCIM enabled userstore, we create a random ID for the new users and store in the "http://wso2.org/claims/userid" claim which is mapped to "scimId" attribute.
I presume that you have plugged in a read-only LDAP userstore with an existing set of users. So you may not have values for the "scimId" attribute on this particular user store. That may be the root cause of this issue: these users might not have the scimId, hence do not have any unique User ID.
Verify
Claims > List > "http://wso2.org/claims".
Go to the edit view of the claim named "User ID" and enable "Support by default" for this claim.
Now go to the list users page and view the profile of a user who belongs to the LDAP userstore
Please check whether the attribute "User ID" is having a value or not.
Optionally, you can check whether there are any values mapped for "http://wso2.org/claims/userid" directly from the ReadOnly LDAP side.
If you have the above issue (there is no mapped attribute for the "http://wso2.org/claims/userid" claim):
Solution
Find an attribute that is unique among the existing users in the ReadOnly LDAP user store.
You can go to the above-mentioned claim edit page and click on "Add Attribute Mapping" under "Mapped Attribute (s)*".
Then select the user store domain, enter the unique attribute name and update.
Check whether the User ID attribute of the user profile is now non-empty.

AWS Cognito: Google Login find the email address

Once the cognito-id is created for a user logging in via Google, how do I find the email id of the user?
As shown in the above picture, I can find the cognito-id, but couldn't find any other information that google could have supplied when the user logged in.
Any help is appreciated.
Thanks in advance,
First make sure you provide email in scopes. Usually the scope is defined as profile email openid.
Next you have to "Configure attribute mapping" which is on the bottom right of the "Identity providers" section. There you can map Google's email attribute to the Email attribute of the user pool.
You'd probably have to remove users from the pool that logged in prior to the additional configuration to properly fetch the attributes. You can do this by clicking on the google user in the user pool then click "Disable" then "Delete". For example, I couldn't see the picture attribute of a google user until I removed my user from the pool and logged in again.
You should now be able to see the email attribute (and the other properly configured attributes) when you click on the user. You should also be able to see these attributes when you decode the id_token and when you call the <AUTH_DOMAIN>/oauth2/userInfo endpoint.
Cognito leverages these tokens to sign in users, but doesn't store any additional metadata against the user. It doesn't track any of it, so you won't see it there. To do so, you'd need to grab it from Google during sign in, and either store it in Cognito sync or in an external datastore (e.g. a dynamo table keyed by identity id).

how to return user attributes in SAML response in WSO2 IS

I need to add the emailaddress which is stored in LDAP as part of the SAML Response. I read a few articles like http://sureshatt.blogspot.co.uk/2012/11/getting-user-claims-over-saml-sso-token.html
but could not get it working. I am using wso2 IS 5.0 version. Whenever I add the claim on the sp configuration save it and when I go back to the screen I could not find the claims that I added earlier. Please help.
Regards
Jay
In IS 5.0.0, the configurations have been changed. Therefore you need to do some more things to return the attribute.
First, please go to the user profile of the user and verify whether the LDAP attribute is properly displayed there. Then we can be sure that the claim mappings are fine.
In the SAML2 SSO SP configuration you need to enable the attribute profile: tick "Enable Attribute Profile". Also make sure to tick "Include Attributes in the Response Always". Then you do not want to send the consumer index in the SAML auth request.
Then please go to the SP configuration page and configure the attributes (claims) that you want to send to the SP.
It is better if you can go through this blog; it contains all the details on how you can configure it with IS 5.0.0.