I'm new to using WSO2 (currently using v 5.8.0).
I am trying to change the default claim dialect of WSO2 Carbon (http://wso2.org/claims) to a freshly created claim dialect.
When changing the dialect, I would like the "user Profile" to change accordingly.
I've already changed 2 lines in the config file "Identity.xml", but it doesn't seem to do anything:
AttributesClaimDialect
ConsumerDialectURI
The default User Profile looks like this
I would like the new one to only use the claims attributed in the new Dialect.
I really hope there is a way to do this, and avoid using the default Claim Dialect.
The http://wso2.org/claims is the default claim Dialect which is used by the WSO2 server for the user-related operations. This name will be hardcoded in the codebase. So it is not possible to change it.
If you want to change the "user Profile", let's say to show a new claim in the profile, you need to set that particular claim in http://wso2.org/claims as 'Supported by Default'.
Related
I created my own dialect using the management console Configure-->Claim Management. After doing this, I wanted to configure my Service Provider to be associated with these claims, so I edited my SP and went to the Claim Configuration section. The issue I am running into is the only Local Claim claims which show up are the default wso2 ones. So you only ever see ones starting with http://wso2.org/claims/.
With that said, I don't believe choosing Define Custom Claim Dialect is an appropriate alternative since I defined a dialect already. It would make zero sense to go and map that back to the default dialect, so I'm assuming this would not be the route.
Is there some configuration setting to list values from other defined dialects? Besides the one I created, there are quite a few that come OOB anyway. Is this a bug? I would assume my dialect along with all the other OOB ones would be Local Claim Dialects.
The Claims Management in the docs is just way too general to discern if there's some funny requirement. https://docs.wso2.com/display/IS500/Claim+Management
WSO2 Identity Server 5.0.0
I created a workaround, which works for my situation.
Once again, this is with IS 5.0.0. In my situation, no claims or dialects preconfigured fit my needs and I want my own special URIs defined ONLY.
So here's what I did:
In the Management Console, went to Configure-->Claim Management.
Edited the "http://wso2.org/claims" dialect.
Added each claim I wanted to this dialect. I was able to enter whatever URI I pleased, even though the dialect had a different URI (that's a good thing!) along with the property name I wanted it associated with. e.g., http://example.com/claims/claimname1
Then I went to configure the claims / attributes I wanted to be communicated to a particular Service Provider by editing its Claim Configuration...
Selected "Use Local Dialect".
For each claim I wanted to add, clicked "Add Claim URI" at "Request Claims", and selected a URI I created.
(OPTIONAL) I deleted all non-custom URIs in the "http://wso2.org/claims" dialect, because I found in my custom user store that getUserPropertyValues() was still getting passed every single claim attribute to resolve. It was trying to resolve more than 20 properties at every login. Some performance help! :)
I am using wso2 IS 4.5.0. I recently modified the standard policy editor so as to use a new attribute but the modification doesn't seem to work. Specifically, when I select the attribute and hit Search, the attribute finder returns the message:
No entitlement data finder module is defined for this category
Has anyone an idea on how to resolve this? Thanks in advance,
Maria
Yes, it is the expected behavior with the default implementation. Let me explain this further: attributes are retrieved to this UI page using pluggable entitlement data finder modules. These modules can be plugged into WSO2IS. Attribute sources can be databases, user stores or any... The default implementation only retrieves roles from the WSO2IS user store. But if you want more to show in this UI, you can do it by extending the default implementation. Please find the source for the default implementation here. This should help you get some idea.
I am working on wso2is4.6.
I am new to wso2is. Maybe this is a stupid question, but I am still blocked.
The first question: when there are multiple claim dialects in the system, which claim dialect will be used? Which conditions will make the system choose this dialect instead of another dialect?
The second question: I install wso2is4.6, and install apacheds 2.0 with default (no customization). Where can I find the corresponding claim mapping?
I know I need to correct the claim mapping, but I don't know how I can find the correct mapping. Can somebody provide a workable claim-mgt.xml based on wso2is4.6 and apache2.0?
Adding more info to Dulanja's answer,
Q1. WSO2 Identity Server internally always uses a claim dialect together with a claim URI to identify a unique claim. Different components use different dialects to get their claims. For example, when adding a new user using the management console, the relevant (user-manager) component would use the WSO2 default claim dialect mentioned above. Similarly, if you are doing SCIM-related operations, the relevant components will use the SCIM dialect.
Q2. As mentioned in Q1, makes the unique claim and where we store that claim's value can be configured in two ways.
i. You can use claim-config.xml in /repository/conf/ folder and you can edit claim-to-ldapAttribute mapping by changing <AttributeID> which is given under every element.
ii. Or you can change claim mappings at runtime using the Claim Management page in management console. Please refer [1] for more info.
[1] http://docs.wso2.org/display/IS460/Claim+Management
Thanks,
Question 1:
The default claim dialect of WSO2 products is http://wso2.org/claims. This is the underlying dialect of the User Profile view - currently you cannot change this to use a different dialect.
Other dialects are used in different scenarios. As an example, http://schema.openid.net/2007/05/claims is used when IS acts as an OpenID Provider. OpenID relying parties (clients) request attributes using the claim URIs specified under this dialect. Other examples are SAMLSSO and Passive-STS flows. In them you have the option to select the dialect that you want to use to send back the attributes to the client.
Question 2:
Are you facing a claim-mapping related problem with the new ApacheDS 2.0 LDAP? As far as I know, since WSO2 IS embedded LDAP is also based on ApacheDS, if you point (via user-mgt.xml) to such an LDAP the existing claim-mapping should work without any problem.
I am experiencing a problem with wso2 identity server (version 4.5.0) regarding some new claims (attributes) I have added. Specifically, I have added new attributes in http://wso2.org/claims but when I try to populate the corresponding fields to the user profiles, the following message appears:
Error while updating user profile of User. Error is: One or more attributes you are trying to add/update are not supported by underlying LDAP.
Any ideas?
Thank you in advance.
M
This can be because you have added a claim mapping which is not supported by the underlying user store (LDAP). When you are adding a claim, we need to provide a claim mapping attribute. It is the mapped attribute in your LDAP user store. If there is no such attribute in the LDAP user store, this error can occur. (Please note the claim management component would not add a new attribute to the user store. It would map to the existing attributes in the LDAP user store.)
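A pre-deployment check for the cause described in the answer above: each `<AttributeID>` in claim-config.xml has to name an attribute the LDAP user store already defines. This is an added example, not code from the original posts or from WSO2; the XML sample and the LDAP attribute list are constructed, and the element layout around `<AttributeID>` is an assumption based on the stock file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the claim-config.xml layout (assumed); not a real deployment file.
SAMPLE_CLAIM_CONFIG = """
<ClaimConfig>
  <Dialects>
    <Dialect dialectURI="http://wso2.org/claims">
      <Claim>
        <ClaimURI>http://wso2.org/claims/givenname</ClaimURI>
        <AttributeID>givenName</AttributeID>
        <DisplayOrder>1</DisplayOrder>
        <SupportedByDefault/>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/badgeid</ClaimURI>
        <AttributeID>badgeId</AttributeID>
        <DisplayOrder>2</DisplayOrder>
        <SupportedByDefault/>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/nickname</ClaimURI>
        <AttributeID>nickName</AttributeID>
      </Claim>
    </Dialect>
  </Dialects>
</ClaimConfig>
"""

# Constructed list of attribute names that the LDAP schema defines.
LDAP_ATTRIBUTES = {"givenName", "sn", "mail", "uid"}


def audit_claims(xml_text, ldap_attributes, dialect="http://wso2.org/claims"):
    """Return (profile claim URIs in DisplayOrder, {claim URI: AttributeID missing from LDAP})."""
    known = {a.lower() for a in ldap_attributes}  # LDAP attribute names are case-insensitive
    profile, unmapped = [], {}
    for d in ET.fromstring(xml_text).iter("Dialect"):
        if d.get("dialectURI") != dialect:
            continue
        for claim in d.findall("Claim"):
            uri = (claim.findtext("ClaimURI") or "").strip()
            attr = (claim.findtext("AttributeID") or "").strip()
            if attr.lower() not in known:
                unmapped[uri] = attr  # would trigger the "not supported by underlying LDAP" error
            if claim.find("SupportedByDefault") is not None:
                # Only claims flagged SupportedByDefault are shown in the user profile.
                profile.append((int(claim.findtext("DisplayOrder") or 0), uri))
    return [u for _, u in sorted(profile)], unmapped
```

On the constructed sample, `badgeid` is reported both as a profile field and as unmapped, which is the combination that fails when a profile is saved.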
I just would like to piggyback off of Aslea and Maria's answers and add onto them. If you'd like to know what mapped claims you can use, you can find out about them in this link. And if you'd like to add custom attributes directly to the LDAP server, please refer to this link.
I added a new user attribute to my LDAP schema, and configured user-mgt.xml to support the new custom ObjectClass.
Then I used the Claim Management UI, and managed to successfully set the new attribute to be displayed and Supported by default.
Now it all works: I checked that the new claim is correctly setup in the registry db, and whenever I edit a user profile I can view and edit the new custom attribute.
The question is: Can I set this straight up from some xml configuration file?
My problem is that even if I edit claim-config.xml and change the parameters to the corresponding claim in the http://wso2.org/claims dialect to be Supported, and give it a DisplayOrder, it has no effect.
I would like not to depend much on the GUI and registry status, but rather rely on configuration files.
Thanks
You cannot edit the claim-config.xml file to add new claims if the server has been started once. Only on the 1st startup would it populate all claims into the database (you can delete the database, edit the file and start, and then it would also populate). After that you can only edit or add them through the management console UI. However, if you know about Identity Server, all these UI functions have been exposed via a web service API. If you do not like the UI, you can do it by automating web service calls... Basically SOAPUI can be used for this purpose.