Expose custom claims in SCIM2 endpoints - WSO2 - wso2

I'm using WSO2 IS v5.7. I added a custom claim named "status" through Local Claims and added a respective External Claim too.
Local Claim:
External Claim:
WSO2 IS Portal: Shows the newly added claim namely Status
I triggered the SCIM2 endpoint https://localhost:9443/scim2/Users/ee02b02a-f601-4d7c-a34b-767a7bb4521f
But the newly created claim was missing in the response JSON data. I updated the value for the said claim through the WSO2 IS portal and it stored the value in the database table um_user_attribute as a key-value pair.
Kindly assist me with how to expose the locally created claims in SCIM2 endpoints.

Just adding the claim configuration is not enough to get a custom claim. You have to add it to the SCIM 2.0 User schema by modifying scim2-schema-extension.config; please refer to [1] for the exact steps, given there for SCIM 1.1.
[1] https://docs.wso2.com/display/IS570/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server

Related

WSO2 Identity Server 5.8.0: custom claim attribute in Create User by SCIM service

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke the /scim2/Users service to create a new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could be causing custom attributes not to be updated via the scim2/Users endpoint.
1. Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the Extending SCIM User Claims doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
2. If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
3. Updating the value by logging in to the management console and viewing the user profile through the management console doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
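The two answers above point at the same pair of mistakes: a custom attribute that is not wired into the schema extension file, and a request payload that puts the attribute somewhere WSO2 IS does not look. The Python below is an added example, not code from the posts or from WSO2; it lints a constructed stand-in for scim2-schema-extension.config (the entry layout, with string-valued flags and a space-separated "subAttributes" list, is what I recall of the real file; the "status" attribute is the hypothetical claim from the first question) and shapes a POST /scim2/Users body so the attribute sits under the extension URN.

```python
import json

# Schema URNs used by the SCIM2 user resource.
CORE_USER_URI = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_URI = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def attr(uri, name, data_type="string", sub_attributes="null"):
    """One entry in the shape scim2-schema-extension.config uses (flags are
    strings, "subAttributes" is a space-separated list or the string "null")."""
    return {
        "attributeURI": uri, "attributeName": name, "dataType": data_type,
        "multiValued": "false", "description": name + " (constructed example)",
        "required": "false", "caseExact": "false", "mutability": "readWrite",
        "returned": "default", "uniqueness": "none",
        "subAttributes": sub_attributes, "canonicalValues": [],
        "referenceTypes": ["external"],
    }


# Constructed stand-in for scim2-schema-extension.config; the real file carries
# many more attributes. "status" is the custom claim from the question.
SAMPLE_CONFIG = json.dumps([
    attr(ENTERPRISE_URI + ":employeeNumber", "employeeNumber"),
    attr(ENTERPRISE_URI + ":status", "status"),
    # The extension root must list every child in "subAttributes".
    attr(ENTERPRISE_URI, "EnterpriseUser", "complex", "employeeNumber status"),
])


def lint_extension_config(config_text):
    """Return the problems that make a custom attribute vanish from SCIM2 output:
    a child the root does not list, a listed child with no definition, and a
    child whose attributeURI is not "<parent URI>:<name>" ("." is accepted too,
    for sub-attributes of a complex attribute such as manager.value)."""
    entries = json.loads(config_text)
    by_name = {e["attributeName"]: e for e in entries}
    # The schema root is the entry whose URI prefixes the most other URIs.
    root = max(entries, key=lambda e: sum(
        o["attributeURI"].startswith(e["attributeURI"]) for o in entries))
    problems, reachable = [], {root["attributeName"]}
    for parent in entries:
        if parent["dataType"] != "complex" or parent["subAttributes"] == "null":
            continue
        for child in parent["subAttributes"].split():
            reachable.add(child)
            if child not in by_name:
                problems.append(f"{parent['attributeName']} lists '{child}' but it is not defined")
                continue
            allowed = {parent["attributeURI"] + sep + child for sep in (":", ".")}
            if by_name[child]["attributeURI"] not in allowed:
                problems.append(f"attributeURI of '{child}' does not extend {parent['attributeURI']}")
    for name in by_name:
        if name not in reachable:
            problems.append(f"'{name}' is defined but no parent lists it in subAttributes")
    return problems


def build_create_user_payload(user_name, password, custom_attrs, extension_uri=ENTERPRISE_URI):
    """Body for POST /scim2/Users with custom attributes where WSO2 IS expects
    them: under the object keyed by the extension URN, with that URN also
    listed in "schemas"."""
    return {
        "schemas": [CORE_USER_URI, extension_uri],
        "userName": user_name,
        "password": password,
        extension_uri: dict(custom_attrs),
    }


def misplaced_extension_attributes(payload, config_text, extension_uri=ENTERPRISE_URI):
    """Extension attributes placed at the top level of a payload, which is the
    'not in the expected format' case the answer describes."""
    ext_names = {e["attributeName"] for e in json.loads(config_text)
                 if e["attributeURI"].startswith(extension_uri + ":")}
    return sorted(name for name in payload if name in ext_names)


if __name__ == "__main__":
    print("config problems:", lint_extension_config(SAMPLE_CONFIG))
    body = build_create_user_payload("alice", "example-password", {"status": "active"})
    print(json.dumps(body, indent=2))
    print("misplaced:", misplaced_extension_attributes({"userName": "bob", "status": "x"}, SAMPLE_CONFIG))
```

Running the linter against the server's real scim2-schema-extension.config after an edit catches the usual slip of adding the attribute entry but forgetting to append its name to the extension root's subAttributes; the external claim mapping (extension URN + ":status" to the local claim) still has to be added in the claim configuration, which the file does not cover.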

WSO2 IS Custom claim dialect not passed to the Service Provider

I'm using WSO2 Identity Server version 5.10.
I'm facing a strange behaviour. I configured some external IdPs (SAML2 based).
I configured the claims returned by these IdPs with WSO2 IS local claims. For example, let's suppose that my external IdP returns these SAML attribute names: a, b and c. I configured the claims in this way:
External IdP claim configuration:
  Identity Provider Claim URI   Local Claim URI
  a                             http://wso2.org/address
  b                             http://wso2.org/givenname
  c                             http://wso2.org/lastname
Then I defined a custom claim dialect in this way; let's call it custom_claim_dialect. I defined my claim mapping in it in this way:
Custom claim dialect:
  Dialect URI            Claim URI   Mapped Local Claim
  custom_claim_dialect   a           http://wso2.org/address
  custom_claim_dialect   b           http://wso2.org/givenname
  custom_claim_dialect   c           http://wso2.org/lastname
Then I defined a Service Provider (Inbound configuration: SAML2 Web SSO) and I configured it to use these external IdPs.
In my Service Provider I configured my claims by adding the custom dialect, specifying it in Service Provider Claim Dialect.
Then I tried to access the Service Provider. All worked pretty well, but only the first time.
WSO2 IS asks me for consent for the claims and I can land on my authenticated page.
When I close the browser and clear cookies and try the access again, all works well (no consent prompt is shown by WSO2 IS) but when I land on my private page no attribute is contained in the SAML Response.
If I configure my Service Provider with WSO2 IS local claims, all works well.
Is this correct? Am I missing anything?
Thank you
Angelo
UPDATE
I'm pretty sure it's a kind of bug.
I debugged down to the class org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.
The method org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.handleClaimMappings(StepConfig, AuthenticationContext, Map<String, String>, boolean) returns the correct claims Map. In fact I printed the following log:
INFO {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning filtered claims {familyName=Surname, name=Example, dateOfBirth=1980-01-01, spidCode=ABCD123456789A, fiscalNumber=TINIT-SRNXPL80A41A662G, MultiAttributeSeparator=,} to SP mySP
At some point during the process WSO2 IS decides that this Map must not be used.
Any tip?
UPDATE 2
This picture shows how I configure my SP claims. As you can see, I'm using a defined custom claim. When I define a custom claim, I can't make claims mandatory.
Did you try making these claims mandatory on the IS SP side? Making claims mandatory will ensure that you always receive the claim for the applications.
If caching is the problem then you can try to JIT provision the user [1]. This way we can save the claims from the FIDP on the IS side. "Provision silently" is an easy option to check.
[1] https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/

WSO2 IS, user account enable/disable issue

Document ref: wso2Is520-link-here
I followed the same steps in this document to set up the account enable/disable property for users.
However, using the RemoteUserStoreManagerService SOAP service, it's not updating the claim:
http://wso2.org/claims/identity/accountDisabled
All other claims are updatable. Is it a known issue or am I missing something?
Are you using the setUserClaimValue?
The identity claims (which have claim URIs of the form "http://wso2.org/claims/identity/xxxxx") can't be updated by the setUserClaimValue method. They can only be updated with the setUserClaimValues method.
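To make the answer concrete, here is an added Python example (not code from the thread or from WSO2) that routes a batch of claim updates to the right operation and builds the setUserClaimValues SOAP request for the accountDisabled claim. The operation and element names are those of the RemoteUserStoreManagerService admin API as described in the answer; the namespace URIs are my recollection of its WSDL and should be confirmed against https://<host>:9443/services/RemoteUserStoreManagerService?wsdl before use.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumed namespaces of RemoteUserStoreManagerService (verify against the WSDL).
SER_NS = "http://service.ws.um.carbon.wso2.org"
XSD_NS = "http://dao.service.ws.um.carbon.wso2.org/xsd"
IDENTITY_PREFIX = "http://wso2.org/claims/identity/"

for prefix, uri in (("soapenv", SOAP_NS), ("ser", SER_NS), ("xsd", XSD_NS)):
    ET.register_namespace(prefix, uri)


def is_identity_claim(claim_uri):
    """Identity claims live under http://wso2.org/claims/identity/ and, per the
    answer, cannot be written through setUserClaimValue."""
    return claim_uri.startswith(IDENTITY_PREFIX)


def choose_operation(claims):
    """Pick the operation for a dict of claim URI -> value: only a single
    non-identity claim may go through setUserClaimValue."""
    if len(claims) == 1 and not any(is_identity_claim(u) for u in claims):
        return "setUserClaimValue"
    return "setUserClaimValues"


def build_set_user_claim_values(user_name, claims, profile_name="default"):
    """SOAP envelope for setUserClaimValues; one request carries every claim,
    identity claims included."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SER_NS}}}setUserClaimValues")
    ET.SubElement(op, f"{{{SER_NS}}}userName").text = user_name
    for claim_uri, value in claims.items():
        claim = ET.SubElement(op, f"{{{SER_NS}}}claims")
        ET.SubElement(claim, f"{{{XSD_NS}}}claimURI").text = claim_uri
        ET.SubElement(claim, f"{{{XSD_NS}}}value").text = value
    ET.SubElement(op, f"{{{SER_NS}}}profileName").text = profile_name
    return ET.tostring(env, encoding="unicode")


def claims_in_request(xml_text):
    """Parse a request back into {claimURI: value}; handy when auditing what an
    admin client actually sent to the service."""
    root = ET.fromstring(xml_text)
    return {claim.findtext(f"{{{XSD_NS}}}claimURI"): claim.findtext(f"{{{XSD_NS}}}value")
            for claim in root.iter(f"{{{SER_NS}}}claims")}


if __name__ == "__main__":
    disable = {"http://wso2.org/claims/identity/accountDisabled": "true"}
    print(choose_operation(disable))
    print(build_set_user_claim_values("alice", disable))
```

The request body is what an HTTPS client would POST to /services/RemoteUserStoreManagerService with admin Basic authentication; the same envelope shape, with the operation element renamed, would not work for setUserClaimValue on an identity claim, which is the behaviour the answer describes.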

How do I configure Shibboleth v3 IdP for WSO2 Identity Server?

I am attempting to configure our WSO2 Identity Server (5.1.0) to talk to our Shibboleth Identity Provider v3 (3.2.1) server.
When I attempt to authenticate, I get an error in my Shibboleth IdP logs which suggests to me that my metadata for the WSO2 server is wrong:
2016-06-30 15:24:48,564 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: MYENTITYID
2016-06-30 15:24:48,564 - DEBUG [org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver:198] - Metadata document did not contain a descriptor for entity MYENTITYID
2016-06-30 15:24:48,564 - DEBUG [org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver:281] - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity MYENTITYID
2016-06-30 15:24:48,564 - DEBUG [org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver:252] - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity MYENTITYID
I'm following documentation from the WSO2 site here:
https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
I have the Shib IdP v3 working with other services, but am very new to that version and don't generally dig deep into Shibboleth anyway beyond setting up attribute resolution and release for relying parties.
Could someone with more experience in either the Shibboleth IdP arena or the WSO2 Identity Server arena point me in the direction of resolving this, or at least narrowing down whether it's a general IdP configuration issue or a WSO2 metadata issue?
The documentation on the WSO2 site is based on Shib IdP v2.
You can still use it on v3, but you would need to enable v2 compatibility:
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
There is no need though; the steps for v3 are quite similar.
As far as I can tell, Shibboleth does not support the unspecified name id format. It could be possible to tweak it to support it, but I have not found issues letting Shibboleth use the transient format. Likewise, I see reason to not use a persistent name id either. Thus, there is no need to modify the name id configuration.
The AttributeFilterPolicy is now defined in the file /conf/attribute-filter.xml (or the attribute filter file loaded by /conf/services.xml). This policy specifies which attributes can be disclosed to each SP, so you need one entry for each of your SPs.
Since IS does not support metadata files yet, you need to tailor one and save it at /metadata/wso2is.xml. The one on the WSO2 site is a good start. Just keep in mind that the NameID Format does nothing if it requires the unspecified format, and that you might want to pass additional attributes in the SPSSODescriptor; in my case I had to add the following: AuthnRequestsSigned="true" WantAssertionsSigned="true". I also added the signing and encrypting X.509 certificates that WSO2 IS will use when sending requests to Shibboleth.
Next, you need to tell Shibboleth that you want to use that metadata file by adding something like the following to the file /conf/metadata-providers.xml:
<MetadataProvider id="wso2is"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/wso2is.xml">
</MetadataProvider>
Now, when you configure the IdP on WSO2 IS, you need to map the claims/attributes that Shibboleth shares with WSO2 IS (as defined in Shibboleth by /conf/attribute-filter.xml) to the WSO2 IS dialect. To do that, go to your IdP configuration, expand Claim Configuration, then expand Basic Claim Configuration; there you can add as many claim mappings as you need. This is an example of the claim mappings:
I hope this helps.
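Each of the four Shibboleth DEBUG lines in the question corresponds to one thing the hand-written SP metadata can get wrong (entityID mismatch, no SPSSODescriptor, no SAML 2.0 protocol support), and the answer adds two more (AuthnRequestsSigned / WantAssertionsSigned and the certificates). The Python below is an added example, not code from the thread or from either project: a linter for the wso2is.xml file with a constructed sample. The entityID MYENTITYID comes from the log lines; the certificate is a placeholder, and the AssertionConsumerService location assumes the default WSO2 IS /commonauth endpoint on localhost.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed SP metadata of the kind saved as %{idp.home}/metadata/wso2is.xml.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="MYENTITYID">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def lint_sp_metadata(xml_text, expected_entity_id):
    """Check what the Shibboleth DEBUG lines complain about, plus the extra
    attributes the answer had to add. Returns a list of problem strings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    # "does not contain any EntityDescriptors with the ID": the Issuer that
    # WSO2 IS sends must equal entityID exactly (it is case sensitive).
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {expected_entity_id!r}")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:  # "did not contain any role descriptors of type ...SPSSODescriptor"
        problems.append("no md:SPSSODescriptor")
        return problems
    # "does not contain a role ... supporting protocol urn:oasis:names:tc:SAML:2.0:protocol"
    if SAML2_PROTOCOL not in (sp.get("protocolSupportEnumeration") or "").split():
        problems.append("SPSSODescriptor does not list " + SAML2_PROTOCOL)
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag) != "true":
            problems.append(f'{flag}="true" is missing')
    uses = {kd.get("use") for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor")}
    if None not in uses:  # a KeyDescriptor without "use" covers both purposes
        for use in ("signing", "encryption"):
            if use not in uses:
                problems.append(f"no KeyDescriptor for {use}")
    if not sp.findall(f"{{{MD_NS}}}AssertionConsumerService"):
        problems.append("no AssertionConsumerService")
    return problems


if __name__ == "__main__":
    print(lint_sp_metadata(SAMPLE_METADATA, "MYENTITYID"))
```

Run it with the Issuer value from the WSO2 IS service provider's Inbound SAML configuration as expected_entity_id; an empty list means the metadata at least declares everything the four log lines are looking for, which separates "Shibboleth never found the SP" from an attribute-release or NameID problem further along.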

WSO2 Identity Server: Cannot use custom claims with OAuth2

We've installed the pre-packaged Identity Server 5.1.0 with API Manager 1.10.0 and use SQL Server as a data store.
We use OAuth2 to authorize our APIs and we want to map our local claims to a service provider (an application?). Behind the API we have a .NET WCF service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The claims which are returned are:
{"iss":"wso2.org/products/am",
 "exp":1462357259751,
 "wso2url/claims/subscriber":"Sjaak",
 "wso2url/claims/applicationid":"1003",
 "wso2url/claims/applicationname":"DefaultApplication",
 "wso2url/claims/applicationtier":"Medium",
 "wso2url/claims/apicontext":"/Test/v1.0",
 "wso2url/claims/version":"v1.0",
 "wso2url/claims/tier":"Silver",
 "wso2url/claims/keytype":"PRODUCTION",
 "wso2url/claims/usertype":"APPLICATION",
 "wso2url/claims/enduser":"Sjaak#carbon.super",
 "wso2url/claims/enduserTenantId":"-1234",
 "wso2url/claims/emailaddress":"sjakie#chocola.nl",
 "wso2url/claims/givenname":"Sjakie",
 "wso2url/claims/lastname":"van de Chocoladefabriek",
 "wso2url/claims/role":"Internal/subscriber,Internal/everyone,Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but we want to use our own URI, so not wso2.org but myorg.com. And we want to add other claims, with for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th May]
Maybe this can point us in the right direction?
When we add a subscription to an application and generate a new key, there is no new Service Provider in the list:
The list of service providers has no new one for user Sjaak, so Sjaak_CalculatorApp_PRODUCTION is missing.
But even when we do this for user admin the claims are not coming through. We have the following claim configuration, and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com URI:
Service Provider (SP) - It provides services to some end users and relies on a trusted Identity Provider (IdP) to handle authentication and authorization for them. An SP may use multiple protocols (OAuth2, SAML2, etc.) to communicate with the IdP.
Claims are defined for the SP, since the same claims can be sent over different protocols. In the default case, Identity Server uses the wso2 claim dialect (starting with wso2.org) for claims. If you want a different claim dialect than this, use the "Define Custom Claim Dialect" option in the service provider configuration. There you can map wso2 claims (Local Claim) to your own claims (Service Provider Claim).