In WSO2 IS admin console, we are trying to set the user claims for a service provider under 'Claim Configuration'.
We selected the Claim mapping Dialect as 'Define Custom Claim Dialect' and added Local claims as :
http://wso2.org/claims/givenname
http://wso2.org/claims/lastname
http://wso2.org/claims/emailaddress
But when we perform a curl with /oauth2/userinfo, it just gives us last name and email. But first name is not being returned.
Returned User Info:
{"sub":"abc#carbon.super","family_name":"abcFN","email":"abc#abc.com"}
Any pointers for the issue will be helpful.
There is actually an error in the mapping of the given name attribute between the oidc claim and the wso2 claim :
In the management console, go to Home > Identity > Claims > List > claim.view
Click on http://wso2.org/oidc/claim in the Available Claims Dialect list
Change the mapping for given_name to Mapped Local Claim : http://wso2.org/claims/givenname
In order to get the first name through user info endpoint,you should have an OIDC claim mapping with http://wso2.org/claims/givenname.
Could you please check whether your given_name claim under oidc dialect has a mapping with http://wso2.org/claims/givenname.
Related
I'm using WSO2 Identity Server version 5.10
I'm facing a strange behaviour. I configured some external IdPs (SAML2 based)
I configured claims returned by these IdPs with WSO2IS local claims. For example, let's suppose that my external IdP returns these SAML attribute name:
a, b and c I configured claim in this way:
External IdP Claim configuration
Identity Provider Claim URI
Local Claim URI
a
http://wso2.org/address
b
http://wso2.org/givenname
c
http://wso2.org/lastname
Then I defined a custom claim dialect in this way; let's call it custom_claim_dialect. I defined in it my claim mapping in this way:
Custom claim dialect
Dialect URI
Claim URI
Mapped Local Claim
custom_claim_dialect
a
http://wso2.org/address
custom_claim_dialect
b
http://wso2.org/givenname
custom_claim_dialect
c
http://wso2.org/lastname
Then I defined a Service Provider (Inbound configuration: SAML2 Web SSO) and I configured it by using these external IdPs
In my Service Provider I configured my claims by adding the custom dialectby specifying it in Service Provider Claim Dialect
Then I tried the access the access to the Service Provider. All worked pretty good just only the first time.
WSO2IS asks to me the consent for the claims and I can land on my authenticated page.
When I close the browser and clent cookies and I try again the access. All works good (no consent ask is showed by WSO2IS) but when I land on my private page no
attribute is contained in the SAML Response.
If i configure my ServiceProvider with WSO2IS local claims, all works good.
Is this correct? Am I missing anything?
Thank you
Angelo
UPDATE
I'm pretty sure it's a kind of bug.
I debugged till the class org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler
The org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.handleClaimMappings(StepConfig, AuthenticationContext, Map<String, String>, boolean) returns the correct claims Map In fact I printed the following log:
INFO {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning filtered claims {familyName=Surname, name=Example, dateOfBirth=1980-01-01, spidCode=ABCD123456789A, fiscalNumber=TINIT-SRNXPL80A41A662G, MultiAttributeSeparator=,} to SP mySP
In some point during the process WSO2 IS decides that this Map must not be used.
Any tip?
UPDATE 2
This picture shows how I configure my SP claims. As you can see I'm using a defined custom claim. When I define custom claim, I can't make claims mandatory
Did u try making these claims mandatory on the IS SP side? Making claims mandatory will ensure that u always receive the claim for the applications.
If caching is the problem then u can try to JIT provision the user[1]. This way we can save the claims from FIDP on the IS side. "Provision silently" is an easy option to check.
[1] https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/
I try to use https://myidentity/oauth2/userinfo for extract information about the logged user, but only returns one field
{
"sub": "username"
}
I have complete mapped fields from http://wso2.org/claims/photo to http://wso2.org/claims/oidc/photo
What can i do?
Since the claims that you are requesting are on the local claim dialect you can use the local claim dialect for requesting claims. Please refer to the official documentation for more information1
1.https://is.docs.wso2.com/en/5.9.0/learn/configuring-claims-for-a-service-provider/
I'm trying to config a service provider of WSO Identity Server v5.7.0 in order to export the UUID & roles of a user as part of JWT token. I've done like this but only roles are exported. UUID is not shown.
local claim:http://wso2.org/claims/userid. mandatory claim: yes
local claim:http://wso2.org/claims/role. mandatory claim: yes
Steps:
In wso2 is admin console->main tab->locate the service provider I've created.
In "claim configuration", I choose "use local claim dialect"; 3. In "Requested Claims" I Add Claim URI.
I've add "wso2.org/claims/userid" & "wso2.org/claims/role" and both of them are marked "mandatory claim"
After saving it. I use curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token to get the JWT token;
Only roles are in the token. The user UUID is not found
In WSO2 Identity Server password grant type issue id_token(JWT) by adhering to OIDC core specification. In order to get a user claim in JWT you should have a mapping between wso2 claims(http://wso2.org/claims) and OIDC claims ( http://wso2.org/oidc/claim ). For role claim this mapping is already there where http://wso2.org/role map to groups claim in OIDC dialect.
Please follow below steps in addition to what you did to get userid claim in id_token(JWT)
Add userid to OIDC claim dialect
Dialect URI: http://wso2.org/oidc/claim
Claim URI: userid
Mapped Local Claim: http://wso2.org/claim/userid
From management console UI "OIDC Scopes" add userid claim to openid scope.
You need to map wso2 claims to OIDC claims in order to achieve this. blog, blog section 6 with claim configuration will help you to understand how to add wso2 claim mappings.
I have added a local custom claim namely http://wso2.org/claims/fg_imprenditore to http://wso2.org/claims dialect and mapped it on a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues.
I ask a JWT Token from a javascript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login the WSO2is server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case the claim is not returned in the JWT Token.
In addition if I go in the user profile the attribute is set correctly (with the new value!) but if I try to authenticate again I need to fill the attribute again..
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider it shouldn't request it when you try to log in. Also, in order for the jwt to contain your custom claim you need to map the custom claim to a new custom claim under the oauth dialect, and then map the new oauth claim under the oidc scope you use. It took me a while to get it too as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any oidc claims in WSO2 IS. Do the following in get rid of the issue.
Go to List under Claims in IS Management Console Main tab.
Click on http://wso2.org/oidc/claim
Add new claim with the name fg_imprenditore in oidc claim dialect. You will see a drop down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check "Add External Claim" section in this)
Save new oidc claim and try again.
After performing the authentication against the WSO2 IS 5.0.0 and negotiating the access token, I perform a call to the userinfo endpoint:
https://:9443/oauth2/userinfo?schema=openid
It answers correctly with a JWT, but using always the dialect http://wso2.org/oidc/claim even if another dialect is configured in the in the identity.xml (for example http://wso2.org/claims)
It seems like the userinfo endpoint ignores the dialect configuration. Does anybody else has faced this problem?
Is it a bug or am I missing something?
I think this is not a bug. because by default Openid claim dialect returns userinfo(oidc) according to the Openid Specification.WSO2 uses default claim dialect to retrieve userinfo as wso2 calim dialect. But this wso2 claim dialect should be mapped with OpenID claim dialect (http://wso2.org/oidc/claim).
If you want to retrieve userinfo additional than default info, you need to map "http://wso2.org/claims" attributes with "http://wso2.org/oidc/claim”. Otherwise it returns by default mapped properties only ("phone_number", "email", "family_name" and "country").
Below steps are to retrieve ‘mobile’ as a claim though it is not configured as default
Go to the "Claim Management" under "Configure" tab.
Then click "http://wso2.org/oidc/claim" and check whether this "Mobile" claim is available or not.
If it is not available, you need to add New Claim mapping.
If this "Mobile" claim is already exist, you need to check whether that mapped attribute is equal with "http://wso2.org/claims/mobile" Mobile mapped attribute.
(Note:http://wso2.org/oidc/claim particular mapped attribute should be equal with your http://wso2.org/claims particular claim attribute).
Like this you can map "http://wso2.org/claims" particular claims with "http://wso2.org/oidc/claim" claims.