Wso2 Scim 2.0 Connector Authentication Attribute - wso2

While I am trying to authenticate so that I can use WSO2, either through the panel or through an API call, I get this error:
ERROR {org.wso2.carbon.core.services.authentication.AuthenticationAdmin}
- System error while Authenticating/Authorizing User :
org.wso2.carbon.user.core.UserStoreException: org.wso2.carbon.user.core.UserStoreException:
Mapped attribute cannot be found for claim :
urn:ietf:params:scim:schemas:core:2.0:User:active in user store : PRIMARY
I don't want to add an additional field to my user store just for this. Is it possible to change authentication so that it does not look for urn:ietf:params:scim:schemas:core:2.0:User:active in the user store?

I'm assuming you cannot log in to the management console at all, even as the admin user. Can you provide the following info?
What's the user store type (LDAP, JDBC, AD)? Is it a read-only user store?
In the documentation there are two methods for configuring claims under the Configure claim dialects section. Which method did you use?

Related

Wso2 Identity Server 5.8.0: custom claim attribute in Create User by Scim service

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke /scim2/Users service to create new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could cause custom attributes not to be updated via the scim2/Users endpoint.
Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the Extending SCIM 2.0 User Schemas doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
Updating the value by logging in to the management console and viewing the user profile through the management console doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
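The answer above turns on where the custom attribute sits in the request body: a mapped custom claim has to appear under its own extension schema URN, which must also be listed in "schemas"; an attribute dropped at the top level is silently ignored. The following is an added example, not code from the thread or from WSO2. It assumes the custom claim XXX was mapped into a dialect named urn:scim:wso2:schema and that the server is at https://localhost:9443; both are assumptions, so substitute the URN you configured.

```python
"""Build and sanity-check a SCIM2 /Users create payload carrying a custom
attribute under its extension schema (added example, not WSO2 code).

Assumptions (not from the original thread):
  * local claim XXX is mapped into the SCIM dialect 'urn:scim:wso2:schema'
  * WSO2 IS listens at https://localhost:9443 with a CA you can pin
"""
import base64
import json
import ssl
import urllib.request

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
CUSTOM_SCHEMA = "urn:scim:wso2:schema"          # assumed custom dialect URN
# Core attributes that may legitimately sit at the top level of the payload.
CORE_ATTRIBUTES = {"userName", "password", "name", "emails", "phoneNumbers",
                   "active", "displayName", "nickName", "title", "userType"}


def build_user(user_name, password, given_name, family_name, email, custom=None):
    """Return a SCIM2 user body; custom attributes go under CUSTOM_SCHEMA."""
    payload = {
        "schemas": [CORE_SCHEMA],
        "userName": user_name,
        "password": password,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"primary": True, "value": email}],
    }
    if custom:
        payload["schemas"].append(CUSTOM_SCHEMA)
        payload[CUSTOM_SCHEMA] = dict(custom)
    return payload


def misplaced_attributes(payload):
    """List attributes the server would ignore: top-level keys that are
    neither core attributes nor a declared extension URN, plus extension
    URNs declared in 'schemas' without a matching sub-object."""
    declared = set(payload.get("schemas", []))
    bad = [k for k in payload
           if k != "schemas" and k not in CORE_ATTRIBUTES and k not in declared]
    for uri in declared - {CORE_SCHEMA}:
        if not isinstance(payload.get(uri), dict):
            bad.append(uri)
    return bad


def extension_value(user_json, schema=CUSTOM_SCHEMA, attribute="XXX"):
    """Read an extension attribute from a GET /scim2/Users/{id} response."""
    return user_json.get(schema, {}).get(attribute)


def post_user(payload, base_url="https://localhost:9443", user="admin",
              password="admin", cafile=None):
    """POST the payload; cafile pins the IS certificate (it is self-signed
    out of the box), never disable verification."""
    if misplaced_attributes(payload):
        raise ValueError("payload has attributes the server would drop: "
                         f"{misplaced_attributes(payload)}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/scim2/Users", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/scim+json",
                 "Authorization": f"Basic {token}"}, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

A payload that places XXX at the top level passes the server's parsing but loses the attribute; misplaced_attributes flags exactly that case, and extension_value is the check to run on the GET response once the claim mapping is in place.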

WSO2 Identity server - Unable to add new user with "error while persisting user : renault"

I created a user (testinguser) in WSO2 Identity Server version 5.10.0 and deleted them afterwards because I had created them in the primary user store, yet I wanted to add them to the secondary user store (MySQL).
However, when I try to add the user with any name, I am getting the error Could not add user wso2is/renault. Error: Error while persisting user : renault, yet renault is not created as a user.
I also see this in the logs:
[2020-04-25 00:18:19,727] [2f2cdf35-4c34-447e-9ffa-c14490a7e101] ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} - Error while persisting user : renault org.wso2.carbon.user.mgt.stub.UserAdminUserAdminException: UserAdminUserAdminException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAcc
You have used JDBCUserStoreManager as the User Store Manager Class when adding the new user store. Select UniqueIDJDBCUserStoreManager instead.
As described in the documentation,
From WSO2 IS 5.10.0 onwards, all user store managers have UniqueID included as part of the user store manager name.
The user store managers that do not have UniqueID as part of the user store manager name are only available for backward compatibility
purposes and can only be used if you are migrating from a previous
version of WSO2 Identity Server.
Refer: Configuring Secondary User Stores

Adding a user to WSO2 Identity Server

We're integrating our ASP.NET MVC client with WSO2's Identity Server v5.8.0.
Below are the steps we've followed:
1) Created a Service provider for our MVC application & configured Inbound authentication with OAuth/OpenID configuration, also configured Inbound provisioning with primary user store.
2) In our MVC application, we've set up a WSO2 configuration using OWIN's WSO2 NuGet package with the generated client-id & client-secret from the service provider.
3) We've configured MongoDB as our primary user store.
Now we're trying to add a user using SCIM2 API (https://localhost:9443/scim2/Users). Below is the response we're getting:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Cannot add user through scim to user store . SCIM is not enabled for user store WSO2.COM","status":"500"}
I've even changed below config in user-mgt.xml
<Property name="SCIMEnabled">true</Property>
What else do we need to configure? Is there any other way to add a user in WSO2 Identity Server apart from using the SCIM APIs?
It seems like you have two user stores, the primary user store and a secondary user store named wso2.com. By adding the
<Property name="SCIMEnabled">true</Property>
to user-mgt.xml you are enabling SCIM2 for the primary user store, not the secondary user store. But from the API you are adding the user to the secondary user store. Since you haven't enabled SCIM in the secondary user store you are getting this error. You have two options.
1) Add the user to PRIMARY user store
By analyzing the error that you are getting, the user name of the user that you are trying to add should be something like
WSO2.COM/Abhishek
Change this to
Abhishek
2) Enable SCIM2 in the secondary user store
Log in to the management console and click List in the User Stores sub menu under the Identity menu.
The User Store Management page opens. There should be a user store named WSO2.COM
Click on Edit. Click on Advanced and tick Enable SCIM.
Reference: https://docs.wso2.com/display/IS580/Using+the+SCIM+2.0+REST+APIs
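The answer's diagnosis can be checked offline before calling /scim2/Users: the domain prefix in userName selects the user store, and SCIMEnabled is a per-store property, so the primary store's user-mgt.xml setting says nothing about WSO2.COM. The script below is an added example, not code from the thread or from WSO2. The two XML fragments are constructed to mirror the layout of user-mgt.xml and a secondary store file under repository/deployment/server/userstores/; they are assumptions, not the asker's files.

```python
"""Predict 'SCIM is not enabled for user store <DOMAIN>' from the user store
configuration (added example, not WSO2 code).

The XML below is constructed for this example; the primary store lives in
user-mgt.xml, each secondary store in its own file under
repository/deployment/server/userstores/ (assumed layout).
"""
import xml.etree.ElementTree as ET

PRIMARY = "PRIMARY"

USER_MGT_XML = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="SCIMEnabled">true</Property>
      <Property name="ReadOnly">false</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

SECONDARY_STORE_XML = """<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
  <Property name="DomainName">WSO2.COM</Property>
  <Property name="SCIMEnabled">false</Property>
  <Property name="ReadOnly">false</Property>
</UserStoreManager>"""


def _props(manager_el):
    """Map <Property name="..."> elements to a plain dict."""
    return {p.get("name"): (p.text or "").strip() for p in manager_el.findall("Property")}


def load_stores(user_mgt_xml, secondary_xmls):
    """Return {DOMAIN: properties} for the primary and all secondary stores."""
    stores = {PRIMARY: _props(ET.fromstring(user_mgt_xml).find("Realm/UserStoreManager"))}
    for xml in secondary_xmls:
        props = _props(ET.fromstring(xml))
        stores[props["DomainName"].upper()] = props   # domains are case-insensitive
    return stores


def split_domain(user_name):
    """'WSO2.COM/Abhishek' -> ('WSO2.COM', 'Abhishek'); no prefix means PRIMARY."""
    if "/" in user_name:
        domain, _, name = user_name.partition("/")
        return domain.upper(), name
    return PRIMARY, user_name


def scim_target(user_name, stores):
    """Decide whether a SCIM create for user_name can succeed; returns (ok, reason)."""
    domain, name = split_domain(user_name)
    props = stores.get(domain)
    if props is None:
        return False, f"user store {domain} is not configured"
    if props.get("SCIMEnabled", "false").lower() != "true":
        return False, f"SCIM is not enabled for user store {domain}"
    if props.get("ReadOnly", "false").lower() == "true":
        return False, f"user store {domain} is read-only"
    return True, f"{name} will be created in {domain}"


def enable_scim(store_xml):
    """Option 2 from the answer as a config edit: flip SCIMEnabled to true."""
    root = ET.fromstring(store_xml)
    for p in root.findall("Property"):
        if p.get("name") == "SCIMEnabled":
            p.text = "true"
            break
    else:  # property absent: add it
        ET.SubElement(root, "Property", name="SCIMEnabled").text = "true"
    return ET.tostring(root, encoding="unicode")
```

Option 1 from the answer corresponds to dropping the prefix so split_domain yields PRIMARY; option 2 corresponds to enable_scim on the secondary store file, after which scim_target reports success for WSO2.COM/Abhishek.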

WSO2 IS v. 5.3.0 New Tenant can't be created

I have installed the new version of WSO2 Identity Server v5.3.0.
When I try to create a new tenant I get exceptions:
TID: [-1234] [] [2017-01-19 16:54:17,102] ERROR {org.wso2.carbon.stratos.common.util.ClaimsMgtUtil} - Unable to retrieve the claim for the given tenant
org.wso2.carbon.user.core.UserStoreException: org.wso2.carbon.user.core.UserStoreException: Mapped attribute cannot be found for claim : http://wso2.org/claims/lastname in user store : PRIMARY
and
TID: [-1234] [] [2017-01-19 16:54:17,102] ERROR {org.wso2.carbon.stratos.common.util.ClaimsMgtUtil} - Unable to retrieve the claim for the given tenant
org.wso2.carbon.user.core.UserStoreException: org.wso2.carbon.user.core.UserStoreException: Mapped attribute cannot be found for claim : http://wso2.org/claims/lastname in user store : PRIMARY
These claims exist in the DB. There is a new structure of claim tables in the DB.
In version 5.2 there weren't any problems in this part.
I suppose that the new user (admin of the tenant) can't be created.
Another ordinary user can be created properly through "Add User".
We have different data sources for user management and identities (WSO2_UM and WSO2_AM). The new claims structure is in WSO2_AM. Maybe this is the reason for the problems?
This problem is very, very important for us.
Maybe we have to go back to version 5.2?
The problem was resolved. I'm very sorry for my mistakes.
There was one mistake in the configuration files.

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so-called WSO2 IS Admin Services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case where I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this desired behavior, introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using "username"+"tenant-domain" (which is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should be like the below image.
Thanks
Isura.
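The rule in the answer above, as an added example that is not part of the thread or of WSO2's code: split the authorizedUser from OAuth2TokenValidationService into a tenant-free username and a tenant domain, authenticate to the Admin Service as a user of that tenant, and pass only the tenant-free part to getUserProfile. WSO2 qualifies a username with its tenant domain using "@" (the thread shows "#" in its place), and with email usernames the fully qualified name carries two separators, so the split rule below is modelled on that convention and is an assumption, not WSO2's own implementation. The tenant admin credentials are constructed for the example.

```python
"""Derive the tenant-free username an Admin Service expects from the
tenant-qualified authorizedUser (added example, not WSO2 code).

Assumed convention: a tenant suffix is the text after the last separator;
with email usernames it is present only when there are two separators.
"""
SUPER_TENANT = "carbon.super"


def split_tenant(qualified, email_as_username=True, sep="@"):
    """'admin@admin.com@test.net' -> ('admin@admin.com', 'test.net');
    a name without a tenant suffix belongs to carbon.super."""
    parts = qualified.split(sep)
    needed = 3 if email_as_username else 2     # parts present when a suffix exists
    if len(parts) >= needed:
        return sep.join(parts[:-1]), parts[-1]
    return qualified, SUPER_TENANT


def profile_request(authorized_user, tenant_admins, email_as_username=True, sep="@"):
    """Return the pieces of a getUserProfile call: who to authenticate as
    (a user of the target tenant) and the tenant-free username parameter.
    tenant_admins maps tenant domain -> credential to use for that tenant."""
    username, tenant = split_tenant(authorized_user, email_as_username, sep)
    if tenant not in tenant_admins:
        raise KeyError(f"no Admin Service credential configured for tenant {tenant}")
    return {
        "tenant": tenant,
        "auth_user": tenant_admins[tenant],   # goes in the Basic auth header
        "username": username,                 # getUserProfile 'username' parameter
        "profileName": "default",
    }


# Constructed credentials for the example; tenant users are qualified with
# their own domain so that the Admin Service resolves the tenant from them.
TENANT_ADMINS = {
    SUPER_TENANT: "admin",
    "test.net": "admin@admin.com@test.net",
    "test2.net": "admin@admin.com@test2.net",
}
```

For the asker's super-tenant case the authorized user admin@admin.com@carbon.super yields username admin@admin.com, which is exactly the value that worked once the suffix was removed; for admin@admin.com@test.net the same call authenticates as the test.net admin and still passes admin@admin.com.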