I am using WSO2 Identity Server and creating custom claims in it. In a specific use case I need two claims to replicate the same value.
So while creating a user, if I give "1234" to claim http://wso2.org/claims/store1/id1 then claim http://wso2.org/claims/store2/id2 should also have "1234".
Is there any way possible to achieve this?
One way to achieve this is to override a method in the user store manager. There you can put your custom logic to save and get claims.
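As an added example (not code from the answer above or from WSO2), this is what such an override can look like for a JDBC user store: a subclass of the kernel's JDBCUserStoreManager that forces the second claim to the first claim's value whenever a user is added or a claim is set. The class name, package and the `mirror` helper are my own; the claim URIs are the ones from the question; the six-argument constructor is the shape WSO2's custom user store documentation uses. Build it as an OSGi bundle, drop it into repository/components/dropins, and point the user store's class name at it in user-mgt.xml or the user store configuration.

```java
package org.example.userstore;

import java.util.HashMap;
import java.util.Map;

import org.wso2.carbon.user.api.RealmConfiguration;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.claim.ClaimManager;
import org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager;
import org.wso2.carbon.user.core.profile.ProfileConfigurationManager;

/**
 * JDBC user store manager that keeps MIRROR_CLAIM equal to SOURCE_CLAIM.
 * The mirroring rule is applied before the parent writes anything, so both
 * values always land in the same transaction.
 */
public class MirroredClaimUserStoreManager extends JDBCUserStoreManager {

    static final String SOURCE_CLAIM = "http://wso2.org/claims/store1/id1";
    static final String MIRROR_CLAIM = "http://wso2.org/claims/store2/id2";

    public MirroredClaimUserStoreManager() {
        super();
    }

    // Constructor signature the kernel uses when it instantiates the store
    public MirroredClaimUserStoreManager(RealmConfiguration realmConfig, Map<String, Object> properties,
                                         ClaimManager claimManager, ProfileConfigurationManager profileManager,
                                         UserRealm realm, Integer tenantId) throws UserStoreException {
        super(realmConfig, properties, claimManager, profileManager, realm, tenantId);
    }

    /** Pure helper: copy of the claim map with the mirror claim forced equal to the source claim. */
    static Map<String, String> mirror(Map<String, String> claims) {
        Map<String, String> out = claims == null ? new HashMap<>() : new HashMap<>(claims);
        String value = out.get(SOURCE_CLAIM);
        if (value != null) {
            out.put(MIRROR_CLAIM, value);
        }
        return out;
    }

    @Override
    public void doAddUser(String userName, Object credential, String[] roleList,
                          Map<String, String> claims, String profileName,
                          boolean requirePasswordChange) throws UserStoreException {
        // User creation from the console, SCIM or the API all end up here
        super.doAddUser(userName, credential, roleList, mirror(claims), profileName, requirePasswordChange);
    }

    @Override
    public void doSetUserClaimValue(String userName, String claimURI, String claimValue,
                                    String profileName) throws UserStoreException {
        super.doSetUserClaimValue(userName, claimURI, claimValue, profileName);
        if (SOURCE_CLAIM.equals(claimURI)) {
            // Single-claim update of the source: propagate to the mirror as well
            super.doSetUserClaimValue(userName, MIRROR_CLAIM, claimValue, profileName);
        }
    }

    @Override
    public void doSetUserClaimValues(String userName, Map<String, String> claims,
                                     String profileName) throws UserStoreException {
        super.doSetUserClaimValues(userName, mirror(claims), profileName);
    }
}
```

Because the rule lives in the store manager, it holds for every write path (management console, SCIM, admin services) without each caller having to remember it; the trade-off is that a direct update of the mirror claim alone is still allowed unless you also reject it in `doSetUserClaimValue`.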
I had to create an additional table in the tenant user store to store some specific data. Now I need to fetch data from this table during authentication in an authenticator. What possibilities do I have to make an SQL query to this new table? I know I can create a custom user store manager, but it looks like over-engineering to me.
There are two ways that you can do this.
Write a custom authenticator
Write a custom user store manager
The above depends on the logic that you want to implement.
== Write a custom authenticator ==
Let's say you need to use these for username and password authentication. Then you can implement a custom authenticator by extending the existing authenticator. You can refer to this blog for more details.
== Writing a custom user store manager ==
You can easily extend the existing user store manager and override the auth-related methods to suit your need. You will be able to find many docs and Medium articles related to this. I would like to recommend this approach since this is related to the user stores.
Also, you can see whether you can achieve this using the Pre-Post listeners (If possible then this would be the easiest approach). During the user store manager auth methods, UMs fire pre-authentication and post-authentication methods. If you add a new listener and subscribe that to any of those events you might be able to achieve this use case.
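The listener route from the last paragraph, as an added example that is not code from the answer or from WSO2: a UserOperationEventListener whose doPostAuthenticate runs one parameterised query against the extra table after the user store has accepted the credentials. The table name and columns (USER_LOGIN_POLICY with USERNAME, TENANT_ID, LOGIN_ALLOWED) are constructed for the example; jdbc/WSO2CarbonDB is the default Carbon datasource JNDI name and should be changed if the table lives elsewhere; the class name, package and execution order are my own. The listener is registered from the bundle's activator as a UserOperationEventListener OSGi service.

```java
package org.example.listener;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.common.AbstractUserOperationEventListener;

/**
 * Post-authentication listener that consults an extra table once the user
 * store has verified the password. Returning false from doPostAuthenticate
 * fails the authentication; an exception also fails it.
 */
public class ExtraTableAuthListener extends AbstractUserOperationEventListener {

    // Constructed schema for the example, not a WSO2 table
    static final String LOOKUP_SQL =
            "SELECT LOGIN_ALLOWED FROM USER_LOGIN_POLICY WHERE USERNAME = ? AND TENANT_ID = ?";
    // Default Carbon datasource from master-datasources.xml; adjust if needed
    static final String DATASOURCE_JNDI = "jdbc/WSO2CarbonDB";

    @Override
    public int getExecutionOrderId() {
        return 9010; // run after the built-in listeners
    }

    @Override
    public boolean doPostAuthenticate(String userName, boolean authenticated,
                                      UserStoreManager userStoreManager) throws UserStoreException {
        if (!authenticated) {
            return true; // credentials already rejected; nothing to decide here
        }
        int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
            try (Connection conn = ds.getConnection()) {
                if (!isLoginAllowed(conn, userName, tenantId)) {
                    return false; // policy row says no: deny the login
                }
            }
        } catch (NamingException | SQLException e) {
            // Fail closed: an unreadable policy table must not become an implicit allow
            throw new UserStoreException("Policy table lookup failed for user " + userName, e);
        }
        return true;
    }

    /**
     * Parameterised lookup so the user name is never spliced into SQL text.
     * No row means "no specific policy" and is treated as allowed; a row
     * whose LOGIN_ALLOWED is not 'Y' denies.
     */
    static boolean isLoginAllowed(Connection conn, String userName, int tenantId) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(LOOKUP_SQL)) {
            ps.setString(1, userName);
            ps.setInt(2, tenantId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return true;
                }
                return "Y".equalsIgnoreCase(rs.getString("LOGIN_ALLOWED"));
            }
        }
    }
}
```

The lookup is deliberately done after the password check rather than in doPreAuthenticate, so an attacker probing user names cannot tell from the response whether a policy row exists; and every failure of the lookup itself denies, which is the only safe default for a control that sits in the login path.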
How can we add custom claims to the ID token of WSO2 (claims which are stored in different tables of the WSO2 database)?
Explanation:
The requirement is to add some additional claim values which are specific to the organizational information of the user (which will be stored in other tables and not in the user attribute table).
How do we write a custom claim handler to do the same?
You can write a custom claim handler and inject the values from the claim handler. Please follow this documentation to know how to deploy a custom claim handler.
You can find a sample source code here.
I'm using WSO2 Identity Server 5.3.0 and several LDAP user stores.
I need to integrate AWS as a service provider and WSO2 IS as identity provider.
The situation is: I have lots of users stored in the user stores and some of them have specific roles that should be allowed to login to AWS service. So far I don't have the possibility to alter / update the current user stores.
That's why I'm trying to figure out a way to populate / generate / translate / calculate the value of a claim based on an already stored attribute in the user store.
I have a sort of table with the groups coming from LDAP's memberOf attribute a user could belong to and their equivalences to AWS attributes that should be stored in specific claims in order for AWS to allow that user to enter certain services.
The end user is willing to solve this situation within the WSO2 IS component without altering the stores content.
I'm wondering if the only way to do this is writing a custom User Store Manager or a Custom Claim Handler [1] to deal with this particular situation or there is a more standard way to accomplish this.
I would appreciate any input; thanks in advance.
[1] http://pushpalankajaya.blogspot.ca/2014/07/adding-custom-claims-to-saml-response.html
I think Claim Handler is the right place to implement your logic. You can find a sample in https://github.com/mefarazath/CustomClaimHandler
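An added example of the claim handler approach recommended in this answer and in the ID-token question above (my own code, not the linked sample and not WSO2's): it extends the framework's DefaultClaimHandler, lets the parent resolve the user's ordinary claims, then derives the two attributes AWS expects in a SAML assertion from the user's group membership, so nothing is written back to the LDAP stores. Assumptions are labelled in the code: the groups are read from the local role claim under the key the parent returns (adjust to your SP claim mapping), the group-to-role table is constructed with placeholder account ids, and the separator must match the user store's MultiAttributeSeparator. The handler is wired in through the ClaimHandler extension entry in application-authentication.xml.

```java
package org.example.claims;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler;

/**
 * Derives the AWS SAML role claims from directory groups at login time.
 */
public class AwsRoleClaimHandler extends DefaultClaimHandler {

    // Attribute names AWS expects in the assertion
    static final String AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role";
    static final String AWS_ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName";

    // Assumed key under which the parent handler returns the user's groups
    // (group names as IS resolves them from memberOf); adjust to your mapping.
    static final String GROUPS_CLAIM = "http://wso2.org/claims/role";

    // Must equal the user store's MultiAttributeSeparator. The default ","
    // collides with the comma inside every AWS role value, so a different
    // separator has to be configured on the user store for this to work.
    static final String SEPARATOR = "|";

    // Constructed lookup table (the "sort of table" from the question):
    // group name -> "role ARN,provider ARN". Account id and names are placeholders.
    static final Map<String, String> GROUP_TO_AWS_ROLE = new HashMap<>();
    static {
        GROUP_TO_AWS_ROLE.put("aws-readonly",
                "arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/WSO2IS");
        GROUP_TO_AWS_ROLE.put("aws-billing",
                "arn:aws:iam::111122223333:role/Billing,arn:aws:iam::111122223333:saml-provider/WSO2IS");
    }

    @Override
    public Map<String, String> handleClaimMappings(StepConfig stepConfig, AuthenticationContext context,
                                                   Map<String, String> remoteClaims, boolean isFederatedClaims)
            throws FrameworkException {
        Map<String, String> base = super.handleClaimMappings(stepConfig, context, remoteClaims, isFederatedClaims);
        Map<String, String> out = base == null ? new HashMap<>() : new HashMap<>(base);

        String awsRoles = rolesFor(out.get(GROUPS_CLAIM));
        if (awsRoles == null) {
            // No AWS-mapped group: emit no Role attribute, so AWS refuses the login
            return out;
        }
        out.put(AWS_ROLE, awsRoles);
        if (stepConfig != null && stepConfig.getAuthenticatedUser() != null) {
            out.put(AWS_ROLE_SESSION_NAME, stepConfig.getAuthenticatedUser().getUserName());
        }
        return out;
    }

    /**
     * Translates a SEPARATOR-joined group list into the SEPARATOR-joined list of
     * AWS role values. Groups without a mapping are ignored; duplicates are
     * dropped; null means the user gets no AWS role at all.
     */
    static String rolesFor(String groupList) {
        if (groupList == null || groupList.isEmpty()) {
            return null;
        }
        List<String> roles = new ArrayList<>();
        for (String group : groupList.split(Pattern.quote(SEPARATOR))) {
            String role = GROUP_TO_AWS_ROLE.get(group.trim());
            if (role != null && !roles.contains(role)) {
                roles.add(role);
            }
        }
        return roles.isEmpty() ? null : String.join(SEPARATOR, roles);
    }
}
```

Keeping the mapping in the handler rather than in the directory means the set of users who can reach AWS is decided by an allow-list in code (or a configuration file you load into it), and anyone outside that list simply gets an assertion without a Role attribute, which AWS rejects.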
We've deployed WSO2 API Manager 2.0 and are very happy with it.
However, we've been looking in the documentation to see whether it is possible to add a field to the user profile but haven't found anything yet; is this at all possible? Also, if this is possible, can we show the field somewhere on the frontend? Or better yet, is it possible to send it to a backend web service?
Our problem is that we have a backend with users that have a token, but we didn't want to send that token to the API Manager, we want it to be added without worrying the user. Is this at all possible? We know about sequence mediation and this can probably be achieved with it, the only complication is where we store the user token, for each user.
Thanks in advance!
Best Regards
You can introduce new user attributes to user profiles. APIM uses WSO2 Identity Server features internally, so you can refer to this doc.
If you enable the Supported by Default property, it will be shown in the user profile.
You can use JWT to send user claims to backend. You can find docs here.
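The backend side of that JWT, as an added example that is not code from the answer or from WSO2: API Manager forwards the claims in the X-JWT-Assertion header, signed with the gateway keystore's key, so the service must verify the RS256 signature against the gateway's exported certificate before it reads the per-user token out of the payload. The claim URI http://wso2.org/claims/backendtoken is hypothetical (use the URI of the attribute you added), the class and package are my own, and the regex claim extraction is a deliberate simplification that a real service would replace with a JSON parser.

```java
package org.example.backend;

import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Verifies the gateway-signed JWT before trusting any claim in it.
 */
public final class ApimJwtReader {

    public static final String HEADER_NAME = "X-JWT-Assertion";
    // Hypothetical custom claim carrying the per-user backend token
    public static final String BACKEND_TOKEN_CLAIM = "http://wso2.org/claims/backendtoken";

    private final PublicKey gatewayKey;

    public ApimJwtReader(PublicKey gatewayKey) {
        this.gatewayKey = gatewayKey;
    }

    /** Public key from the gateway certificate exported with keytool (PEM or DER). */
    public static PublicKey loadGatewayKey(Path certFile) throws Exception {
        try (InputStream in = Files.newInputStream(certFile)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
        }
    }

    /**
     * Returns the payload JSON when the token is an RS256 JWT signed by the
     * gateway key, otherwise null. The alg header is pinned to RS256 so a
     * token claiming "none" or an HMAC algorithm never reaches the key.
     */
    public String verify(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        try {
            String header = new String(decode(parts[0]), StandardCharsets.UTF_8);
            if (!header.contains("\"RS256\"")) {
                return null;
            }
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(gatewayKey);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(decode(parts[2]))) {
                return null;
            }
            return new String(decode(parts[1]), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // malformed encoding or bad signature: treat as untrusted
        }
    }

    /** String claim from an already verified payload; null when absent. */
    public static String stringClaim(String payloadJson, String claimUri) {
        Pattern p = Pattern.compile("\"" + keyRegex(claimUri) + "\"\\s*:\\s*\"([^\"]*)\"");
        Matcher m = p.matcher(payloadJson);
        return m.find() ? m.group(1) : null;
    }

    // Matches the claim URI as a JSON key whether or not its slashes were escaped as "\/"
    private static String keyRegex(String key) {
        StringBuilder sb = new StringBuilder();
        for (char c : key.toCharArray()) {
            if (c == '/') {
                sb.append("\\\\?/");
            } else if (Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append('\\').append(c);
            }
        }
        return sb.toString();
    }

    // Accepts both the base64url and the plain base64 alphabet, padded or not
    private static byte[] decode(String s) {
        return Base64.getDecoder().decode(s.replace('-', '+').replace('_', '/'));
    }
}
```

Typical use is `String payload = reader.verify(request.getHeader(ApimJwtReader.HEADER_NAME));` followed by `ApimJwtReader.stringClaim(payload, ApimJwtReader.BACKEND_TOKEN_CLAIM)` only when `payload` is non-null. The point of the example is the ordering: the user's token is trusted because the gateway's signature over the whole JWT checks out, not because the header happened to be present, so the backend should also be reachable only from the gateway (network policy or mutual TLS) to keep the header from being supplied by anyone else.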
The last part is not very clear to me.
I am working on wso2is4.6.
I am new to wso2is. Maybe this is a stupid question, but I am still blocked.
The first question: when there are multiple claim dialects in the system, which claim dialect will be used? Which conditions make the system choose this dialect instead of another?
The second question: I installed WSO2 IS 4.6 and installed ApacheDS 2.0 with defaults (no customization). Where can I find the corresponding claim mapping?
I know I need to correct the claim mapping, but I don't know how to find the correct mapping. Can somebody provide a working claim-mgt.xml based on WSO2 IS 4.6 and ApacheDS 2.0?
Adding more info to Dulanja's answer,
Q1. In WSO2 Identity Server, internally it always uses a claim dialect together with a claim URI to identify a unique claim. Different components use different dialects to get their claims. For example, when adding a new user using the management console, the relevant (user-manager) component would use the WSO2 default claim dialect mentioned above. Similarly, if you are doing SCIM-related operations, the relevant components will use the SCIM dialect.
Q2. As mentioned in Q1, the dialect together with the claim URI makes the unique claim, and where we store that claim's value can be configured in two ways.
i. You can use claim-config.xml in /repository/conf/ folder and you can edit claim-to-ldapAttribute mapping by changing <AttributeID> which is given under every element.
ii. Or you can change claim mappings at runtime using the Claim Management page in management console. Please refer [1] for more info.
[1] http://docs.wso2.org/display/IS460/Claim+Management
Thanks,
Question 1:
The default claim dialect of WSO2 products is http://wso2.org/claims. This is the underlying dialect of the User Profile view - currently you cannot change this to use a different dialect.
Other dialects are used in different scenarios. As an example, http://schema.openid.net/2007/05/claims is used when IS acts as an OpenID Provider. OpenID relying parties (clients) request attributes using the claim URIs specified under this dialect. Other examples are the SAML SSO and Passive-STS flows. In them you have the option to select the dialect that you want to use to send back the attributes to the client.
Question 2:
Are you facing a claim-mapping related problem with the new ApacheDS 2.0 LDAP? As far as I know, since the WSO2 IS embedded LDAP is also based on ApacheDS, if you point (via user-mgt.xml) to such an LDAP the existing claim mapping should work without any problem.