The TryIt page proposes only a subject name. How to test with http://wso2.org/claims/role, for example? (wso2-identity-server)

I'm running the wso2is-4.6.0
I've created a policy like allowing a user with a specific role to access a resource.
When I TryIt, the wso2is manager just proposes a Subject Name (urn:oasis:names:tc:xacml:1.0:subject:subject-id). I've seen in a previous version of wso2Is (see here) that it was possible to define a Subject Attribute Name (in my case it would be http://wso2.org/claims/role).
The result is that I can't test my request with the current version, as the attributeId generated by the wso2 TryIt tool refers to a subject-id where I need http://wso2.org/claims/role.
Any way to have this TryIt page more customizable?
Thanks for your help and support
Regards
Vpl

TryIt is a simple tool with which you can create the XACML request. It cannot support all options that are available. However, when it comes to the new version, it seems that the attribute Id selection has been removed. But you can fill in the attribute values and create the sample XACML request in XML view. Then you would find that the attribute id of the created XACML request is urn:oasis:names:tc:xacml:1.0:subject:subject-id. Therefore you can easily modify it to http://wso2.org/claims/role and try out the policy.

Related

Wso2 Identity Server 5.8.0: custom claim attribute in Create User by Scim service

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke the /scim2/Users service to create a new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could be causing custom attributes not to be updated via the scim2/Users endpoint.
1. Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the extending SCIM user claims doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
2. If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
3. When you update the value by logging in to the management console and viewing the user profile, the management console doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
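As an added example (not code from the posts above or from WSO2), a small Python check for the second point, the request payload: it reports the shapes that make WSO2 IS drop a custom attribute, such as sending it at the top level instead of under the extension schema, or omitting the extension URN from "schemas". The extension URN urn:scim:wso2:schema and the attribute name XXX are assumptions; take the real URN from the extension doc linked in the answer.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed URN of the WSO2 user-schema extension; take the exact value from the doc linked above.
WSO2_EXT = "urn:scim:wso2:schema"
# Core User attributes this check recognises (a subset of RFC 7643 is enough here).
CORE_ATTRS = {"schemas", "userName", "name", "emails", "phoneNumbers", "password",
              "active", "displayName", "nickName", "title", "addresses", "groups"}

def audit_scim2_user(payload, custom_attrs):
    """Return the problems that would make WSO2 IS silently drop a custom attribute.

    payload: decoded JSON body for POST /scim2/Users.
    custom_attrs: names of the local custom attributes mapped into the extension (e.g. {"XXX"}).
    """
    problems = []
    schemas = set(payload.get("schemas", []))
    if CORE_USER not in schemas:
        problems.append(f"'schemas' must list {CORE_USER}")
    ext = payload.get(WSO2_EXT, {})
    if ext and WSO2_EXT not in schemas:
        problems.append(f"{WSO2_EXT} attributes present but the URN is missing from 'schemas'")
    for key in payload:
        if key in CORE_ATTRS or key == WSO2_EXT:
            continue
        if key in custom_attrs:
            problems.append(f"'{key}' sent at top level; it must be nested under {WSO2_EXT}")
        else:
            problems.append(f"'{key}' is neither a core nor an extension attribute and will be ignored")
    for name in custom_attrs:
        if name not in ext and name not in payload:
            problems.append(f"custom attribute '{name}' is not in the request at all")
    return problems

# Constructed samples: the shape that loses the attribute, and the corrected one.
BROKEN = {"schemas": [CORE_USER], "userName": "jdoe", "XXX": "some-value"}
FIXED = {"schemas": [CORE_USER, WSO2_EXT], "userName": "jdoe", WSO2_EXT: {"XXX": "some-value"}}
```

Run `audit_scim2_user(BROKEN, {"XXX"})` before posting to /scim2/Users; an empty list means the payload has the shape the extension doc expects.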

WSO2 IS, user account enable/disable issue

Document ref: wso2Is520-link-here
I followed this document to set up the account enable/disable property for users.
However, using the RemoteUserStoreManagerService SOAP service, it's not updating the claim:
http://wso2.org/claims/identity/accountDisabled
All other claims are updatable; is it a known issue or am I missing something?
Are you using setUserClaimValue?
The identity claims (which have the claim URI "http://wso2.org/claims/identity/xxxxx") can't be updated by the setUserClaimValue method. They can only be updated with the setUserClaimValues method.

Mandatory service provider claims always asked and not returned in openid profile

I have added a local custom claim namely http://wso2.org/claims/fg_imprenditore to http://wso2.org/claims dialect and mapped it on a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues:
I ask a JWT Token from a javascript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login, the WSO2is server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill in the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore", I can proceed. In any case the claim is not returned in the JWT Token.
In addition, if I go to the user profile the attribute is set correctly (with the new value!), but if I try to authenticate again I need to fill in the attribute again.
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider, it shouldn't request it when you try to log in. Also, in order for the JWT to contain your custom claim, you need to map the custom claim to a new custom claim under the OAuth dialect, and then map the new OAuth claim under the OIDC scope you use. It took me a while to get it too, as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because the "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any OIDC claims in WSO2 IS. Do the following to get rid of the issue.
1. Go to List under Claims in the IS Management Console Main tab.
2. Click on http://wso2.org/oidc/claim
3. Add a new claim with the name fg_imprenditore in the OIDC claim dialect. You will see a drop down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check the "Add External Claim" section in this)
4. Save the new OIDC claim and try again.

WSO2 Identity Server GUI creating different attribute id for policy and request

I have created XACML policies with the WSO2 GUI.
I used the Basic Policy Editor for this. I gave the following parameters
For policy (in first tab I only gave Resource Name, kept other fields blank):
Resource Names : https://www.xyz.com/blabla/
(in second tab)
Rule Effect: Permit
User's : Role is equals Architect
Action Name : is equals Read
So the policy is generated with this condition:
Architect
here the attribute id is: AttributeId="http://wso2.org/claims/role"
Now while I am trying to test this policy with the TryIt tool, passing the parameters in the GUI,
the automatic request generated by WSO2 has the following attribute id for the Role:
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
And because the policy attribute id doesn't match my test request attribute id, it is continuously giving an Intermediate reply.
I read some blogs and understood that the attributeId must match when sending the request.
I changed the request manually and then it works fine.
The question here is, why is WSO2 Identity Server creating a request with a different attributeId, while we already created the policy from the same WSO2 Identity Server?
I think both should match while you are using the same editor to create it and test it with the same parameters.
Or am I missing something here?
I think you mean you are getting Indeterminate instead of Intermediate. There is no such response w/ Intermediate in XACML.
Secondly the attribute ID "urn:oasis:names:tc:xacml:1.0:subject:subject-id" represents the user identity e.g. Alice, Bob, Carol. What your policy needs is the role. You can have a request that only contains the user identity in which case the PDP will have to resolve the role from an underlying source. That underlying source is called a PIP.
You can also directly pass in the role from the request but in that case you do have to make sure the attribute identifier matches the one used in your policy namely http://wso2.org/claims/role.
If you have issues with the UI, give ALFA a go. It gives you more visibility over which attributes are used.
Yes. http://wso2.org/claims/role refers to the user's roles in Identity Server. Then the PDP knows to call the PIP with this claim URI. The PIP would extract the roles of the user. Mostly in your case, Indeterminate can be due to whether the user's roles can be retrieved. Please refer to this to get more understanding about RBAC/ABAC with Identity Server
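As an added example (not code from any of the posts or from WSO2), this Python snippet does in code what the answer to the first question and the answers here describe: it lists the AttributeIds a policy designates, compares them with the AttributeIds in the TryIt-generated request, and relabels subject-id to http://wso2.org/claims/role so the request matches the policy. The XACML 3.0 policy and request are constructed samples modelled on the parameters given in the question (role Architect); the PDP and PIP themselves are not involved.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_CLAIM = "http://wso2.org/claims/role"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
# Constructed sample policy: permit when the subject's role attribute equals "Architect".
POLICY = f"""<Policy xmlns="{NS}" PolicyId="p1" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/><Rule Effect="Permit" RuleId="r1"><Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
      <AttributeValue DataType="{XS_STRING}">Architect</AttributeValue>
      <AttributeDesignator AttributeId="{ROLE_CLAIM}" Category="{SUBJECT_CAT}"
        DataType="{XS_STRING}" MustBePresent="true"/>
    </Apply></Condition></Rule>
</Policy>"""

# Constructed request in the shape the answers describe: TryIt puts the value under subject-id.
REQUEST = f"""<Request xmlns="{NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{SUBJECT_CAT}">
    <Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XS_STRING}">Architect</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""

def policy_attribute_ids(policy_xml):
    """AttributeIds the policy designates: the request must carry them or a PIP must resolve them."""
    root = ET.fromstring(policy_xml)
    return {d.get("AttributeId") for d in root.iter(f"{{{NS}}}AttributeDesignator")}

def request_attribute_ids(request_xml):
    """AttributeIds actually present in the request."""
    return {a.get("AttributeId") for a in ET.fromstring(request_xml).iter(f"{{{NS}}}Attribute")}

def missing_attribute_ids(policy_xml, request_xml):
    """IDs the policy needs but the request lacks; with no PIP to fill them in, expect Indeterminate."""
    return policy_attribute_ids(policy_xml) - request_attribute_ids(request_xml)

def rewrite_attribute_id(request_xml, old_id, new_id):
    """Return the request with every Attribute labelled old_id relabelled to new_id."""
    root = ET.fromstring(request_xml)
    for attr in root.iter(f"{{{NS}}}Attribute"):
        if attr.get("AttributeId") == old_id:
            attr.set("AttributeId", new_id)
    ET.register_namespace("", NS)  # keep the default namespace instead of an ns0: prefix
    return ET.tostring(root, encoding="unicode")
```

`missing_attribute_ids(POLICY, REQUEST)` returns the role claim URI, and after `rewrite_attribute_id(REQUEST, SUBJECT_ID, ROLE_CLAIM)` the same check returns an empty set, which is the request to paste back into the TryIt XML view.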

Extending the SCIM schema with wso2is 4.6.0

I am new to wso2is, and I'm trying to add the extended schema to SCIM user management as described in http://docs.wso2.org/display/IS460/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server
I was able to successfully enable the extended schema in the configuration file, do the claims mapping and even successfully create a user with extended claims, but the problem is that when I request the user information back through the /User/ or /Users endpoints, I can't find a way to have the extended attributes included in the result, which always contains only the standard SCIM schema attributes.
Any suggestions?
I think you have mapped your claims to the http://wso2.org/claims dialect. But you need to map those claims under the urn:scim:schemas:core:1.0 dialect. Once you map these under the urn:scim:schemas:core:1.0 dialect, the GET request populates the extended claims as well.
Regards,
Venura