I am working on WSO2 IS 4.6.
I am new to wso2is. Maybe this is a stupid question, but I am still blocked.
The first question: when there are multiple claim dialects in the system, which claim dialect will be used? Which conditions make the system choose one dialect instead of another?
The second question: I installed WSO2 IS 4.6 and installed ApacheDS 2.0 with defaults (no customization). Where can I find the corresponding claim mapping?
I know I need to correct the claim mapping, but I don't know how to find the correct mapping. Can somebody provide a workable claim-mgt.xml based on WSO2 IS 4.6 and ApacheDS 2.0?
Adding more info to Dulanja's answer,
Q1. In WSO2 Identity Server, internally it always uses a claim dialect together with a claim URI to identify a unique claim. Different components use different dialects to get their claims. For example, when adding a new user using the management console, the relevant (user-manager) component would use the WSO2 default claim dialect mentioned above. Similarly, if you are doing SCIM related operations, the relevant components will use the SCIM dialect.
Q2. As mentioned in Q1, the dialect together with the claim URI makes the unique claim, and where we store that claim's value can be configured in two ways.
i. You can use claim-config.xml in the /repository/conf/ folder and edit the claim-to-LDAP-attribute mapping by changing the <AttributeID> which is given under every element.
ii. Or you can change claim mappings at runtime using the Claim Management page in the management console. Please refer to [1] for more info.
[1] http://docs.wso2.org/display/IS460/Claim+Management
Thanks,
Question 1:
The default claim dialect of WSO2 products is http://wso2.org/claims. This is the underlying dialect of the User Profile view - currently you cannot change this to use a different dialect.
Other dialects are used in different scenarios. As an example, http://schema.openid.net/2007/05/claims is used when IS acts as an OpenID Provider. OpenID relying parties (clients) request attributes using the claim URIs specified under this dialect. Other examples are the SAML SSO and Passive-STS flows. In them you have the option to select the dialect that you want to use to send back the attributes to the client.
Question 2:
Are you facing a claim-mapping related problem with the new ApacheDS 2.0 LDAP? As far as I know, since the WSO2 IS embedded LDAP is also based on ApacheDS, if you point (via user-mgt.xml) to such an LDAP the existing claim mapping should work without any problem.
How can I set a default value to a claim when configuring a Service Provider on WSO2-IS carbon?
I'd like to set a default value for userDirectory according to the environment that I've created, to pass to the Service Provider.
WSO2-IS 5.11.0
AFAIK there is no OOTB config with which you can achieve this. I can suggest two ways for you to try this.
You can do a customization and get this capability. You can write a listener and subscribe to the PostAddUser event or PostGetUser event. To do so you need to introduce a new claim as well.
If you want to include this claim in the ID token, then you can implement a custom claim provider. Follow the blog for more details.
Edit:
AFAIU there is a 3rd option, explained in the issue, where you can define a custom claim handler. With this approach, the claims will be added to all the assertions.
I'm new to using WSO2 (currently using v5.8.0).
I am trying to change the default claim dialect of WSO2 Carbon (http://wso2.org/claims) to a freshly created claim dialect.
When changing the dialect, I would like the "user Profile" to change accordingly.
I've already changed 2 lines in the config file "identity.xml", but it doesn't seem to do anything:
AttributesClaimDialect
ConsumerDialectURI
The default User Profile looks like this
I would like the new one to only use the claims attributed in the new Dialect.
I really hope there is a way to do this, and avoid using the default Claim Dialect.
http://wso2.org/claims is the default claim dialect which is used by the WSO2 server for user-related operations. This name is hardcoded in the codebase, so it is not possible to change it.
If you want to change the "user Profile", let's say you want to show a new claim in the profile, you need to mark that particular claim in http://wso2.org/claims as 'Supported by Default'.
I'm using WSO2 Identity Server 5.3.0 and several LDAP user stores.
I need to integrate AWS as a service provider and WSO2 IS as identity provider.
The situation is: I have lots of users stored in the user stores and some of them have specific roles that should be allowed to login to AWS service. So far I don't have the possibility to alter / update the current user stores.
That's why I'm trying to figure out a way to populate / generate / translate / calculate the value of a claim based on an already stored attribute in the user store.
I have a sort of table with the groups coming from LDAP's memberOf attribute a user could belong to and their equivalences to AWS attributes that should be stored in specific claims in order for AWS to allow that user to enter certain services.
The end user is willing to solve this situation within the WSO2 IS component without altering the stores content.
I'm wondering if the only way to do this is writing a custom User Store Manager or a Custom Claim Handler [1] to deal with this particular situation or there is a more standard way to accomplish this.
I will appreciate any input, thanks in advance.
[1] http://pushpalankajaya.blogspot.ca/2014/07/adding-custom-claims-to-saml-response.html
I think Claim Handler is the right place to implement your logic. You can find a sample in https://github.com/mefarazath/CustomClaimHandler
I am using WSO2 Identity Server and creating custom claims in it. In a specific use case I need two claims to replicate the same value.
So while creating a user, if I give "1234" to the claim http://wso2.org/claims/store1/id1, then the claim http://wso2.org/claims/store2/id2 should also have "1234".
Is there any way to achieve this?
One way to achieve this is to override a method in the user store manager. There you can put your custom logic to save and get claims.
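The override approach described in the answer above, as an added example that is not the answerer's or the WSO2 project's code: a custom user store manager that copies the store1/id1 value onto store2/id2 on every write. The class and helper names are the example's own; the parent class ReadWriteLDAPUserStoreManager, its constructor and the doAddUser / doSetUserClaimValues signatures are assumed to match the IS 5.x Carbon user-core API.

```java
import java.util.HashMap;
import java.util.Map;

import org.wso2.carbon.user.api.RealmConfiguration;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.claim.ClaimManager;
import org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager;
import org.wso2.carbon.user.core.profile.ProfileConfigurationManager;

/** Keeps the two claims from the question in sync on every write to this store. */
public class MirroredClaimUserStoreManager extends ReadWriteLDAPUserStoreManager {

    static final String SOURCE_CLAIM = "http://wso2.org/claims/store1/id1";
    static final String MIRROR_CLAIM = "http://wso2.org/claims/store2/id2";

    // Constructor signature assumed from the IS 5.x parent class.
    public MirroredClaimUserStoreManager(RealmConfiguration realmConfig,
            Map<String, Object> properties, ClaimManager claimManager,
            ProfileConfigurationManager profileManager, UserRealm realm,
            Integer tenantId) throws UserStoreException {
        super(realmConfig, properties, claimManager, profileManager, realm, tenantId);
    }

    /** Returns a copy of the claim map with MIRROR_CLAIM set to SOURCE_CLAIM's value. */
    static Map<String, String> mirrorClaims(Map<String, String> claims) {
        Map<String, String> result = new HashMap<>();
        if (claims != null) {
            result.putAll(claims);
        }
        String value = result.get(SOURCE_CLAIM);
        if (value != null) {
            result.put(MIRROR_CLAIM, value); // replicate, so both claims always agree
        }
        return result;
    }

    // Called when a user is created: mirror before the parent persists the claims.
    @Override
    protected void doAddUser(String userName, Object credential, String[] roleList,
            Map<String, String> claims, String profileName,
            boolean requirePasswordChange) throws UserStoreException {
        super.doAddUser(userName, credential, roleList, mirrorClaims(claims),
                profileName, requirePasswordChange);
    }

    // Called when claims are updated on an existing user, e.g. from the profile UI or SCIM.
    @Override
    public void doSetUserClaimValues(String userName, Map<String, String> claims,
            String profileName) throws UserStoreException {
        super.doSetUserClaimValues(userName, mirrorClaims(claims), profileName);
    }
}
```

The mirroring only covers writes that go through this store manager, so attributes changed directly in the LDAP server stay out of sync; the class is registered like any custom user store manager, by giving its fully qualified name as the user store class in user-mgt.xml or in the management console.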
I created my own dialect using the management console Configure-->Claim Management. After doing this, I wanted to configure my Service Provider to be associated with these claims, so I edited my SP and went to the Claim Configuration section. The issue I am running into is that the only Local Claim claims which show up are the default WSO2 ones. So you only ever see ones starting with http://wso2.org/claims/.
With that said, I don't believe choosing Define Custom Claim Dialect is an appropriate alternative, since I defined a dialect already. It would make zero sense to go and map that back to the default dialect, so I'm assuming this would not be the route.
Is there some configuration setting to list values from other defined dialects? Besides the one I created, there are quite a few that come OOB anyway. Is this a bug? I would assume my dialect along with all the other OOB ones would be Local Claim Dialects.
The Claims Management page in the docs is just way too general to discern if there's some funny requirement. https://docs.wso2.com/display/IS500/Claim+Management
WSO2 Identity Server 5.0.0
I created a workaround, which works for my situation.
Once again, this is with IS 5.0.0. In my situation, no claims or dialects preconfigured fit my needs and I want my own special URIs defined ONLY.
So here's what I did:
In the Management Console, went to Configure-->Claim Management.
Edited the "http://wso2.org/claims" dialect.
Added each claim I wanted to this dialect. I was able to enter whatever URI I pleased, even though the dialect had a different URI (that's a good thing!) along with the property name I wanted it associated with. e.g., http://example.com/claims/claimname1
Then I went to configure the claims / attributes I wanted to be communicated to a particular Service Provider by editing its Claim Configuration...
Selected "Use Local Dialect".
For each claim I wanted to add, clicked "Add Claim URI" at "Request Claims", and selected a URI I created.
(OPTIONAL) I deleted all non-custom URIs in the "http://wso2.org/claims" dialect, because I found that in my custom user store getUserPropertyValues() was still being passed every single claim attribute to resolve. It was trying to resolve more than 20 properties at every login. Some performance help! :)