Claims management in wso2 is troubleshoot - wso2

I am experiencing a problem with WSO2 Identity Server (version 4.5.0) regarding some new claims (attributes) I have added. Specifically, I have added new attributes in http://wso2.org/claims, but when I try to populate the corresponding fields in the user profiles, the following message appears:
Error while updating user profile of User. Error is: One or more attributes you are trying to add/update are not supported by underlying LDAP.
Any ideas?
Thank you in advance.
M

This can be because you have added a claim mapping which is not supported by the underlying user store (LDAP). When you are adding a claim, we need to provide a claim mapping attribute. It is the attribute mapped to your LDAP user store. If there is no such attribute in the LDAP user store, this error can occur. (Please note the claim management component would not add a new attribute to the user store. It would map to the existing attributes in the LDAP user store.)

I just would like to piggyback off of Aslea's and Maria's answers and add to them. If you'd like to know what mapped claims you can use, you can find out about them at this link. And if you'd like to add custom attributes directly to the LDAP server, please refer to this link.

Related

How do you configure custom claim attributes for username recovery in wso2?

According to WSO2 documentation (https://docs.wso2.com/display/IS570/Username+Recovery) we can add additional attributes to the Username Recovery. I have selected an attribute and it displays on the Username Recovery form, but it does not appear to be used in the search filter to find the account.
The only field that it appears to use properly is email. Unfortunately, I need to include an additional attribute to distinguish between accounts.
What am I missing to get this to work?
If you are using WSO2 Identity Server 5.7, it is a reported issue [1]. It has been fixed in IS 5.9 onwards. You can patch the fix by applying the changes in [2] to get it to work in IS 5.7.
[1] https://github.com/wso2/product-is/issues/6158
[2] https://github.com/wso2/carbon-identity-framework/pull/2380

WSO2 IS Claims configuration from secondary store

I'm using WSO2 Identity Server 5.10.0 configured to use Active Directory as the user store.
I don't have the opportunity to add custom properties to the Active Directory, so I'm facing several issues in claims configuration.
To solve the issue I was thinking of using Active Directory as the primary user store and configuring WSO2 claims to be stored and retrieved from a secondary user store (a JDBC user store).
I configured all that I needed, but I can't make it work. When I start WSO2 IS it complains because it can't find mapped claims.
More exactly I have:
system error while authenticating/authorizing user : cannot find suitable mapped attribute for local claim http://wso2.org/claims/userid
Once I solve userid it gives me other claims, until I return everything to the primary user store.
I'm wondering if my idea is feasible. If I can select from where to take claims, why do I get this kind of error?
Actually, configuring the Active Directory as the primary user store will not make any difference when it comes to attribute mappings, because all the user stores in the system should have correctly mapped attributes for this meta claim set and the other claims which are marked as "Supported by Default".
The solution would be updating the mapped attributes for local claims with the correct existing attributes from your Active Directory. If you have multiple user stores, you can have different mapped attributes for each user store domain. Refer to this document for more info.
You may find a list of mandatory meta claims which must have correct mappings to create users in this document.
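Both the first thread (the "not supported by underlying LDAP" error on profile update) and this one (the "cannot find suitable mapped attribute" error at authentication) come down to the same check: every local claim's mapped attribute must exist in each user store domain it is resolved against, with per-domain overrides where the domains differ. The following is an added illustration of that check, not WSO2 code; the claim URIs, the list of "required" claims, the domain names and the attribute sets are all constructed for the example.

```python
"""Validate WSO2-style claim-to-attribute mappings against the attributes
each user store domain actually has. Added example with constructed data;
it does not talk to WSO2 IS or an LDAP server."""
from dataclasses import dataclass, field

# Claims assumed (for this example) to be needed at authentication time for
# every user store. A missing mapping for these surfaces as the
# "cannot find suitable mapped attribute" error; a missing mapping for any
# other claim only fails when that claim is written, e.g. on profile update.
REQUIRED_CLAIMS = (
    "http://wso2.org/claims/username",
    "http://wso2.org/claims/userid",
)


@dataclass
class LocalClaim:
    uri: str
    mapped_attribute: str                          # default mapping
    per_domain: dict = field(default_factory=dict)  # domain -> attribute override

    def attribute_for(self, domain):
        """Mapped attribute for a given user store domain."""
        return self.per_domain.get(domain, self.mapped_attribute)


def find_unmapped_claims(claims, store_attributes):
    """Return {domain: [(claim_uri, attribute), ...]} for every claim whose
    mapped attribute is absent from that domain's attribute set.
    LDAP attribute names are case-insensitive, so compare lower-cased."""
    problems = {}
    for domain, attrs in store_attributes.items():
        available = {a.lower() for a in attrs}
        missing = [
            (c.uri, c.attribute_for(domain))
            for c in claims
            if c.attribute_for(domain).lower() not in available
        ]
        if missing:
            problems[domain] = missing
    return problems


def classify(problems):
    """Split problems into those that block authentication (required claims)
    and those that only break profile updates for that claim."""
    blocking, profile_only = [], []
    for domain, missing in problems.items():
        for uri, attr in missing:
            target = blocking if uri in REQUIRED_CLAIMS else profile_only
            target.append(f"{domain}: local claim {uri} -> attribute '{attr}' not found")
    return blocking, profile_only


# Constructed configuration: an AD primary domain and a JDBC secondary domain.
CLAIMS = [
    LocalClaim("http://wso2.org/claims/username", "uid",
               per_domain={"PRIMARY": "sAMAccountName"}),
    LocalClaim("http://wso2.org/claims/userid", "scimId",
               per_domain={"PRIMARY": "objectGUID"}),
    LocalClaim("http://wso2.org/claims/department", "departmentNumber"),
]
STORE_ATTRIBUTES = {
    "PRIMARY": {"sAMAccountName", "objectGUID", "department", "mail"},
    "JDBC": {"uid", "scimId", "departmentNumber"},
}

if __name__ == "__main__":
    blocking, profile_only = classify(find_unmapped_claims(CLAIMS, STORE_ATTRIBUTES))
    print("blocks authentication:", *blocking, sep="\n  ")
    print("fails on profile update:", *profile_only, sep="\n  ")
```

With the constructed data the JDBC domain is clean, while the PRIMARY (AD) domain has the department claim mapped to `departmentNumber`, which that directory does not have; that is exactly the situation behind the profile-update error in the first thread, and swapping the per-domain mapping to the attribute the store really has (`department` here) is the fix the answers describe.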

Is it possible to generate dynamic claims based on attributes using WSO2 Identity Server?

I'm using WSO2 Identity Server 5.3.0 and several LDAP user stores.
I need to integrate AWS as a service provider and WSO2 IS as identity provider.
The situation is: I have lots of users stored in the user stores and some of them have specific roles that should be allowed to login to AWS service. So far I don't have the possibility to alter / update the current user stores.
That's why I'm trying to figure out a way to populate / generate / translate / calculate the value of a claim based on an already stored attribute in the user store.
I have a sort of table with the groups coming from LDAP's memberOf attribute a user could belong to and their equivalences to AWS attributes that should be stored in specific claims in order for AWS to allow that user to enter certain services.
The end user is willing to solve this situation within the WSO2 IS component without altering the stores content.
I'm wondering if the only way to do this is writing a custom User Store Manager or a Custom Claim Handler [1] to deal with this particular situation or there is a more standard way to accomplish this.
I will appreciate any input, thanks in advance.
[1] http://pushpalankajaya.blogspot.ca/2014/07/adding-custom-claims-to-saml-response.html
I think Claim Handler is the right place to implement your logic. You can find a sample in https://github.com/mefarazath/CustomClaimHandler
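The translation step a custom claim handler would perform for this question, as an added example that is neither the linked sample nor WSO2 code: the user's LDAP memberOf values are looked up in a static table and turned into the SAML attributes AWS expects (the attribute names `https://aws.amazon.com/SAML/Attributes/Role` and `RoleSessionName` are AWS's; the group DNs, account ids, role names and the SAML provider name are constructed placeholders). The code is plain Python so the logic can be read and run on its own; wiring it into WSO2's claim handler extension point is left to the linked sample.

```python
"""Derive AWS SAML role claims from LDAP memberOf group DNs via a lookup
table, without changing anything in the user store. Added example with
constructed data."""
import re

# Constructed table: LDAP group DN -> (AWS account id, IAM role name).
# The account id and role names are placeholders.
GROUP_TO_AWS_ROLE = {
    "cn=aws-admins,ou=groups,dc=example,dc=com": ("123456789012", "Admin"),
    "cn=aws-readonly,ou=groups,dc=example,dc=com": ("123456789012", "ReadOnly"),
}
SAML_PROVIDER = "WSO2IS"  # assumed name of the SAML provider registered in IAM

AWS_ROLE_CLAIM = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_CLAIM = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def normalize_dn(dn):
    """DNs are case-insensitive and directories differ on whitespace after
    separators, so canonicalise before the table lookup."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def role_arn_pair(account, role):
    """AWS expects 'role-arn,provider-arn' as a single attribute value."""
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER}")


def derive_aws_claims(username, member_of):
    """Return the extra claims for the SAML response, or None when the user
    belongs to no AWS-mapped group (the caller should then not assert any
    AWS role at all rather than emit an empty attribute)."""
    roles = []
    for dn in member_of:
        entry = GROUP_TO_AWS_ROLE.get(normalize_dn(dn))
        if entry is None:
            continue  # group irrelevant to AWS; ignore
        arn = role_arn_pair(*entry)
        if arn not in roles:   # keep order, drop duplicates
            roles.append(arn)
    if not roles:
        return None
    return {AWS_ROLE_CLAIM: roles, AWS_SESSION_CLAIM: username}


if __name__ == "__main__":
    # Constructed memberOf values as an LDAP server might return them.
    groups = ["CN=aws-admins, OU=groups, DC=example, DC=com",
              "cn=staff,ou=groups,dc=example,dc=com"]
    print(derive_aws_claims("maria", groups))
    print(derive_aws_claims("bob", ["cn=staff,ou=groups,dc=example,dc=com"]))
```

One caveat when this is emitted through WSO2 IS: the role value itself contains a comma, and WSO2 IS joins multi-valued attributes using a configurable separator (the MultiAttributeSeparator user store property) whose default is also a comma, so a deployment needs a different separator or AWS will not parse the role pairs.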

Blank Attribute Values in wso2 IS

I am using WSO2 IS 4.5.0. I recently modified the standard policy editor so as to use a new attribute, but the modification doesn't seem to work. Specifically, when I select the attribute and hit Search, the attribute finder returns the message:
No entitlement data finder module is defined for this category
Has anyone an idea on how to resolve this? thanks in advance,
Maria
Yes.... It is the expected behavior with the default implementation. Let me explain this further; attributes are retrieved to this UI page using pluggable entitlement data finder modules. These modules can be plugged into WSO2 IS. Attribute sources can be databases, user stores or anything... The default implementation only retrieves roles from the WSO2 IS user store. But if you want more to show in this UI, you can do it by extending the default implementation. Please find the source for the default implementation here. This would help you to get some idea.

WSO2 IS cannot add new profile from User Profile Management

When I go to "My Identity -> My Profiles", it does not give me the option to Add New Profile (as seen on the documentation for User Profile Management), but I can only edit the default profile.
I am using an external MySQL server as the JDBC user store, and creation and editing of users works fine.
I did not find any parameter in the xml files to enable this multiple profile feature. How should I proceed?
Thanks.
Yes. I also found the same. Adding multiple profiles for a user has been removed from the UI. But with a JDBC user store, I guess, we can add this using the web service API. Following is the API:
https://{ip}:{port}/services/UserProfileMgtService?wsdl