For user and role management in WSO2 products, it is important to understand how to manage the attributes of users within it. In the products, each user store attribute can be mapped as a claim. Therefore, you need to use the claim management functionality available in the product and properly map your LDAP/AD/JDBC user store attributes with the claim URIs defined by the product. You can also add different claim URIs and manage them using claim management.
The following topics provide instructions on how to manage user attributes in WSO2 products.
Managing the attributes of a user
The following are the three main ways to view, add, edit and delete attributes of a user in the product.
- By accessing the profile of the user and changing the attributes using the Management Console.
- Log into the product's Management Console.
- On the Configure tab in the Management Console, click Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- From the list of users that appear in the resulting page, identify the user whose attributes you want to modify and click User Profile.
- Click Update to save changes to the attributes.
You can use the
RemoteUserStoreManagerServiceAPI. This is a SOAP-based API and is very easy to use. Supposing you want to set a user attribute, you can call the following method.
Here “is the claim URI that has been mapped with the user store’s email attribute. The last parameter is profile, we can just pass “null”, as there is only one profile. You can retrieve the user attribute value as follows.
- You can use the REST Web service according to the SCIM provisioning specification.
Claim mapping when using multiple user stores
When you are using more than one user store, you must map the attributes correctly using claim management. Under “Mapped Attribute(s)” you need to follow the pattern.
However, for the default user store, you do not need to provide the domain name. As an example, if you have two user stores, one is default and other one with domain “LDAP” then the pattern would be as follows for “
Attributes with multiple values
If your user store supports having multiple values for attributes, the WSO2 product can view, add, update or delete them (normally LDAP/AD offer support for this). The following are the different ways you can do this.
In the product's Management Console, multiple attribute values are separated by comma. If you want to update two email addresses using the user profile UI, you must provide it as follows.
See the following screen for how this will look in the user interface of the product's Management Console.
When using the
RemoteUserStoreManagerServiceAPI, call it as follows.
The GET results are returned in the form of comma separated values for the attribute.
The following screen shows how this looks in the LDAP.
Writing custom attributes
Supposing the attributes of a user are stored in both the user store (LDAP) and another location (JDBC table), the product needs to retrieve/add the user’s attribute in both these places. In scenarios like this, some customization must be done. To customize this, you can simply extend the current user store manager implementation and write a custom implementation to do it. In the custom user store implementation, you only need to extend the following three methods that help to retrieve/add a user attribute. Other methods can be kept as they are.
Authentication using multiple attributes
In a user store, each user has different attributes such as uid, cn, email and so on. Some of the attributes can be unique. As an example, normally uid and mail can be unique attributes for user.
Once you connect your LDAP with an application, the application can use one of the unique attributes in LDAP to authenticate the user (as the user name of the user in that application). Considering our example, it can be the uid or mail attribute. Additionally, in some cases, the application can use both attributes. So end users can be authenticated in the application using both their uid or mail.
WSO2 products can be deployed with any LDAP based server and it can expose authentication via a Web Service API, SAML, OAuth, OpenID, etc. By default, WSO2 products configured to authenticate with only one user attribute in the LDAP. This topic provides instructions on how the products can be extended to authenticate users using more than one attribute.
For the purposes of this example, we assume that users need to be authenticated using both their uid and mail attributes in the LDAP.
- Configure the LDAP user store related configurations using the user-mgt.xml file found in the
UserNameSearchFilterthat helps to search for the user object in the LDAP using both mail and uid attributes.
UserDNPatternproperty, if it is currently enabled.
- The mail attribute has requirements that are unique. If you are using the mail attribute, you need to open the carbon.xml file found in the
<PRODUCT_HOME>/repository/confdirectory and uncomment the following.
If you want to work with multiple attributes (basically to retrieve internal roles with multiple attributes), you must add following property in the
- To test this, restart the product and try to log in to the Management Console by providing both the mail and uid with the same password.
Customizing the claim for the user attribute
If you are using multiple attribute authentication and want to customize the claim to be used for user name attribute, do the following.
Edit the following element in the
This will return the email address of the authenticated user. It can be configured to return any attribute by changing the '