When using the WSO2 Identity Server for user and role management, it is important to understand how to manage the attributes of users within it. In the Identity Server, each user store attribute can be mapped as a claim. Therefore, you need to use the claim management functionality available in the Identity Server and properly map your LDAP/AD/JDBC user store attributes with the claim URIs defined by the Identity Server. You can also add different claim URIs and manage them using claim management.
The following topics provide instructions on how to manage user attributes in the Identity Server.
Managing the attributes of a user
The following are the three main ways to view, add, edit and delete attributes of a user in the Identity Server.
- By accessing the profile of the user and changing the attributes using the management console.
- Log into the WSO2 Identity Server.
- On the Configure tab in the management console, click Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- From the list of users that appear in the resulting page, identify the user whose attributes you want to modify and click User Profile.
- Click Update to save changes to the attributes.
You can use the
RemoteUserStoreManagerServiceAPI. This is a SOAP-based API and is very easy to use. For more information on using this, see Managing Users and Roles with APIs. Supposing you want to set a user attribute, you can call the following method.
Here “ is the claim URI that has been mapped with the user store’s email attribute. The last parameter is profile, we can just pass “null”, as there is only one profile. You can retrieve the user attribute value as follows.
- You can use the REST Web service according to the SCIM provisioning specification. For more information on this, see WSO2 Identity Server as a SCIM Service Provider.
Claim mapping when using multiple user stores
When you are using more than one user store, you must map the attributes correctly using claim management. Under “Mapped Attribute(s)” you need to follow the pattern.
However, for the default user store, you do not need to provide the domain name. As an example, if you have two user stores, one is default and other one with domain “LDAP” then the pattern would be as follows for “
Attributes with multiple values
If your user store supports having multiple values for attributes, the WSO2 Identity Server can view, add, update or delete them (normally LDAP/AD offer support for this). The following are the different ways you can do this.
In the Identity Server management console, multiple attribute values are separated by comma. If you want to update two email addresses using the user profile UI, you must provide it as follows.
See the following screen for how this will look in the user interface of the Identity Server management console.
When using the
RemoteUserStoreManagerServiceAPI, call it as follows.
The GET results are returned in the form of comma separated values for the attribute.
The following screen shows how this looks in the LDAP.
Writing custom attributes
Supposing the attributes of a user are stored in both the user store (LDAP) and another location (JDBC table), the Identity Server needs to retrieve/add the user’s attribute in both these places. In scenarios like this, some customization must be done. To customize this, you can simply extend the current user store manager implementation and write a custom implementation to do it. In the custom user store implementation, you only need to extend the following three methods that help to retrieve/add a user attribute. Other methods can be kept as they are.
See Writing a Custom User Store Manager for more information on this.