When using the WSO2 Identity Server for user and role management, it is important to understand how to manage the attributes of users within it. In the Identity Server, each user store attribute can be mapped as a claim. Therefore, you need to use the claim management functionality available in the Identity Server and properly map your LDAP/AD/JDBC user store attributes with the claim URIs defined by the Identity Server. You can also add different claim URIs and manage them using claim management.
The following topics provide instructions on how to manage user attributes in the Identity Server.
Managing the attributes of a user
The following are the three main ways to view, add, edit and delete attributes of a user in the Identity Server.
- By accessing the profile of the user and changing the attributes using the Management Console.
- Log into the WSO2 Identity Server.
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- From the list of users that appear in the resulting page, identify the user whose attributes you want to modify and click User Profile.
- Click Update to save changes to the attributes.
You can use the
RemoteUserStoreManagerServiceAPI. This is a SOAP-based API and is very easy to use. For more information on using this, see Managing Users and Roles with APIs. Supposing you want to set a user attribute, you can call the following method.
Here “is the claim URI that has been mapped with the user store’s email attribute. The last parameter is profile, we can just pass “null”, as there is only one profile. You can retrieve the user attribute value as follows.
- You can use the REST Web service according to the SCIM provisioning specification. For more information on this, see SCIM 1.1 APIs.
Claim mapping when using multiple user stores
When you are using more than one user store, you must map the attributes correctly by adding a claim mapping. Under “Mapped Attribute(s)” you need to follow the pattern.
However, for the default user store, you do not need to provide the domain name. As an example, if you have two user stores, one is the default and another one with domain “DEMO” then the pattern would be as follows for “
Attributes with multiple values
If your user store supports having multiple values for attributes, the WSO2 Identity Server can view, add, update or delete them (normally LDAP/AD offer support for this). The following are the different ways you can do this.
In the Identity Server Management Console, multiple attribute values are separated by comma. If you want to update two email addresses using the user profile UI, you must provide it as follows.
See the following screen for how this will look in the user interface of the Identity Server Management Console.
When using the
RemoteUserStoreManagerServiceAPI, call it as follows.
The GET results are returned in the form of comma separated values for the attribute.
The following screen shows how this looks in the LDAP.
Writing custom attributes
Supposing the attributes of a user are stored in both the user store (LDAP) and another location (JDBC table), the Identity Server needs to retrieve/add the user’s attribute in both these places. In scenarios like this, some customization must be done. To customize this, you can simply extend the current user store manager implementation and write a custom implementation to do it. In the custom user store implementation, you only need to extend the following three methods that help to retrieve/add a user attribute. Other methods can be kept as they are.
See Writing a Custom User Store Manager for more information on this.
Authentication using multiple attributes
Multi attribute login is only supported for LDAP/AD user stores and is not supported for JDBC user stores.
WSO2 Identity Server can be deployed with any LDAP based server and it can expose authentication via a Web Service API, SAML, OAuth, OpenID, etc. By default, WSO2 IS is configured to authenticate with only one user attribute in the LDAP.
- In a user store, each user has different attributes such as
- Once you connect your LDAP with an application, generally, the application uses one of the unique attributes in LDAP to authenticate the user.
This is done by specifying the attribute in the following property in the
user-mgt.xmlfile found in the
<IS_HOME>/repository/confdirectory. For example, you can specify either the
In this case, the
uidvalue is used as the username to authenticate the user in that application.
It is also possible for the application to use both attributes to authenticate. This means that end users can be authenticated in the application using either their uid or mail attribute values. This section provides instructions on how the WSO2 IS can be extended to authenticate users using more than one attribute. For the purposes of this example, assume that users are given the flexibility to authenticate using either their uid and mail attributes in the LDAP.
- Configure the LDAP user store related configurations using the
user-mgt.xmlfile found in the
<IS_HOME>/repository/confdirectory. For more information on configuring user stores, see Configuring the Realm.
UserNameSearchFilterproperty as shown below to search for the user object in the LDAP using both mail and uid attributes.
UserDNPatternproperty if it is currently enabled.
carbon.xmlfile found in the
<IS_HOME>/repository/confdirectory and uncomment the following. For more information on email authentication, see Using Email Address as the Username.
If you want to work with multiple attributes (basically to retrieve internal roles with multiple attributes), do one of the following depending on which user store you want to configure this for:
Configuration for primary user store: Add the following property in the
<IS_HOME>/repository/conf/user-mgt.xmlfile under the relevant UserStoreManager tag of the user store definition you are using.
Configuration for secondary user store: Add the following property in the secondary user store configuration XML file.
- To test this, restart WSO2 IS and attempt to log in to the management console by providing either the
uidvalues with the same password.
Customizing the claim for the user attribute
If you are using multiple attribute authentication and want to customize the claim to be used for user name attribute, do the following.
Edit the following element in the
This will return the email address of the authenticated user. It can be configured to return any attribute by changing the '