This documentation is for WSO2 Identity Server 5.4.0.

...

Property Name | Display Name | Description
DomainName | DomainName | Unique name to identify the user store. This should only be configured for secondary user stores.
url | Connection URL | Connection URL to the database, which can also include additional connection parameters.
  Sample value: jdbc:mysql://localhost:3306/wso2is
userName | Connection Name | The username used to connect to the database and perform various operations. This user does not have to be an administrator in the database or have an administrator role in the WSO2 product you are using, but it MUST have the privileges required for those operations.
password | Connection Password | Password for the Connection Name user.
driverName | Driver Name | Name of the JDBC driver used to connect to the database. This driver should be available in the <PRODUCT_HOME>/repository/components/lib folder.
Disabled | Disabled | Deactivates the user store. Use this option if you need to temporarily deactivate a user store; disabling the user store through the disable option also sets this parameter. (Default: false)
  Possible values:
  true: Disable the user store temporarily.
ReadOnly | Read-Only | Indicates whether the user store operates in read-only mode.
  Possible values:
  true: Operates in read-only mode
  false: Operates in read-write mode
ReadGroups | ReadGroups | When WriteGroups is set to false, indicates whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: GroupSearchBase, GroupNameListFilter, or GroupNameAttribute.
  Possible values:
  true: Read groups from the user store
  false: Do not read groups from the user store
WriteGroups | WriteGroups | Indicates whether groups should be written to the user store.
  Possible values:
  true: Write groups to the user store
  false: Do not write groups to the user store, so only internal roles can be created. Depending on the value of the ReadGroups property, existing groups are or are not read from the user store.
UsernameJavaRegEx | Username RegEx (Java) | The regular expression used by the back-end components for username validation. By default, non-empty strings of 3 to 30 characters are allowed. You can provide ranges of letters, numbers and also ranges of ASCII values in the RegEx properties.
  Default: [a-zA-Z0-9._-|//]{3,30}$
UsernameJavaScriptRegEx | Username RegEx (Javascript) | The regular expression used by the front-end components for username validation.
  Default: ^[\S]{3,30}$
UsernameJavaRegExViolationErrorMsg | Username RegEx Violation Error Message | Error message shown when the username does not match UsernameJavaRegEx.
PasswordJavaRegEx | Password RegEx (Java) | The regular expression used by the back-end components for password validation. By default, non-empty strings of 5 to 30 characters are allowed. You can provide ranges of letters, numbers and also ranges of ASCII values in the RegEx properties.
  Default: ^[\S]{5,30}$
PasswordJavaScriptRegEx | Password RegEx (Javascript) | The regular expression used by the front-end components for password validation.
  Default: ^[\S]{5,30}$
PasswordJavaRegExViolationErrorMsg | Password RegEx Violation Error Message | Error message shown when the password does not match PasswordJavaRegEx.
RolenameJavaRegEx | Role Name RegEx (Java) | The regular expression used by the back-end components for role name validation. By default, non-empty strings of 3 to 30 characters are allowed. You can provide ranges of letters, numbers and also ranges of ASCII values in the RegEx properties.
  Default: [a-zA-Z0-9._-|//]{3,30}$
RolenameJavaScriptRegEx | Role Name RegEx (Javascript) | The regular expression used by the front-end components for role name validation.
  Default: ^[\S]{3,30}$
CaseInsensitiveUsername | Case Insensitive Username | Indicates whether the username should be case insensitive or not.
  Default: false
  Possible values:
  true: If you are not using case-sensitive usernames, it is better to configure this. Please note that enabling this could lead to performance degradation when searching for users as the number of users increases.

SCIMEnabled | Enable SCIM | Configures whether the user store supports SCIM provisioning.
  Possible values:
  true: The user store supports SCIM provisioning.
  false: The user store does not support SCIM provisioning.
IsBulkImportSupported | Bulk Import Support | Defines whether the user store supports the bulk user import operation.
PasswordHashMethod | Password Hashing Algorithm | Specifies the password hashing algorithm used to hash the password before it is stored in the user store.
  Possible values:
  SHA - Uses a SHA digest method (SHA-1, SHA-256).
  MD5 - Uses the MD5 digest method.
  PLAIN_TEXT - Plain text passwords.
  If you configure just SHA, it is treated as SHA-1. It is always better to configure an algorithm with a higher bit value, since the digest size increases.
  Most LDAP servers (such as OpenLDAP, OpenDJ, AD, ApacheDS, etc.) support storing the password as a salted hashed value (SSHA). Therefore, WSO2 Identity Server only needs to feed the password into the connected user store as a plain text value; the LDAP user store can then store it as a salted hashed value. To feed plain text into the LDAP server, set PasswordHashMethod to "PLAIN_TEXT".
  However, if your LDAP does not support storing user passwords as hashed values, you can configure WSO2 Identity Server to hash the password and feed the hashed password into the LDAP server. In that case, configure the PasswordHashMethod property with SHA (SHA-1), SHA-256 or SHA-512. Please note that the WSO2 server cannot create a salted hashed password (SSHA) to feed into the LDAP.
MultiAttributeSeparator | Multiple Attribute Separator | Defines a character used to separate multiple attributes. This ensures that it will not appear as part of a claim value. Normally "," is used to separate multiple attributes, but you can define ",,," or "..." or a similar character sequence.
  Default: ","
StoreSaltedPassword | Enable Salted Passwords | Indicates whether to store the password with a salt value.
  Default: true
  Possible values: false
  It is recommended to store salted passwords, because dictionary and brute force attacks against salted passwords are more difficult.
MaxUserNameListLength | Maximum User List Length | Controls the number of users listed in the user store of a WSO2 product. This is useful when you have a large number of users and do not want to list them all. Setting this property to 0 displays all users. (Default: 100)
  In some user stores, there are policies that limit the number of records that can be returned from a query. Setting the value to 0 lists the maximum number of results returned by the user store. If you need to increase this number, you need to set it at the user store level.
  E.g.: Active Directory has the MaxPageSize property with a default value of 1000.
MaxRoleNameListLength | Maximum Role List Length | Controls the number of roles listed in the user store of a WSO2 product. This is useful when you have a large number of roles and do not want to list them all. Setting this property to 0 displays all roles. (Default: 100)
  In some user stores, there are policies that limit the number of records that can be returned from a query. Setting the value to 0 lists the maximum number of results returned by the user store. If you need to increase this number, you need to set it at the user store level.
  E.g.: Active Directory has the MaxPageSize property with a default value of 1000.
UserRolesCacheEnabled | Enable User Role Cache | Indicates whether to cache the role list of a user. (Default: true)
  Possible values:
  false: Set it to false if the user roles are changed by external means and those changes should be instantly reflected in the Carbon instance.
TenantManager | | Defines the tenant manager class specific to each user store type. This is only used in the primary user store, since it is shared among tenants.
  JDBC: org.wso2.carbon.user.core.tenant.JDBCTenantManager
  LDAP / AD: org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager
CountRetrieverClass | Count Implementation | Defines the user/role count retriever implementation class (Only supported for)
  Possible values:
  JDBC: org.wso2.carbon.identity.user.store.count.jdbc.JDBCUserStoreCountRetriever

...
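The username and password RegEx properties in the table are applied on two sides, the browser (JavaScript) and the server (Java), and the two defaults do not accept the same inputs. The following added example (not WSO2 code) runs the default patterns from the table over sample values; it assumes the validators behave like a whole-string Java match, which Python's re.fullmatch stands in for here.

```python
import re

# Default patterns copied from the property table above (WSO2 IS 5.4.0 defaults).
USERNAME_JAVA_REGEX = r"[a-zA-Z0-9._-|//]{3,30}$"
USERNAME_JS_REGEX = r"^[\S]{3,30}$"
PASSWORD_JAVA_REGEX = r"^[\S]{5,30}$"


def matches(pattern: str, value: str) -> bool:
    """Whole-string match. Assumption: the WSO2 validators behave like Java's
    Matcher.matches(); Python's re.fullmatch stands in for it here."""
    return re.fullmatch(pattern, value) is not None


def accepted_chars(pattern: str) -> str:
    """Every printable ASCII character the pattern accepts, probed by
    submitting a value made of three copies of the character."""
    return "".join(c for c in map(chr, range(32, 127)) if matches(pattern, c * 3))


def check_username(name: str) -> dict:
    """Run a candidate username through both the front-end and back-end
    defaults and report where it would be rejected."""
    frontend_ok = matches(USERNAME_JS_REGEX, name)
    backend_ok = matches(USERNAME_JAVA_REGEX, name)
    return {"frontend": frontend_ok, "backend": backend_ok,
            # A name that passes the browser check but fails the server check
            # is the case that shows UsernameJavaRegExViolationErrorMsg.
            "violation_msg_shown": frontend_ok and not backend_ok}


if __name__ == "__main__":
    # In the Java default, "._-|" is not the four characters . _ - |: "_-|"
    # is a range from 0x5F to 0x7C, so backtick and "{" are accepted while
    # a literal "-" is not. Worth knowing before trusting the default as-is.
    print("Java default accepts:", accepted_chars(USERNAME_JAVA_REGEX))
    for candidate in ("alice", "ab", "alice!", "john-doe", "alice smith"):
        print(candidate, check_username(candidate))
```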
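The PasswordHashMethod and StoreSaltedPassword rows describe two different places a password can be hashed: by WSO2 Identity Server before it reaches the store, or by an LDAP server that receives PLAIN_TEXT and stores SSHA itself. The added example below (not WSO2 code) shows why the salted form is recommended and what the LDAP-side {SSHA} value looks like; the prepended-salt, hex-encoded output of hash_password is an illustrative assumption, not WSO2's exact storage encoding.

```python
import base64
import hashlib
import os

# PasswordHashMethod values from the table above; the page notes that a bare
# "SHA" is treated as SHA-1.
_DIGESTS = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256",
            "SHA-512": "sha512", "MD5": "md5"}


def hash_password(password: str, method: str, salt: bytes = b"") -> str:
    """What the WSO2 side would feed into the store for a given method.
    PLAIN_TEXT passes the value through. Assumption: salt is prepended and
    the result is hex-encoded (illustration only, not WSO2's encoding)."""
    if method == "PLAIN_TEXT":
        return password
    digest = hashlib.new(_DIGESTS[method])
    digest.update(salt + password.encode("utf-8"))
    return digest.hexdigest()


def ssha_encode(password: str, salt: bytes = b"") -> str:
    """The {SSHA} userPassword value an LDAP server derives from a plain-text
    password it was fed: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate against an {SSHA} value; the salt sits after the
    20-byte SHA-1 digest, so no separate salt storage is needed."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def salt_comparison(password: str) -> dict:
    """Constructed sample: two users who chose the same password. Unsalted
    digests collide (and can be precomputed); per-user salts break that."""
    return {"unsalted_identical": hash_password(password, "SHA-256")
                                  == hash_password(password, "SHA-256"),
            "salted_identical": hash_password(password, "SHA-256", b"salt-alice")
                                == hash_password(password, "SHA-256", b"salt-bob")}


if __name__ == "__main__":
    print(salt_comparison("Winter2017!"))
    print(ssha_encode("Winter2017!"))
```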