Page Comparison - Upgrading from the Previous Release (v.11 vs v.67) - Identity Server 5.4.0 - WSO2 Documentation

Warning

This document is work in progress and will be released with the 5.4.0 GA release. We recommend migrating directly to one of the latest stable releases of WSO2 Identity Server (i.e., version 5.6.0 or a later version). For instructions on migrating directly to a later version, see Upgrading From an Older Version of WSO2 IS.

The following instructions guide you through upgrading from WSO2 Identity Server 5.3.0 to WSO2 Identity Server 5.4.0. In this topic, <OLD_IS_HOME> is the directory that Identity Server 5.3.0 resides in and <NEW_IS_HOME> is the directory that Identity Server 5.4.0 resides in.

Tip: Before you begin

This release is a WUM-only release. This means that there are no manual patches. Any further fixes or latest updates for this release can be obtained through the WSO2 Update Manager (WUM).

  • If you are upgrading to this version to use this version in your production environment, use the WSO2 Update Manager and get the latest available updates for WSO2 IS 5.4.0. For more information on how to do this, see Updating WSO2 Products.
  • If you are upgrading to this version only to do an incremental upgrade to the next available version (e.g., if you are upgrading from WSO2 IS 5.3.0 - 5.5.0), you can skip this step and migrate to 5.4.0 by following the steps given in this document. You do not need to use WUM in this instance because the WUM updates available for this version will be included in the WSO2 IS pack of the next version.
  • If you have added any custom claims, follow the steps below before migrating to WSO2 IS 5.4.0.

    Vital information about custom claims
    1. Start the WSO2 IS 5.3.0 server and log in to the management console.
    2. Click on Add under Claims on the Main tab of the management console.
    3. Click Add New Claim and select the http://wso2.org/claims dialect.

    4. Enter the required information of the custom claim. For more information, see Adding Claim Mapping in IS 5.3.0.

    5. Click Add. The claim you created will be listed.
    6. Click on List under Claims on the Main tab of the management console again.
    7. Click on the claim dialect where you have your custom claim, and click on the Edit button of your custom claim.
    8. Map the local claim you just created to the custom claim by editing the Mapped Attribute(s) field.
    9. Click Update.
    Info

    This is required because in WSO2 IS 5.4.0 all claims external to the WSO2 dialect are mapped to the relevant claim in the WSO2 dialect and not to the underlying attribute in the user store. When there are custom claims, there is no claim in the WSO2 dialect that is mapped to that attribute. Therefore, follow the steps above to create a new claim in the WSO2 dialect and map your custom claim to the local claim (i.e., the new claim created in the WSO2 dialect).

    Note: Repeat the steps above for every custom claim you have created.

    Info: Migrating the embedded LDAP user store

    It is not generally recommended to use the embedded LDAP user store that is shipped with WSO2 Identity Server in production setups. However, if migration of the embedded LDAP is required, follow the instructions below to migrate the existing IS 5.3.0 LDAP user store to IS 5.4.0.

    • Copy the <OLD_IS_HOME>/repository/data folder to <NEW_IS_HOME>/repository/data folder.
    • Restart the server to save the changes.
     

    To upgrade the version of WSO2 Identity Server, the user store database should be upgraded. Note that there are no registry schema changes between versions. 

    ...

    1. Download Identity Server 5.4.0 and unzip it in the <NEW_IS_HOME> directory.
    2. Take a backup of the existing database used by Identity Server 5.3.0. This backup is necessary in case the migration causes issues in the existing database.
    3. Make the following database script updates as indicated below.
      1. Download the migration resources and unzip it to a local directory. This folder is referred to as <IS5.4.0_MIGRATION_TOOL_HOME>.
      2. Copy the org.wso2.carbon.is.migration-5.4.0.jar and snakeyaml-1.16.0.wso2v1.jar files from the unzipped migration resources to the <NEW_IS_HOME>/repository/components/dropins directory.
      3. Copy the <IS5.4.0_MIGRATION_TOOL_HOME>/migration-resources folder to the <NEW_IS_HOME> root folder.
      4. If you are using an Oracle database, either provide the database owner credentials in the datasource configurations (identity and user management databases), or pass the identity database owner name with the -DidentityOracleUser system property and the user management database owner name with the -DumOracleUser system property.
      5. Ensure that the property values are set as follows in the migration-config.yaml file found in the <NEW_IS_HOME>/migration-resources folder.

        Code Block
        migrationEnable: "true"
        currentVersion: "5.3.0"
        migrateVersion: "5.4.0"
    4. Copy any custom OSGi bundles that were added manually to the <OLD_IS_HOME>/repository/components/dropins folder and paste them in the <NEW_IS_HOME>/repository/components/dropins folder.
    5. Copy any JAR files that were added to the <OLD_IS_HOME>/repository/components/lib folder and paste them in the <NEW_IS_HOME>/repository/components/lib folder.

    6. Copy the .jks files from the <OLD_IS_HOME>/repository/resources/security folder and paste them in the <NEW_IS_HOME>/repository/resources/security folder. These keystores hold the server's private keys and the certificates it trusts, so copying them keeps the existing signing keys, TLS identity and trust relationships unchanged across the upgrade.

    7. If you have created tenants in the previous WSO2 Identity Server version and if there are any resources in the <OLD_IS_HOME>/repository/tenants directory, copy the content to the <NEW_IS_HOME>/repository/tenants directory.
    8. If you have created secondary user stores in the previous WSO2 IS version, copy the content in the <OLD_IS_HOME>/repository/deployment/server/userstores directory to the <NEW_IS_HOME>/repository/deployment/server/userstores directory.
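
The file-copy steps above (3 to 8), collected into one script, as an added example that is not part of the WSO2 documentation: it refuses to proceed without the database backup from step 2, verifies every copied jar and keystore by SHA-256 digest, and sets the three migration-config.yaml keys. The location of the two migration jars inside the unzipped tool (assumed here to be <IS5.4.0_MIGRATION_TOOL_HOME>/dropins), the function names and the paths in the usage comment are the example's own assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not part of the WSO2 documentation): performs steps 3 to 8 of
# the 5.3.0 -> 5.4.0 migration above and verifies each copy before moving on.
# Assumption (not from the page): the two migration jars sit in
# $TOOL_HOME/dropins inside the unzipped migration resources.
set -eu

# digest FILE : SHA-256 of a file (sha256sum on Linux, shasum elsewhere)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# copy_verified FILE DIR : copy one file into DIR and fail unless the digests match
copy_verified() {
    mkdir -p "$2"
    cp "$1" "$2/"
    [ "$(digest "$1")" = "$(digest "$2/$(basename "$1")")" ]
}

# copy_tree SRC DST : copy a directory's contents when SRC exists (steps 4 to 8
# only apply if the old installation actually has that content)
copy_tree() {
    [ -d "$1" ] || return 0
    mkdir -p "$2"
    cp -R "$1"/. "$2"/
}

# set_yaml_key FILE KEY VALUE : rewrite a top-level `key: "value"` line in
# migration-config.yaml, appending it if the key is absent
set_yaml_key() {
    if grep -q "^$2:" "$1"; then
        sed "s|^$2:.*|$2: \"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s: "%s"\n' "$2" "$3" >> "$1"
    fi
}

# yaml_value FILE KEY : print the unquoted value of a top-level key
yaml_value() {
    sed -n "s|^$2: *\"\(.*\)\"|\1|p" "$1"
}

# stage_migration OLD_IS_HOME NEW_IS_HOME TOOL_HOME BACKUP_FILE
# Returns non-zero without touching NEW_IS_HOME if the step 2 backup is missing.
stage_migration() {
    old="$1"; new="$2"; tool="$3"; backup="$4"
    [ -s "$backup" ] || { echo "refusing to migrate: no database backup at $backup" >&2; return 1; }

    # step 3: migration client jars into dropins, migration-resources into the root
    for jar in org.wso2.carbon.is.migration-5.4.0.jar snakeyaml-1.16.0.wso2v1.jar; do
        copy_verified "$tool/dropins/$jar" "$new/repository/components/dropins"
    done
    copy_tree "$tool/migration-resources" "$new/migration-resources"
    cfg="$new/migration-resources/migration-config.yaml"
    set_yaml_key "$cfg" migrationEnable true
    set_yaml_key "$cfg" currentVersion 5.3.0
    set_yaml_key "$cfg" migrateVersion 5.4.0

    # steps 4 to 8: custom OSGi bundles, extra jars, keystores, tenant resources,
    # secondary user store definitions
    copy_tree "$old/repository/components/dropins" "$new/repository/components/dropins"
    copy_tree "$old/repository/components/lib" "$new/repository/components/lib"
    for ks in "$old"/repository/resources/security/*.jks; do
        if [ -f "$ks" ]; then copy_verified "$ks" "$new/repository/resources/security"; fi
    done
    copy_tree "$old/repository/tenants" "$new/repository/tenants"
    copy_tree "$old/repository/deployment/server/userstores" \
              "$new/repository/deployment/server/userstores"
}

# Usage on a real host (paths are illustrative):
#   stage_migration /opt/wso2is-5.3.0 /opt/wso2is-5.4.0 /tmp/is-migration-tool /backups/wso2is-5.3.0.sql
```

Run it with both servers stopped. The digest comparison after each keystore copy is the check worth keeping even if you do the rest by hand: a truncated or wrong wso2carbon.jks only shows up later as failed signatures or TLS errors.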

    9. The ClaimManagementService API is not recommended for use from WSO2 IS 5.3.0 onwards. If you are using the ClaimManagementService API and have written any clients against it, convert the clients to the new and improved ClaimMetadataManagementService API that is packaged with WSO2 IS 5.3.0 and later.

      Tip: To enable admin services and view the WSDLs, set the <HideAdminServiceWSDLs> element to false in the <PRODUCT_HOME>/repository/conf/carbon.xml file. Set it back to true once you have retrieved the WSDLs you need, so that the admin service definitions are not exposed on a production server. For more information, see Calling Admin Services.

      Code Block
      <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
    10. You can use one of the following approaches to migrate depending on your production environment.

      • Migrating by applying custom configurations to 5.4.0


        This approach is recommended if:

        • You have done no custom changes in your previous version of WSO2 IS.
        • You have done very few custom changes in your previous version of WSO2 IS. These custom changes have been tracked and are easy to redo.  


        Steps:

        1. If you have done custom changes to the config files in your previous version of WSO2 IS, update the files in the <NEW_IS_HOME>/repository/conf folder with your custom configurations. 
        2. Proceed to step 11 to run the migration client.
      • Migrating by updating existing configurations with what's new in 5.4.0


        This approach is recommended if:

        • You have done many custom changes in your previous version of WSO2 IS.
        • These custom changes have not been tracked completely and/or are difficult to redo.  

        Steps:

        1. Make a copy of the <OLD_IS_HOME>/repository/conf folder. (Do not change the original configs. You may use it as a backup in case there are any issues)
        2. Copy the following configuration files from the <NEW_IS_HOME> and paste it in the copy of the <OLD_IS_HOME> in the relevant path.
          • <IS_HOME>/repository/conf/identity/charon-config.xml

          • <IS_HOME>/repository/conf/scim2-schema-extension.config

            Info

            The two configuration files mentioned above were added in IS 5.4.0 for the SCIM 2.0 connector. For more information about the SCIM 2.0 connector, see Configuring SCIM 2.0 Provisioning Connector in the ISConnectors documentation.

        3. The table below lists out all the configuration changes from IS 5.3.0 to IS 5.4.0. Scroll through the table and change the relevant configurations according to the features you are using.

          Mandatory configuration

          Note: The configuration changes listed below will not affect the existing system because these configurations are applied only at first start up and new tenant creation.
          If you wish to change the configurations for the existing tenants, configure them through the management console user interface.

          Configuration changes

          Configuration file / Changes

          carbon.xml file stored in the <IS_HOME>/repository/conf folder.

          Change the version property value to 5.4.0.

          Code Block
          <Version>5.4.0</Version>

          identity-event.properties file stored in the <IS_HOME>/repository/conf/identity folder.

          Add the following properties.

          Code Block
          account.lock.handler.notification.manageInternally=true
          account.disable.handler.enable=false

          More information about the account.disable.handler.enable property:

          To disable or switch off the account disable feature in WSO2 IS 5.3.0, the following code block has to be removed from the identity-event.properties file. Removing this disables the feature for all tenants.

          Code Block
          account.disable.handler.subscription.1=PRE_AUTHENTICATION
          account.disable.handler.subscription.2=PRE_SET_USER_CLAIMS
          account.disable.handler.subscription.3=POST_SET_USER_CLAIMS

          In WSO2 IS 5.4.0, the account.disable.handler.enable property has been added to enable/disable the feature. Setting this to true/false enables/disables it only in the super tenant. To disable/enable it in other tenants, do the following:

          1. Start WSO2 Identity Server and log in to the management console.
          2. Click List under Identity Providers and then click Resident Identity Provider.
          3. Expand Login Policies > Account Disabling and select/unselect the Enable Account Disabling checkbox accordingly.

          More information about the account.lock.handler.notification.manageInternally property:

          This property allows you to enable or disable sending emails via WSO2 Identity Server when an account is locked or unlocked.

          identity.xml file stored in the <IS_HOME>/repository/conf/identity folder.

          Add the following property within the <SessionDataCleanUp> tag.

          Code Block
          <DeleteChunkSize>50000</DeleteChunkSize>
          More information about the DeleteChunkSize property:

          In a production environment, a deadlock or database lock can occur when the session data cleanup task runs under high load. To mitigate this, the property given above was introduced to clean data in chunks. Configure this property with the required chunk size. For more information, see Deployment Guidelines in Production.

          Remove the following property found within the <OperationDataCleanUp> tag.

          Code Block
           <CleanUpPeriod>720</CleanUpPeriod>
          More information about the CleanUpPeriod property:

          WSO2 IS 5.3.0 had two separate tasks for session data cleanup and operation data cleanup. These are now combined into one task, so the property given above is no longer needed and can be removed. You can still configure the <CleanUpPeriod> property within the <SessionDataCleanUp> tag to specify the cleanup period for the combined task.

          Change the default value of the following property from 300 to 0.

          Warning

          You can skip this step if you have already configured the <TimestampSkew> property with your own value.

          Code Block
          <TimestampSkew>0</TimestampSkew>
          More information about the TimestampSkew property:

          This property specifies the maximum tolerance, in seconds, for clock skew between the sender and the recipient. The default was changed to 0 because the best practice is to keep the sender and recipient clocks synchronized (for example with NTP) rather than to widen the window in which an expired or replayed message is still accepted. If the clocks of the parties you federate with cannot be kept in sync, configure a small non-zero value deliberately rather than reverting to the old default.

          Add the following JWT bearer grant type within the <SupportedGrantTypes> tag.

          Code Block
          <SupportedGrantType>
          <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
          </SupportedGrantType>
          More information about the JWT bearer grant type:

          The JWT bearer grant type is supported out-of-the-box with WSO2 IS 5.4.0. For more information, see Configuring JWT Grant Type in the ISConnectors documentation.

          Update the <EmailVerification> code block with the following code. The <ExpiryTime> element directly under <EmailVerification> and the whole <AskPassword> block were added in 5.4.0.

          Warning

          This step is optional.

          Code Block
          <EmailVerification>
              <Enable>false</Enable>
              <ExpiryTime>1440</ExpiryTime>
              <LockOnCreation>true</LockOnCreation>
              <Notification>
                  <InternallyManage>true</InternallyManage>
              </Notification>
              <AskPassword>
                  <ExpiryTime>1440</ExpiryTime>
                  <PasswordGenerator>org.wso2.carbon.user.mgt.common.DefaultPasswordGenerator</PasswordGenerator>
              </AskPassword>
          </EmailVerification>

          Update the following property found within the <SelfRegistration> tag to true.

          Warning

          This step is optional.

          Code Block
          <LockOnCreation>true</LockOnCreation>

          Add the following properties within the <SelfRegistration> tag.

          Warning

          This step is optional.

          Code Block
          <VerificationCode>
            <ExpiryTime>1440</ExpiryTime>
          </VerificationCode>

          Add the following properties within the <Server> tag.

          Code Block
          <AuthenticationPolicy>
              <CheckAccountExist>false</CheckAccountExist>
          </AuthenticationPolicy>

          Change the default values within the <CacheManager> tag.

          Warning
          • If you have already configured all the properties within the <CacheManager> tag with your own values, skip this step.

          • If you have only configured some properties within the <CacheManager> tag with your own values, replace the properties that have not been changed/configured with the relevant default values shown below.

          • If you have not configured or changed any of the properties within the <CacheManager> tag, replace the <CacheManager> tag in the identity.xml file with the code block given below.

          Code Block
          <CacheManager name="IdentityApplicationManagementCacheManager">
              <Cache name="AppAuthFrameworkSessionContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="AuthenticationContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="AuthenticationRequestCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="AuthenticationResultCache"  enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="AppInfoCache"               enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="AuthorizationGrantCache"    enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="OAuthCache"                 enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="OAuthScopeCache"            enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="OAuthSessionDataCache"      enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="SAMLSSOParticipantCache"    enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="SAMLSSOSessionIndexCache"   enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="SAMLSSOSessionDataCache"    enable="true" timeout="300" capacity="5000" isDistributed="false"/>
              <Cache name="ServiceProviderCache"       enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="ProvisioningConnectorCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="ProvisioningEntityCache"    enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="ServiceProviderProvisioningConnectorCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="IdPCacheByAuthProperty"     enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="IdPCacheByHRI"              enable="true" timeout="900" capacity="5000" isDistributed="false"/>
              <Cache name="IdPCacheByName"             enable="true" timeout="900" capacity="5000" isDistributed="false"/>
          </CacheManager>

          Add the following property within the <CacheManager> tag if it does not already exist.

          Code Block
          <Cache name="OAuthScopeCache" enable="true"  timeout="300" capacity="5000" isDistributed="false"/>

          Add the following properties within the <OAuth> tag. The code comments explain the usage and applicable values for the properties.

          Code Block
          <!-- Specify the Token issuer class to be used.
               Default: org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl.
               Applicable values: org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer -->
          <!--<IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>-->

          <!-- This configuration is used to specify the access token value generator.
               Default: org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator
               Applicable values: org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator,
                   org.apache.oltu.oauth2.as.issuer.MD5Generator,
                   org.wso2.carbon.identity.oauth.tokenvaluegenerator.SHA256Generator -->
          <!--<AccessTokenValueGenerator>org.wso2.carbon.identity.oauth.tokenvaluegenerator.SHA256Generator</AccessTokenValueGenerator>-->

          <!-- This configuration is used to specify whether the Service Provider tenant domain should be used when generating
               the access token. Otherwise the user domain will be used. Currently this value is only supported by the JWTTokenIssuer. -->
          <!--<UseSPTenantDomain>True</UseSPTenantDomain>-->

          Add the following properties related to token persistence within the <OAuth> tag.

          Code Block
          <TokenPersistence>
              <Enable>true</Enable>
              <PoolSize>0</PoolSize>
              <RetryCount>5</RetryCount>
          </TokenPersistence>

          Add the following property within the <OpenIDConnect> tag.

          Code Block
          <SignJWTWithSPKey>false</SignJWTWithSPKey>

          Replace the <OAuth2RevokeEPUrl> property with the following.

          Code Block
          <OAuth2RevokeEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/revoke</OAuth2RevokeEPUrl>

          Add the following event listener within the <EventListeners> tag. Uncomment this listener if you are using SCIM 2.0.

          Code Block
          <!-- Uncomment the following event listener if SCIM2 is used. -->
          <!--EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
          name = "org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener"
          orderId = "93"
          enable = "true" /-->

          Add the following properties within the <ResourceAccessControl> tag. These properties specify the access levels and permissions for the SCIM 2.0 resources.

          Code Block
          <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
              <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
              <Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Groups" secured="true" http-method="POST">
              <Permissions>/permission/admin/manage/identity/rolemgt/create</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Groups" secured="true" http-method="GET">
              <Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="GET">
              <Permissions>/permission/admin/manage/identity/usermgt/view</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PUT">
              <Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PATCH">
              <Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="DELETE">
              <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="GET">
              <Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PUT">
              <Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PATCH">
              <Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="DELETE">
              <Permissions>/permission/admin/manage/identity/rolemgt/delete</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Me" secured="true"    http-method="GET">
              <Permissions>/permission/admin/login</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Me" secured="true" http-method="DELETE">
              <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Me" secured="true"    http-method="PUT">
              <Permissions>/permission/admin/login</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Me" secured="true"   http-method="PATCH">
              <Permissions>/permission/admin/login</Permissions>
          </Resource>
          <Resource context="(.*)/scim2/Me" secured="true" http-method="POST">
              <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
          </Resource>
          <Resource context="/scim2/ServiceProviderConfig" secured="false" http-method="all">
              <Permissions></Permissions>
          </Resource>
          <Resource context="/scim2/ResourceType" secured="false" http-method="all">
              <Permissions></Permissions>
          </Resource>
          <Resource context="/scim2/Bulk" secured="true"  http-method="all">
              <Permissions>/permission/admin/manage/identity/usermgt</Permissions>
          </Resource>
          <Resource context="(.*)/api/identity/oauth2/dcr/(.*)" secured="true" http-method="all">
              <Permissions>/permission/admin/manage/identity/applicationmgt</Permissions>
          </Resource>

          Add the following properties within the <TenantContextsToRewrite><WebApp> tag.

          Code Block
          <Context>/scim2</Context>
          <Context>/api/identity/oauth/dcr/v1.0</Context>

          Remove the following properties found within the <OAuth> tag.

          Code Block
          <AppInfoCacheTimeout>-1</AppInfoCacheTimeout>
          <AuthorizationGrantCacheTimeout>-1</AuthorizationGrantCacheTimeout>
          <SessionDataCacheTimeout>-1</SessionDataCacheTimeout>
          <ClaimCacheTimeout>-1</ClaimCacheTimeout>

          Add the following commented property within the <OAuth> tag.

          Code Block
          <!-- True, if the access token alias is stored in the database instead of the access token.
               E.g. the token alias and the token are the same when the default AccessTokenValueGenerator is used.
               When JWTTokenIssuer is used, the jti is used as the token alias.
               Default: true.
               Applicable values: true, false -->
          <!--<PersistAccessTokenAlias>false</PersistAccessTokenAlias>-->

          Replace the <OAuth2DCREPUrl> property with the property value given below.

          Code Block
          <OAuth2DCREPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/api/identity/oauth2/dcr/v1.0/register</OAuth2DCREPUrl>

          Uncomment the <TokenValidators> block and add the jwt validator (the second <TokenValidator> entry below) to it.

          Code Block
          <TokenValidators>
              <TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator" />
              <TokenValidator type="jwt" class="org.wso2.carbon.identity.oauth2.validators.OAuth2JWTTokenValidator" />
          </TokenValidators>

          Add the following commented property to the file. You can place it after the </EnableAssertions> closing tag.

          Code Block
          <!-- This should be true if the subject identifier in the token validation response needs to adhere to the
               following SP configuration:
               - Use tenant domain in local subject identifier.
               - Use user store domain in local subject identifier.
               If the value is false, the subject identifier will be set as the fully qualified username.
               Default value: false
               Supported versions: IS 5.4.0 beta onwards -->
          <!--<BuildSubjectIdentifierFromSPConfig>true</BuildSubjectIdentifierFromSPConfig>-->

          Within the <SAML2Grant> tag, uncomment the <UserType> property that has the value FEDERATED and comment out the <UserType> property that has the value LOCAL, as seen below.

          Code Block
          <SAML2Grant>
              <!--SAML2TokenHandler></SAML2TokenHandler-->
              <!-- UserType config decides whether the user carried in the SAML assertion is a local user or a federated user.
                   Only LOCAL users can access claims from the local user store. LEGACY users have to have the tenant domain appended to the username.
                   They will not be able to access claims from the local user store. To get claims by mapping users with the exact same username from the local
                   user store (for non-LOCAL scenarios) use the mapFederatedUsersToLocal config -->
              <!--<UserType>LOCAL</UserType>-->
              <UserType>FEDERATED</UserType>
              <!--UserType>LEGACY</UserType-->
          </SAML2Grant>

          Remove the following properties found within the <SSOService> tag.

          Warning

          This step is optional.

          Code Block
          <PersistanceCacheTimeout>157680000</PersistanceCacheTimeout>
          <SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout>

          Add the following properties to the file. You can place the code block after the </SCIM> closing tag.

          Code Block
          <SCIM2>
              <!-- The default values for UserEPUrl and GroupEPUrl are built in the following format:
                       https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/<context>/<path>
                   If that does not suit your deployment, uncomment the following config and explicitly configure the values -->
              <!--UserEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/scim2/Users</UserEPUrl-->
              <!--GroupEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/scim2/Groups</GroupEPUrl-->
          </SCIM2>

          Add the following properties to the file. You can place it after the </EnableAskPasswordAdminUI> closing tag.

          Code Block
          <EnableRecoveryEndpoint>true</EnableRecoveryEndpoint>
          <EnableSelfSignUpEndpoint>true</EnableSelfSignUpEndpoint>

          Add the following properties within the <ResourceAccessControl> tag.

          Code Block
          <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="POST">
              <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
          </Resource>
          <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="DELETE">
              <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
          </Resource>
          <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="PUT">
              <Permissions>/permission/admin/manage/identity/applicationmgt/update</Permissions>
          </Resource>
          <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="GET">
              <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
          </Resource>
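          The four <Resource> rules above protect the dynamic client registration (DCR) endpoint per HTTP method. The following added example (not part of the WSO2 documentation or product code) parses such a <ResourceAccessControl> fragment and reports, for a given request, which permission a caller must hold, and which HTTP methods have no rule at all. The fragment embedded below is constructed from the four rules on this page; how the server derives the request context string and whether it applies a full or partial regex match is not stated on this page, so the example assumes a full match over the request path (Python's fullmatch standing in for Java's String.matches) and treats a rule without an http-method attribute as applying to all methods.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not a full identity.xml): the four DCR <Resource>
# rules from this migration step, wrapped in their <ResourceAccessControl> parent.
RESOURCE_ACCESS_CONTROL = """
<ResourceAccessControl>
    <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="POST">
        <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="DELETE">
        <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="PUT">
        <Permissions>/permission/admin/manage/identity/applicationmgt/update</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="GET">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
</ResourceAccessControl>
"""


def load_rules(xml_text):
    """Parse each <Resource> into a dict with a compiled context regex."""
    root = ET.fromstring(xml_text)
    rules = []
    for res in root.findall("Resource"):
        rules.append({
            "pattern": re.compile(res.get("context")),
            "secured": res.get("secured", "false").lower() == "true",
            # Assumption: a rule with no http-method attribute applies to every method.
            "method": res.get("http-method", "all").upper(),
            "permission": (res.findtext("Permissions") or "").strip(),
        })
    return rules


def required_permission(rules, method, path):
    """Return ("secured", permission) for the first rule whose method and context
    match the request, ("open", "") for a matching unsecured rule, or
    ("unmatched", None) when no rule covers the request at all.

    Assumption: fullmatch stands in for Java's String.matches, i.e. the whole
    request context must match the configured pattern."""
    for rule in rules:
        if rule["method"] not in ("ALL", method.upper()):
            continue
        if rule["pattern"].fullmatch(path):
            return ("secured", rule["permission"]) if rule["secured"] else ("open", "")
    return ("unmatched", None)


def uncovered_methods(rules, path,
                      methods=("GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS")):
    """List the HTTP methods for which no rule matches the given path."""
    return [m for m in methods if required_permission(rules, m, path)[0] == "unmatched"]


RULES = load_rules(RESOURCE_ACCESS_CONTROL)

if __name__ == "__main__":
    path = "/api/identity/oauth2/dcr/v1.0/register/abc-123"  # constructed request path
    for method in ("POST", "GET", "PATCH"):
        print(method, path, "->", required_permission(RULES, method, path))
    print("methods with no rule:", uncovered_methods(RULES, path))
```

          Running the check against the four rules shows that POST, PUT, DELETE and GET each resolve to the intended applicationmgt permission, while PATCH, HEAD and OPTIONS fall outside every rule; after the migration it is worth confirming how your deployment treats requests that match no rule.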


          oidc-scope-config.xml file stored in the <IS_HOME>/repository/conf/identity folder.

          Replace the <Claim> tag within the <Scope id="openid"> tag with the following.

          Code Block
          <Claim>
              sub, email, email_verified, name, family_name, given_name, middle_name, nickname, preferred_username, profile,
              picture, website, gender, birthdate, zoneinfo, locale, updated_at, phone_number, phone_number_verified,
              address, street_address, country, formatted, postal_code, locality, region
          </Claim>

          Replace the <Claim> tag within the <Scope id="address"> tag with the following.

          Code Block
          <Claim>address,street</Claim>


          authenticators.xml file stored in the <IS_HOME>/repository/conf/security folder.

          Update the name of the JITUserProvisioning parameter to the following.

          Code Block
          <Parameter name="JITUserProvisioningEnabled">true</Parameter>

          web.xml file stored in the <IS_HOME>/repository/conf/tomcat folder.

          Add the following property under the <session-config> tag.

          Code Block
          <tracking-mode>COOKIE</tracking-mode>

          Add the following properties below the <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class> property.

          Code Block
          <init-param>
             <param-name>compilerSourceVM</param-name>
             <param-value>1.8</param-value>
          </init-param>
          <init-param>
             <param-name>compilerTargetVM</param-name>
             <param-value>1.8</param-value>
          </init-param>

          user-mgt.xml file stored in the <IS_HOME>/repository/conf folder.

          Update the default value of the following property as follows.

          Warning

          You can skip this step if you have already configured this with your own RegEx.

          Code Block
          <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>

          email-admin-config.xml file stored in the <IS_HOME>/repository/conf/email folder.

          Replace "https://localhost:9443" in all instances of the accountrecoveryendpoint URL with the {{carbon.product-url}} placeholder. The URL should look similar to the one shown in the code block below. The placeholder retrieves the value configured in the carbon.xml file.

          Warning

          You can skip this step if you have already configured these properties with your load balancer URL.

          Code Block
          {{carbon.product-url}}/accountrecoveryendpoint/confirmregistration.do?confirmation={{confirmation-code}}&amp;userstoredomain={{userstore-domain}}&amp;username={{url:user-name}}&amp;tenantdomain={{tenant-domain}}
        cipher-tool.properties file stored in the <IS_HOME>/repository/conf folder.

        Add the following property.

        Code Block
        ThirftBasedEntitlementConfig.KeyStore.Password=repository/conf/identity/identity.xml//Server/EntitlementSettings/ThirftBasedEntitlementConfig/KeyStore/Password,true

        cipher-text.properties file stored in the <IS_HOME>/repository/conf folder.

        Add the following property.

        Code Block
        ThirftBasedEntitlementConfig.KeyStore.Password=[wso2carbon]
        claim-config.xml file stored in the <IS_HOME>/repository/conf folder.

        Add the following claim within the <Dialect dialectURI="http://wso2.org/claims"> tag.

        Code Block
        <Claim>
            <ClaimURI>http://wso2.org/claims/identity/phoneVerified</ClaimURI>
            <DisplayName>Phone Verified</DisplayName>
            <!-- The proper attribute ID in your user store must be configured for this -->
            <AttributeID>phoneVerified</AttributeID>
            <Description>Phone Verified</Description>
        </Claim>

        Change the following claim mapping.

        Code Block
        <Claim>
            <ClaimURI>http://wso2.org/claims/department</ClaimURI>
            <DisplayName>Department</DisplayName>
            <AttributeID>departmentNumber</AttributeID>
            <Description>Department</Description>
            <SupportedByDefault />
            <ReadOnly />
        </Claim>
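        Every external claim added to claim-config.xml in these steps carries a <MappedLocalClaim> that must name a claim which actually exists in the http://wso2.org/claims dialect, and every local claim needs an <AttributeID> to read from the user store; a mapping that points at a misspelt or missing local claim is easy to introduce while hand-editing a file this large. The following added example (not WSO2 code) reads a claim-config.xml document with the standard library and lists dangling mappings, duplicated ClaimURIs, local claims without an AttributeID, and external claims without any mapping. The embedded document is a constructed, heavily abbreviated sample with three deliberate defects; it assumes the file's root element is <Claims> containing one <Dialect> per dialectURI.

```python
import xml.etree.ElementTree as ET

LOCAL_DIALECT = "http://wso2.org/claims"

# Constructed, abbreviated claim-config.xml used only as sample input. It contains
# three deliberate defects: a local claim without <AttributeID>, an external claim
# mapped to a local claim that is not defined, and a duplicated external ClaimURI.
SAMPLE_CLAIM_CONFIG = """
<Claims>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim><ClaimURI>http://wso2.org/claims/username</ClaimURI><AttributeID>uid</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/givenname</ClaimURI><AttributeID>givenName</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/department</ClaimURI></Claim>
  </Dialect>
  <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0:User">
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:userName</ClaimURI>
      <AttributeID>uid</AttributeID>
      <MappedLocalClaim>http://wso2.org/claims/username</MappedLocalClaim>
    </Claim>
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.givenName</ClaimURI>
      <AttributeID>givenName</AttributeID>
      <MappedLocalClaim>http://wso2.org/claims/givenname</MappedLocalClaim>
    </Claim>
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.familyName</ClaimURI>
      <AttributeID>sn</AttributeID>
      <MappedLocalClaim>http://wso2.org/claims/lastname</MappedLocalClaim>
    </Claim>
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.givenName</ClaimURI>
      <AttributeID>givenName</AttributeID>
      <MappedLocalClaim>http://wso2.org/claims/givenname</MappedLocalClaim>
    </Claim>
  </Dialect>
</Claims>
"""


def parse_dialects(xml_text):
    """Return {dialectURI: [claim dicts]} from a claim-config.xml document."""
    root = ET.fromstring(xml_text)
    dialects = {}
    for dialect in root.findall("Dialect"):
        claims = []
        for claim in dialect.findall("Claim"):
            claims.append({
                "uri": (claim.findtext("ClaimURI") or "").strip(),
                "attribute": (claim.findtext("AttributeID") or "").strip(),
                "mapped": (claim.findtext("MappedLocalClaim") or "").strip(),
            })
        dialects[dialect.get("dialectURI")] = claims
    return dialects


def check_claim_config(xml_text):
    """Cross-check every dialect against the local dialect.

    dangling:     external claim whose MappedLocalClaim is not a local ClaimURI
    duplicate:    ClaimURI repeated within one dialect
    no_attribute: local claim with no AttributeID to read from the user store
    unmapped:     external claim that carries no MappedLocalClaim at all
    """
    dialects = parse_dialects(xml_text)
    local_uris = {c["uri"] for c in dialects.get(LOCAL_DIALECT, [])}
    findings = {"dangling": [], "duplicate": [], "no_attribute": [], "unmapped": []}
    for dialect_uri, claims in dialects.items():
        seen = set()
        for claim in claims:
            if claim["uri"] in seen:
                findings["duplicate"].append((dialect_uri, claim["uri"]))
            seen.add(claim["uri"])
            if dialect_uri == LOCAL_DIALECT:
                if not claim["attribute"]:
                    findings["no_attribute"].append(claim["uri"])
            elif not claim["mapped"]:
                findings["unmapped"].append(claim["uri"])
            elif claim["mapped"] not in local_uris:
                findings["dangling"].append((claim["uri"], claim["mapped"]))
    return findings


if __name__ == "__main__":
    for kind, items in check_claim_config(SAMPLE_CLAIM_CONFIG).items():
        print(kind, items)
```

        Point parse_dialects at the real <IS_HOME>/repository/conf/claim-config.xml after finishing the edits below; an empty result for every category means each SCIM 2 claim resolves to a defined local claim.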

        Add the following claims. This new claim dialect and the claims within it are required for SCIM 2.0.

        Expand
        titleClick to
        see the modified claim mappings

        Remove the property at line number 7 and add in the property at line number 8.

        view the SCIM 2 claims
        Code Block
        linenumberstrue
        <Claim> <ClaimURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone</ClaimURI> <DisplayName>Home Phone</DisplayName> <AttributeID>homePhone</AttributeID> <Description>Home Phone</Description> <SupportedByDefault />
        <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0">
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:id</ClaimURI>
                <DisplayName>Id</DisplayName>
                <AttributeID>scimId</AttributeID>
                <Description>Id</Description>
                <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country</MappedLocalClaim>
        userid</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:externalId</ClaimURI>
                <DisplayName>External Id</DisplayName>
                <AttributeID>externalId</AttributeID>
                <Description>External Id</Description>
                <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        phoneNumbers.home<
        externalid</MappedLocalClaim>
            </Claim>

        Remove the property at line number 7 and add in the property at line number 8.

        Code Block
        linenumberstrue
        <Claim> <ClaimURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</ClaimURI> <AttributeID>privatePersonalIdentifier</AttributeID> <Description>PPID</Description> <Required /> <SupportedByDefault />
        
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.created</ClaimURI>
                <DisplayName>Meta - Created</DisplayName>
                <AttributeID>createdDate</AttributeID>
                <Description>Meta - Created</Description>
                <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country</MappedLocalClaim>
        created</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.lastModified</ClaimURI>
                <DisplayName>Meta - Last Modified</DisplayName>
                <AttributeID>lastModifiedDate</AttributeID>
                <Description>Meta - Last Modified</Description>
                <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        im<
        modified</MappedLocalClaim>
            </Claim>

        Remove the property at line number 8 and add in the property at line number 9.

        Code Block
        linenumberstrue
        <Claim> <ClaimURI>timezone</ClaimURI> <DisplayName>Time Zone</DisplayName> <AttributeID>timeZone</AttributeID> <Description>Time Zone</Description> <DisplayOrder>9</DisplayOrder> <SupportedByDefault />
        
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.location</ClaimURI>
                <DisplayName>Meta - Location</DisplayName>
                <AttributeID>location</AttributeID>
                <Description>Meta - Location</Description>
                <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country</MappedLocalClaim>
        location</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.resourceType</ClaimURI>
                <DisplayName>Meta - Location</DisplayName>
                <AttributeID>ref</AttributeID>
                <Description>Meta - Location</Description>
                <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        timeZone<
        resourceType</MappedLocalClaim>
            </Claim>

        Remove the property at line number 8 and add in the property at line number 9.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>postcode<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.version</ClaimURI>
            
        <DisplayName>Postalcode<
            <DisplayName>Meta - Version</DisplayName>
            
        <AttributeID>postalCode<
            <AttributeID>im</AttributeID>
            
        <Description>Postalcode<
            <Description>Meta - Version</Description>
            
        <DisplayOrder>4</
            <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        im</MappedLocalClaim>
            </Claim>
        </Dialect>
        <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0:User">
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:userName</ClaimURI>
                <DisplayName>User Name</DisplayName>
                <AttributeID>uid</AttributeID>
                <Description>User Name</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        postalcode<
        username</MappedLocalClaim>
            </Claim>

        Remove the property at line number 8 and add in the property at line number 9.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>language<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.givenName</ClaimURI>
            
        <DisplayName>Language<
            <DisplayName>Name - Given Name</DisplayName>
            
        <AttributeID>prefferedLanguage<
            <AttributeID>givenName</AttributeID>
            
        <Description>Language<
            <Description>Given Name</Description>
            
        <DisplayOrder>7</
            <Required />
                <DisplayOrder>1</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        givenname</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.familyName</ClaimURI>
                <DisplayName>Name - Family Name</DisplayName>
                <AttributeID>sn</AttributeID>
                <Description>Family Name</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        preferredLanguage<
        lastname</MappedLocalClaim>
            </Claim>

        Remove the property at line number 6 and add in the property at line number 7.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>http://axschema.org/pref/timezone</
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.formatted</ClaimURI>
            
        <DisplayName>Time Zone<
            <DisplayName>Name - Formatted Name</DisplayName>
            
        <AttributeID>timeZone<
            <AttributeID>formattedName</AttributeID>
            
        <Description>Time Zone<
            <Description>Formatted Name</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        formattedName</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.middleName</ClaimURI>
                <DisplayName>Name - Middle Name</DisplayName>
                <AttributeID>middleName</AttributeID>
                <Description>Middle Name</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        timeZone<
        middleName</MappedLocalClaim>
            </Claim>

        Remove the property at line number 6 and add in the property at line number 7.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>http://axschema.org/contact/postalCode/home</
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.honorificPrefix</ClaimURI>
            
        <DisplayName>Postalcode<
            <DisplayName>Name - Honoric Prefix</DisplayName>
            
        <AttributeID>postalCode<
            <AttributeID>honoricPrefix</AttributeID>
            
        <Description>Postalcode<
            <Description>Honoric Prefix</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        honorificPrefix</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.honorificSuffix</ClaimURI>
                <DisplayName>Name - Honoric Suffix</DisplayName>
                <AttributeID>honoricSuffix</AttributeID>
                <Description>Honoric Suffix</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        postalcode<
        honorificSuffix</MappedLocalClaim>
            </Claim>

        Remove the property at line number 7 and add in the property at line number 8.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>http://axschema.org/pref/language</
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:displayName</ClaimURI>
            
        <DisplayName>Language<
            <DisplayName>Display Name</DisplayName>
            
        <AttributeID>prefferedLanguage<
            <AttributeID>displayName</AttributeID>
            
        <Description>Language<
            <Description>Display Name</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        displayName</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:nickName</ClaimURI>
                <DisplayName>Nick Name</DisplayName>
                <AttributeID>nickName</AttributeID>
                <Description>Nick Name</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        preferredLanguage<
        nickname</MappedLocalClaim>
        
        </Claim

        Remove the property at line number 9 and add in the property at line number 10.

        Code Block
        linenumberstrue
            </Claim>
            <Claim>
            
        <ClaimURI>given_name<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:profileUrl</ClaimURI>
            
        <DisplayName>Given Name<
            <DisplayName>Profile URL</DisplayName>
            
        <AttributeID>cn<
            <AttributeID>url</AttributeID>
            
        <AttributeID>givenName</AttributeID>
            <Description>Profile URL</Description>
            
        <Description>Given
         
        name(s)
         
        or
         
        first name(s) of the End-User. Note that in some cultures, people can have
         <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault 
        multiple
        />
        
        given
         
        names;
         
        all
         
        can
         
        be
         
        present,
         
        with
         
        the names being separated by space characters.</
         <MappedLocalClaim>http://wso2.org/claims/url</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:title</ClaimURI>
                <DisplayName>Title</DisplayName>
                <AttributeID>title</AttributeID>
                <Description>Title</Description>
            
        <DisplayOrder>3<
            <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        fullname<
        title</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:userType</ClaimURI>
                <DisplayName>User Type</DisplayName>
                <AttributeID>userType</AttributeID>
                <Description>User Type</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        givenname<
        userType</MappedLocalClaim>
            </Claim>

        Remove the property at line number 8 and add in the property at line number 9.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>middle_name<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:preferredLanguage</ClaimURI>
            
        <DisplayName>Middle Name<
            <DisplayName>Preferred Language</DisplayName>
            
        <AttributeID>middleName<
            <AttributeID>preferredLanguage</AttributeID>
            
        <Description>Middle
         
        name(s)
         
        of
         
        the
         
        End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.</
        <Description>Preferred Language</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/preferredLanguage</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:locale</ClaimURI>
                <DisplayName>Locality</DisplayName>
                <AttributeID>localityName</AttributeID>
                <Description>Locality</Description>
            
        <DisplayOrder>5<
            <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        local</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:timezone</ClaimURI>
                <DisplayName>Time Zone</DisplayName>
                <AttributeID>timeZone</AttributeID>
                <Description>Time Zone</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required />
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        middleName<
        timeZone</MappedLocalClaim>
            </Claim>

        Remove the property at line number 8 and add in the property at line number 9.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>preferred_username<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:active</ClaimURI>
            
        <DisplayName>Preferred
         
        Username<
           <DisplayName>Active</DisplayName>
            
        <AttributeID>cn<
            <AttributeID>active</AttributeID>
            
        <Description>Shorthand
         
        name
         
        by
         
        which
         
        the End-User wishes to be referred to at the RP, such as janedoe or j.doe.</Description>
        <Description>Active</Description>
                <DisplayOrder>2</DisplayOrder>
                <Required 
        <DisplayOrder>7<
        /
        DisplayOrder>
        >
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        fullname<
        active</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:emails.work</ClaimURI>
                <DisplayName>Emails - Work Email</DisplayName>
                <AttributeID>workEmail</AttributeID>
                <Description>Work Email</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/
        displayName<
        emails.work</MappedLocalClaim>
            </Claim>

        Remove the property at line number 8 and add in the property at line number 9.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>picture<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:emails.home</ClaimURI>
            
        <DisplayName>Picture<
            <DisplayName>Emails - Home Email</DisplayName>
            
        <AttributeID>image<
            <AttributeID>homeEmail</AttributeID>
            
        <Description>URL
         
        of
         
        the
         
        End-User's
         
        profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file)</
        <Description>Home Email</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/emails.home</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:emails.other</ClaimURI>
                <DisplayName>Emails - Other Email</DisplayName>
                <AttributeID>otherEmail</AttributeID>
                <Description>Other Email</Description>
            
        <DisplayOrder>9<
            <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        emails.other</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.mobile</ClaimURI>
                <DisplayName>Phone Numbers - Mobile Number</DisplayName>
                <AttributeID>mobile</AttributeID>
                <Description>Mobile Number</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/
        photourl<
        mobile</MappedLocalClaim>
            </Claim>

        Remove the property at line number 6 and add in the property at line number 7.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>email_verified<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.home</ClaimURI>
            
        <DisplayName>Email Verified<
            <DisplayName>Phone Numbers - Home Phone Number</DisplayName>
            
        <AttributeID>emailVerified<
            <AttributeID>homePhone</AttributeID>
            
        <Description>True
         
        if
         
        the
         
        End-User's e-mail address has been verified; otherwise false. </Description>
         <Description>Home Phone</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        phoneNumbers.home</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.work</ClaimURI>
                <DisplayName>Phone Numbers - Work Phone Number</DisplayName>
                <AttributeID>workPhone</AttributeID>
                <Description>Work Phone</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/
        identity
        phoneNumbers.work</
        emailVerified</
        MappedLocalClaim>
            </Claim>

        Remove the property at line number 6 and add in the property at line number 7.

        Code Block
        linenumberstrue
        
            <Claim>
            
        <ClaimURI>birthdate<
            <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.other</ClaimURI>
            
        <DisplayName>Birth Date<
            <DisplayName>Phone Numbers - Other</DisplayName>
            
        <AttributeID>birthDate<
            <AttributeID>otherPhoneNumber</AttributeID>
            
        <Description>End-User's
         
        birthday,
         
        represented
         
        as
         
        an
        <Description>Other 
        ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed.</Description>
        Phone Number</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
                <MappedLocalClaim>http://wso2.org/claims/phoneNumbers.other</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:ims.gtalk</ClaimURI>
                <DisplayName>IM - Gtalk</DisplayName>
                <AttributeID>imGtalk</AttributeID>
                <Description>IM - Gtalk</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        country<
        gtalk</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:ims.skype</ClaimURI>
                <DisplayName>IM - Skype</DisplayName>
                <AttributeID>imSkype</AttributeID>
                <Description>IM - Skype</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/
        dob<
        skype</MappedLocalClaim>
            </Claim>

            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:photos.photo</ClaimURI>
                <DisplayName>Photo</DisplayName>
                <AttributeID>photoUrl</AttributeID>
                <Description>Photo</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/photourl</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:photos.thumbnail</ClaimURI>
                <DisplayName>Photo - Thumbnail</DisplayName>
                <AttributeID>thumbnail</AttributeID>
                <Description>Photo - Thumbnail</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/thumbnail</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:addresses.home</ClaimURI>
                <DisplayName>Address - Home</DisplayName>
                <AttributeID>localityAddress</AttributeID>
                <Description>Address - Home</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/addresses.locality</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:addresses.work</ClaimURI>
                <DisplayName>Address - Work</DisplayName>
                <AttributeID>region</AttributeID>
                <Description>Address - Work</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/region</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:groups</ClaimURI>
                <DisplayName>Groups</DisplayName>
                <AttributeID>groups</AttributeID>
                <Description>Groups</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/groups</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:entitlements.default</ClaimURI>
                <DisplayName>Entitlements</DisplayName>
                <AttributeID>entitlements</AttributeID>
                <Description>Entitlements</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/entitlements</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:roles.default</ClaimURI>
                <DisplayName>Roles</DisplayName>
                <AttributeID>roles</AttributeID>
                <Description>Roles</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/role</MappedLocalClaim>
            </Claim>
            <Claim>
                <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:x509Certificates.default</ClaimURI>
                <DisplayName>X509Certificates</DisplayName>
                <AttributeID>x509Certificates</AttributeID>
                <Description>X509Certificates</Description>
                <DisplayOrder>5</DisplayOrder>
                <SupportedByDefault />
                <MappedLocalClaim>http://wso2.org/claims/x509Certificates</MappedLocalClaim>
            </Claim>
        </Dialect>
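        Before the modified claim-config.xml is copied into the new pack, it is worth checking that every external claim added above maps to a local claim that the local dialect actually defines: a MappedLocalClaim that points at an undefined or mistyped local claim URI cannot be resolved to a user store attribute, and the mistake only shows up at runtime. The following check is an added example and is not WSO2 code or documentation. It assumes the claim-config.xml layout of a Claims root holding Dialect elements with a dialectURI attribute, each containing Claim entries (namespaces are ignored), and runs against a constructed sample in which one SCIM claim maps to a local claim that does not exist.

```python
"""Consistency check for a WSO2 IS claim-config.xml (added example, not WSO2 code).

Assumed file layout (matches claim-config.xml as shipped, but treat it as an
assumption): a <Claims> root holding <Dialect dialectURI="..."> elements, each
containing <Claim> entries with <ClaimURI> and, for non-local dialects, a
<MappedLocalClaim> that must name a claim defined in the local dialect.
"""
import sys
import xml.etree.ElementTree as ET

LOCAL_DIALECT = "http://wso2.org/claims"


def _tag(element: ET.Element) -> str:
    """Return the tag without any namespace prefix ('{ns}Claim' -> 'Claim')."""
    return element.tag.rsplit("}", 1)[-1]


def load_dialects(xml_text: str) -> dict[str, list[dict[str, str]]]:
    """Map each dialectURI to its claims, each claim as {child tag: text}."""
    root = ET.fromstring(xml_text)
    dialects: dict[str, list[dict[str, str]]] = {}
    for element in root.iter():
        if _tag(element) != "Dialect":
            continue
        claims = []
        for claim in element:
            if _tag(claim) == "Claim":
                claims.append({_tag(c): (c.text or "").strip() for c in claim})
        dialects[element.get("dialectURI", "")] = claims
    return dialects


def check_claim_config(xml_text: str) -> list[str]:
    """Return human-readable problems; an empty list means the file passed.

    Rules: no duplicate ClaimURI within a dialect; every non-local claim has a
    MappedLocalClaim; that URI uses the local dialect prefix; and the local
    dialect actually defines it (a mistyped local claim URI fails here).
    """
    dialects = load_dialects(xml_text)
    local_uris = {c.get("ClaimURI", "") for c in dialects.get(LOCAL_DIALECT, [])}
    problems = []
    if not local_uris:
        problems.append(f"local dialect {LOCAL_DIALECT} is missing or empty")
    for dialect_uri, claims in dialects.items():
        seen: set[str] = set()
        for claim in claims:
            uri = claim.get("ClaimURI", "")
            if uri in seen:
                problems.append(f"{dialect_uri}: duplicate ClaimURI {uri}")
            seen.add(uri)
            if dialect_uri == LOCAL_DIALECT:
                continue
            mapped = claim.get("MappedLocalClaim", "")
            if not mapped:
                problems.append(f"{uri}: no MappedLocalClaim")
            elif not mapped.startswith(LOCAL_DIALECT + "/"):
                problems.append(f"{uri}: MappedLocalClaim {mapped} is not a local claim URI")
            elif mapped not in local_uris:
                problems.append(f"{uri}: MappedLocalClaim {mapped} is not defined in the local dialect")
    return problems


# Constructed sample, deliberately inconsistent: entitlements.default maps to a
# local claim that the local dialect does not define.
SAMPLE_XML = """<Claims xmlns="http://wso2.org/claims">
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim><ClaimURI>http://wso2.org/claims/role</ClaimURI><AttributeID>role</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/groups</ClaimURI><AttributeID>groups</AttributeID></Claim>
  </Dialect>
  <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0:User">
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:roles.default</ClaimURI>
      <MappedLocalClaim>http://wso2.org/claims/role</MappedLocalClaim>
    </Claim>
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:groups</ClaimURI>
      <MappedLocalClaim>http://wso2.org/claims/groups</MappedLocalClaim>
    </Claim>
    <Claim>
      <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:entitlements.default</ClaimURI>
      <MappedLocalClaim>http://wso2.org/claims/entitlements</MappedLocalClaim>
    </Claim>
  </Dialect>
</Claims>
"""

# The same sample with the missing local claim added to the local dialect.
FIXED_XML = SAMPLE_XML.replace(
    "  </Dialect>",
    "    <Claim><ClaimURI>http://wso2.org/claims/entitlements</ClaimURI>"
    "<AttributeID>entitlements</AttributeID></Claim>\n  </Dialect>",
    1,
)

if __name__ == "__main__":
    # usage: python check_claims.py <path to claim-config.xml>; no argument runs the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for problem in check_claim_config(text) or ["OK: claim mappings are consistent"]:
        print(problem)
```

        Run it against the modified copy of claim-config.xml before the conf folder is copied to the new pack; an empty result means every mapping added by hand resolves to a defined local claim.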
      • application-authentication.xml file stored in the <IS_HOME>/repository/conf/identity folder.

        Add the following parameter within the FacebookAuthenticator tag.

        Code Block
        languagexml
        <!--<Parameter name="ClaimDialectUri">http://wso2.org/facebook/claims</Parameter>-->

        Add the following parameter within the relevant tags of each of the following authenticators: MobileConnectAuthenticator, EmailOTP, SMSOTP and totp.

        Code Block
        languagexml
        <Parameter name="redirectToMultiOptionPageOnFailure">false</Parameter>

      • entitlement.properties file stored in the <IS_HOME>/repository/conf/identity folder.

        WSO2 IS 5.4.0 introduces a set of new XACML policies that are loaded at server startup when the PAP.Policy.Add.Start.Enable property is set to true. Therefore, when you upgrade to IS 5.4.0, follow one of the steps below depending on whether you want the new policies to be added:

        • If you want to add the new policies on server startup, set both the PDP.Balana.Config.Enable and PAP.Policy.Add.Start.Enable properties to true.
        • If you do not want to add the new policies on server startup, set both the PDP.Balana.Config.Enable and PAP.Policy.Add.Start.Enable properties to false.

        Warning
        titleNote

        If you set the PDP.Balana.Config.Enable property to false while the PAP.Policy.Add.Start.Enable property is set to true, the server does not read the balana-config.xml file on startup. Because balana-config.xml includes the functions that the new XACML policies require, loading the policies then fails with an error such as the following:

        Code Block
        TID: [-1234] [] [2018-01-01 01:16:37,547] ERROR {org.wso2.carbon.identity.entitlement.EntitlementUtil} Error while adding sample XACML policies
        java.lang.IllegalArgumentException: Error while parsing start up policy

      2. Replace the <NEW_IS_HOME>/repository/conf folder with the modified copy of the <OLD_IS_HOME>/repository/conf folder.

      3. Proceed to step 11 to run the migration client.

  • Start the Identity Server 5.4.0 with the following command to perform the data migration for all components.

    Info

    See the notes below to perform migration for individual components or for active tenants only.

    1. Linux/Unix:

      Code Block
      languagebash
      sh wso2server.sh -Dmigrate -Dcomponent=identity
    2. Windows:

      Code Block
      languagebash
      wso2server.bat -Dmigrate -Dcomponent=identity

    Note
    titleMigrate individual components

    Optional: To migrate certain components only, use the relevant commands listed below.

    Warning

    Unless specifically required, perform the full data migration by executing the command given above. Component migration is intended for certain special cases only and, if done incorrectly, leaves the migration incomplete and causes errors.

    Expand
    titleClick here to view the commands

    Identity Database Schema
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateIdentityDB
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateIdentityDB
    Claim Data
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateClaimData
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateClaimData
    Email Template Data
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateEmailTemplateData
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateEmailTemplateData
    Permission Data
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigratePermissionData
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigratePermissionData
    Challenge Question Data
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateChallengeQuestionData
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateChallengeQuestionData
    OIDC Scope Data
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateOIDCScopeData
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateOIDCScopeData
    Resident IdP MetaData
      Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateResidentIdpMetaData
      Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateResidentIdpMetaData

    Tip

    If you have updated your WSO2 IS 5.4.0 pack using WSO2 Update Manager (WUM) with WSO2 Carbon 4.4.X Update 2018-01-05, use this command to perform the data migration instead:

    1. Linux/Unix:

      Code Block
      languagebash
      sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateOIDCScopeData
    2. Windows:

      Code Block
      languagebash
      wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateOIDCScopeData
    Note
    titleMigrate active tenants only

    Optional: If you have any disabled/inactive tenants in your previous version of WSO2 IS that you do not want to bring forward to the next version, do a complete migration for all components with active tenants only.

    Expand
    titleClick here to view the command

    Start the server against the migration client jar located in the <IS_HOME>/repository/components/dropins directory using the -DmigrateActiveTenantsOnly flag, as shown below.

    Code Block
    sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateActiveTenantsOnly
  • Once the migration is successful, stop the server and start it normally using the appropriate command.
    1. Linux/Unix:

      Code Block
      languagebash
      sh wso2server.sh
    2. Windows:

      Code Block
      languagebash
      wso2server.bat
  • Tip

    If you have switched off the account disabling feature, open the identity-event.properties file stored in the <IS_HOME>/repository/conf/identity folder and ensure that the following properties exist. (The module.name.N entry registers the handler; the index N may differ in your file.) If they do not exist, add them to the file.

    Code Block
    module.name.5=account.disable.handler
    account.disable.handler.enable=false
    account.disable.handler.subscription.1=PRE_AUTHENTICATION

    These properties are applied only at the first startup of the server and when a new tenant is created, so switch off the account disabling feature via the management console as well. For more information on how to do this, see Account Disabling.
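    Two of the edits in this procedure are easy to get wrong and only fail on the first start of the new server: the entitlement.properties rule above (PAP.Policy.Add.Start.Enable must not be true while PDP.Balana.Config.Enable is false) and the account-disabling properties in this tip. The following script is an added example and is not WSO2 code: it reads Java-style .properties text and applies both rules, against constructed samples that stand in for entitlement.properties and identity-event.properties. It assumes the handler may be registered under any module.name.N index and that neither file uses line continuations or escape sequences.

```python
"""Startup-safety checks for two properties files touched in this upgrade
(added example, not WSO2 code).

Rules applied, both taken from the upgrade notes:
  * entitlement.properties: PAP.Policy.Add.Start.Enable=true is only valid
    together with PDP.Balana.Config.Enable=true.
  * identity-event.properties: with account disabling switched off, the file
    must register the handler under some module.name.N key (any N is accepted;
    that is an assumption) and carry account.disable.handler.enable=false and
    account.disable.handler.subscription.1=PRE_AUTHENTICATION.
"""
import re
import sys


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators.

    Line continuations and escape sequences are not handled (assumption: the
    files in question do not use them).
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _is_true(props: dict[str, str], key: str) -> bool:
    return props.get(key, "").lower() == "true"


def check_entitlement(props: dict[str, str]) -> list[str]:
    """Flag the combination that makes the new XACML startup policies unparseable."""
    if _is_true(props, "PAP.Policy.Add.Start.Enable") and not _is_true(props, "PDP.Balana.Config.Enable"):
        return ["PAP.Policy.Add.Start.Enable=true with PDP.Balana.Config.Enable=false: "
                "balana-config.xml is not read, so the startup policies will fail to parse"]
    return []


def check_account_disable_off(props: dict[str, str]) -> list[str]:
    """List what is missing for the 'account disabling switched off' configuration."""
    problems = []
    if not any(re.fullmatch(r"module\.name\.\d+", key) and value == "account.disable.handler"
               for key, value in props.items()):
        problems.append("no module.name.N=account.disable.handler entry")
    if props.get("account.disable.handler.enable", "").lower() != "false":
        problems.append("account.disable.handler.enable is not false")
    if props.get("account.disable.handler.subscription.1") != "PRE_AUTHENTICATION":
        problems.append("account.disable.handler.subscription.1 is not PRE_AUTHENTICATION")
    return problems


# Constructed samples (not real files from a WSO2 installation).
ENTITLEMENT_BAD = """# the combination the upgrade notes warn about
PDP.Balana.Config.Enable=false
PAP.Policy.Add.Start.Enable=true
"""
ENTITLEMENT_OK = ENTITLEMENT_BAD.replace("PDP.Balana.Config.Enable=false", "PDP.Balana.Config.Enable=true")
EVENT_OK = """module.name.5=account.disable.handler
account.disable.handler.enable=false
account.disable.handler.subscription.1=PRE_AUTHENTICATION
"""

if __name__ == "__main__":
    # usage: python check_props.py entitlement.properties identity-event.properties
    ent = open(sys.argv[1]).read() if len(sys.argv) > 1 else ENTITLEMENT_BAD
    evt = open(sys.argv[2]).read() if len(sys.argv) > 2 else EVENT_OK
    for problem in check_entitlement(parse_properties(ent)) + check_account_disable_off(parse_properties(evt)):
        print("PROBLEM:", problem)
```

    Point it at the two files in the modified copy of the conf folder before that copy replaces <NEW_IS_HOME>/repository/conf; no output means both rules hold.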