Add the following property within the <SessionDataCleanUp> tag.
<DeleteChunkSize>50000</DeleteChunkSize>
About the DeleteChunkSize property: in a production environment under high load, a session data cleanup task that removes all expired rows at once can cause a deadlock or a database lock. This property was introduced so that the task deletes the data in chunks of the configured size. Set the chunk size to suit your database; for more information, see Deployment Guidelines in Production.
Remove the following property found within the <OperationDataCleanUp> tag.
<CleanUpPeriod>720</CleanUpPeriod>
About the CleanUpPeriod property: WSO2 IS 5.3.0 ran session data cleanup and operation data cleanup as two separate tasks. In 5.4.0 both are done by a single combined task, so this property is no longer needed here. You can still configure the <CleanUpPeriod> property within the <SessionDataCleanUp> tag to set the cleanup period of the combined task.
Change the default value of the following property from 300 to 0.
<TimestampSkew>0</TimestampSkew>
About the TimestampSkew property: this value is the maximum clock skew, in seconds, tolerated between the sender and the recipient when validity timestamps are checked. The default was changed to 0 because the recommended practice is to keep the sender's and recipient's clocks synchronized; every second of tolerance you allow also extends the window in which an assertion or token that has already expired is still accepted. Raise the value only if the clocks are known to drift, and keep it as small as that drift allows.
Add the following JWT bearer grant type within the <SupportedGrantTypes> tag.
<SupportedGrantType>
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType>
About the JWT bearer grant type: it is supported out of the box in WSO2 IS 5.4.0. For more information, see Configuring JWT Grant Type in the ISConnectors documentation.
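The TimestampSkew change and the JWT bearer grant above interact: the assertion a client sends with the jwt-bearer grant carries exp and nbf claims, and TimestampSkew decides how much clock drift is forgiven when those claims are checked. The following Python is an added illustration written for this page, not WSO2 code. It builds an RFC 7523 style assertion with a placeholder signature (a real assertion is signed with the registered identity provider's private key, and the server verifies that signature against the IdP certificate before any claim check; that step is not shown), forms the token request body, and evaluates the timing claims under a skew of 0 and of 300 seconds. The token endpoint URL and the trusted issuer are assumed values.

```python
# Added example (not WSO2 code): a JWT bearer assertion for the jwt-bearer grant, the
# token request that carries it, and how TimestampSkew affects the exp/nbf checks.
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"   # assumed host and port
TRUSTED_ISSUERS = {"https://idp.example.com"}             # assumed registered IdP issuer
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(issuer: str, subject: str, audience: str, iat: int,
                    lifetime: int = 300, signature: bytes = b"placeholder") -> str:
    """header.payload.signature; the signature is a placeholder because a real
    assertion is signed with the IdP's private key (RS256 in the header)."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": iat, "nbf": iat, "exp": iat + lifetime, "jti": f"{subject}-{iat}"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(payload).encode()),
                     b64url(signature)])


def token_request_body(assertion: str, scope: str = "openid") -> str:
    """Form body POSTed to the token endpoint for the jwt-bearer grant."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


def check_assertion_claims(assertion: str, now: int, timestamp_skew: int = 0,
                           audience: str = TOKEN_ENDPOINT):
    """Return (accepted, reason) for the claim checks that TimestampSkew influences.
    Signature verification against the IdP certificate precedes this and is not shown."""
    try:
        _header, payload_b64, _sig = assertion.split(".")
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed assertion"
    if not isinstance(claims, dict):
        return False, "malformed assertion"
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            return False, f"missing {name} claim"
    if claims["iss"] not in TRUSTED_ISSUERS:
        return False, "issuer is not a registered identity provider"
    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in audiences:
        return False, "audience does not include this token endpoint"
    # TimestampSkew widens both ends of the validity window by the same amount.
    if now > claims["exp"] + timestamp_skew:
        return False, "assertion expired"
    if "nbf" in claims and now + timestamp_skew < claims["nbf"]:
        return False, "assertion not yet valid"
    return True, "ok"
```

With skew 0, an assertion whose exp lies 100 seconds in the past is rejected; with the old default of 300 it is still accepted, which is exactly the window the stricter default closes. The same 300 seconds would also let an assertion from a client whose clock runs ahead pass its nbf check early.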
Update the <EmailVerification> code block with the following code.
The <LockOnCreation> property and the whole <AskPassword> block (with its <ExpiryTime> and <PasswordGenerator> properties) were added in 5.4.0.
<EmailVerification>
<Enable>false</Enable>
<ExpiryTime>1440</ExpiryTime>
<LockOnCreation>true</LockOnCreation>
<Notification>
<InternallyManage>true</InternallyManage>
</Notification>
<AskPassword>
<ExpiryTime>1440</ExpiryTime>
<PasswordGenerator>org.wso2.carbon.user.mgt.common.DefaultPasswordGenerator</PasswordGenerator>
</AskPassword>
</EmailVerification>
Update the following property found within the <SelfRegistration> tag to true.
<LockOnCreation>true</LockOnCreation>
Add the following properties within the <SelfRegistration> tag.
<VerificationCode>
<ExpiryTime>1440</ExpiryTime>
</VerificationCode>
Add the following properties within the <Server> tag.
<AuthenticationPolicy>
<CheckAccountExist>false</CheckAccountExist>
</AuthenticationPolicy>
Change the default values within the <CacheManager> tag as follows.
<CacheManager name="IdentityApplicationManagementCacheManager">
<Cache name="AppAuthFrameworkSessionContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="AuthenticationContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="AuthenticationRequestCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="AuthenticationResultCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="AppInfoCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="AuthorizationGrantCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="OAuthCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="OAuthScopeCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="OAuthSessionDataCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="SAMLSSOParticipantCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="SAMLSSOSessionIndexCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="SAMLSSOSessionDataCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
<Cache name="ServiceProviderCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="ProvisioningConnectorCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="ProvisioningEntityCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="ServiceProviderProvisioningConnectorCache" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="IdPCacheByAuthProperty" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="IdPCacheByHRI" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
<Cache name="IdPCacheByName" enable="true" timeout="900" capacity="5000" isDistributed="false"/>
</CacheManager>
Add the following property within the <CacheManager> tag if it does not already exist.
<Cache name="OAuthScopeCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
Add the following properties within the <OAuth> tag. The code comments explain the usage and applicable values for the properties.
<!-- Specify the Token issuer class to be used.
Default: org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl.
Applicable values: org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer-->
<!--<IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>-->
<!-- This configuration is used to specify the access token value generator.
Default: org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator
Applicable values: org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator,
org.apache.oltu.oauth2.as.issuer.MD5Generator,
org.wso2.carbon.identity.oauth.tokenvaluegenerator.SHA256Generator -->
<!--<AccessTokenValueGenerator>org.wso2.carbon.identity.oauth.tokenvaluegenerator.SHA256Generator</AccessTokenValueGenerator>-->
<!-- This configuration is used to specify whether the service provider's tenant domain should be used when generating the
access token. Otherwise the user's tenant domain is used. Currently this value is only supported by the JWTTokenIssuer. -->
<!--<UseSPTenantDomain>True</UseSPTenantDomain>-->
Add the following properties related to token persistence within the <OAuth> tag. A PoolSize of 0 persists tokens synchronously in the request thread; a positive value persists them asynchronously through a thread pool of that size. RetryCount is the number of times persistence is retried when storing a token fails.
<TokenPersistence>
<Enable>true</Enable>
<PoolSize>0</PoolSize>
<RetryCount>5</RetryCount>
</TokenPersistence>
Add the following property within the <OpenIDConnect> tag.
<SignJWTWithSPKey>false</SignJWTWithSPKey>
Replace the <OAuth2RevokeEPUrl> property with the following.
<OAuth2RevokeEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/revoke</OAuth2RevokeEPUrl>
Add the following event listener within the <EventListeners> tag. It is added commented out; uncomment it if you are using SCIM 2.0.
<!-- Uncomment the following event listener if SCIM2 is used. -->
<!--EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
name = "org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener"
orderId = "93"
enable = "true" /-->
Add the following properties within the <ResourceAccessControl> tag. These properties specify the access levels and permissions for the SCIM 2.0 resources.
<Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
<Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
</Resource>
<Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
<Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
</Resource>
<Resource context="(.*)/scim2/Groups" secured="true" http-method="POST">
<Permissions>/permission/admin/manage/identity/rolemgt/create</Permissions>
</Resource>
<Resource context="(.*)/scim2/Groups" secured="true" http-method="GET">
<Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
</Resource>
<Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="GET">
<Permissions>/permission/admin/manage/identity/usermgt/view</Permissions>
</Resource>
<Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PUT">
<Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
</Resource>
<Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PATCH">
<Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
</Resource>
<Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="DELETE">
<Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
</Resource>
<Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="GET">
<Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
</Resource>
<Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PUT">
<Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
</Resource>
<Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PATCH">
<Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
</Resource>
<Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="DELETE">
<Permissions>/permission/admin/manage/identity/rolemgt/delete</Permissions>
</Resource>
<Resource context="(.*)/scim2/Me" secured="true" http-method="GET">
<Permissions>/permission/admin/login</Permissions>
</Resource>
<Resource context="(.*)/scim2/Me" secured="true" http-method="DELETE">
<Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
</Resource>
<Resource context="(.*)/scim2/Me" secured="true" http-method="PUT">
<Permissions>/permission/admin/login</Permissions>
</Resource>
<Resource context="(.*)/scim2/Me" secured="true" http-method="PATCH">
<Permissions>/permission/admin/login</Permissions>
</Resource>
<Resource context="(.*)/scim2/Me" secured="true" http-method="POST">
<Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
</Resource>
<Resource context="/scim2/ServiceProviderConfig" secured="false" http-method="all">
<Permissions></Permissions>
</Resource>
<Resource context="/scim2/ResourceType" secured="false" http-method="all">
<Permissions></Permissions>
</Resource>
<Resource context="/scim2/Bulk" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/usermgt</Permissions>
</Resource>
<Resource context="(.*)/api/identity/oauth2/dcr/(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt</Permissions>
</Resource>
Add the following properties within the <TenantContextsToRewrite><WebApp> tag.
<Context>/scim2</Context>
<Context>/api/identity/oauth/dcr/v1.0</Context>
Remove the following properties found within the <OAuth> tag.
<AppInfoCacheTimeout>-1</AppInfoCacheTimeout>
<AuthorizationGrantCacheTimeout>-1</AuthorizationGrantCacheTimeout>
<SessionDataCacheTimeout>-1</SessionDataCacheTimeout>
<ClaimCacheTimeout>-1</ClaimCacheTimeout>
Add the following commented property within the <OAuth> tag.
<!-- True if the access token alias is stored in the database instead of the access token itself.
E.g. the token alias and the token are the same when the
default AccessTokenValueGenerator is used.
When JWTTokenIssuer is used, the jti claim is used as the token alias.
Default: true.
Applicable values: true, false -->
<!--<PersistAccessTokenAlias>false</PersistAccessTokenAlias>-->
Replace the <OAuth2DCREPUrl> property with the property value given below.
<OAuth2DCREPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/api/identity/oauth2/dcr/v1.0/register</OAuth2DCREPUrl>
Uncomment the <TokenValidators> block and add the jwt validator (the second <TokenValidator> entry shown below) to it.
<TokenValidators>
<TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator" />
<TokenValidator type="jwt" class="org.wso2.carbon.identity.oauth2.validators.OAuth2JWTTokenValidator" />
</TokenValidators>
Add the following commented property to the file. You can place it after the </EnableAssertions> closing tag.
<!-- Set this to true if the subject identifier in the token validation response should follow the
service provider's configuration for:
- Use tenant domain in local subject identifier
- Use user store domain in local subject identifier
If the value is false, the subject identifier is set to the fully qualified username.
Default value: false
Supported versions: IS 5.4.0 beta onwards -->
<!--<BuildSubjectIdentifierFromSPConfig>true</BuildSubjectIdentifierFromSPConfig>-->
Uncomment the <UserType> property that has the value "FEDERATED" and comment out the <UserType> property that has the value "LOCAL", as seen below. The property can be found within the <SAML2Grant> tag.
<SAML2Grant>
<!--SAML2TokenHandler></SAML2TokenHandler-->
<!-- The UserType config decides whether the user carried in the SAML assertion is a local user or a federated user.
Only LOCAL users can read claims from the local user store. LEGACY users must have the tenant domain appended to the username
and cannot read claims from the local user store. To read claims by mapping users to the local user store entry with exactly the same
username (for non-LOCAL scenarios), use the mapFederatedUsersToLocal config -->
<!--<UserType>LOCAL</UserType>-->
<UserType>FEDERATED</UserType>
<!--UserType>LEGACY</UserType-->
</SAML2Grant>
Remove the following properties found within the <SSOService> tag.
<PersistanceCacheTimeout>157680000</PersistanceCacheTimeout>
<SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout>
Add the following properties to the file. You can place the code block after the </SCIM> closing tag.
<SCIM2>
<!--Default value for UserEPUrl and GroupEPUrl are built in following format
https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/<context>/<path>
If that doesn't satisfy uncomment the following config and explicitly configure the value-->
<!--UserEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/scim2/Users</UserEPUrl-->
<!--GroupEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/scim2/Groups</GroupEPUrl-->
</SCIM2>
Add the following properties to the file. You can place them after the </EnableAskPasswordAdminUI> closing tag.
<EnableRecoveryEndpoint>true</EnableRecoveryEndpoint>
<EnableSelfSignUpEndpoint>true</EnableSelfSignUpEndpoint>
Add the following properties within the <ResourceAccessControl> tag.
<Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="POST">
<Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
</Resource>
<Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="DELETE">
<Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
</Resource>
<Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="PUT">
<Permissions>/permission/admin/manage/identity/applicationmgt/update</Permissions>
</Resource>
<Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="GET">
<Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
</Resource>
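The two <ResourceAccessControl> blocks on this page (the SCIM 2.0 resources and the DCR register endpoint) each map an HTTP method and a context regex to the Carbon permission a caller must hold. The following Python is an added example written for this page, not WSO2 code: it parses <Resource> rules in that format and answers which permission a given request needs. It assumes that rules are tried in document order, that the first rule whose http-method and context regex match the whole request path wins, that a <Permissions> value may list several paths separated by commas, and that holding a parent permission node grants its children. Those are assumptions about the product's matcher, stated here so you can check them against your deployment; the embedded rule set is a constructed subset of the rules shown above.

```python
# Added example (not WSO2 code): evaluate <ResourceAccessControl> rules for a request.
import re
import xml.etree.ElementTree as ET

# Constructed subset of the SCIM2 and DCR rules from this page, wrapped in the parent tag.
RULES_XML = """<ResourceAccessControl>
  <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
    <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
  </Resource>
  <Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
    <Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
  </Resource>
  <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="DELETE">
    <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
  </Resource>
  <Resource context="(.*)/scim2/Me" secured="true" http-method="GET">
    <Permissions>/permission/admin/login</Permissions>
  </Resource>
  <Resource context="/scim2/ServiceProviderConfig" secured="false" http-method="all">
    <Permissions></Permissions>
  </Resource>
  <Resource context="/scim2/Bulk" secured="true" http-method="all">
    <Permissions>/permission/admin/manage/identity/usermgt</Permissions>
  </Resource>
  <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="POST">
    <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
  </Resource>
</ResourceAccessControl>"""


def load_rules(xml_text: str):
    """Parse <Resource> elements into rule dicts, keeping document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for res in root.findall("Resource"):
        perms = (res.findtext("Permissions") or "").strip()
        rules.append({
            "pattern": re.compile(res.get("context")),
            "secured": res.get("secured") == "true",
            "method": res.get("http-method", "all").upper(),
            # Assumption: several permissions may be listed separated by commas.
            "permissions": [p.strip() for p in perms.split(",") if p.strip()],
        })
    return rules


def required_permissions(rules, method: str, path: str):
    """Return (secured, permissions) from the first matching rule, or None when no rule matches.
    Assumption: the context regex must match the whole path (fullmatch), first rule wins."""
    method = method.upper()
    for rule in rules:
        if rule["method"] not in ("ALL", method):
            continue
        if rule["pattern"].fullmatch(path):
            return rule["secured"], rule["permissions"]
    return None


def has_permission(granted, required) -> bool:
    """Carbon permission tree semantics (assumed): a granted node covers all of its children."""
    return all(any(req == g or req.startswith(g + "/") for g in granted) for req in required)


def authorize(rules, method: str, path: str, granted) -> bool:
    """Decision for one request: unsecured resources pass, unmatched paths are denied."""
    match = required_permissions(rules, method, path)
    if match is None:
        return False
    secured, needed = match
    return (not secured) or has_permission(granted, needed)
```

The distinction between matching the whole path and merely searching it matters: with a whole-path match, GET /scim2/Users/{id} is not caught by the (.*)/scim2/Users list rule and falls through to the (.*)/scim2/Users/(.*) rule, which is why both forms appear in the page's rule set. A request for which no rule matches is denied here; confirm what your deployment does in that case rather than assuming it.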