Claim mapping for a service provider involves mapping the claims used by the service provider to the claims local to the WSO2 Identity Server. See the Identity Server Architecture for more information on how claim mapping fits into the overall scheme of things.
- In the Claim Configuration form, select the claim mapping dialect by either choosing to use the local claim dialect or defining your own custom claim dialect.
- If you choose to Use Local Claim Dialect, you need to fill in the following details.
  - Add the claims you want to request by clicking the Add Claim URI button.
  - Choose your Local Claim from the dropdown. Select whether this claim is a Mandatory Claim for the Service Provider using the checkbox.
- If you choose to Define Custom Claim Dialect, you need to do the following.
When configuring claims for an OpenID Connect service provider, note that the claims returned to the application also depend on the scope-to-claim configuration stored in the registry resource named oidc, not only on the mappings in the Claim Configuration form. To view that configuration,
- Click on Browse under Registry on the Main tab of the management console.
- Navigate to /_system/config/ and click on the oidc file. Expand the Properties section.
Testing mandatory claims
To test out mandatory claims,
- Configure a few claims and select the Mandatory Claim checkbox for some of them.
- Run the travelocity sample and try the SAML login.
- Enter the username and password of a user who has no values for some of the mandatory claims and click Submit.
- You are prompted to provide the missing mandatory claims. Enter them and click Submit.
- You are successfully logged in to the application.
Select the Subject Claim URI and the Role Claim URI (for custom claims) from the dropdown. The claims you mapped are listed in the dropdown and you can choose among these claims.
- When an authentication request comes into the Identity Server and the user logs in, the server identifies the user store that the user belongs to and reads the value of the claim configured as the Subject Claim URI from that user store. That value is sent to the service provider as the subject of the authentication response (the SAML subject NameID or the OIDC sub claim), so the claim you choose here determines how the application identifies the user.
- The Role Claim URI identifies the claim that carries the user's roles. The service provider uses this claim to apply the permissions it grants to specific user roles.
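The following Python model ties the pieces of this page together: a mapping table from local-dialect claims to a custom service-provider dialect with Mandatory Claim flags, the Subject Claim URI and Role Claim URI chosen from the mapped claims, and the behaviour of a login where the user store cannot supply every mandatory claim. It is example code written for this page, not code from the WSO2 project; the claim URIs under http://wso2.org/claims/ are real local-dialect claims, while the urn:example:sp: URIs, the sample user, and the use of "," as the multi-valued role separator are assumptions made for the example. In this model a missing mandatory claim halts the flow and returns the list of claims to prompt the user for, and a missing subject value refuses the login rather than issuing a response with no subject.

```python
# Illustrative model of WSO2 Identity Server service-provider claim mapping.
# Written for this page as an example; not code from the WSO2 project.
# Assumptions: the urn:example:sp: claim URIs, the sample user, and "," as the
# separator for multi-valued role claims.
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimMapping:
    local_claim: str         # claim URI in the Identity Server's local dialect
    sp_claim: str            # claim URI the service provider expects (custom dialect)
    mandatory: bool = False  # the "Mandatory Claim" checkbox


@dataclass(frozen=True)
class SpClaimConfig:
    mappings: tuple            # rows of the Claim Configuration table
    subject_claim_uri: str     # one of the mapped SP claims (dropdown)
    role_claim_uri: str        # one of the mapped SP claims (dropdown)
    role_separator: str = ","  # assumed multi-value separator for this example

    def local_for(self, sp_claim):
        """Reverse lookup: which local claim backs a given SP claim."""
        for m in self.mappings:
            if m.sp_claim == sp_claim:
                return m.local_claim
        raise ValueError(f"{sp_claim} is not a mapped claim")


def resolve_claims(config, user_store_attrs):
    """Map the user's local-dialect attributes to the SP dialect.

    Returns (sp_claims, missing_mandatory). Optional claims with no value are
    simply left out; mandatory ones with no value are reported so the login
    flow can prompt for them instead of completing silently.
    """
    sp_claims, missing = {}, []
    for m in config.mappings:
        value = user_store_attrs.get(m.local_claim)
        if value is None or value == "":
            if m.mandatory:
                missing.append(m.sp_claim)
            continue
        sp_claims[m.sp_claim] = value
    return sp_claims, missing


def build_response(config, user_store_attrs, supplied=None):
    """Simulate the step after the user store lookup during login.

    `supplied` holds values the user typed into the mandatory-claim prompt,
    keyed by SP claim URI. Returns {"status": "prompt", "missing": [...]} while
    a mandatory claim is still absent; otherwise the subject, roles and
    attributes that would go into the SAML/OIDC response.
    """
    attrs = dict(user_store_attrs)
    for sp_claim, value in (supplied or {}).items():
        attrs[config.local_for(sp_claim)] = value
    sp_claims, missing = resolve_claims(config, attrs)
    if missing:
        return {"status": "prompt", "missing": missing}
    subject = sp_claims.get(config.subject_claim_uri)
    if subject is None:
        # A subject identifier is never optional: refuse rather than issue a
        # response the application cannot tie to a user.
        return {"status": "error", "reason": "subject claim has no value"}
    roles_raw = sp_claims.get(config.role_claim_uri, "")
    roles = [r for r in roles_raw.split(config.role_separator) if r]
    return {"status": "ok", "subject": subject, "roles": roles, "attributes": sp_claims}


# Constructed configuration and user for this example.
CONFIG = SpClaimConfig(
    mappings=(
        ClaimMapping("http://wso2.org/claims/emailaddress", "urn:example:sp:email", mandatory=True),
        ClaimMapping("http://wso2.org/claims/givenname", "urn:example:sp:firstName"),
        ClaimMapping("http://wso2.org/claims/mobile", "urn:example:sp:phone", mandatory=True),
        ClaimMapping("http://wso2.org/claims/role", "urn:example:sp:roles"),
    ),
    subject_claim_uri="urn:example:sp:email",
    role_claim_uri="urn:example:sp:roles",
)
USER = {  # mobile is mandatory but absent from the user store
    "http://wso2.org/claims/emailaddress": "alice@example.com",
    "http://wso2.org/claims/givenname": "Alice",
    "http://wso2.org/claims/role": "Internal/everyone,travel-agent",
}

if __name__ == "__main__":
    first = build_response(CONFIG, USER)
    print(first)  # {'status': 'prompt', 'missing': ['urn:example:sp:phone']}
    second = build_response(CONFIG, USER, supplied={"urn:example:sp:phone": "+1-555-0100"})
    print(second["subject"], second["roles"])
```

Run it as a script: the first call stops at the prompt because the mobile claim is mandatory and absent, the second completes once the value is supplied. The check in build_response that refuses a response without a subject is the point of choosing the Subject Claim URI carefully: pick a claim every user in the user store actually has, or mark it mandatory.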