This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.
Skip to end of metadata
Go to start of metadata

Federated users can be provisioned to WSO2 Idenity Server local user store using JIT provisioning. But the Identity Server cannot enforce end users to enter new attributes for provisioning. However, WSO2 Identity Server 5.3.0 contains new feature which enables the end users to fill out the mandatory attributes for given service provider.

Assume that federated IDP or local IDP does not contain the required end user’s attributes which a service provider is looking for, with this feature the end user can provide these attributes as user inputs. These provided attributes will be sent to the SP. But, they will not be provisioned by default with federated JIT provisioning.

Now, let us see we can provision them. This can be done via implementing an extension to WSO2 Identity Server.

Step 1. Extend the DefaultStepBasedSequenceHandler & implement a new sequence handler. Here, we need to extend only the “handleJitProvisioning()” method. A Sample code is given below:

protected void handleJitProvisioning(String subjectIdentifier, AuthenticationContext context, List<String> mappedRoles, Map<String, String> extAttributesValueMap)
        throws FrameworkException {
    subjectIdentifier = new StringBuilder().append(subjectIdentifier).append("@").append(context.getTenantDomain()).toString();
        String userStoreDomain = null;
        String provisioningClaimUri = context.getExternalIdP()
        String provisioningUserStoreId = context.getExternalIdP().getProvisioningUserStoreId();
        if (provisioningUserStoreId != null)
            userStoreDomain = provisioningUserStoreId;
        else if (provisioningClaimUri != null) {
            userStoreDomain = (String)extAttributesValueMap.get(provisioningClaimUri);
        ThreadLocalProvisioningServiceProvider serviceProvider = new ThreadLocalProvisioningServiceProvider();
        FrameworkUtils.getProvisioningHandler().handle(mappedRoles, subjectIdentifier, extAttributesValueMap, userStoreDomain, context
        UserProfileAdmin userProfileAdmin = UserProfileAdmin.getInstance();
        subjectIdentifier = MultitenantUtils.getTenantAwareUsername(subjectIdentifier);
            String associatedID = userProfileAdmin.getNameAssociatedWith(context.getExternalIdP().getIdPName(), subjectIdentifier);
            if ((associatedID == null) || (associatedID.trim().length() == 0)) {
                userProfileAdmin.associateID(context.getExternalIdP().getIdPName(), subjectIdentifier);
      "User association is created with the username");
        } catch (UserProfileException e) {
            throw new FrameworkException(new StringBuilder().append("Error while associating local user ID for ").append(subjectIdentifier).toString(), e);
    catch (FrameworkException e) {
        log.error("User provisioning failed!", e);
    } finally {

In the above implementation example, we are creating an association with the same IDP identifier (which is the username). But, you can also create associations with different attributes if needed.

Step 2. Deploy extended jar file in to <IS_HOME>/repository/components/lib directory.

Step 3. Register custom step handler in <IS_HOME>/repository/conf/identity/application-authentication.xml file.


Step 4. Restart the server

Step 5. Configure some mandatory claims in SP configuration as shown below. In this example, we have configured a single mandatory claim which is  “SOA Security Id”

Step 6. Tryout Federation

Step 7. Provide a SOA Security Id and click SUBMIT.

User would be provisioned (Signup) with end user provided claims.

  • No labels