This documentation is for WSO2 Identity Server 5.4.0.

Note that these instructions have been tested for migration from WSO2 IS 5.0.0 to 5.4.0 only with the ORACLE database.

The following sections provide instructions that enable you to upgrade from older versions of WSO2 Identity Server (from version 5.0.0 onwards) to the latest version of WSO2 Identity Server. In this topic, <OLD_IS_HOME> is the directory that the older version of WSO2 Identity Server resides in, and <NEW_IS_HOME> is the directory that the latest version of WSO2 Identity Server resides in.

Before you begin

This release is a WUM-only release. This means that there are no manual patches. Any further fixes or updates for this release are delivered through the WSO2 Update Manager (WUM).

  • If you are upgrading to use this version in your production environment, use the WSO2 Update Manager to get the latest updates available for WSO2 IS. For more information on how to do this, see Updating WSO2 Products.

Migrating the embedded LDAP user store

It is not generally recommended to use the embedded LDAP user store that is shipped with WSO2 Identity Server in production setups. However, if migration of the embedded LDAP is required, follow the instructions below to migrate the existing WSO2 IS LDAP user store to the new version of WSO2 IS. 

  1. Copy the <OLD_IS_HOME>/repository/data folder to the <NEW_IS_HOME>/repository/data folder.
  2. Restart the server to save the changes.

Migrating the configurations

You can use one of the following approaches to migrate, depending on your production environment.

  • Migrating by updating the custom configurations

    This approach is recommended if:

    • You have done very few configuration changes in your previous version of WSO2 IS. These configuration changes have been tracked and are easy to redo.  

    Steps:

    1. If you have made configuration changes to the config files in your previous version of WSO2 IS, update the files in the <NEW_IS_HOME>/repository/conf folder with your own configurations. 
    2. Proceed to the Migrating the data section to run the migration client.
  • Migrating by updating the new configurations in 5.4.0

    This approach is recommended if:

    • You have done many configuration changes in your previous version of WSO2 IS.
    • These configurations have not been tracked completely and/or are difficult to redo.  

    Steps:

    1. Make a copy of the <OLD_IS_HOME>/repository/conf folder. (Do not change the original configurations; keep them as a backup in case there are any issues.)
    2. Copy the following configuration files from <NEW_IS_HOME> and paste them into the copy of the <OLD_IS_HOME> configuration at the corresponding path.
      • <IS_HOME>/repository/conf/carbon.properties

      • <IS_HOME>/repository/conf/consent-mgt-config.xml

    3. The sections below list out all the configuration changes from IS 5.0.0 to IS 5.4.0. You can scroll through each table and change the relevant configurations according to the features you are using.

      Note: The configuration changes listed below will not affect the existing system because these configurations are applied only at first startup and on new tenant creation.

      If you want to change the configurations for the existing tenants, configure it through the management console user interface.

       Configuration changes
      Configuration File / Configuration Change
      axis2.xml file stored in the <PRODUCT_HOME>/repository/conf/axis2/ directory.
      The following new parameter was added: <parameter name="httpContentNegotiation">true</parameter>. When this is set to 'true', the server determines the content type of responses by using the 'Accept' header of the request.
      identity.xml file stored in the <PRODUCT_HOME>/repository/conf/identity directory.
      1. The <TimeConfig> element was added. This element contains the global session timeout configuration. To configure session timeouts and remember-me periods per tenant, see Configuring Session Timeout.
      2. The <SessionTimeout> parameter under the <OpenID> element and the <SSOService> element was removed. This configuration is no longer a constant across all service providers. From Identity Server 5.1.0 onwards, you can define the session timeout and remember-me period per tenant using the management console. For more information on how to do this, see Configuring Session Timeout.
      tenant-axis2.xml stored in the <PRODUCT_HOME>/repository/conf/tomcat/ directory.
      The default value of the "httpContentNegotiation" parameter is set to 'true': <parameter name="httpContentNegotiation">true</parameter>.
      catalina-server.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/ directory.
      1. Keystore parameters were added under the <Connector> element as shown below. This setting allows you to use a separate keystore and certificates for SSL connections. Note that the location and password of the default "wso2carbon.jks" keystore are given for these parameters by default.

        keystoreFile=location of the keystore file
        keystorePass=password for the keystore 
      2. The ciphers parameter under the <Connector> element was removed. Depending on the java version you are using, you can define ciphers using the Configuring Transport Level Security page as a guide.
      3. The clientAuth parameter under the <Connector> element was changed from clientAuth="false" to clientAuth="want". Setting this parameter to "want" makes two-way SSL authentication optional: the server requests a client certificate and uses it whenever one is presented, which is what you need if certificate authentication has to be skipped in certain cases (e.g., mobile applications). This is recommended because setting it to 'false' disables certificate authentication completely and does not use it even when it is possible.
      4. The <Host> element was removed. It had been added to fix XSS and CSRF vulnerabilities in WSO2-CARBON-PATCH-4.2.0-1256. For information on how to fix these vulnerabilities in IS 5.1.0, see the following pages:
        1. Mitigating Cross Site Request Forgery (CSRF) Attacks 
        2. Mitigating Carriage Return Line Feed (CRLF)
        3. Mitigating Cross Site Scripting (XSS) Attacks
      master-datasources.xml file stored in the <PRODUCT_HOME>/repository/conf/datasources/ directory.
      The default auto-commit setting for a data source is set to false: <defaultAutoCommit>false</defaultAutoCommit>.
      carbon.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory. 
      1. New parameters were added to define the proxy context path, as shown below:

        <MgtProxyContextPath></MgtProxyContextPath>
        <ProxyContextPath></ProxyContextPath>

        The proxy context path is a useful parameter for adding a proxy path when a Carbon server is fronted by a reverse proxy. In addition to the proxy host and proxy port, this parameter allows you to add a path component to external URLs. See Adding a Custom Proxy Path for details.

      2. The following port configurations were removed:

        <!-- Embedded Qpid broker ports -->
        <EmbeddedQpid>
            <!-- Broker TCP Port -->
            <BrokerPort>5672</BrokerPort>
            <!-- SSL Port -->
            <BrokerSSLPort>8672</BrokerSSLPort>
        </EmbeddedQpid>
      3. In Carbon 4.2.0, the following registry keystore configuration was required to configure the keys used to encrypt/decrypt metadata in the registry. From Carbon 4.3.0 onwards, the primary keystore configuration is used for this purpose as well, so a separate registry keystore configuration is no longer necessary. Read more about keystore configurations in Carbon 4.3.0.

        <RegistryKeyStore>
                    <!-- Keystore file location-->
                    <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
                    <!-- Keystore type (JKS/PKCS12 etc.)-->
                    <Type>JKS</Type>
                    <!-- Keystore password-->
                    <Password>wso2carbon</Password>
                    <!-- Private Key alias-->
                    <KeyAlias>wso2carbon</KeyAlias>
                    <!-- Private Key password-->
                    <KeyPassword>wso2carbon</KeyPassword>
        </RegistryKeyStore>

      user-mgt.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following property was added under the <Configuration> tag. If you are connecting to a database from a previous version of IS, set this property to false.

      <Property name="isCascadeDeleteEnabled">true</Property>

      The following properties under the <UserStoreManager> tag were changed as follows:

      • The <BackLinksEnabled> property was added. If this property is set to 'true', it enables an object that has a reference to another object to inherit the attributes of the referenced object.
      • The following property was added. It provides flexibility to customize the error message.

        <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
        <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>

      • The <IsBulkImportSupported> property was added. It specifies whether to enable or disable bulk user import.

      • The following properties were added. They provide flexibility to customize the connection pooling parameters.

        <Property name="ConnectionPoolingEnabled">false</Property>
        <Property name="LDAPConnectionTimeout">5000</Property>
        <Property name="ReadTimeout"/>
        <Property name="RetryAttempts"/>

      registry.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.
      The default value of the following setting was changed to 'false': <versionResourcesOnChange>false</versionResourcesOnChange>.
      authenticators.xml file stored in the <PRODUCT_HOME>/repository/conf/security directory.

      The following parameter was added under the <Authenticator> element to specify the AssertionConsumerServiceURL. This is an optional parameter and is used by the requesting party to build the request. For more information, see Authenticators Configuration.

      <Parameter name="AssertionConsumerServiceURL">https://localhost:9443/acs</Parameter>

       API changes

      The following section describes changes made to admin services in IS 5.1.0 which may affect your migration depending on your client's usage of the admin service.

      1. Removed authorization and changed input parameters of the changePasswordByUser operation exposed through the userAdmin service

        Changes to the changePasswordByUser operation

        Make the following change to the client side:

        1. Remove the username and password as authentication headers in the request and send the username, old password and new password inside the SOAP body instead. A sample of the request is shown below.

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
           <soapenv:Header/>
           <soapenv:Body>
              <xsd:changePasswordByUser>
                 <!--Optional:-->
                 <xsd:userName>admin</xsd:userName>
                 <!--Optional:-->
                 <xsd:oldPassword>adminpassword</xsd:oldPassword>
                 <!--Optional:-->
                 <xsd:newPassword>adminnewpassword</xsd:newPassword>
              </xsd:changePasswordByUser>
           </soapenv:Body>
        </soapenv:Envelope>

        How it used to be

        This operation was previously an admin service where the user had to be authenticated before running the operation (i.e., only a user with login permissions could perform a password change). In that case, the user had to authenticate with his/her username and current password to execute the operation, and the input parameters were as follows:

        1. old password

        2. new password

        How it is now

        Authentication is no longer required for this operation, which means all users (including those without login permissions) can perform this operation. Therefore, the input parameters are now as follows:

        1. username (username of the user whose password needs to be changed)

        2. old password

        3. new password

      Recommended: See the WSO2 IS 5.1.0 migration guide for more information.

      Note that the following files located in the <IS_HOME>/repository/conf/ folder in 5.0.0 have been moved to the <IS_HOME>/repository/conf/identity/ folder in 5.1.0 onwards:

      • provisioning-config.xml

      • identity.xml
      • /security/identity-mgt.properties

       Behavioral changes

      Due to a fix done in this release, the effective default value of the system property org.apache.xml.security.ignoreLineBreaks has been changed from “true” to “false”. Due to this change, you will observe line breaks in SAML responses.

      However, if the SAML response consuming client applications have used a standard library such as OpenSAML and use canonicalization when processing the response, this should not cause any problems. Therefore, our recommendation is to use a standard library to process SAML responses on consuming applications.

      If you have concerns about this behavioral change, or if the client applications that consume the SAML response do not use canonicalization when processing it and cannot be updated to do so, add the following JVM parameter to the server startup script located in the <IS_HOME>/bin/ folder to revert to the previous behavior.

      -Dorg.apache.xml.security.ignoreLineBreaks=true
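
      As an added illustration (not WSO2's code) of what this change means for a consumer, the Python below assumes the line breaks are the 76-column wrapping that the Santuario Base64 encoder applies to values such as ds:SignatureValue when the property is false. A decoder that treats whitespace as insignificant, as standard SAML libraries do, recovers the same bytes, while a strict decoder fed the raw element text fails; the response fragment and signature bytes are constructed for the example.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def wrap76(b64: str) -> str:
    """Reproduce the 76-column line wrapping applied to Base64 output when
    org.apache.xml.security.ignoreLineBreaks is false (assumed encoder behaviour)."""
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


# Constructed sample, not a real response: 96 placeholder bytes Base64-encode to
# 128 characters, so the value spans two lines once wrapped.
SIGNATURE_BYTES = bytes(range(96))
WRAPPED_SIGNATURE_B64 = wrap76(base64.b64encode(SIGNATURE_BYTES).decode("ascii"))

SAML_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS_NS}" ID="_constructed-example" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>
{WRAPPED_SIGNATURE_B64}
</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


def wrapped_base64_elements(xml_text: str) -> list:
    """Return the names of ds: elements whose Base64 content contains line breaks.
    A non-empty result on a captured response shows the new (ignoreLineBreaks=false)
    behaviour is in effect; useful as a post-migration smoke test."""
    root = ET.fromstring(xml_text)
    names = []
    for elem in root.iter():
        if elem.tag.startswith("{" + DS_NS + "}") and elem.text and "\n" in elem.text.strip():
            names.append(elem.tag.split("}", 1)[1])
    return names


def decode_xml_base64(text: str) -> bytes:
    """Decode Base64 as XML Schema base64Binary requires: whitespace is insignificant,
    so wrapped and unwrapped values yield the same bytes."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def strict_decode_fails(text: str) -> bool:
    """A consumer that passes the raw element text to a strict decoder breaks on the newline."""
    try:
        base64.b64decode(text, validate=True)
        return False
    except binascii.Error:
        return True


def signature_value(xml_text: str) -> str:
    """Extract the raw text of ds:SignatureValue from a response."""
    return ET.fromstring(xml_text).find(f".//{{{DS_NS}}}SignatureValue").text


if __name__ == "__main__":
    print("wrapped elements:", wrapped_base64_elements(SAML_RESPONSE_XML))
    print("tolerant decode ok:", decode_xml_base64(signature_value(SAML_RESPONSE_XML)) == SIGNATURE_BYTES)
    print("strict decode fails:", strict_decode_fails(signature_value(SAML_RESPONSE_XML)))
```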
       Configuration changes
      Configuration File / Changes
      oidc-scope-config.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.
      This configuration file was added to enable grouping claims that are bound to a scope value in OpenID Connect (OIDC). When requesting an OIDC token, you can specify a scope value that is bound to a set of claims in the oidc-scope-config.xml file. When that OIDC token is sent to the userinfo endpoint, only the claims that are common to both the oidc-scope-config and the service provider claim configuration are returned.
      identity-mgt.properties file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      The following parameters were added:

      # Whether to use hash of username when storing codes. 
      # Enable this if Registry is used to store the codes and if username may contain non alphanumeric characters.
      
      UserInfoRecovery.UseHashedUserNames=false
      UserInfoRecovery.UsernameHashAlg=SHA-1

      If you have enabled the option to use the email address as the username, the confirmation codes are retained after they are used because of the special character '@' in the email address. To resolve this, set the UserInfoRecovery.UseHashedUserNames parameter to true so that the registry resources are saved under a hash of the username instead of the email address username that contains the '@' sign.


      The following properties were added to support notification sending for account enabling and disabling:

      Notification.Sending.Enable.Account.Disable=false
      Notification.Sending.Enable.Account.Enable=false

      For more information, see User Account Locking and Account Disabling.


      The following property was added to check, at the point of authentication, whether the account has been locked.

      Authentication.Policy.Check.Account.Disable=false

      EndpointConfig.properties file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      The following properties were replaced:

      Old configuration
      identity.server.host=localhost
      identity.server.port=9443
      identity.server.serviceURL=/services/

      The properties above were replaced with the following:

      New configuration
      #identity.server.serviceURL=https://localhost:9443/services/ 

      entitlement.properties file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      When policy sets are used with entitlements, the default policy set cache size is 100. This may cause frequent cache eviction if there are more than 100 policies in the set. To avoid this, configure the following property. It will cause the cache size to increase depending on the policy set size for better performance.
       

      PDP.References.MaxPolicyEntries=3000

      identity.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      Session data persistence is enabled by default from IS 5.2.0 onwards.

      <SessionDataPersist>
          <Enable>true</Enable>
          <Temporary>true</Temporary>
          <PoolSize>0</PoolSize>
          <SessionDataCleanUp>
              <Enable>true</Enable>
              <CleanUpTimeout>20160</CleanUpTimeout>
              <CleanUpPeriod>1140</CleanUpPeriod>
          </SessionDataCleanUp>
          <OperationDataCleanUp>
              <Enable>true</Enable>
              <CleanUpPeriod>720</CleanUpPeriod>
          </OperationDataCleanUp>
      </SessionDataPersist>

      The following properties were removed:

      <!--SessionContextCache>
          <Enable>true</Enable>
          <Capacity>100000</Capacity>
      </SessionContextCache-->

      The following property was added to the <SSOService> and <PassiveSTS> elements:

      <SLOHostNameVerificationEnabled>true</SLOHostNameVerificationEnabled>

      For more information on configuring hostname verification, see the info note at the bottom of the Configuring WS-Federation page.


      Listeners and properties related to analytics in WSO2 Identity Server were added. For more information, see Prerequisites to Publish Statistics.

      Listeners
      <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler" name="org.wso2.carbon.identity.data.publisher.application.authentication.impl.DASLoginDataPublisherImpl" orderId="10" enable="false" />
      <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler" name="org.wso2.carbon.identity.data.publisher.application.authentication.impl.DASSessionDataPublisherImpl" orderId="11" enable="false" />
      <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler" name="org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy" orderId="11" enable="true" />
      Properties
      <ISAnalytics>
          <DefaultValues>
              <userName>NOT_AVAILABLE</userName>
              <userStoreDomain>NOT_AVAILABLE</userStoreDomain>
              <rolesCommaSeperated>NOT_AVAILABLE</rolesCommaSeperated>
              <serviceprovider>NOT_AVAILABLE</serviceprovider>
              <identityProvider>NOT_AVAILABLE</identityProvider>
          </DefaultValues>
      </ISAnalytics>

      The security element was updated:

      <!-- Security configurations-->
      <Security>
          <!-- The directory under which all other KeyStore files will be stored-->
          <KeyStoresDir>${carbon.home}/conf/keystores</KeyStoresDir>
          <KeyManagerType>SunX509</KeyManagerType> 
          <TrustManagerType>SunX509</TrustManagerType> 
      </Security>

      The following elements were added under the <OAuth> element:

      <OIDCCheckSessionEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/checksession</OIDCCheckSessionEPUrl>
      <OIDCLogoutEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout</OIDCLogoutEPUrl>
      <OIDCConsentPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_consent.do</OIDCConsentPage>
      <OIDCLogoutConsentPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage>
      <OIDCLogoutPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage>
      
      <EnableOAuthCache>false</EnableOAuthCache>

      Caching Recommendation

      It is recommended to keep the OAuth2 local cache and the distributed cache disabled as it may cause out-of-memory issues.
      However, if you want to enable the OAuth2 local cache, you have to enable the distributed cache as well.

      To enable the OAuth2 local cache and distributed cache, set the <EnableOAuthCache> property and isDistributed to true.

      <EnableOAuthCache>true</EnableOAuthCache>
      <Cache name="OAuthCache" enable="true" timeout="1" capacity="5000" isDistributed="true"/>

      The following elements were removed from the <OAuth><OpenIDConnect> element:

      <IDTokenSubjectClaim>http://wso2.org/claims/givenname</IDTokenSubjectClaim>
      <UserInfoEndpointClaimDialect>http://wso2.org/claims</UserInfoEndpointClaimDialect>

      The following code was updated. To add audiences to the JWT token, use the code block below. For more information, see JWT Token Generation.

      <OpenIDConnect>
          <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
          <!-- Comment out to add Audience values to the JWT token (id_token)-->
          <!--Audiences>
              <Audience>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</Audience>
          </Audiences-->
          <!--Default value for IDTokenIssuerID, is OAuth2TokenEPUrl.If that doesn't satisfy uncomment the following config and explicitly configure the value-->
          <IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</IDTokenIssuerID>
      
        ...
        
      </OpenIDConnect>

      The <CacheConfig> was replaced:

      <CacheConfig>
          <CacheManager name="IdentityApplicationManagementCacheManager">
              <Cache name="AppAuthFrameworkSessionContextCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="AuthenticationContextCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="AuthenticationRequestCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="AuthenticationResultCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="AppInfoCache" enable="true" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="AuthorizationGrantCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="OAuthCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="OAuthSessionDataCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="SAMLSSOParticipantCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="SAMLSSOSessionIndexCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="SAMLSSOSessionDataCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="ServiceProviderCache" enable="true" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="ProvisioningConnectorCache" enable="true" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="ProvisioningEntityCache" enable="false" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="ServiceProviderProvisioningConnectorCache" enable="true" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="IdPCacheByAuthProperty" enable="true" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="IdPCacheByHRI" enable="true" timeout="1" capacity="5000" isDistributed="false" />
              <Cache name="IdPCacheByName" enable="true" timeout="1" capacity="5000" isDistributed="false" />
          </CacheManager>
      </CacheConfig>

      • context.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/carbon/META-INF/ directory.
      • context.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/ directory.
      • web.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/ directory.

      The entire file was replaced in each case.
      carbon.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following elements were added under the <Security> tag:

      <STSCallBackHandlerName>org.wso2.carbon.identity.provider.AttributeCallbackHandler</STSCallBackHandlerName>
      
      <XSSPreventionConfig>
          <Enabled>true</Enabled>
          <Rule>allow</Rule>
          <Patterns>
              <!--Pattern></Pattern-->
          </Patterns>
      </XSSPreventionConfig>

      The following elements were removed:

      <!--Configurations to avoid Cross Site Request Forgery vulnerabilities-->
      <CSRFPreventionConfig>
          <!--CSRFPreventionFilter configurations that adopts Synchronizer Token Pattern-->
          <CSRFPreventionFilter>
          <!-- Set below to true to enable the CSRFPreventionFilter-->
          <Enabled>false</Enabled>
          <!--Url Pattern to skip application of CSRF protection-->
          <SkipUrlPattern > (.*)(/images|/css | /js|/docs)(.*) </SkipUrlPattern> 
          </CSRFPreventionFilter> 
      </CSRFPreventionConfig>
      
      <!-- Configuration to enable or disable CR and LF sanitization filter-->
      <CRLFPreventionConfig>
          <!--Set below to true to enable the CRLFPreventionFilter-->
          <Enabled>true</Enabled> 
      </CRLFPreventionConfig>
      claim-config.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following claims were added. For more information on configuring these, see Configuring Users or User Account Locking and Account Disabling depending on the claim you want to configure.

      <Claim>
          <ClaimURI>http://wso2.org/claims/identity/lastLoginTime</ClaimURI>
          <DisplayName>Last Login</DisplayName>
          <!-- Proper attribute Id in your user store must be configured for this -->
          <AttributeID>carLicense</AttributeID>
          <Description>Last Login Time</Description>
      </Claim>
      <Claim>
          <ClaimURI>http://wso2.org/claims/identity/lastPasswordUpdateTime</ClaimURI>
          <DisplayName>Last Password Update</DisplayName>
          <!-- Proper attribute Id in your user store must be configured for this -->
          <AttributeID>businessCategory</AttributeID>
          <Description>Last Password Update Time</Description>
      </Claim>
      <Claim>
          <ClaimURI>http://wso2.org/claims/identity/accountDisabled</ClaimURI>
          <DisplayName>Account Disabled</DisplayName>
          <!-- Proper attribute Id in your user store must be configured for this -->
          <AttributeID>ref</AttributeID>
          <Description>Account Disabled</Description>
      </Claim>
      • data-agent-config.xml file stored in the <PRODUCT_HOME>/repository/conf/data-bridge/ directory.
      • event-processor.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Both files were newly added.
      metrics-datasources.xml file stored in the  <PRODUCT_HOME>/repository/conf/datasources/ directory.

      Set the <defaultAutoCommit> property to true.

      <datasource>
          <name>WSO2_METRICS_DB</name>
          <description>The default datasource used for WSO2 Carbon Metrics</description>
          <jndiConfig>
              <name>jdbc/WSO2MetricsDB</name>
          </jndiConfig>
          <definition type="RDBMS">
              <configuration>
                  <url>jdbc:h2:repository/database/WSO2METRICS_DB;DB_CLOSE_ON_EXIT=FALSE;AUTO_SERVER=TRUE</url>
                  <username>wso2carbon</username>
                  <password>wso2carbon</password>
                  <driverClassName>org.h2.Driver</driverClassName>
                  <maxActive>50</maxActive>
                  <maxWait>60000</maxWait>
                  <testOnBorrow>true</testOnBorrow>
                  <validationQuery>SELECT 1</validationQuery>
                  <validationInterval>30000</validationInterval>
                  <defaultAutoCommit>true</defaultAutoCommit>
              </configuration>
          </definition>
      </datasource>
      application-authentication.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.
      <AuthenticatorConfig name="EmailOTP" enabled="true">
          <Parameter name="GmailClientId">gmailClientIdValue</Parameter>
          <Parameter name="GmailClientSecret">gmailClientSecretValue</Parameter>
          <Parameter name="SendgridAPIKey">sendgridAPIKeyValue</Parameter>
          <Parameter name="GmailRefreshToken">gmailRefreshTokenValue</Parameter>
          <Parameter name="GmailEmailEndpoint">https://www.googleapis.com/gmail/v1/users/[userId]/messages/send</Parameter>
          <Parameter name="SendgridEmailEndpoint">https://api.sendgrid.com/api/mail.send.json</Parameter>
          <Parameter name="accessTokenRequiredAPIs">Gmail</Parameter>
          <Parameter name="apiKeyHeaderRequiredAPIs">Sendgrid</Parameter>
          <Parameter name="SendgridFormData">sendgridFormDataValue</Parameter>
          <Parameter name="SendgridURLParams">sendgridURLParamsValue</Parameter>
          <Parameter name="GmailAuthTokenType">Bearer</Parameter>
          <Parameter name="GmailTokenEndpoint">https://www.googleapis.com/oauth2/v3/token</Parameter>
          <Parameter name="SendgridAuthTokenType">Bearer</Parameter>
      </AuthenticatorConfig>
      
      <AuthenticatorConfig name="x509CertificateAuthenticator" enabled="true">
          <Parameter name="AuthenticationEndpoint">https://localhost:8443/x509-certificate-servlet</Parameter>
      </AuthenticatorConfig>
      
      <AuthenticatorConfig name="totp" enabled="true">
          <Parameter name="encodingMethod">Base32</Parameter>
          <Parameter name="timeStepSize">30</Parameter>
          <Parameter name="windowSize">3</Parameter>
          <Parameter name="enableTOTP">false</Parameter>
      </AuthenticatorConfig>
      metrics.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following elements were added:

      <Metrics xmlns="http://wso2.org/projects/carbon/metrics.xml">
          <Reporting>
              <Console>
                  <Enabled>false</Enabled>
                  <!-- Polling Period in seconds.
                      This is the period for polling metrics from the metric registry and
                      printing in the console -->
                  <PollingPeriod>60</PollingPeriod>
              </Console>
      
              <DAS>
                  <Enabled>false</Enabled>
                  <!-- Source of Metrics, which will be used to
                      identify each metric sent in the streams -->
                  <!-- Commented to use the hostname
                      <Source>Carbon</Source>
                  -->
                  <!-- Polling Period in seconds.
                      This is the period for polling metrics from the metric registry and
                      sending events via the Data Publisher -->
                  <PollingPeriod>60</PollingPeriod>
                  <!-- The type used with Data Publisher -->
                  <Type>thrift</Type>
                  <!-- Data Receiver URL used by the Data Publisher -->
                  <ReceiverURL>tcp://localhost:7611</ReceiverURL>
                  <!-- Authentication URL for the Data Publisher -->
                  <!-- <AuthURL>ssl://localhost:7711</AuthURL> -->
                  <Username>admin</Username>
                  <Password>admin</Password>
                  <!-- Path for Data Agent Configuration -->
                  <DataAgentConfigPath>repository/conf/data-bridge/data-agent-config.xml</DataAgentConfigPath>
              </DAS>

      The output-event-adapters.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following adapter configurations were added:

      <adapterConfig type="http">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
          <!-- HTTP Client Pool Related Properties -->
          <property key="defaultMaxConnectionsPerHost">50</property>
          <property key="maxTotalConnections">1000</property>
      </adapterConfig>
      
      <adapterConfig type="jms">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
      </adapterConfig>
      
      <adapterConfig type="mqtt">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
          <property key="connectionKeepAliveInterval">60</property>
      </adapterConfig>
      
      <adapterConfig type="kafka">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
      </adapterConfig>
      
      <adapterConfig type="email">
          <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
              based authentication rather username/password authentication -->
          <property key="mail.smtp.from">abcd@gmail.com</property>
          <property key="mail.smtp.user">abcd</property>
          <property key="mail.smtp.password">xxxx</property>
          <property key="mail.smtp.host">smtp.gmail.com</property>
          <property key="mail.smtp.port">587</property>
          <property key="mail.smtp.starttls.enable">true</property>
          <property key="mail.smtp.auth">true</property>
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
      </adapterConfig>
      
      <adapterConfig type="ui">
          <property key="eventQueueSize">30</property>
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
      </adapterConfig>
      
      <adapterConfig type="websocket-local">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
      </adapterConfig>
      
      <adapterConfig type="websocket">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
      </adapterConfig>
      
      <adapterConfig type="soap">
          <!-- Thread Pool Related Properties -->
          <property key="minThread">8</property>
          <property key="maxThread">100</property>
          <property key="keepAliveTimeInMillis">20000</property>
          <property key="jobQueueSize">10000</property>
          <!-- Axis2 Client Connection Related Properties -->
          <property key="axis2ClientConnectionTimeout">10000</property>
          <property key="reuseHTTPClient">true</property>
          <property key="autoReleaseConnection">true</property>
          <property key="maxConnectionsPerHost">50</property>
      </adapterConfig>

      The registry.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following elements were added:

      <indexingConfiguration>
          <startIndexing>false</startIndexing>
          <startingDelayInSeconds>35</startingDelayInSeconds>
          <indexingFrequencyInSeconds>5</indexingFrequencyInSeconds>
          <!--number of resources submit for given indexing thread -->
          <batchSize>40</batchSize>
          <!--number of worker threads for indexing -->
          <indexerPoolSize>40</indexerPoolSize>
          <!-- location storing the time the indexing took place-->
          <lastAccessTimeLocation>/_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime</lastAccessTimeLocation>
          <!-- the indexers that implement the indexer interface for a relevant media type/(s) -->
          <indexers>
              <indexer class="org.wso2.carbon.registry.indexing.indexer.MSExcelIndexer" mediaTypeRegEx="application/vnd.ms-excel" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.MSPowerpointIndexer" mediaTypeRegEx="application/vnd.ms-powerpoint" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.MSWordIndexer" mediaTypeRegEx="application/msword" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.PDFIndexer" mediaTypeRegEx="application/pdf" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.XMLIndexer" mediaTypeRegEx="application/xml" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.XMLIndexer" mediaTypeRegEx="application/(.)+\+xml" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer" mediaTypeRegEx="application/swagger\+json" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer" mediaTypeRegEx="application/(.)+\+json" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer" mediaTypeRegEx="text/(.)+" />
              <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer" mediaTypeRegEx="application/x-javascript" />
          </indexers>
          <exclusions>
              <exclusion pathRegEx="/_system/config/repository/dashboards/gadgets/swfobject1-5/.*[.]html" />
              <exclusion pathRegEx="/_system/local/repository/components/org[.]wso2[.]carbon[.]registry/mount/.*" />
          </exclusions>
      </indexingConfiguration>

      The user-mgt.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      The following LDAP/AD property was added:

      <Property name="AnonymousBind">false</Property>

      Recommended: See the WSO2 IS 5.2.0 migration guide for more information.

      Note that the following new configuration files have been added from 5.2.0 onwards.

      • repository/conf/event-processor.xml
      • repository/conf/security/Owasp.CsrfGuard.Carbon.properties
      • repository/conf/tomcat/carbon/WEB-INF/web.xml
      • repository/conf/identity/oidc-scope-config.xml
      Behavioral changes

      Due to a fix in this release, the effective default value of the system property org.apache.xml.security.ignoreLineBreaks has changed from "true" to "false". As a result, the base64-encoded values in SAML responses (for example ds:SignatureValue and ds:X509Certificate) are now wrapped with line breaks.

      This does not affect client applications that process the response with a standard library such as OpenSAML: whitespace inside base64 content is discarded when the value is decoded, and the signed content is canonicalized before the signature is verified. Our recommendation is therefore to use a standard library to process SAML responses on consuming applications.

      If the consuming application parses or compares the raw element text itself, does not canonicalize the response, and cannot be updated to do so, add the following JVM parameter to the server startup script in the <IS_HOME>/bin/ folder to revert to the previous behavior.

      -Dorg.apache.xml.security.ignoreLineBreaks=true
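The following added example (not from the WSO2 documentation or product) shows why the line breaks are harmless to a consumer that decodes and canonicalizes, and what breaks in one that compares raw element text. It uses a constructed SAML skeleton with a fake 64-byte signature value, whose base64 form is longer than the 76-column wrap limit; the canonicalization is the Python standard library's C14N 2.0, standing in for the exclusive C14N a real SAML stack uses.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)

# Constructed sample signature bytes (not a real RSA signature): 64 bytes encode to
# 88 base64 characters, longer than the 76-column limit at which the signing library
# wraps base64 output once ignoreLineBreaks is false.
SIG_BYTES = bytes(range(64))
SIG_ONE_LINE = base64.b64encode(SIG_BYTES).decode()    # old behaviour (ignoreLineBreaks=true)
SIG_WRAPPED = base64.encodebytes(SIG_BYTES).decode()   # new behaviour: '\n' after 76 chars
PLACEHOLDER_DIGEST = base64.b64encode(bytes(32)).decode()  # constructed, not a real digest


def build_response(signature_b64: str) -> str:
    """Minimal constructed SAML Response carrying the given ds:SignatureValue text.
    SignedInfo is abbreviated to the elements needed for the demonstration."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_resp1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion>'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">'
        f'<ds:DigestValue>{PLACEHOLDER_DIGEST}</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo>'
        f'<ds:SignatureValue>{signature_b64}</ds:SignatureValue>'
        '</ds:Signature></samlp:Response>'
    )


def raw_signature_text(xml: str) -> str:
    """Brittle consumer: uses the element text verbatim (string comparison, cache key, ...)."""
    root = ET.fromstring(xml)
    return root.find(f"{{{DS}}}Signature/{{{DS}}}SignatureValue").text


def decoded_signature(xml: str) -> bytes:
    """Standards-compliant consumer: whitespace inside base64 content carries no
    information, so it is stripped before decoding, as XML-DSig libraries do."""
    return base64.b64decode(re.sub(r"\s+", "", raw_signature_text(xml)))


def signed_assertion_digest(xml: str) -> str:
    """SHA-256 over the canonicalized Assertion, i.e. the bytes a signature covers.
    The line-break change never touches this subtree, only the base64 text nodes."""
    root = ET.fromstring(xml)
    assertion = root.find(f"{{{SAML}}}Assertion")
    c14n = ET.canonicalize(ET.tostring(assertion, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def compare(old_xml: str, new_xml: str) -> dict:
    """Which consumer behaviours survive the switch from one-line to wrapped base64."""
    return {
        "raw_text_equal": raw_signature_text(old_xml) == raw_signature_text(new_xml),
        "decoded_equal": decoded_signature(old_xml) == decoded_signature(new_xml),
        "digest_equal": signed_assertion_digest(old_xml) == signed_assertion_digest(new_xml),
    }


if __name__ == "__main__":
    print(compare(build_response(SIG_ONE_LINE), build_response(SIG_WRAPPED)))
```

Only the raw-text comparison changes outcome; the decoded signature bytes and the digest of the signed Assertion are identical in both forms, which is why a library-based verifier is unaffected.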
      Configuration changes

      Configuration file | Required | Changes

      The carbon.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Mandatory

      Add the following property to the config file.

      <HideMenuItemIds>
      <HideMenuItemId>claim_mgt_menu</HideMenuItemId>
      <HideMenuItemId>identity_mgt_emailtemplate_menu</HideMenuItemId>
      <HideMenuItemId>identity_security_questions_menu</HideMenuItemId>
      </HideMenuItemIds>

      Update the following property value to 5.3.0.

      <Version>5.3.0</Version>

      The entitlement.properties file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      Optional

      If you are using the service provider authorization feature, add the following property to the config file.

      If you have any other AttributeDesignators configured with the number 2, use the smallest unused number instead of 2 when adding the property below.

      PIP.AttributeDesignators.Designator.2=org.wso2.carbon.identity.application.authz.xacml.pip.AuthenticationContextAttributePIP

      The application-authentication.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      Mandatory

      Add the following property under the <Extensions> tag.

      <AuthorizationHandler>org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler</AuthorizationHandler>

      The application-authentication.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

      Optional

      If you are using the mobile connect authenticator feature, add the following element under the <AuthenticatorConfigs> tag.

      <AuthenticatorConfig name="MobileConnectAuthenticator" enabled="true">
          <Parameter name="MobileConnectKey">mobileConnectClientId</Parameter>
          <Parameter name="MobileConnectSecret">mobileConnectClientSecret</Parameter>
      </AuthenticatorConfig>

      The Owasp.CsrfGuard.Carbon.properties stored in the <PRODUCT_HOME>/repository/conf/security/ directory.

      Mandatory

      Find the following line.

      Old configuration
      org.owasp.csrfguard.unprotected.authiwa=%servletContext%/commonauth/iwa/*

      Update the line as follows.

      New Configuration
      org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*

      Add the following property.

      org.owasp.csrfguard.unprotected.mex=%servletContext%/mexut/*

      Both keys are CSRFGuard exemptions: requests to org.owasp.csrfguard.unprotected.* paths are served without a CSRF token check, so add only the entries listed here and do not widen the patterns.

      The user-mgt.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Mandatory

      Add the following element under the <Realm> <Configuration> tag.

      <Property name="initializeNewClaimManager">true</Property>

      The email-admin-config.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Mandatory

      If you have not made any custom changes to this file in your previous version of WSO2 IS:

        • Copy the <NEW_IS_HOME>/repository/conf/email/email-admin-config.xml file and replace the existing one.

      If you have made custom changes to this file in your previous version:

        1. Locate the templates you updated that differ from the default config file. You can use a diff tool to compare your <OLD_IS_HOME>/repository/conf/email/email-admin-config.xml file with the default file to identify the custom changes you have made. Note these changes.
        2. Copy the <NEW_IS_HOME>/repository/conf/email/email-admin-config.xml file to the <OLD_IS_HOME>/repository/conf/email/ directory and rename it to email-admin-config-new.xml.
        3. For each template you have modified, do the following:

          Note: If you opt to migrate to the new identity management implementation, follow all the steps below. If you wish to continue with the old identity management implementation, skip steps iii and iv.

          i. Locate the relevant template configuration in the email-admin-config-new.xml file by searching for <configuration type="xxxxx", where xxxxx is the type of the modified template in your old email-admin-config.xml file.

          ii. Update the subject, body, and footer in the new config file with the values from your existing configuration.

          iii. [OPTIONAL] Update the placeholders so that they are enclosed with double braces (e.g., {user-name} -> {{user-name}}).

          iv. [OPTIONAL] Update the user attribute placeholders to follow the {{user.claim.yyyy}} format, where yyyy is the attribute name (e.g., {first-name} -> {{user.claim.givenname}}).
        4. Delete the <OLD_IS_HOME>/repository/conf/email/email-admin-config.xml file and rename email-admin-config-new.xml to email-admin-config.xml to finish the update.

      For more information about this feature, see Email Templates.
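As an added illustration of the procedure above (example code, not part of the WSO2 documentation or product), the script below diffs a customised email-admin-config.xml against the shipped default, carries only the customised subject, body and footer into the new file, and rewrites placeholders to the double-brace and {{user.claim.xxx}} forms. The file structure and the sample templates are constructed; the placeholder-to-claim mapping beyond {first-name} -> {{user.claim.givenname}} is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. The layout (an <EmailConfig> root holding <configuration type="...">
# elements with <subject>, <body> and <footer> children) is assumed for the demonstration.
DEFAULT_OLD = """<EmailConfig>
  <configuration type="accountConfirmation" display="Account Confirmation" locale="en_US">
    <subject>Confirm your account</subject>
    <body>Hi {first-name}, your user name is {user-name}.</body>
    <footer>Default footer</footer>
  </configuration>
  <configuration type="passwordReset" display="Password Reset" locale="en_US">
    <subject>Password reset</subject>
    <body>Hi {user-name}, reset your password here: {confirmation-link}</body>
    <footer>Default footer</footer>
  </configuration>
</EmailConfig>"""

# The operator's copy of the old file: only accountConfirmation was customised.
CUSTOM_OLD = DEFAULT_OLD.replace(
    "<subject>Confirm your account</subject>\n    <body>Hi {first-name}, your user name is {user-name}.</body>",
    "<subject>Welcome to Example Corp</subject>\n    <body>Dear {first-name}, your login is {user-name}. Use {confirmation-link} within 24h.</body>",
)

# The new release's default file: same types, double-brace and claim-based placeholders.
NEW_DEFAULT = """<EmailConfig>
  <configuration type="accountConfirmation" display="Account Confirmation" locale="en_US">
    <subject>Confirm your account</subject>
    <body>Hi {{user.claim.givenname}}, your user name is {{user-name}}.</body>
    <footer>New default footer</footer>
  </configuration>
  <configuration type="passwordReset" display="Password Reset" locale="en_US">
    <subject>Password reset</subject>
    <body>Hi {{user-name}}, reset your password here: {{confirmation-link}}</body>
    <footer>New default footer</footer>
  </configuration>
</EmailConfig>"""

# Step iv mapping. Only first-name -> user.claim.givenname is given on the page; the rest is assumed.
CLAIM_PLACEHOLDERS = {"first-name": "user.claim.givenname", "last-name": "user.claim.lastname"}
FIELDS = ("subject", "body", "footer")


def templates(xml_text):
    """type -> {subject, body, footer} for every <configuration> in the file."""
    root = ET.fromstring(xml_text)
    return {c.get("type"): {f: (c.findtext(f) or "") for f in FIELDS}
            for c in root.findall("configuration")}


def customized_types(custom_xml, default_xml):
    """Step 1: template types whose text differs from the shipped default."""
    custom, default = templates(custom_xml), templates(default_xml)
    return sorted(t for t, v in custom.items() if v != default.get(t))


# Single-brace {name} only; an existing {{name}} is left alone so conversion is idempotent.
_PLACEHOLDER = re.compile(r"(?<!\{)\{([A-Za-z0-9_.-]+)\}(?!\})")


def convert_placeholders(text):
    """Steps iii and iv: {name} -> {{name}}, user attributes -> {{user.claim.xxx}}."""
    return _PLACEHOLDER.sub(lambda m: "{{" + CLAIM_PLACEHOLDERS.get(m.group(1), m.group(1)) + "}}", text)


def merge(custom_xml, default_xml, new_xml, new_identity_mgt=True):
    """Steps 2 to 4: start from the new file and carry over only the customised templates."""
    root = ET.fromstring(new_xml)
    custom = templates(custom_xml)
    for t in customized_types(custom_xml, default_xml):
        conf = root.find(f"configuration[@type='{t}']")
        if conf is None:  # template type no longer exists in the new release: nothing to carry
            continue
        for f in FIELDS:
            node = conf.find(f)
            if node is not None:
                value = custom[t][f]
                node.text = convert_placeholders(value) if new_identity_mgt else value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(merge(CUSTOM_OLD, DEFAULT_OLD, NEW_DEFAULT))
```

Pass new_identity_mgt=False to keep the old identity management implementation, which skips steps iii and iv and copies the placeholders unchanged.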

      The output-event-adapters.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Optional

      Add the following properties under the <outputEventAdaptersConfig> tag.

      <adapterConfig type="wso2event">
          <property key="default.thrift.tcp.url">tcp://localhost:7612</property>
          <property key="default.thrift.ssl.url">ssl://localhost:7712</property>
          <property key="default.binary.tcp.url">tcp://localhost:9612</property>
          <property key="default.binary.ssl.url">ssl://localhost:9712</property>
      </adapterConfig>
      The identity.xml file stored in the <PRODUCT_HOME>/repository/conf/identity directory.

      Mandatory

      Add the following event listeners as child elements under the <EventListeners> tag.

      <EventListeners>
          ....
          ....
          <EventListener
              type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
              name="org.wso2.carbon.identity.governance.listener.IdentityStoreEventListener"
              orderId="97" enable="true">
              <Property name="Data.Store">org.wso2.carbon.identity.governance.store.JDBCIdentityDataStore</Property>
          </EventListener>

          <EventListener
              type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
              name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener"
              orderId="95"
              enable="true"/>
          ....
      </EventListeners>

      Add the following properties under the <OAuth> tag.

      <OIDCWebFingerEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/.well-known/webfinger</OIDCWebFingerEPUrl>
      
      <!-- For tenants below urls will be modified as https://<hostname>:<port>/t/<tenant domain>/<path>-->
      <OAuth2DCREPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/identity/connect/register</OAuth2DCREPUrl>
      <OAuth2JWKSPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/jwks</OAuth2JWKSPage>
      <OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/oidcdiscovery</OIDCDiscoveryEPUrl>

      Add the following property under the <SSOService> tag.

      <!--<SAMLSSOAssertionBuilder>org.wso2.carbon.identity.sso.saml.builders.assertion.ExtendedDefaultAssertionBuilder</SAMLSSOAssertionBuilder>-->

      Add the following properties at the top level.

      <!--Recovery>
              <Notification>
                  <Password>
                      <Enable>false</Enable>
                  </Password>
                  <Username>
                      <Enable>false</Enable>
                  </Username>
                  <InternallyManage>true</InternallyManage>
              </Notification>
              <Question>
                  <Password>
                      <Enable>false</Enable>
                      <NotifyStart>true</NotifyStart>
                      <Separator>!</Separator>
                      <MinAnswers>2</MinAnswers>
                      <ReCaptcha>
                          <Enable>true</Enable>
                          <MaxFailedAttempts>3</MaxFailedAttempts>
                      </ReCaptcha>
                  </Password>
              </Question>
              <ExpiryTime>3</ExpiryTime>
              <NotifySuccess>true</NotifySuccess>
              <AdminPasswordReset>
                  <Offline>false</Offline>
                  <OTP>false</OTP>
                  <RecoveryLink>false</RecoveryLink>
              </AdminPasswordReset>
          </Recovery>
      
          <EmailVerification>
              <Enable>false</Enable>
              <LockOnCreation>false</LockOnCreation>
              <Notification>
                  <InternallyManage>true</InternallyManage>
              </Notification>
          </EmailVerification>
      
      	<SelfRegistration>
          <Enable>false</Enable>
          <LockOnCreation>false</LockOnCreation>
          <Notification>
              <InternallyManage>true</InternallyManage>
          </Notification>
          <ReCaptcha>false</ReCaptcha>
          </SelfRegistration-->

      Remove the following section:

      <ISAnalytics>
              <DefaultValues>
                  <userName>NOT_AVAILABLE</userName>
                  <userStoreDomain>NOT_AVAILABLE</userStoreDomain>
                  <rolesCommaSeperated>NOT_AVAILABLE</rolesCommaSeperated>
                  <serviceprovider>NOT_AVAILABLE</serviceprovider>
                  <identityProvider>NOT_AVAILABLE</identityProvider>
              </DefaultValues>
          </ISAnalytics>

      Add the following properties to the top level.

      <ResourceAccessControl>
              <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
              <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
              <Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>
              <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
                  <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
              </Resource>
              <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
                  <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
              </Resource>
              <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
                  <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
              </Resource>
              <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
                  <Permissions>/permission/admin/manage/identity/pep</Permissions>
              </Resource>
          </ResourceAccessControl>
      
          <ClientAppAuthentication>
              <Application name="dashboard" hash="66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262"/>
          </ClientAppAuthentication>
      
          <TenantContextsToRewrite>
              <WebApp>
                  <Context>/api/identity/user/v0.9</Context>
                  <Context>/api/identity/recovery/v0.9</Context>
                  <Context>/oauth2</Context>
                  <Context>/api/identity/entitlement</Context>
              </WebApp>
              <Servlet>
                  <Context>/identity/(.*)</Context>
              </Servlet>
          </TenantContextsToRewrite>
      The web.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF directory.

      Optional

      Add the following filter and filter mapping after the CsrfGuardHttpSessionListener listener element.

      <filter>
          <filter-name>CaptchaFilter</filter-name>
          <filter-class>org.wso2.carbon.identity.captcha.filter.CaptchaFilter</filter-class>
      </filter>

      <filter-mapping>
          <filter-name>CaptchaFilter</filter-name>
          <url-pattern>/samlsso</url-pattern>
          <url-pattern>/oauth2</url-pattern>
          <url-pattern>/commonauth</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      The catalina-server.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/ directory.

      Mandatory

      Add the following valves under the <Host> tag.

      <!-- Authentication and authorization valves for the REST APIs; the protected contexts are configured in identity.xml -->
      <Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
      <Valve className="org.wso2.carbon.identity.authz.valve.AuthorizationValve"/>
      <Valve className="org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve"/>
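The valves above and the <ResourceAccessControl> entries in identity.xml work together: the valves run on every request, and the Resource contexts decide which paths need authentication and which permissions. The added example below (not WSO2 code) evaluates a request path against the contexts listed in this table and checks that all three valves are present in a constructed catalina-server.xml sample. It assumes the product matches contexts as full-match Java regexes in file order with the first hit winning; that matching rule is an assumption, not something the page states.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ResourceAccessControl> block from this table, wrapped in a
# minimal identity.xml root so it parses on its own.
IDENTITY_XML = """<Server>
<ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/pep</Permissions>
    </Resource>
</ResourceAccessControl>
</Server>"""

# Constructed sample of the <Host> element in catalina-server.xml after the valves are added.
CATALINA_XML = """<Server><Service><Engine><Host name="localhost">
    <Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
    <Valve className="org.wso2.carbon.identity.authz.valve.AuthorizationValve"/>
    <Valve className="org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve"/>
</Host></Engine></Service></Server>"""

REQUIRED_VALVES = (
    "org.wso2.carbon.identity.auth.valve.AuthenticationValve",
    "org.wso2.carbon.identity.authz.valve.AuthorizationValve",
    "org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve",
)


def load_resources(identity_xml):
    """Parse <Resource> entries in document order; order matters because the first match wins."""
    root = ET.fromstring(identity_xml)
    return [{
        "context": r.get("context"),
        "secured": r.get("secured") == "true",
        "method": (r.get("http-method") or "all").lower(),
        "permissions": [p.text.strip() for p in r.findall("Permissions") if p.text],
    } for r in root.iter("Resource")]


def match_resource(resources, path, method="GET"):
    """First Resource whose context regex matches the whole request path
    (assumption: Java Pattern.matches semantics, mirrored here with re.fullmatch)."""
    for r in resources:
        if r["method"] not in ("all", method.lower()):
            continue
        if re.fullmatch(r["context"], path):
            return r
    return None


def access_requirement(identity_xml, path, method="GET"):
    """None: path not covered, so the valves enforce nothing for it.
    []:   authentication required, no specific permission.
    [..]: authentication plus every listed permission."""
    r = match_resource(load_resources(identity_xml), path, method)
    if r is None or not r["secured"]:
        return None
    return r["permissions"]


def missing_valves(catalina_xml):
    """Required valves absent from every <Host>; any hit means the ResourceAccessControl
    rules are never evaluated, whatever identity.xml says."""
    root = ET.fromstring(catalina_xml)
    present = {v.get("className") for host in root.iter("Host") for v in host.findall("Valve")}
    return [v for v in REQUIRED_VALVES if v not in present]


if __name__ == "__main__":
    for p in ("/identity/connect/register", "/t/acme.com/oauth2/introspect",
              "/api/identity/user/v0.9/me", "/oauth2/token"):
        print(p, "->", access_requirement(IDENTITY_XML, p))
    print("missing valves:", missing_valves(CATALINA_XML))
```

Because every context starts with (.*), tenant-prefixed paths such as /t/acme.com/oauth2/introspect match the same rule as the super-tenant path. The unescaped dot in (.*)/.well-known(.*) is harmless here, but keep it in mind when you add contexts of your own: a context that is too loose, or a missing valve, silently changes what the REST APIs require.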
      The carbon.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Optional

      Add the following properties after the </Security> tag.

      <HideMenuItemIds>
      <HideMenuItemId>identity_mgt_emailtemplate_menu</HideMenuItemId>
      <HideMenuItemId>identity_security_questions_menu</HideMenuItemId>
      </HideMenuItemIds>
      The log4j.properties file stored in the <PRODUCT_HOME>/repository/conf/ directory.

      Optional

      Add the following property.

      log4j.logger.org.springframework=WARN
      The data-agent-config.xml file stored in the <NEW_IS_HOME>/repository/conf/data-bridge directory.

      Mandatory

      Add the following properties under both the <ThriftDataEndpoint> and <BinaryDataEndpoint> elements of the <Agent> tag.

      <!--<sslEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</sslEnabledProtocols>-->
      <!--<ciphers>SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</ciphers>-->

      Both elements are shipped commented out. If you uncomment them to pin the data publisher's TLS settings, remove the RC4 and 3DES suites from the list and limit sslEnabledProtocols to TLSv1.2: RC4 is prohibited for TLS (RFC 7465) and 3DES is exposed to the Sweet32 birthday attack.
      The claim-config.xml file stored in the <NEW_IS_HOME>/repository/conf/ directory.

      Mandatory

      In the <Claim> element whose <ClaimURI> is http://wso2.org/claims/locality, replace the following attribute.

      Replace this attribute:
      <AttributeID>localityName</AttributeID>
       
      with this:
      <AttributeID>local</AttributeID>

      Modify the following claims as follows.

      <Claim>
        <ClaimURI>http://wso2.org/claims/userid</ClaimURI>
        <DisplayName>User ID</DisplayName>
        <AttributeID>scimId</AttributeID>
        <Description>Unique ID of the user</Description>
        <ReadOnly/>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/externalid</ClaimURI>
        <DisplayName>External User ID</DisplayName>
        <AttributeID>externalId</AttributeID>
        <Description>Unique ID of the user used in external systems</Description>
        <ReadOnly/>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/created</ClaimURI>
        <DisplayName>Created Time</DisplayName>
        <AttributeID>createdDate</AttributeID>
        <Description>Created timestamp of the user</Description>
        <ReadOnly/>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/modified</ClaimURI>
        <DisplayName>Last Modified Time</DisplayName>
        <AttributeID>lastModifiedDate</AttributeID>
        <Description>Last Modified timestamp of the user</Description>
        <ReadOnly/>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/location</ClaimURI>
        <DisplayName>Location</DisplayName>
        <AttributeID>location</AttributeID>
        <Description>Location</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/formattedName</ClaimURI>
        <DisplayName>Name - Formatted Name</DisplayName>
        <AttributeID>formattedName</AttributeID>
        <Description>Formatted Name</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/middleName</ClaimURI>
        <DisplayName>Middle Name</DisplayName>
        <AttributeID>middleName</AttributeID>
        <Description>Middle Name</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/honorificPrefix</ClaimURI>
        <DisplayName>Name - Honoric Prefix</DisplayName>
        <AttributeID>honoricPrefix</AttributeID>
        <Description>Honoric Prefix</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/honorificSuffix</ClaimURI>
        <DisplayName>Name - Honoric Suffix</DisplayName>
        <AttributeID>honoricSuffix</AttributeID>
        <Description>Honoric Suffix</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/userType</ClaimURI>
        <DisplayName>User Type</DisplayName>
        <AttributeID>userType</AttributeID>
        <Description>User Type</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/preferredLanguage</ClaimURI>
        <DisplayName>Preferred Language</DisplayName>
        <AttributeID>preferredLanguage</AttributeID>
        <Description>Preferred Language</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/local</ClaimURI>
        <DisplayName>Local</DisplayName>
        <AttributeID>local</AttributeID>
        <Description>Local</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/timeZone</ClaimURI>
        <DisplayName>Time Zone</DisplayName>
        <AttributeID>timeZone</AttributeID>
        <Description>Time Zone</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/emails.work</ClaimURI>
        <DisplayName>Emails - Work Email</DisplayName>
        <AttributeID>workEmail</AttributeID>
        <Description>Work Email</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/emails.home</ClaimURI>
        <DisplayName>Emails - Home Email</DisplayName>
        <AttributeID>homeEmail</AttributeID>
        <Description>Home Email</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/emails.other</ClaimURI>
        <DisplayName>Emails - Other Email</DisplayName>
        <AttributeID>otherEmail</AttributeID>
        <Description>Other Email</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/phoneNumbers</ClaimURI>
        <DisplayName>Phone Numbers</DisplayName>
        <AttributeID>phoneNumbers</AttributeID>
        <Description>Phone Numbers</Description>
        <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/phoneNumbers.home</ClaimURI>
        <DisplayName>Phone Numbers - Home Phone Number</DisplayName>
        <AttributeID>homePhone</AttributeID>
        <Description>Home Phone</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/phoneNumbers.work</ClaimURI>
        <DisplayName>Phone Numbers - Work Phone Number</DisplayName>
        <AttributeID>workPhone</AttributeID>
        <Description>Work Phone</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/phoneNumbers.fax</ClaimURI>
        <DisplayName>Phone Numbers - Fax Number</DisplayName>
        <AttributeID>fax</AttributeID>
        <Description>Fax Number</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/phoneNumbers.pager</ClaimURI>
        <DisplayName>Phone Numbers - Pager Number</DisplayName>
        <AttributeID>pager</AttributeID>
        <Description>Pager Number</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/phoneNumbers.other</ClaimURI>
        <DisplayName>Phone Numbers - Other</DisplayName>
        <AttributeID>otherPhoneNumber</AttributeID>
        <Description>Other Phone Number</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/gtalk</ClaimURI>
        <DisplayName>IM - Gtalk</DisplayName>
        <AttributeID>imGtalk</AttributeID>
        <Description>IM - Gtalk</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/skype</ClaimURI>
        <DisplayName>IM - Skype</DisplayName>
        <AttributeID>imSkype</AttributeID>
        <Description>IM - Skype</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/photos</ClaimURI>
        <DisplayName>Photo</DisplayName>
        <AttributeID>photos</AttributeID>
        <Description>Photo</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/photourl</ClaimURI>
        <DisplayName>Photo URIL</DisplayName>
        <AttributeID>photoUrl</AttributeID>
        <Description>Photo URL</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/thumbnail</ClaimURI>
        <DisplayName>Photo - Thumbnail</DisplayName>
        <AttributeID>thumbnail</AttributeID>
        <Description>Photo - Thumbnail</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/addresses</ClaimURI>
        <DisplayName>Address</DisplayName>
        <AttributeID>addresses</AttributeID>
        <Description>Address</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/addresses.formatted</ClaimURI>
        <DisplayName>Address - Formatted</DisplayName>
        <AttributeID>formattedAddress</AttributeID>
        <Description>Address - Formatted</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/streetaddress</ClaimURI>
        <DisplayName>Address - Street</DisplayName>
        <AttributeID>streetAddress</AttributeID>
        <Description>Address - Street</Description>
        <DisplayOrder>5</DisplayOrder>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/addresses.locality</ClaimURI>
        <DisplayName>Address - Locality</DisplayName>
        <AttributeID>localityAddress</AttributeID>
        <Description>Address - Locality</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/groups</ClaimURI>
        <DisplayName>Groups</DisplayName>
        <AttributeID>groups</AttributeID>
        <Description>Groups</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/verifyEmail</ClaimURI>
        <DisplayName>Verify Email</DisplayName>
        <AttributeID>manager</AttributeID>
        <Description>Temporary claim to invoke email verified feature</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/askPassword</ClaimURI>
        <DisplayName>Ask Password</DisplayName>
        <AttributeID>postOfficeBox</AttributeID>
        <Description>Temporary claim to invoke email ask Password feature</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/adminForcedPasswordReset</ClaimURI>
        <DisplayName>Force Password Reset</DisplayName>
        <AttributeID>departmentNumber</AttributeID>
        <Description>Temporary claim to invoke email force password feature</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/entitlements</ClaimURI>
        <DisplayName>Entitlements</DisplayName>
        <AttributeID>entitlements</AttributeID>
        <Description>Entitlements</Description>
      </Claim>
      <Claim>
        <ClaimURI>urn:scim:schemas:core:1.0:roles</ClaimURI>
        <DisplayName>Roles</DisplayName>
        <AttributeID>roles</AttributeID>
        <Description>Roles</Description>
        <DisplayOrder>5</DisplayOrder>
        <SupportedByDefault />
        <MappedLocalClaim>http://wso2.org/claims/role</MappedLocalClaim>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/x509Certificates</ClaimURI>
        <DisplayName>X509Certificates</DisplayName>
        <AttributeID>x509Certificates</AttributeID>
        <Description>X509Certificates</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/failedPasswordRecoveryAttempts</ClaimURI>
        <DisplayName>Failed Password Recovery Attempts</DisplayName>
        <AttributeID>postalCode</AttributeID>
        <Description>Number of consecutive failed attempts done for password recovery</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/emailVerified</ClaimURI>
        <DisplayName>Email Verified</DisplayName>
        <!-- Proper attribute Id in your user store must be configured for this -->
        <AttributeID>postalAddress</AttributeID>
        <Description>Email Verified</Description>
      </Claim>
      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/failedLoginLockoutCount</ClaimURI>
        <DisplayName>Failed Lockout Count</DisplayName>
        <!-- Proper attribute Id in your user store must be configured for this -->
        <AttributeID>employeeNumber</AttributeID>
        <Description>Failed Lockout Count</Description>
      </Claim>

      Remove the following claim.

      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/lastLoginTime</ClaimURI>
        <DisplayName>Last Login</DisplayName>
        <!-- Proper attribute Id in your user store must be configured for this -->
        <AttributeID>carLicense</AttributeID>
        <Description>Last Login Time</Description>
      </Claim>

      Add the following claim.

      <Claim>
        <ClaimURI>http://wso2.org/claims/identity/lastLogonTime</ClaimURI>
        <DisplayName>Last Logon</DisplayName>
        <!-- Proper attribute Id in your user store must be configured for this -->
        <AttributeID>carLicense</AttributeID>
        <Description>Last Logon Time</Description>
      </Claim>

      Replace the following attribute under the <Claim> tag whose <ClaimURI> is http://wso2.org/claims/challengeQuestion1.


      Replace this attribute:
      <AttributeID>localityName</AttributeID>
       
      with this:
      <AttributeID>firstChallenge</AttributeID>

      Replace the following attribute under the <Claim> tag whose <ClaimURI> is http://wso2.org/claims/challengeQuestion2.


      Replace this attribute:
      <AttributeID>localityName</AttributeID>
       
      with this:
      <AttributeID>secondChallenge</AttributeID>

      Modify this claim as follows:

      <Claim>
        <ClaimURI>http://wso2.org/claims/active</ClaimURI>
        <DisplayName>Active</DisplayName>
        <AttributeID>active</AttributeID>
        <Description>Status of the account</Description>
      </Claim>

      Recommended: See the WSO2 IS 5.3.0 migration guide for more information.

      Configuration changes
      Configuration File | Changes

      carbon.xml file stored in the <IS_HOME>/repository/conf folder.

      Change the version property value to 5.4.0.

      <Version>5.4.0</Version>

      identity-event.properties file stored in the <IS_HOME>/repository/conf/identity folder.

      Add the following property.

      account.lock.handler.notification.manageInternally=true

      The property given above allows you to enable or disable sending emails
      via the WSO2 Identity Server when an account is locked or unlocked.

      identity.xml file stored in the <IS_HOME>/repository/conf/identity folder.

      Add the following property within the <SessionDataCleanUp> tag.

      <DeleteChunkSize>50000</DeleteChunkSize>

      In a production environment, there is a possibility for a deadlock/database lock
      to occur when running a session data cleanup task in high load scenarios.
      To mitigate this, the property given above was introduced to clean data in chunks.
      Configure this property with the required chunk size. For more information, see Deployment Guidelines in Production.

      Remove the following property found within the <OperationDataCleanUp> tag.

      <CleanUpPeriod>720</CleanUpPeriod>

      WSO2 IS 5.3.0 had two separate tasks for session data cleanup and operation data cleanup.
      This is now combined and done through one task.
      Therefore the property given above is no longer needed.
      You can still configure the <CleanUpPeriod> property within the <SessionDataCleanUp> tag
      to specify the cleanup period for the combined task.

      Change the default value of the following property from 300 to 0.

      You can skip this step if you have already configured the <TimestampSkew> property with your own value.

      <TimestampSkew>0</TimestampSkew>

      The property given above specifies the maximum clock skew, in seconds,
      that is tolerated between the sender and the recipient.
      The default value was changed to 0 because the best practice is to assume
      that the sender and recipient clocks are synchronized.
      Configure a non-zero value only if the clocks are not synchronized.
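      To make the effect of the changed default concrete, the following added example (not code from the WSO2 documentation or product) evaluates a constructed assertion validity window under a 300 second and a 0 second skew; the nbf/exp timestamp representation and all values are assumptions made for the example.

```python
"""Effect of the <TimestampSkew> tolerance on assertion validity checks.

Added example, not code from the WSO2 documentation or product.  It models
the validity window of a time-limited assertion as Unix timestamps
(not-before / expiry) and shows how the tolerance changes the verdict.
All assertion values below are constructed.
"""


def validate_window(not_before, expires_at, now, skew_seconds):
    """Check `now` against [not_before, expires_at] widened by `skew_seconds`.

    Returns (accepted, reason).  With skew 0 (the WSO2 IS 5.4.0 default) the
    window is taken literally, i.e. sender and recipient clocks are assumed
    to be synchronised; a positive skew tolerates that many seconds of
    disagreement in either direction.
    """
    if skew_seconds < 0:
        raise ValueError("skew must be non-negative")
    if not_before > expires_at:
        return False, "malformed window (not_before after expires_at)"
    if now < not_before - skew_seconds:
        return False, "not yet valid: issuer clock is ahead by more than the skew"
    if now > expires_at + skew_seconds:
        return False, "expired: beyond expiry plus skew"
    return True, "ok"


def compare_skew_defaults(not_before, expires_at, now):
    """Evaluate one window under the old default (300 s) and the new one (0 s)."""
    return {
        300: validate_window(not_before, expires_at, now, 300)[0],
        0: validate_window(not_before, expires_at, now, 0)[0],
    }


# Constructed sample: a five-minute assertion issued by a peer whose clock
# runs 90 seconds ahead of the recipient's.
RECIPIENT_NOW = 1_700_000_000
ISSUER_OFFSET = 90
SAMPLE_NBF = RECIPIENT_NOW + ISSUER_OFFSET
SAMPLE_EXP = SAMPLE_NBF + 300

if __name__ == "__main__":
    # Accepted under the old tolerance, rejected under the new default until
    # the two clocks are brought into agreement.
    print(compare_skew_defaults(SAMPLE_NBF, SAMPLE_EXP, RECIPIENT_NOW))
```

      The rejection reason is returned rather than only a boolean so that a deployment can log why an assertion failed after the default changed.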

      Add the following JWT bearer grant type within the <SupportedGrantTypes> tag.

      <SupportedGrantType>
      <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
      <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
      <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>

      The JWT bearer grant type is supported out-of-the-box with WSO2 IS 5.4.0.
      For more information, see Configuring JWT Grant Type in the ISConnectors documentation.

      Update the <EmailVerification> code block with the following code.

      The properties shown below at line numbers 3, 8, 9, 10 and 11 (the <ExpiryTime> property and the <AskPassword> block) were added in 5.4.0.

      This step is optional.

      <EmailVerification>
          <Enable>false</Enable>
          <ExpiryTime>1440</ExpiryTime>
          <LockOnCreation>true</LockOnCreation>
          <Notification>
              <InternallyManage>true</InternallyManage>
          </Notification>
          <AskPassword>
              <ExpiryTime>1440</ExpiryTime>
              <PasswordGenerator>org.wso2.carbon.user.mgt.common.DefaultPasswordGenerator</PasswordGenerator>
          </AskPassword>
      </EmailVerification>

      Update the following property found within the <SelfRegistration> tag to true.

      This step is optional.

      <LockOnCreation>true</LockOnCreation>

      Add the following properties within the <SelfRegistration> tag.

      This step is optional.

      <VerificationCode>
        <ExpiryTime>1440</ExpiryTime>
      </VerificationCode>

      Add the following properties within the <Server> tag.

      <AuthenticationPolicy>
          <CheckAccountExist>false</CheckAccountExist>
      </AuthenticationPolicy>

      Change the default values within the <CacheManager> tag.

      • If you have already configured all the properties within the <CacheManager> tag with your own values, skip this step.

      • If you have only configured some of the properties within the <CacheManager> tag with your own values,
        replace the properties that you have not changed with the relevant default values shown below.

      • If you have not configured or changed any of the properties within the <CacheManager> tag,
        replace the entire <CacheManager> tag in the identity.xml file with the code block given below.

      <CacheManager name="IdentityApplicationManagementCacheManager">
          <Cache name="AppAuthFrameworkSessionContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="AuthenticationContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="AuthenticationRequestCache" enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="AuthenticationResultCache"  enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="AppInfoCache"               enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="AuthorizationGrantCache"    enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="OAuthCache"                 enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="OAuthScopeCache"            enable="true"  timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="OAuthSessionDataCache"      enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="SAMLSSOParticipantCache"    enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="SAMLSSOSessionIndexCache"   enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="SAMLSSOSessionDataCache"    enable="true" timeout="300" capacity="5000" isDistributed="false"/>
          <Cache name="ServiceProviderCache"       enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="ProvisioningConnectorCache" enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="ProvisioningEntityCache"    enable="true" timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="ServiceProviderProvisioningConnectorCache" enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="IdPCacheByAuthProperty"     enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="IdPCacheByHRI"              enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
          <Cache name="IdPCacheByName"             enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
      </CacheManager>

      Add the following property within the <CacheManager> tag if it does not already exist.

      <Cache name="OAuthScopeCache" enable="true"  timeout="300" capacity="5000" isDistributed="false"/>

      Add the following properties within the <OAuth> tag. The code comments explain the usage and applicable values for the properties.

      <!-- Specify the Token issuer class to be used.
      Default: org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl.
      Applicable values: org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer-->
          <!--<IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>-->
      
      <!-- This configuration is used to specify the access token value generator.
      Default: org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator
      Applicable values: org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator,
          org.apache.oltu.oauth2.as.issuer.MD5Generator,
          org.wso2.carbon.identity.oauth.tokenvaluegenerator.SHA256Generator -->
          <!--<AccessTokenValueGenerator>org.wso2.carbon.identity.oauth.tokenvaluegenerator.SHA256Generator</AccessTokenValueGenerator>-->
      
      <!-- This configuration is used to specify whether the Service Provider tenant domain should be used when generating
      the access token. Otherwise the user domain will be used. Currently this value is only supported by the JWTTokenIssuer. -->
          <!--<UseSPTenantDomain>True</UseSPTenantDomain>-->

      Add the following properties related to token persistence within the <OAuth> tag.

      <TokenPersistence>
          <Enable>true</Enable>
          <PoolSize>0</PoolSize>
          <RetryCount>5</RetryCount>
      </TokenPersistence>

      Add the following property within the <OpenIDConnect> tag.

      <SignJWTWithSPKey>false</SignJWTWithSPKey>

      Replace the <OAuth2RevokeEPUrl> property with the following.

      <OAuth2RevokeEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/revoke</OAuth2RevokeEPUrl>

      Add the following event listener within the <EventListeners> tag. Uncomment this listener if you are using SCIM 2.0.

      <!-- Uncomment the following event listener if SCIM2 is used. -->
      <!--EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
      name = "org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener"
      orderId = "93"
      enable = "true" /-->

      Add the following properties within the <ResourceAccessControl> tag. These properties specify the access levels and permissions for the SCIM 2.0 resources.

      <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
          <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
          <Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Groups" secured="true" http-method="POST">
          <Permissions>/permission/admin/manage/identity/rolemgt/create</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Groups" secured="true" http-method="GET">
          <Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="GET">
          <Permissions>/permission/admin/manage/identity/usermgt/view</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PUT">
          <Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PATCH">
          <Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="DELETE">
          <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="GET">
          <Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PUT">
          <Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PATCH">
          <Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="DELETE">
          <Permissions>/permission/admin/manage/identity/rolemgt/delete</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Me" secured="true"    http-method="GET">
          <Permissions>/permission/admin/login</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Me" secured="true" http-method="DELETE">
          <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Me" secured="true"    http-method="PUT">
          <Permissions>/permission/admin/login</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Me" secured="true"   http-method="PATCH">
          <Permissions>/permission/admin/login</Permissions>
      </Resource>
      <Resource context="(.*)/scim2/Me" secured="true" http-method="POST">
          <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
      </Resource>
      <Resource context="/scim2/ServiceProviderConfig" secured="false" http-method="all">
          <Permissions></Permissions>
      </Resource>
      <Resource context="/scim2/ResourceType" secured="false" http-method="all">
          <Permissions></Permissions>
      </Resource>
      <Resource context="/scim2/Bulk" secured="true"  http-method="all">
          <Permissions>/permission/admin/manage/identity/usermgt</Permissions>
      </Resource>
      <Resource context="(.*)/api/identity/oauth2/dcr/(.*)" secured="true" http-method="all">
          <Permissions>/permission/admin/manage/identity/applicationmgt</Permissions>
      </Resource>
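      As an added example (not WSO2 code), the following script parses a constructed subset of the <Resource> entries above and resolves, for a request path and HTTP method, whether the resource is secured and which permission it requires; the matching semantics (entries tried in document order, the context regex matched against the whole path, http-method="all" matching any method) are assumptions made for the example, not a description of the product's implementation.

```python
"""Resolve which permission a request to the SCIM 2.0 endpoints needs.

Added example, not WSO2 code: parses <ResourceAccessControl> entries of the
shape used in identity.xml and answers, for a request path and HTTP method,
whether the resource is secured and which permission is required.
Matching semantics are assumptions for this example: entries are tried in
document order, the context regex must match the whole path, and
http-method="all" matches any method.  The XML below is a constructed
subset of the entries from the migration guide.
"""
import re
import xml.etree.ElementTree as ET

CONSTRUCTED_CONFIG = """
<ResourceAccessControl>
  <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
    <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
  </Resource>
  <Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
    <Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
  </Resource>
  <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="DELETE">
    <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
  </Resource>
  <Resource context="(.*)/scim2/Me" secured="true" http-method="PATCH">
    <Permissions>/permission/admin/login</Permissions>
  </Resource>
  <Resource context="/scim2/ServiceProviderConfig" secured="false" http-method="all">
    <Permissions></Permissions>
  </Resource>
  <Resource context="/scim2/Bulk" secured="true" http-method="all">
    <Permissions>/permission/admin/manage/identity/usermgt</Permissions>
  </Resource>
</ResourceAccessControl>
""".strip()


class Rule:
    """One <Resource> entry: a context regex, a method filter and permissions."""

    def __init__(self, element):
        self.pattern = re.compile(element.get("context"))
        self.secured = element.get("secured", "true").lower() == "true"
        self.method = element.get("http-method", "all").upper()
        perm = element.findtext("Permissions") or ""
        # An empty <Permissions> element carries no permission string; split
        # on commas so that multi-valued entries are handled as a list.
        self.permissions = [p.strip() for p in perm.split(",") if p.strip()]

    def matches(self, path, method):
        method_ok = self.method == "ALL" or self.method == method.upper()
        return method_ok and self.pattern.fullmatch(path) is not None


def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    return [Rule(r) for r in root.findall("Resource")]


def resolve(rules, path, method):
    """Return (secured, permissions) for the first matching rule, or None
    when no rule covers the request.  A caller should treat None as a
    deny, not as an allow."""
    for rule in rules:
        if rule.matches(path, method):
            return rule.secured, rule.permissions
    return None


RULES = load_rules(CONSTRUCTED_CONFIG)

if __name__ == "__main__":
    for path, method in [("/scim2/Users/42", "DELETE"),
                         ("/t/acme.com/scim2/Users", "GET"),
                         ("/scim2/ServiceProviderConfig", "GET"),
                         ("/scim2/Bulk", "POST"),
                         ("/scim2/Schemas", "GET")]:
        print(method, path, "->", resolve(RULES, path, method))
```

      The tenant-prefixed path shows why the `(.*)` prefix matters, and the `/scim2/Schemas` lookup shows a path that none of the constructed entries cover.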

      Add the following properties within the <TenantContextsToRewrite><WebApp> tag.

      <Context>/scim2</Context>
      <Context>/api/identity/oauth/dcr/v1.0</Context>

      Remove the following properties found within the <OAuth> tag.

      <AppInfoCacheTimeout>-1</AppInfoCacheTimeout>
      <AuthorizationGrantCacheTimeout>-1</AuthorizationGrantCacheTimeout>
      <SessionDataCacheTimeout>-1</SessionDataCacheTimeout>
      <ClaimCacheTimeout>-1</ClaimCacheTimeout>

      Add the following commented property within the <OAuth> tag.

      <!-- True, if the access token alias is stored in the database instead of the access token.
      E.g. the token alias and the token are the same when the
      default AccessTokenValueGenerator is used.
      When JWTTokenIssuer is used, the jti is used as the token alias.
      Default: true.
      Applicable values: true, false-->
      
          <!--<PersistAccessTokenAlias>false</PersistAccessTokenAlias>-->

      Replace the <OAuth2DCREPUrl> property with the property value given below.

      <OAuth2DCREPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/api/identity/oauth2/dcr/v1.0/register</OAuth2DCREPUrl>

      Uncomment the following <TokenValidators> property and add the jwt <TokenValidator> entry (line 3 of the block given below) to the file.

      <TokenValidators>
          <TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator" />
          <TokenValidator type="jwt" class="org.wso2.carbon.identity.oauth2.validators.OAuth2JWTTokenValidator" />
      </TokenValidators>

      Add the following commented property to the file. You can place it after the </EnableAssertions> closing tag.

      <!-- This should be true if subject identifier in the token validation response needs to adhere to the
      following SP configuration.
      
      - Use tenant domain in local subject identifier. - Use user store domain in local subject identifier.
      
      If the value is false, the subject identifier will be set as the fully qualified username.
      
      Default value: false
      
      Supported versions: IS 5.4.0 beta onwards-->
          <!--<BuildSubjectIdentifierFromSPConfig>true</BuildSubjectIdentifierFromSPConfig>-->

      Uncomment the <UserType> property that has the value "Federated" and comment out the <UserType> property that has the value "Local" as seen below.
      The property can be found within the <SAML2Grant> tag.

      <SAML2Grant>
          <!--SAML2TokenHandler></SAML2TokenHandler-->
          <!-- UserType config decides whether the user carried in the SAML assertion is a local user or a federated user.
                  Only LOCAL users can access claims from the local userstore. LEGACY users will have the tenant domain appended to the username.
                  They will not be able to access claims from the local userstore. To get claims by mapping users with the exact same username from the local
                  userstore (for non-LOCAL scenarios) use the mapFederatedUsersToLocal config -->
          <!--<UserType>LOCAL</UserType>-->
          <UserType>FEDERATED</UserType>
          <!--UserType>LEGACY</UserType-->
      </SAML2Grant>

      Remove the following properties found within the <SSOService> tag.

      This step is optional.

      <PersistanceCacheTimeout>157680000</PersistanceCacheTimeout>
      <SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout>

      Add the following properties to the file. You can place the code block after the </SCIM> closing tag.

      <SCIM2>
          <!--Default values for UserEPUrl and GroupEPUrl are built in the following format:
                  https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/<context>/<path>
                  If that does not suit your deployment, uncomment the following config and explicitly configure the value-->
          <!--UserEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/scim2/Users</UserEPUrl-->
          <!--GroupEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/scim2/Groups</GroupEPUrl-->
      </SCIM2>

      Add the following properties to the file. You can place it after the </EnableAskPasswordAdminUI> closing tag.

      <EnableRecoveryEndpoint>true</EnableRecoveryEndpoint>
      <EnableSelfSignUpEndpoint>true</EnableSelfSignUpEndpoint>

      Add the following properties within the <ResourceAccessControl> tag.

      <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="POST">
          <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
      </Resource>
      <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="DELETE">
          <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
      </Resource>
      <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="PUT">
          <Permissions>/permission/admin/manage/identity/applicationmgt/update</Permissions>
      </Resource>
      <Resource context="(.*)/api/identity/oauth2/dcr/v1.0/register(.*)" secured="true" http-method="GET">
          <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
      </Resource>


      oidc-scope-config.xml file stored in the <IS_HOME>/repository/conf/identity folder.

      Replace the <Claim> tag within the <Scope id="openid"> tag with the following.

      <Claim>
          sub, email, email_verified, name, family_name, given_name, middle_name, nickname, preferred_username, profile,
          picture, website, gender, birthdate, zoneinfo, locale, updated_at, phone_number, phone_number_verified,
          address, street_address, country, formatted, postal_code, locality, region
      </Claim>

      Replace the <Claim> tag within the <Scope id="address"> tag with the following.

      <Claim>address,street</Claim>


      authenticators.xml file stored in the <IS_HOME>/repository/conf/security folder.

      Update the parameter name of the JITUserProvisioning parameter to the following.

      <Parameter name="JITUserProvisioningEnabled">true</Parameter>

      web.xml file stored in the <IS_HOME>/repository/conf/tomcat folder.

      Add the following property under the <session-config> tag.

      <tracking-mode>COOKIE</tracking-mode>

      Add the following properties below the <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class> property.

      <init-param>
         <param-name>compilerSourceVM</param-name>
         <param-value>1.8</param-value>
      </init-param>
      <init-param>
         <param-name>compilerTargetVM</param-name>
         <param-value>1.8</param-value>
      </init-param>

      email-admin-config.xml file stored in the <IS_HOME>/repository/conf/email folder.

      Replace "https://localhost:9443" in all instances of the accountrecoveryendpoint URL with the {{carbon.product-url}} placeholder.
      The URL should look similar to the URL shown in the code block below. The placeholder retrieves the value configured in the carbon.xml file.

      You can skip this step if you have already configured this with your load balancer URL.

      {{carbon.product-url}}/accountrecoveryendpoint/confirmregistration.do?confirmation={{confirmation-code}}&amp;userstoredomain={{userstore-domain}}&amp;username={{url:user-name}}&amp;tenantdomain={{tenant-domain}}

      cipher-tool.properties file stored in the <IS_HOME>/repository/conf folder.

      Add the following property.

      ThirftBasedEntitlementConfig.KeyStore.Password=repository/conf/identity/identity.xml//Server/EntitlementSettings/ThirftBasedEntitlementConfig/KeyStore/Password,true

      cipher-text.properties file stored in the <IS_HOME>/repository/conf folder.

      Add the following property.

      ThirftBasedEntitlementConfig.KeyStore.Password=[wso2carbon]

      claim-config.xml file stored in the <IS_HOME>/repository/conf folder.

      Add the following claims within the <Dialect dialectURI="http://wso2.org/claims"> tag.

      <Claim>
          <ClaimURI>http://wso2.org/claims/identity/phoneVerified</ClaimURI>
          <DisplayName>Phone Verified</DisplayName>
          <!-- Proper attribute Id in your user store must be configured for this -->
          <AttributeID>phoneVerified</AttributeID>
          <Description>Phone Verified</Description>
      </Claim>
      
      
      <Claim>
          <ClaimURI>http://wso2.org/claims/department</ClaimURI>
          <DisplayName>Department</DisplayName>
          <AttributeID>departmentNumber</AttributeID>
          <Description>Department</Description>
          <SupportedByDefault />
          <ReadOnly />
      </Claim>

      Add the following claims. This new claim dialect and the claims within it are required for SCIM 2.0.

      <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0">
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:id</ClaimURI>
              <DisplayName>Id</DisplayName>
              <AttributeID>scimId</AttributeID>
              <Description>Id</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/userid</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:externalId</ClaimURI>
              <DisplayName>External Id</DisplayName>
              <AttributeID>externalId</AttributeID>
              <Description>External Id</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/externalid</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.created</ClaimURI>
              <DisplayName>Meta - Created</DisplayName>
              <AttributeID>createdDate</AttributeID>
              <Description>Meta - Created</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/created</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.lastModified</ClaimURI>
              <DisplayName>Meta - Last Modified</DisplayName>
              <AttributeID>lastModifiedDate</AttributeID>
              <Description>Meta - Last Modified</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/modified</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.location</ClaimURI>
              <DisplayName>Meta - Location</DisplayName>
              <AttributeID>location</AttributeID>
              <Description>Meta - Location</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/location</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.resourceType</ClaimURI>
              <DisplayName>Meta - Resource Type</DisplayName>
              <AttributeID>ref</AttributeID>
              <Description>Meta - Resource Type</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/resourceType</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.version</ClaimURI>
              <DisplayName>Meta - Version</DisplayName>
              <AttributeID>im</AttributeID>
              <Description>Meta - Version</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/im</MappedLocalClaim>
          </Claim>
      </Dialect>
      <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0:User">
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:userName</ClaimURI>
              <DisplayName>User Name</DisplayName>
              <AttributeID>uid</AttributeID>
              <Description>User Name</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/username</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.givenName</ClaimURI>
              <DisplayName>Name - Given Name</DisplayName>
              <AttributeID>givenName</AttributeID>
              <Description>Given Name</Description>
              <Required />
              <DisplayOrder>1</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/givenname</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.familyName</ClaimURI>
              <DisplayName>Name - Family Name</DisplayName>
              <AttributeID>sn</AttributeID>
              <Description>Family Name</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/lastname</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.formatted</ClaimURI>
              <DisplayName>Name - Formatted Name</DisplayName>
              <AttributeID>formattedName</AttributeID>
              <Description>Formatted Name</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/formattedName</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.middleName</ClaimURI>
              <DisplayName>Name - Middle Name</DisplayName>
              <AttributeID>middleName</AttributeID>
              <Description>Middle Name</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/middleName</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.honorificPrefix</ClaimURI>
              <DisplayName>Name - Honoric Prefix</DisplayName>
              <AttributeID>honoricPrefix</AttributeID>
              <Description>Honoric Prefix</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/honorificPrefix</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:name.honorificSuffix</ClaimURI>
              <DisplayName>Name - Honoric Suffix</DisplayName>
              <AttributeID>honoricSuffix</AttributeID>
              <Description>Honoric Suffix</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/honorificSuffix</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:displayName</ClaimURI>
              <DisplayName>Display Name</DisplayName>
              <AttributeID>displayName</AttributeID>
              <Description>Display Name</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/displayName</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:nickName</ClaimURI>
              <DisplayName>Nick Name</DisplayName>
              <AttributeID>nickName</AttributeID>
              <Description>Nick Name</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/nickname</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:profileUrl</ClaimURI>
              <DisplayName>Profile URL</DisplayName>
              <AttributeID>url</AttributeID>
              <Description>Profile URL</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/url</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:title</ClaimURI>
              <DisplayName>Title</DisplayName>
              <AttributeID>title</AttributeID>
              <Description>Title</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/title</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:userType</ClaimURI>
              <DisplayName>User Type</DisplayName>
              <AttributeID>userType</AttributeID>
              <Description>User Type</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/userType</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:preferredLanguage</ClaimURI>
              <DisplayName>Preferred Language</DisplayName>
              <AttributeID>preferredLanguage</AttributeID>
              <Description>Preferred Language</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/preferredLanguage</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:locale</ClaimURI>
              <DisplayName>Locality</DisplayName>
              <AttributeID>localityName</AttributeID>
              <Description>Locality</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/local</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:timezone</ClaimURI>
              <DisplayName>Time Zone</DisplayName>
              <AttributeID>timeZone</AttributeID>
              <Description>Time Zone</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/timeZone</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:active</ClaimURI>
              <DisplayName>Active</DisplayName>
              <AttributeID>active</AttributeID>
              <Description>Active</Description>
              <DisplayOrder>2</DisplayOrder>
              <Required />
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/active</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:emails.work</ClaimURI>
              <DisplayName>Emails - Work Email</DisplayName>
              <AttributeID>workEmail</AttributeID>
              <Description>Work Email</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/emails.work</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:emails.home</ClaimURI>
              <DisplayName>Emails - Home Email</DisplayName>
              <AttributeID>homeEmail</AttributeID>
              <Description>Home Email</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/emails.home</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:emails.other</ClaimURI>
              <DisplayName>Emails - Other Email</DisplayName>
              <AttributeID>otherEmail</AttributeID>
              <Description>Other Email</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/emails.other</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.mobile</ClaimURI>
              <DisplayName>Phone Numbers - Mobile Number</DisplayName>
              <AttributeID>mobile</AttributeID>
              <Description>Mobile Number</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/mobile</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.home</ClaimURI>
              <DisplayName>Phone Numbers - Home Phone Number</DisplayName>
              <AttributeID>homePhone</AttributeID>
              <Description>Home Phone</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/phoneNumbers.home</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.work</ClaimURI>
              <DisplayName>Phone Numbers - Work Phone Number</DisplayName>
              <AttributeID>workPhone</AttributeID>
              <Description>Work Phone</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/phoneNumbers.work</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers.other</ClaimURI>
              <DisplayName>Phone Numbers - Other</DisplayName>
              <AttributeID>otherPhoneNumber</AttributeID>
              <Description>Other Phone Number</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
              <MappedLocalClaim>http://wso2.org/claims/phoneNumbers.other</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:ims.gtalk</ClaimURI>
              <DisplayName>IM - Gtalk</DisplayName>
              <AttributeID>imGtalk</AttributeID>
              <Description>IM - Gtalk</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/gtalk</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:ims.skype</ClaimURI>
              <DisplayName>IM - Skype</DisplayName>
              <AttributeID>imSkype</AttributeID>
              <Description>IM - Skype</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/skype</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:photos.photo</ClaimURI>
              <DisplayName>Photo</DisplayName>
              <AttributeID>photoUrl</AttributeID>
              <Description>Photo</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/photourl</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:photos.thumbnail</ClaimURI>
              <DisplayName>Photo - Thumbnail</DisplayName>
              <AttributeID>thumbnail</AttributeID>
              <Description>Photo - Thumbnail</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/thumbnail</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:addresses.home</ClaimURI>
              <DisplayName>Address - Home</DisplayName>
              <AttributeID>localityAddress</AttributeID>
              <Description>Address - Home</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/addresses.locality</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:addresses.work</ClaimURI>
              <DisplayName>Address - Work</DisplayName>
              <AttributeID>region</AttributeID>
              <Description>Address - Work</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/region</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:groups</ClaimURI>
              <DisplayName>Groups</DisplayName>
              <AttributeID>groups</AttributeID>
              <Description>Groups</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/groups</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:entitlements.default</ClaimURI>
              <DisplayName>Entitlements</DisplayName>
              <AttributeID>entitlements</AttributeID>
              <Description>Entitlements</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/entitlements</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:roles.default</ClaimURI>
              <DisplayName>Roles</DisplayName>
              <AttributeID>roles</AttributeID>
              <Description>Roles</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/role</MappedLocalClaim>
          </Claim>
          <Claim>
              <ClaimURI>urn:ietf:params:scim:schemas:core:2.0:User:x509Certificates.default</ClaimURI>
              <DisplayName>X509Certificates</DisplayName>
              <AttributeID>x509Certificates</AttributeID>
              <Description>X509Certificates</Description>
              <DisplayOrder>5</DisplayOrder>
              <SupportedByDefault />
              <MappedLocalClaim>http://wso2.org/claims/x509Certificates</MappedLocalClaim>
          </Claim>
      </Dialect>
      application-authentication.xml file stored in the <IS_HOME>/repository/conf/identity folder.

      Add the following parameter within the FacebookAuthenticator tag.

      <!--<Parameter name="ClaimDialectUri">http://wso2.org/facebook/claims</Parameter>-->

      Add the following parameter within the relevant tags of the following authenticators: MobileConnectAuthenticator, EmailOTP, SMSOTP and totp.

      <Parameter name="redirectToMultiOptionPageOnFailure">false</Parameter>
      entitlement.properties file stored in the <IS_HOME>/repository/conf/identity folder.

      WSO2 IS 5.4.0 introduces a set of new XACML policies that load at server startup when the PAP.Policy.Add.Start.Enable property is set to true.
      Therefore, when you upgrade to IS 5.4.0, follow one of the steps below depending on whether you want to add the new policies:

      • If you want to add the new policies on server startup, set both PDP.Balana.Config.Enable and PAP.Policy.Add.Start.Enable properties to true.
      • If you do not want to add the new policies on server startup, set both PDP.Balana.Config.Enable and PAP.Policy.Add.Start.Enable properties to false.

      Note

      If you set the PDP.Balana.Config.Enable property to false, while the PAP.Policy.Add.Start.Enable property is set to true, the server does not look for the balana-config.xml file on startup. This results in an error as follows because the balana-config.xml file includes functions required by the new XACML policies:

      TID: [-1234] [] [2018-01-01 01:16:37,547] ERROR
      {org.wso2.carbon.identity.entitlement.EntitlementUtil}
      Error while adding sample XACML policies
      java.lang.IllegalArgumentException: Error while parsing start up policy

      Recommended: See the WSO2 IS 5.4.0 migration guide for more information.

    4. Replace the <NEW_IS_HOME>/repository/conf folder with the modified copy of the <OLD_IS_HOME>/repository/conf folder.

    5. Proceed to the Migrating the data section to run the migration client.
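The entitlement.properties change in step 3 above is easy to get half right, so here is a small consistency check (an added example, not part of the WSO2 documentation or product). It parses the two properties the page names, flags the Balana=false/PAP=true combination that the quoted log error comes from, and scans log lines for that error message; the properties excerpt and log lines are constructed samples.

```python
"""Consistency check for PDP.Balana.Config.Enable and PAP.Policy.Add.Start.Enable.

Rule from the migration notes: both properties must carry the same value.
Balana=false with PAP=true makes the server skip balana-config.xml while still
loading the new XACML policies, which fails at startup with
"Error while adding sample XACML policies".
"""
import re

BALANA_KEY = "PDP.Balana.Config.Enable"
PAP_KEY = "PAP.Policy.Add.Start.Enable"
# Message quoted from wso2carbon.log in the migration notes for the broken combination.
POLICY_LOAD_ERROR = "Error while adding sample XACML policies"


def parse_properties(text):
    """Minimal Java .properties reader: skips blanks and '#'/'!' comments,
    accepts '=' or ':' as separator, strips surrounding whitespace."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_entitlement_properties(text):
    """Return (ok, message) for the Balana/PAP combination in entitlement.properties content."""
    props = parse_properties(text)
    balana = props.get(BALANA_KEY, "").lower() == "true"
    pap = props.get(PAP_KEY, "").lower() == "true"
    if balana == pap:
        state = "added" if pap else "not added"
        return True, f"consistent: new XACML policies will be {state} at startup"
    if pap and not balana:
        return False, (f"{PAP_KEY}=true but {BALANA_KEY}=false: balana-config.xml "
                       "is not read, startup policy load will fail")
    return False, f"{BALANA_KEY}=true but {PAP_KEY}=false: set both to the same value"


def find_policy_load_errors(log_lines):
    """Post-startup check: return the log lines carrying the policy load error."""
    return [line for line in log_lines if POLICY_LOAD_ERROR in line]


# Constructed sample input (not from a real deployment).
SAMPLE_BAD = """# entitlement.properties excerpt (constructed)
PDP.Balana.Config.Enable=false
PAP.Policy.Add.Start.Enable=true
"""
SAMPLE_GOOD = "PDP.Balana.Config.Enable=true\nPAP.Policy.Add.Start.Enable=true\n"
SAMPLE_LOG = [
    "TID: [-1234] [] [2018-01-01 01:16:37,547] ERROR "
    "{org.wso2.carbon.identity.entitlement.EntitlementUtil} Error while adding sample XACML policies",
    "TID: [-1234] [] [2018-01-01 01:16:38,000]  INFO "
    "{org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} Server started",
]

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        ok, msg = check_entitlement_properties(sample)
        print(f"{name}: {'OK' if ok else 'MISCONFIGURED'} - {msg}")
    print("policy load errors in log:", len(find_policy_load_errors(SAMPLE_LOG)))
```

Run it against the real <NEW_IS_HOME>/repository/conf/identity/entitlement.properties before starting the server, and against wso2carbon.log afterwards.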

Migrating the custom components

Any custom OSGI bundles which were added manually should be recompiled with new dependency versions that are relevant to the new WSO2 IS version. All custom OSGI components reside in the <OLD_IS_HOME>/repository/components/dropins directory.

  1. Get the source codes of the custom OSGI components located in the dropins directory.
  2. Change the dependency versions in the relevant POM files according to the WSO2 IS version that you are upgrading to, and compile them. The compatible dependency versions for each release of WSO2 IS are given below.

  3. If you come across any compile time errors, refer to the WSO2 IS code base and make the necessary changes related to that particular component version.

  4. Add the compiled JAR files to the <NEW_IS_HOME>/repository/components/dropins directory.
  5. If there were any custom OSGI components in <OLD_IS_HOME>/repository/components/lib directory, add newly compiled versions of those components to the <NEW_IS_HOME>/repository/components/lib directory.

Migrating the data

To upgrade the version of WSO2 Identity Server, the user store database should be upgraded. Note that there are no registry schema changes between versions. 

Follow the steps below as needed to complete the migration process.

Download the latest version of WSO2 Identity Server and unzip it in the <NEW_IS_HOME> directory.

  1. Take a backup of the existing database used by the <OLD_IS>. This backup is necessary in case the migration causes issues in the existing database.
    Make the following database updates as indicated below.
    1. Download the migration resources and unzip it to a local directory. This folder is referred to as <IS_MIGRATION_TOOL_HOME>.

    2. Copy the org.wso2.carbon.is.migration-5.x.x.jar and the snakeyaml-1.16.0.wso2v1.jar found in the <IS_MIGRATION_TOOL_HOME> folder, and paste them in the <NEW_IS_HOME>/repository/components/dropins directory.

    3. Copy the migration-resources folder to the <NEW_IS_HOME> root folder.

    4. Set the following property values accordingly in the migration-config.yaml file found in the <NEW_IS_HOME>/migration-resources folder. Specify the current WSO2 Identity Server version as the currentVersion value, and the new version of WSO2 Identity Server that you want to migrate to as the migrateVersion value.

      migrationEnable: "true"
      currentVersion: "5.x.x"
      migrateVersion: "5.x.x"
  2. Copy any custom OSGI bundles that were added manually from the <OLD_IS_HOME>/repository/components/dropins folder and paste them in the <NEW_IS_HOME>/repository/components/dropins folder.
  3. Copy any added JAR files from the <OLD_IS_HOME>/repository/components/lib folder and paste them in the <NEW_IS_HOME>/repository/components/lib folder.

  4. Copy the .jks files from the <OLD_IS_HOME>/repository/resources/security folder and paste them in <NEW_IS_HOME>/repository/resources/security folder. 

  5. If you have created tenants in the previous WSO2 Identity Server version and if there are any resources in the <OLD_IS_HOME>/repository/tenants directory, copy the content to the <NEW_IS_HOME>/repository/tenants directory.
  6. If you have created secondary user stores in the previous WSO2 IS version, copy the content in the <OLD_IS_HOME>/repository/deployment/server/userstores directory to the <NEW_IS_HOME>/repository/deployment/server/userstores directory.

    Note: If your current version is 5.0.0, run the following queries on the database that is referenced in the identity.xml file to identify any corrupted data (active tokens whose AUTHZ_USER contains a space before the '@' sign, or no '@' sign at all).

    SELECT * FROM IDN_OAUTH2_ACCESS_TOKEN WHERE AUTHZ_USER LIKE '% @%' AND TOKEN_STATE='ACTIVE';
    SELECT * FROM IDN_OAUTH2_ACCESS_TOKEN WHERE AUTHZ_USER NOT LIKE '%@%' AND TOKEN_STATE='ACTIVE';
  7. Start WSO2 Identity Server with the following command to perform the data migration for all components. 

    1. Linux/Unix:

      sh wso2server.sh -Dmigrate -Dcomponent=identity
    2. Windows:

      wso2server.bat -Dmigrate -Dcomponent=identity
  8. Once the migration is successful, stop the server and remove the following files and folders from the <NEW_IS_HOME>/repository/components/dropins directory.

    1. org.wso2.carbon.is.migration-5.x.x.jar

    2. snakeyaml-1.16.0.wso2v1.jar 

    3. migration-resources directory
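To show what the two corrupted-data queries in step 6 above actually catch, here is an added example (not part of the WSO2 documentation or product) that runs them unchanged against an in-memory SQLite copy of IDN_OAUTH2_ACCESS_TOKEN. The table is reduced to the two columns the queries use plus a token column for readable output (the real Oracle table has more columns), and the rows are constructed samples.

```python
"""Pre-migration check for malformed AUTHZ_USER values in IDN_OAUTH2_ACCESS_TOKEN.

Runs the two SELECT statements from the migration notes against a reduced,
in-memory copy of the table. Schema and rows are constructed for the example;
against the real database, run the same statements on the datasource that
identity.xml points to.
"""
import sqlite3

# The two queries from the migration notes, verbatim minus the trailing semicolon.
QUERY_SPACE_BEFORE_AT = (
    "SELECT * FROM IDN_OAUTH2_ACCESS_TOKEN "
    "WHERE AUTHZ_USER LIKE '% @%' AND TOKEN_STATE='ACTIVE'"
)
QUERY_NO_AT = (
    "SELECT * FROM IDN_OAUTH2_ACCESS_TOKEN "
    "WHERE AUTHZ_USER NOT LIKE '%@%' AND TOKEN_STATE='ACTIVE'"
)

SAMPLE_ROWS = [
    # (ACCESS_TOKEN, AUTHZ_USER, TOKEN_STATE) -- constructed sample data
    ("tok-001", "alice@carbon.super", "ACTIVE"),          # well-formed user@tenant
    ("tok-002", "bob @carbon.super", "ACTIVE"),           # stray space before '@'
    ("tok-003", "carol", "ACTIVE"),                       # tenant domain missing
    ("tok-004", "dave", "EXPIRED"),                       # malformed, but not ACTIVE: ignored
    ("tok-005", "erin@wso2.com@carbon.super", "ACTIVE"),  # e-mail username, still has '@'
]


def load_sample_db(rows=SAMPLE_ROWS):
    """Create the reduced IDN_OAUTH2_ACCESS_TOKEN table in memory and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN ("
        "ACCESS_TOKEN TEXT PRIMARY KEY, AUTHZ_USER TEXT, TOKEN_STATE TEXT)"
    )
    conn.executemany("INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES (?, ?, ?)", rows)
    return conn


def find_corrupted_tokens(conn):
    """Run both queries; return {check_name: [AUTHZ_USER, ...]} for the rows they flag."""
    checks = {"space_before_at": QUERY_SPACE_BEFORE_AT, "no_at_sign": QUERY_NO_AT}
    # Column 1 of SELECT * is AUTHZ_USER in the reduced schema above.
    return {name: [row[1] for row in conn.execute(sql)] for name, sql in checks.items()}


def migration_precheck(rows=SAMPLE_ROWS):
    """Return True when no ACTIVE token carries a malformed AUTHZ_USER."""
    hits = find_corrupted_tokens(load_sample_db(rows))
    return not any(hits.values())


if __name__ == "__main__":
    for check, users in find_corrupted_tokens(load_sample_db()).items():
        print(f"{check}: {users}")
    print("safe to migrate:", migration_precheck())
```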
