Managing User Attributes With WSO2 Identity Server

If you are using Identity Server for user and role management,You may wonder how we could manage user’s attributes with it.  In identity server, each user store attribute can be mapped as a claim. Therefore you need to go through claim management and properly map your LDAP/AD/JDBC user store attributes with the claim uris defined by the Identity Server. You can also add different claim uri and manage them using claim management. Please go through more detail from here

Get/add/update/delete user’s attributes

There are three ways that you can do it.

1. User profile feature in management console

2. You can use remote user store manager web service API. It is SOAP base API and very easy to use. Please refer more detail from here.

Say, You want to set a user attribute, You can call following method. Here “http://wso2.org/claims/emailaddress” is claim uri that has been mapped with user store’s email attribute. Last parameter is profile, we can just pass “null”, as there is only one profile.

setUserClaimValue("username", "http://wso2.org/claims/emailaddress", "[email protected]", null)

You can retrieve user attribute value as follow

getUserClaimValue("username", "http://wso2.org/claims/emailaddress", null)

3. REST web service according to the SCIM provisioning specification. More details can be found from here.

Claim Mapping with Multiple user stores

When you are using more than one use stores, you need to map the attributes correctly using claim management. Under “Mapped Attribute (s)” you need to follow the pattern.

{domain_name/attribute_Name};{domain_name/attribute_Name}; {domain_name/attribute_Name};

But for default user store, you do not want to provide the domain name. As an example, if you have two user stores, one is default and other one with domain “LDAP” then patter would be as follows for “http://wso2.org/claims/emailaddress”

email;LDAP/mail

Mullti value attributes

If your user store supports for mullti values attribute, Identity Server can get/add/update/delete them (Normally LDAP/AD are supported). In Identity Server multiple attribute values are separated by comma. If you want to update two email using user profile UI, you need to provide it as follows.


In API,

setUserClaimValue("username", "http://wso2.org/claims/emailaddress", "[email protected],[email protected]", null)

GET result also returned with comma separated values as following

"[email protected],[email protected]"

In LDAP,  you would find

 

Custom attributes

Say, user’s attribute can be in both user store (LDAP) and some other place (JDBC table). Then Identity Server needs to retrieve/add the user’s attribute in to two places. It seems to be some customization must be done. Yes… You can simply extend the current user store manager implementation and write a custom implementation to do it. In the custom user store implementation , you only need to extend following three methods which helps to retrieve/add user attribute. Other methods can be keep as it is.

 public Map<String, String> getUserPropertyValues(String userName, String[] propertyNames, String profileName) throws UserStoreException
 protected abstract void doSetUserClaimValue(String userName, String claimURI, String claimValue, String profileName) throws UserStoreException;
 protected abstract void doSetUserClaimValues(String userName, Map<String, String> claims, String profileName) throws UserStoreException;

You can follow the steps of writing a custom user store manager from here