Email Username with WSO2 Identity Server

In my previous post, we discussed how we can configure Identity Server (connected with LDAP) to authenticate users with multiple attributes. But I have seen that there are some conflicts around using an email username with Identity Server. Let me explain them briefly.

Why is it not possible to authenticate with the email attribute in Identity Server by default?

  • Identity Server supports multi-tenancy, and “@” is used to separate the tenant-aware username from the tenant domain.
  • If user “bar” belongs to the “foo.com” tenant, the fully qualified username is “bar@foo.com”.
  • So if you use an email address such as “bob@soasecurity.org” to authenticate with Identity Server, it treats “soasecurity.org” as a tenant domain, which causes a problem.
  • If there is no tenant named “soasecurity.org”, you get the following error:
[2014-10-07 16:26:50,617] ERROR {org.wso2.carbon.authenticator.proxy.AuthenticationAdminClient} - Error occurred while logging in
org.apache.axis2.AxisFault: Invalid domain or unactivated tenant login
 at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
  • If a tenant named “soasecurity.org” does exist, the authentication request is dispatched to the “soasecurity.org” tenant, not to the super tenant.

How can we avoid the above behavior?

There are two ways.

Approach 1. You can avoid this by configuring the following property in the carbon.xml file:

<EnableEmailUserName>true</EnableEmailUserName>

Then you can log in with the email “bob@soasecurity.org” and the request is dispatched to the super tenant. A user with any other attribute (without “@”) is also dispatched to the super tenant.

Note: If you are using the JDBC based user store (“org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager”) in the user-mgt.xml file, you need to add the following property under the JDBC user store configuration. If you do not add it, users who do not have an email username fail to authenticate. You do not need to add this property for LDAP based user stores.

<Property name="UsernameWithEmailJavaScriptRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>

If you are using an LDAP based user store, make sure that you have modified the “UserNameSearchFilter” so that it also matches on the mail attribute, and that you have disabled the “UserDNPattern”, as follows (the leading “&” of the filter is written as “&amp;” because it sits inside XML):

<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(|(mail=?)(uid=?)))</Property>
<!--Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property-->
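To see why both changes are needed, here is a small model of what the LDAP user store does with the search filter template and the DN pattern. It is an added example written for this post, not WSO2's code: the “?” substitution with RFC 4515 escaping, the filter evaluator and the sample directory (users “bob” and “alice”) are all constructed here, and the escaping is assumed to mirror what a sane user store manager does before sending the filter to the directory.

```python
"""Model of how an LDAP user store turns the UserNameSearchFilter template
into a search, and why a uid-based UserDNPattern must be disabled for email
logins. Illustrative code written for this post, not WSO2's own
implementation; the directory below is constructed sample data."""
import re
from typing import Dict, List, Tuple, Union

# The two filters from the text. In user-mgt.xml the leading "&" is written
# as "&amp;" because the filter sits inside XML.
UID_FILTER = "(&(objectClass=person)(uid=?))"
MAIL_OR_UID_FILTER = "(&(objectClass=person)(|(mail=?)(uid=?)))"
USER_DN_PATTERN = "uid={0},ou=Users,dc=wso2,dc=org"

# Constructed sample directory: DN -> attributes (attribute names lower-cased).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=bob,ou=Users,dc=wso2,dc=org": {
        "objectclass": ["person", "inetOrgPerson"],
        "uid": ["bob"],
        "mail": ["bob@soasecurity.org"],
    },
    "uid=alice,ou=Users,dc=wso2,dc=org": {
        "objectclass": ["person", "inetOrgPerson"],
        "uid": ["alice"],
        "mail": ["alice@soasecurity.org"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the value substituted for "?". Without it a login
    name such as "*)(uid=*" would change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template: str, login_name: str) -> str:
    """Substitute every "?" in the template with the escaped login name."""
    return template.replace("?", escape_filter_value(login_name))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


Node = Union[Tuple[str, list], Tuple[str, str, str]]


def _parse(f: str, i: int) -> Tuple[Node, int]:
    """Recursive-descent parser for the filter subset used here: AND, OR and
    equality items. Returns (node, index just past the item)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, children = f[i], i + 1, []
        while f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    end = f.index(")", i)
    attr, sep, value = f[i:end].partition("=")
    if not sep:
        raise ValueError("only equality items are supported")
    return ("=", attr.lower(), _unescape(value)), end + 1


def parse_filter(f: str) -> Node:
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing characters after filter")
    return node


def matches(entry: Dict[str, List[str]], node: Node) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(entry, c) for c in node[1])
    if node[0] == "|":
        return any(matches(entry, c) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def find_user(directory: Dict[str, Dict[str, List[str]]], template: str, login_name: str) -> List[str]:
    """DNs the user store would get back when it searches with this filter."""
    node = parse_filter(render_filter(template, login_name))
    return [dn for dn, entry in directory.items() if matches(entry, node)]


def dn_from_pattern(pattern: str, login_name: str) -> str:
    """With UserDNPattern set, the store binds directly to this DN instead of
    searching, so an email login yields a DN that does not exist."""
    return pattern.replace("{0}", login_name)


if __name__ == "__main__":
    for template in (UID_FILTER, MAIL_OR_UID_FILTER):
        for login in ("bob", "bob@soasecurity.org", "*)(uid=*"):
            print(template, login, "->", find_user(DIRECTORY, template, login))
    print(dn_from_pattern(USER_DN_PATTERN, "bob@soasecurity.org") in DIRECTORY)
```

With the default uid-only filter, “bob@soasecurity.org” finds nobody; with the OR filter the same login resolves to bob's entry while “bob” still works. The DN pattern, if left enabled, would make the store bind as “uid=bob@soasecurity.org,ou=Users,dc=wso2,dc=org”, which does not exist, so the search filter never gets a chance to run.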

Approach 2. You can do this without enabling the EnableEmailUserName property: always use the username together with its tenant domain. Append the super tenant domain to your email username and it works:

bob@soasecurity.org@carbon.super

A user with any other attribute (without “@”) is also dispatched to the super tenant.

Does the above apply to tenant users as well? Can some users log in with email while others log in with some other attribute?

There are two approaches.

Approach 1. If the following property is configured in the carbon.xml file:

<EnableEmailUserName>true</EnableEmailUserName>

Then,

  • A user in the super tenant can log in with the email attribute -> bob@soasecurity.org
  • A user in the super tenant can log in with any other attribute -> bob
  • A user in the “foo.com” tenant can log in with the email attribute -> bob@soasecurity.org@foo.com
  • A user in the “foo.com” tenant can log in with any other attribute -> CANNOT

So all tenant users must use email as their username. If a tenant user tries some other username (for example bob@foo.com), the single “@” is taken as part of an email username and the request is always dispatched to the super tenant domain. You therefore cannot use any other attribute to log in when the email username has been enabled in carbon.xml.

Approach 2. Without configuring the email username property in carbon.xml.

Then,

  • A user in the super tenant can log in with the email attribute -> bob@soasecurity.org@carbon.super
  • A user in the super tenant can log in with any other attribute -> bob
  • A user in the “foo.com” tenant can log in with the email attribute -> bob@soasecurity.org@foo.com
  • A user in the “foo.com” tenant can log in with any other attribute -> bob@foo.com

A user who has an email username in the super tenant must log in by appending the super tenant domain (“@carbon.super”) to the email address.
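The two tables above come down to one rule for splitting a login name at “@”. The following is an added model of that rule written for this post, not WSO2's own implementation; it reproduces the cases listed for both approaches, including the “Invalid domain or unactivated tenant login” failure from the log above. The set of active tenants (only “foo.com” besides the super tenant) is constructed for the example.

```python
"""Model of how a login name is split into the tenant-aware username and the
tenant domain, with and without EnableEmailUserName, covering the cases listed
for both approaches above. Illustrative code written for this post, not WSO2's
own implementation; the set of active tenants is constructed."""
from typing import Set, Tuple

SUPER_TENANT_DOMAIN = "carbon.super"


class TenantLoginError(Exception):
    """Stands in for the 'Invalid domain or unactivated tenant login' fault."""


def resolve_tenant(login_name: str, email_username_enabled: bool) -> Tuple[str, str]:
    """Return (tenant_aware_username, tenant_domain) for a login name."""
    if "@" not in login_name:
        # No separator: a plain username in the super tenant.
        return login_name, SUPER_TENANT_DOMAIN
    if email_username_enabled and login_name.count("@") == 1:
        # With EnableEmailUserName a single "@" belongs to the email address,
        # so the whole string is the username and the tenant is the super
        # tenant. This is also why "bob@foo.com" (user bob of tenant foo.com
        # logging in with a non-email name) can no longer be expressed: it is
        # taken as an email username of the super tenant, where no such user
        # exists, and the login fails.
        return login_name, SUPER_TENANT_DOMAIN
    # Otherwise everything after the LAST "@" is the tenant domain.
    username, _, tenant = login_name.rpartition("@")
    return username, tenant


def dispatch_login(login_name: str, email_username_enabled: bool,
                   active_tenants: Set[str]) -> Tuple[str, str]:
    """Resolve the login and fail the way the server does when the derived
    tenant domain does not exist or is not activated."""
    username, tenant = resolve_tenant(login_name, email_username_enabled)
    if tenant != SUPER_TENANT_DOMAIN and tenant not in active_tenants:
        raise TenantLoginError("Invalid domain or unactivated tenant login: %r" % tenant)
    return username, tenant


def login_outcome(login_name: str, email_username_enabled: bool,
                  active_tenants: Set[str]) -> str:
    """One-line description of where a login ends up, used for the table below."""
    try:
        username, tenant = dispatch_login(login_name, email_username_enabled, active_tenants)
    except TenantLoginError as exc:
        return "ERROR: %s" % exc
    return "user %r in tenant %r" % (username, tenant)


if __name__ == "__main__":
    # Constructed deployment: only the super tenant and tenant "foo.com" exist.
    tenants = {"foo.com"}
    logins = ["bob", "bob@soasecurity.org", "bob@soasecurity.org@carbon.super",
              "bob@foo.com", "bob@soasecurity.org@foo.com"]
    for enabled in (True, False):
        print("EnableEmailUserName=%s" % str(enabled).lower())
        for login in logins:
            print("  %-38s -> %s" % (login, login_outcome(login, enabled, tenants)))
```

Running it prints both tables side by side: with the property enabled, “bob@soasecurity.org” lands in the super tenant and “bob@foo.com” is no longer a tenant login; with it disabled, “bob@soasecurity.org” fails unless a tenant “soasecurity.org” exists, and “bob@soasecurity.org@carbon.super” is the form that works in both modes.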

How to create users with email usernames

When WSO2 IS is connected with an LDAP based user store

If Identity Server is connected to LDAP/AD, you can create users with email usernames. You need to modify the following properties in the user store configuration.

  • Configure the following user store property:
<Property name="UserNameAttribute">mail</Property>
  • The DN is then created with the mail attribute, as below, and the user's mail attribute is set to the given username (the email address):
mail=bob@soasecurity.org, ou=users, dc=wso2, dc=com
  • Configure a proper regex for this, and the search filter must contain the mail attribute (the leading “&” is written as “&amp;” inside the XML):
<Property name="UsernameJavaRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(mail=?))</Property>
  • If you enable “EnableEmailUserName” in carbon.xml, the username regex is governed by the following property, not by “UsernameJavaRegEx” as mentioned above. Therefore you also need to configure the property UsernameWithEmailJavaScriptRegEx:
<Property name="UsernameWithEmailJavaScriptRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>
  • Note that in the above approach the DN is created with the mail attribute. However, you can build the DN from any attribute by naming it in this same property (mail shown here):
<Property name="UserNameAttribute">mail</Property>
  • Say you want to use CN in the DN but still create the user with a mail attribute. You can simply use the Web Service API or SCIM. You can find more details about the Web Service API here. If you are using the management console, create the user first and then update the user profile to add the email attribute.
When WSO2 IS is connected with a JDBC based user store (existing WSO2 schema)

If Identity Server is connected to a JDBC user store, you can create users with email usernames. You need to modify the following properties in the user store configuration.

  • Configure a proper regex for the username:
<Property name="UsernameJavaRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>
  • If you enable “EnableEmailUserName” in carbon.xml, the username regex is governed by the following property, not by “UsernameJavaRegEx” as mentioned above. Therefore you also need to configure the property UsernameWithEmailJavaScriptRegEx:
<Property name="UsernameWithEmailJavaScriptRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>
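The LDAP and JDBC sections above share the same two questions: which regex property governs a username once EnableEmailUserName is on, and (for LDAP) what DN gets created when UserNameAttribute is mail. The following is an added example written for this post, not WSO2's code. It assumes the regex is applied to the whole username (Java String.matches semantics, modelled here with re.fullmatch) and that a JDBC store with EnableEmailUserName but no UsernameWithEmailJavaScriptRegEx rejects every username, which is the failure the note earlier warns about; the store configurations are constructed from the properties shown on this page.

```python
"""Model of which username regex applies when a user is created or
authenticated, and of the DN an LDAP user store builds when UserNameAttribute
is "mail". Illustrative code written for this post, not WSO2's own
implementation. Assumptions: whole-string matching (Java String.matches,
modelled with re.fullmatch), and a store whose governing regex property is
missing rejects every username."""
import re
from typing import Dict, Optional

# The regex value used for both properties on this page. Note that inside the
# character class "_-|" is a RANGE (0x5F to 0x7C), so besides letters, digits,
# "@", ".", "_", "-", "|" and "/" it also admits "`" and "{"; escape the hyphen
# ("\-") if you want the literal set instead.
PAGE_REGEX = r"[a-zA-Z0-9@._-|//]{3,30}$"

# Constructed LDAP store using the properties from the LDAP section.
LDAP_STORE: Dict[str, str] = {
    "UserNameAttribute": "mail",
    "UserNameSearchFilter": "(&(objectClass=person)(mail=?))",  # "&amp;" inside XML
    "UsernameJavaRegEx": PAGE_REGEX,
    "UsernameWithEmailJavaScriptRegEx": PAGE_REGEX,
}

# Constructed JDBC store where UsernameWithEmailJavaScriptRegEx was forgotten.
JDBC_STORE_MISSING_EMAIL_REGEX: Dict[str, str] = {
    "UsernameJavaRegEx": PAGE_REGEX,
}


def effective_username_regex(store: Dict[str, str], email_username_enabled: bool) -> Optional[str]:
    """With EnableEmailUserName the server consults UsernameWithEmailJavaScriptRegEx
    instead of UsernameJavaRegEx; None means the governing property is absent."""
    key = "UsernameWithEmailJavaScriptRegEx" if email_username_enabled else "UsernameJavaRegEx"
    return store.get(key)


def is_valid_username(username: str, store: Dict[str, str], email_username_enabled: bool) -> bool:
    """Validate a username against whichever regex property is in force."""
    regex = effective_username_regex(store, email_username_enabled)
    if regex is None:
        return False  # models: no email regex configured -> every login is rejected
    return re.fullmatch(regex, username) is not None


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used in a DN. The page's regex
    keeps these characters out of usernames, but a widened regex must not be
    able to break the DN."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_user_dn(username: str, store: Dict[str, str], user_search_base: str) -> str:
    """The DN the store creates for a new user: <UserNameAttribute>=<username>,<base>."""
    return "%s=%s,%s" % (store["UserNameAttribute"], escape_dn_value(username), user_search_base)


if __name__ == "__main__":
    for name in ("bob@soasecurity.org", "bob", "bo", "bob+test@soasecurity.org", "a{b"):
        print("%-28s valid=%s" % (name, is_valid_username(name, LDAP_STORE, True)))
    print(build_user_dn("bob@soasecurity.org", LDAP_STORE, "ou=users,dc=wso2,dc=com"))
    print("jdbc without email regex:", is_valid_username("bob", JDBC_STORE_MISSING_EMAIL_REGEX, True))
```

The last line is the JDBC pitfall from the note above: the same username that passes with EnableEmailUserName off is rejected once it is on, because the server now reads a property the store never defined. The “a{b” case shows the unintended range in the page's character class; tighten the regex before relying on it as an allow-list.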