
What is the correct way of linking local user account to federated user in WSO2 Identity server 5.10.0

I am using the Google authenticator (OAuth2 client) as an Identity Provider in WSO2 5.10.0. I created a Service Provider which uses this Google authenticator for federated authentication.

When the user logs in for the first time using Google credentials (Gmail), I am able to create a local user by storing the user in the local user store through Just-In-Time Provisioning in the Identity Provider. https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/

After the first login I assign roles to the local user manually.

Now when the user logs in again using federated (Google) authentication, the roles that I provided to the local user do not get linked with the federated user.

I read about associating user accounts https://is.docs.wso2.com/en/latest/learn/associating-user-accounts/ using the WSO2 user portal.

I tried adding

[user.association] enable_for_federated_users = true

in deployment.toml. But when I open the user portal, I only see the option of linking a local user account to another local user account.

I want to link the user account with the federated user such that when the federated user logs in, it takes the roles provided to the local user earlier and passes through the XACML role-based policy.

XACML policy

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="role_based_login_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_Name</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
            </Match>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="permit_by_roles">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
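To see what the policy above decides for a subject whose roles did not come through, here is a small evaluator for just the XACML 3.0 subset this policy uses (string-equal target matches, string-is-in, or, first-applicable). It is an added example, not part of the original question and not WSO2's PDP; the request attributes and SP name are constructed sample data. Note the effect of MustBePresent="true" on the role designator: a subject with no role attribute at all does not fall through to deny_others, the Permit rule becomes Indeterminate and first-applicable returns Indeterminate, which an enforcement point treats as not permitted.

```python
"""Minimal evaluator for the XACML 3.0 subset used by role_based_login_policy.

Added example (not from the question or from WSO2). Implements only what the
posted policy needs: string-equal in Target matches, string-is-in, or, and
the first-applicable rule-combining algorithm.
"""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# The policy as posted in the question (Description shortened), SP_Name left as-is.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="role_based_login_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Description>Permit users of SP_Name holding at least one listed role; deny all others.</Description>
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_Name</AttributeValue>
      <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
      <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Rule Effect="Permit" RuleId="permit_by_roles"><Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Apply>
  </Condition></Rule>
  <Rule Effect="Deny" RuleId="deny_others"/>
</Policy>"""


def request_for(sp_name, roles):
    """Constructed request: (Category, AttributeId) -> bag of string values."""
    return {
        ("http://wso2.org/identity/sp", "http://wso2.org/identity/sp/sp-name"): [sp_name],
        ("http://wso2.org/identity/identity-action",
         "http://wso2.org/identity/identity-action/action-name"): ["authenticate"],
        ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
         "http://wso2.org/claims/role"): list(roles),
    }


def _designator_values(elem, request):
    """Resolve a designator; None signals 'missing and MustBePresent' (Indeterminate)."""
    values = request.get((elem.get("Category"), elem.get("AttributeId")), [])
    if not values and elem.get("MustBePresent") == "true":
        return None
    return values


def _match(m, request):
    # Only string-equal is used as MatchId; Target designators have MustBePresent=false,
    # so a missing attribute is simply no match.
    value = m.find("x:AttributeValue", NS).text
    bag = _designator_values(m.find("x:AttributeDesignator", NS), request) or []
    return value in bag


def _target_matches(target, request):
    # Every AnyOf must match; an AnyOf matches if any AllOf has all its Matches true.
    for anyof in target.findall("x:AnyOf", NS):
        if not any(all(_match(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS)):
            return False
    return True


def _apply(elem, request):
    """Evaluate an <Apply>; returns a bool or the string 'Indeterminate'."""
    fn = elem.get("FunctionId").rsplit(":", 1)[1]
    args = []
    for child in elem:
        tag = child.tag.split("}")[1]
        if tag == "AttributeValue":
            args.append([child.text])
        elif tag == "AttributeDesignator":
            bag = _designator_values(child, request)
            if bag is None:
                return "Indeterminate"
            args.append(bag)
        elif tag == "Apply":
            result = _apply(child, request)
            if result == "Indeterminate":
                return "Indeterminate"
            args.append([result])
    if fn == "string-is-in":
        return args[0][0] in args[1]
    if fn == "or":
        return any(a[0] for a in args)
    raise NotImplementedError(fn)


def _evaluate_rule(rule, request):
    cond = rule.find("x:Condition", NS)
    if cond is None:                      # unconditional rule, e.g. deny_others
        return rule.get("Effect")
    result = _apply(cond[0], request)
    if result == "Indeterminate":
        return "Indeterminate"
    return rule.get("Effect") if result else "NotApplicable"


def evaluate(policy_xml, request):
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    # first-applicable: the first rule that is not NotApplicable decides,
    # and an Indeterminate rule makes the whole policy Indeterminate.
    for rule in policy.findall("x:Rule", NS):
        decision = _evaluate_rule(rule, request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


if __name__ == "__main__":
    for roles in (["admin", "Internal/everyone"], ["Internal/everyone"], []):
        print(roles, "->", evaluate(POLICY_XML, request_for("SP_Name", roles)))
```

Run as-is, the three constructed subjects give Permit, Deny and Indeterminate respectively; the last case is the federated login from the question, where the local user's roles were never asserted to the PDP.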

In the latest versions of the Identity Server (including 5.10.0), when Just-In-Time provisioning is enabled, federated users and local users are associated automatically. So you don't need to enable the config you have mentioned, and as the documentation has mentioned, it is not recommended.

So if you want to send the attributes of the locally provisioned user to the application, you have to enable the "Assert identity using mapped local subject identifier" configuration for the application.
