Consider a scenario in which an enterprise user's details are found in two places: the user's credentials are kept in one user store and the user's attributes are kept in another. Let's see how WSO2 Identity Server can be used to merge these two user stores and retrieve the user's details in a unified way.
WSO2 Identity Server has great extension capabilities, so almost any use case can be supported by writing a simple extension. Please refer to my previous blog post to learn more about the user management extensions.
First, let's take an example.
There are four LDAP based user stores. LDAP-1 and LDAP-3 are credential stores, where the users' credentials are kept. LDAP-2 and LDAP-4 are attribute stores, where the users' details are kept. LDAP-1's corresponding attribute store is LDAP-2, which means that every user in LDAP-1 can also be found in LDAP-2. LDAP-2 does not necessarily contain the user's credentials; it holds the user's attributes, including attributes that are not present in LDAP-1. In the same way, LDAP-3's corresponding attribute store is LDAP-4.
Step 1. Configure all four user stores with WSO2IS. Let's configure LDAP-1 as the primary user store of WSO2IS. The primary user store is configured in the user-mgt.xml file. Then let's configure the other user stores as secondary user stores from the UI.
When you configure an attribute user store, you need to follow a special notation for its domain name.
Two simple rules:
1. The domain must be the same as that of the corresponding credential store.
2. The domain name must be qualified with the suffix "-ATTRIBUTE-STORE".
As an example:
We have configured LDAP-1 as the primary user store, so its domain name is PRIMARY. Therefore LDAP-2 must be configured with the domain name PRIMARY-ATTRIBUTE-STORE.
Say we have configured LDAP-3 with the domain name XACMLINFO.COM. Then its corresponding attribute store, LDAP-4, must be configured with the domain name XACMLINFO.COM-ATTRIBUTE-STORE.
Now you have properly configured multiple user stores.
Step 2. Download the custom extension, which can be found here, and copy it into the <WSO2IS_HOME>/repository/components/dropins directory.
You can find the Maven project for the custom extension here. It is a simple Java project implemented by extending a listener interface. You can modify it as you like.
Step 3. Restart the server.
Step 4. Try it out.
You cannot authenticate by providing the attribute user store domain.
When you retrieve attributes for a given user in a credential store, you receive the attributes from the corresponding attribute store as well.
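The naming rules from Step 1 and the behaviour described in Step 4, as an added illustration that is not the blog's extension code: a small Python model of the listener's logic over constructed in-memory stores standing in for the four LDAP directories. The store contents, the password hashing, and the choice that attribute-store values win on conflicting attribute names are assumptions.

```python
import hashlib
import hmac

ATTRIBUTE_STORE_SUFFIX = "-ATTRIBUTE-STORE"
PRIMARY_DOMAIN = "PRIMARY"  # domain of the store configured in user-mgt.xml


def _h(password: str) -> str:
    # Constructed sample hashing; a real directory stores its own password hashes.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data standing in for LDAP-1 .. LDAP-4 (domain -> user -> record).
STORES = {
    "PRIMARY": {"alice": {"pw": _h("alice-pass"), "attrs": {"mail": "alice@example.com"}}},
    "PRIMARY-ATTRIBUTE-STORE": {"alice": {"attrs": {"department": "finance", "phone": "+1-555-0100"}}},
    "XACMLINFO.COM": {"bob": {"pw": _h("bob-pass"), "attrs": {"mail": "bob@xacmlinfo.com"}}},
    "XACMLINFO.COM-ATTRIBUTE-STORE": {"bob": {"attrs": {"department": "legal"}}},
}


def split_domain(qualified_name: str):
    """Split 'DOMAIN/user' into (DOMAIN, user); an unqualified name belongs to PRIMARY."""
    if "/" in qualified_name:
        domain, user = qualified_name.split("/", 1)
        return domain.upper(), user
    return PRIMARY_DOMAIN, qualified_name


def is_attribute_store(domain: str) -> bool:
    return domain.upper().endswith(ATTRIBUTE_STORE_SUFFIX)


def attribute_store_for(domain: str) -> str:
    """Rule 1 + rule 2: same domain as the credential store, qualified with the suffix."""
    return domain.upper() + ATTRIBUTE_STORE_SUFFIX


def authenticate(qualified_name: str, password: str) -> bool:
    domain, user = split_domain(qualified_name)
    if is_attribute_store(domain):
        return False  # attribute stores hold no credentials; never authenticate against them
    record = STORES.get(domain, {}).get(user)
    if record is None or "pw" not in record:
        return False
    return hmac.compare_digest(record["pw"], _h(password))


def get_user_attributes(qualified_name: str):
    """Attributes of a credential-store user, merged with its corresponding attribute store."""
    domain, user = split_domain(qualified_name)
    if is_attribute_store(domain):
        raise ValueError("look users up through the credential store domain")
    record = STORES.get(domain, {}).get(user)
    if record is None:
        return None
    merged = dict(record["attrs"])
    extra = STORES.get(attribute_store_for(domain), {}).get(user)
    if extra:
        merged.update(extra["attrs"])  # assumption: attribute store wins on conflicts
    return merged
```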
You can configure WSO2IS as a SAML2 SSO IdP and try this out easily; please refer here for more details.
Thanks for reading…!!!