How to access group details in SAML - openam

I am creating an ID provider through OpenAM. I get the user details in the returned SAML assertion, but I also want to get the user's group details in the assertion; how can I get them? Thanks in advance.

There are several approaches ...
1) create custom attribute mapper which allows to put group info into assertion
2) create post auth plugin which puts group info in session property and use default attribute mapper
3) leverage data store and data store config
This depends on the data store being used.
If the data store (e.g. an LDAP-based directory server) provides an (operational) attribute which shows group info at the user entry, then you can map this as an attribute in the data store config and use the default attribute mapper.
E.g. OpenDJ provides 'isMemberOf', but you will see real group DNs as values for the mapped attribute.
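Approach 2 above, a post-authentication plugin that stores the user's group names in a session property so the default IdP attribute mapper can map them (e.g. with an IdP attribute mapping of groups=groups), written out as an added example; it is not code from the original answer or from OpenAM itself, and the property name "groups" and the '|' separator are assumptions:

```java
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;

/** Post-auth plugin: on successful login, resolve the user's group memberships
 *  from the data store and put the group names (not DNs) into a session property,
 *  which the default IdP attribute mapper can then map into the SAML assertion. */
public class GroupsPostAuthPlugin implements AMPostAuthProcessInterface {
    // Assumed session property name; must match the local side of the mapping.
    static final String GROUPS_PROPERTY = "groups";

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken) throws AuthenticationException {
        try {
            AMIdentity user = IdUtils.getIdentity(ssoToken);
            Set<AMIdentity> groups = user.getMemberships(IdType.GROUP);
            // A session property holds a single string, so join the names (assumed '|').
            StringBuilder names = new StringBuilder();
            for (AMIdentity group : groups) {
                if (names.length() > 0) names.append('|');
                names.append(group.getName());   // group name, not the full DN
            }
            ssoToken.setProperty(GROUPS_PROPERTY, names.toString());
        } catch (SSOException | IdRepoException e) {
            throw new AuthenticationException("Cannot resolve group membership: " + e.getMessage());
        }
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
            SSOToken ssoToken) throws AuthenticationException {
    }
}
```

Register the class in the realm's post-authentication processing classes and ensure the SP side is prepared to split the joined value.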

Related

How to use Microsoft Graph API to display manager of a user resource type in Azure AD

Question: Using Microsoft Graph how do we display the manager of a user? For example, using Microsoft Graph Explorer you can get a signed-in user profile info by calling https://graph.microsoft.com/v1.0/me. But this call does not return all the fields - specifically not the manager field.
I tried https://graph.microsoft.com/v1.0/me?$select=manager but it still did not return manager.
In the Relationships section of the user resource type you see a manager field for a user's manager. And the JSON representation of those Relationships shows the manager field as follows:
"manager": { "@odata.type": "microsoft.graph.directoryObject" }
But I am not sure how we use it to get the manager of a user.
UPDATE:
Following is a screenshot of just a portion of the result from the query from the user @CarlShao. In fact it is returning tons of attributes for the manager object. But I'm showing just the current screen of my laptop:
If you need to expand the user's organizational relationship, you should use the $expand parameter, which supports expanding the user's directReports, manager and memberOf relationships.
GET https://graph.microsoft.com/v1.0/me?$expand=manager
Reference: list manager and expand parameter.
Update:
You can specify $select inside $expand to select the individual manager's properties: $expand=manager($levels=max;$select=displayName)
https://graph.microsoft.com/v1.0/me?$expand=manager($levels=max;$select=displayName)&$count=true
Don't forget to add the request header: ConsistencyLevel=eventual

wso2 identity server write correct user attributes to openldap

I wonder if anyone can help. I am working on a project that requires the use of wso2is and openldap together on Linux. I am quite new to both technologies, so there may be some things I don't quite understand properly.
I have set openldap up as a secondary user store in wso2is. In openldap, using ldif files I have managed to create groups, and some dummy users. These entries can be read and displayed successfully by wso2is. The good user entries follow the format below
In wso2is I can create new users for the secondary data store and it looks like I can assign them to the different roles. The problem is that when I create a new user in wso2, it seems to be lacking certain attributes such as password and mail. When I view users created in wso2 (using ldap admin) they are different from users created manually using ldif. I don't know how to add the extra attributes such as email to new users created using wso2 (the extra attributes are necessary for ldap to log into another program).
The image below for user "bob" does not have the correct attributes.
The other thing I don't understand is that in wso2is, if I set 'cn' as the username attribute and try to view the extra attribute fields for users I created in wso2, I get an 'error reading metadata' screen. However, if I set 'uid' as the username attribute and try to view extra attributes, I am allowed to see them (most are blank), but if I try to populate those fields such as surname or mail, I then get an error message saying they are not supported by the underlying ldap.
Maybe I'm missing something fundamental, but I don't know what it is; apparently it almost does what I want.
When you configure an external LDAP, you need to map its attributes to the WSO2 local claims, because within WSO2 Identity Server all user attributes are considered as claims. Hence please try mapping the secondary user store attributes to each local claim in the user profile. For example, the http://wso2.org/claims/emailaddress claim can be mapped to your secondary user-store attribute as shown in the image.
Moreover, I hope you have added the User Search Base, User Search Filter and User List Filter properly in the secondary user store configuration.

OpenAM : How to create the profile on login dynamically

I developed a custom authentication module in OpenAM, and when a user logs in with this module I have to set "User Profile" to be ignored for a successful login. Otherwise it fails with the error "User Requires Profile to Login".
OpenAM is correct, because the logged-in user does not exist in its OpenDJ data store.
My question is:
How to create the profile dynamically on login?
Should it be done in the auth module or in a post-auth module?
Do I need to write to the OpenDJ data store directly, or is there some helper class to do this?
Thanks in advance
It's possible to let OpenAM dynamically create user accounts if the user profile doesn't already exist in the configured data stores. To do so, you'll need to change the User Profile mode to Dynamic (see picture above).
If you want to control the attributes used to populate the freshly created user, then you will need to call #setUserAttributes with a Map<String, Set<String>> in AMLoginModule, and those values will be obeyed. The username used by OpenAM will be the name that you return in the #getPrincipal method.
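A minimal module wired the way the answer describes, as an added example that is not part of the original answer or of OpenAM's own code: the external credential check, the attribute names written to the new profile and the callback order are assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;

/** Verifies credentials externally; with User Profile = Dynamic, supplies the
 *  attributes OpenAM writes into the profile it creates for an unknown user. */
public class ExternalLoginModule extends AMLoginModule {
    private String userName;
    @Override
    public void init(Subject subject, Map sharedState, Map options) { }
    @Override
    public int process(Callback[] callbacks, int state) throws LoginException {
        // Assumes the module's callback XML defines a NameCallback then a PasswordCallback.
        userName = ((NameCallback) callbacks[0]).getName();
        char[] password = ((PasswordCallback) callbacks[1]).getPassword();
        if (!externalSystemAccepts(userName, password)) {
            throw new AuthLoginException("Authentication failed for " + userName);
        }
        // Attributes for the dynamically created entry; each value is a Set.
        Map<String, Set<String>> attrs = new HashMap<>();
        attrs.put("mail", Collections.singleton(userName + "@example.com"));
        setUserAttributes(attrs);
        return ISAuthConstants.LOGIN_SUCCEED;
    }
    @Override
    public Principal getPrincipal() {
        // OpenAM creates the profile under the name this Principal returns.
        return new ExternalPrincipal(userName);
    }
    // Placeholder for the real back-end check (assumed); replace before use.
    private boolean externalSystemAccepts(String user, char[] password) {
        return user != null && password != null && password.length >= 8;
    }
    static final class ExternalPrincipal implements Principal {
        private final String name;
        ExternalPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
}
```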

How to show authentication & authorization within metadata operation page

I noticed the operation metadata page shows the "Rest user defined endpoint" even if it is not explicitly added as a DTO attribute but defined within the AppHost.Configure method.
I wonder if it would be possible to show within the metadata page, among other operation details, whether a given operation (DTO) requires authentication (defined at operation or service level) and all the required authorizations (roles and permissions), if any.
This has now been added on the Metadata index page which will display a yellow key for Services which require authentication, e.g:
When you mouse over the key it will also show which permissions or roles the Service needs.
It's also added on the metadata detail page which will list which permissions/roles are required (if any), e.g:
This feature is available from v4.0.43+, which is now available on MyGet.

http cookie not getting set on browser openam

I am trying to generate an HTTP cookie on successful user login in OpenAM.
The cookie is expected to be populated with an LDAP attribute named 'commerce', which is a boolean attribute.
In order to achieve this I have configured settings under:
Access Control -> Top Level Realm -> Agents -> configured policy agent -> Profile Attributes Processing
Here I have created a map with key 'commerce' and value 'commerce'. Now ideally, after a successful login, it should generate a cookie named HTTP_COMMERCE with the value of the attribute, but this is not working as expected.
Can someone help me out in resolving what I may be missing here?
When using Profile Attributes Processing it is probably important to know that the attributes are retrieved from the configured data stores, hence you should probably make sure that the data store is correctly configured in OpenAM.
Most likely you are just missing the "commerce" attribute from the "LDAP User Attributes" setting.
