Hi All,

We have a few use cases for IS 5.6.0 conditional authentication feature where
we need to get the details of the authenticated user in a previous
authentication step. Following are the details required,

For users authenticated with local IdP,

   - Username
   - Tenant domain
   - Userstore domain
   - Claims

For users authenticated with a federated IdP,

   - Subject Identifier
   - Claims by federated IdP's dialect
   - Claims by local dialect (If claim mappings configured)
   - Associated local user (If available)

To retrieve the above details, we'll be changing the way we access the
claims as below,

*Local claims (current) :*
var myClaimValueX = context.subject.claims.local['http://wso2.org/claims/<x>'];

*Local claims (suggested) :*
var myClaimValueX = context.steps[<n>].subject.localClaims['http://wso2.org/claims/<x>'];

Note: This will return the mapped remote claim's value from the IdP for
federated IdPs. E.g. if the wso2 claim "http://wso2.org/claims/emailaddress" is
mapped to the federated IdP claim "mail", a call to
context.steps[1].subject.localClaims['http://wso2.org/claims/emailaddress']
will give the value of the 'mail' claim from the IdP.

*Remote claims (current) :*
var myClaimValueX = context.subject.claims.remote['http://some.domain.you/claims/<x>'];

*Remote claims (suggested) :*
var myClaimValueX = context.steps[<n>].subject.remoteClaims['http://some.domain.you/claims/<x>'];

Note: This will return null for local IdP

*Few more examples:*

context.steps[<n>].subject.username - Return the username/subject
identifier of step 'n'
context.steps[<n>].subject.tenantDomain - Return the tenant domain of user
of step 'n'
context.steps[<n>].subject.userStoreDomain - Return the userstore domain of
user of step 'n'

context.steps[<n>].subject.mappedLocalUser.tenantDomain - Return the tenant
domain of the mapped local user if there is an association for the user.


Please let us know any suggestions or concerns.
-- 
*Pulasthi Mahawithana*
Associate Technical Lead
WSO2 Inc., http://wso2.com/
Mobile: +94-71-5179022
Blog: https://medium.com/@pulasthi7/

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
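
The following is an added example, not part of the original message or of WSO2's code. It shows how a script could read the proposed context.steps[<n>].subject fields to make a step-up decision. The sample contexts are constructed, the helpers stepIdentity and needsExtraStep are hypothetical, and treating a non-null remoteClaims as "federated" is an assumption drawn from the note that remoteClaims is null for the local IdP.

```javascript
var EMAIL = 'http://wso2.org/claims/emailaddress';

// Constructed sample data in the proposed context.steps[<n>].subject shape.
var localCtx = { steps: { 1: { subject: {
  username: 'alice', tenantDomain: 'carbon.super', userStoreDomain: 'PRIMARY',
  localClaims: { 'http://wso2.org/claims/emailaddress': 'alice@example.com' },
  remoteClaims: null                       // proposal: null for the local IdP
} } } };
var fedUnlinkedCtx = { steps: { 1: { subject: {
  username: 'fed-subject-123',             // subject identifier from the IdP
  localClaims: { 'http://wso2.org/claims/emailaddress': 'bob@partner.example' },
  remoteClaims: { mail: 'bob@partner.example' }
} } } };
var fedLinkedCtx = { steps: { 1: { subject: {
  username: 'fed-subject-456',
  localClaims: { 'http://wso2.org/claims/emailaddress': 'carol@partner.example' },
  remoteClaims: { mail: 'carol@partner.example' },
  mappedLocalUser: { tenantDomain: 'carbon.super' }
} } } };

// Hypothetical helper: summarise the user authenticated in step n.
function stepIdentity(context, n) {
  var step = context.steps[n];
  if (!step || !step.subject) { return null; }     // step not run, or no user
  var s = step.subject;
  // Assumption: non-null remoteClaims means the step used a federated IdP.
  var federated = s.remoteClaims !== null && s.remoteClaims !== undefined;
  var mapped = s.mappedLocalUser || null;
  return {
    federated: federated,
    id: s.username,
    email: (s.localClaims || {})[EMAIL] || null,
    localTenant: federated ? (mapped ? mapped.tenantDomain : null) : s.tenantDomain
  };
}

// Hypothetical policy: require a further step when identity data is missing
// or a federated user has no associated local account. Fails closed.
function needsExtraStep(context, n) {
  var who = stepIdentity(context, n);
  if (who === null || who.email === null) { return true; }
  return who.federated && who.localTenant === null;
}
```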