Hi Kanapriya,

On Tue, Oct 24, 2017 at 11:46 AM, Kanapriya Kuleswararajan <
kanapr...@wso2.com> wrote:

> Hi Malithi,
>
> Please find the comments in line.
>
>>
>> I was using $subject to associate a federated identity over Google and
>> Facebook with the local user while configuring SMSOTP and TOTP as the
>> second-factor authentication mechanism.
>>
>> As I noted, for this to work I had to configure the federated claim as
>> the userAttribute in the authenticator configuration, from which the
>> respective local user will be mapped.
>> Ex:
>> Added the line below in the Google and Facebook case:
>> <Parameter name="userAttribute">email</Parameter>
>>
>> 1. The first question is what will happen when multi-option
>> authentication is configured as the first step?
>> I tried with Google and Facebook configured as multi-option in the first
>> step while having 'email' configured as the 'userAttribute'. That worked
>> because in both there is a federated claim named 'email'. But what if some
>> other authenticator is configured which does not have an 'email' claim and
>> the mail address of the user is received over a different claim format?
>> As I see it, the local claim (wso2 claim) should be configured in the
>> authenticator configuration, and during the authentication flow the local
>> claim configured in the authenticator config should be picked, and the claim
>> value should be resolved after transforming the received federated claims to
>> the local dialect (wso2 dialect).
>>
> When multi-option is configured as the first step (Google and Facebook), and
> say, if the claims (email) are in a different format in both authenticators,
> then you can have a separate config with the authenticator name in the
> authentication.xml file as follows.
>
> <AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
>     <Parameter name="totp-userAttribute">mailaddress</Parameter>
>     <Parameter name="SMSOTP-userAttribute">mailaddress</Parameter>
> </AuthenticatorConfig>
>
> You can have similar config as above for Google authenticator as well.
>
>> 2. Noted that in each authenticator an additional parameter needs to be
>> configured to denote the 'userAttribute' mapping. Is this how (1) above is
>> achieved?
>> However, the respective configurations in SMSOTP and TOTP in this
>> regard are not consistent. Moreover, I feel transforming back to the local
>> dialect and using that to retrieve the attribute to be mapped is the way to
>> do it. With that, this becomes a redundant config.
>>
>
> For the userAttribute use case, you can use the parameter name for TOTP and
> SMSOTP as I mentioned in the above config, with the prefix of the
> authenticator name which is configured as the second step. This makes the
> configurations more consistent. All these things are documented in [1].
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator#ConfiguringTOTPAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider
>

Yes. This is what I highlighted in point (2). To achieve case 1, another
parameter needs to be configured per authenticator.
But what I'm suggesting is to use claim transformation to resolve the
local claim. In that case, there is no need to configure a separate
parameter per authenticator. I'm wondering if this approach was not chosen
due to any other complications in resolving back to the local claim.

Moreover, I feel the parameter configuration per authenticator is
not well explained in the documentation. Also, when it comes to TOTP, there is
another authenticator config parameter mentioned in the doc,
'federatedEmailAttributeKey'. What is this for? It's not explained at all.


>
>> 3. For the mapping to happen, the claim value resolved should always be
>> the local username. Why can't the mapping happen over another unique claim
>> like email?
>> As I see it, we can easily configure this for an LDAP by configuring the
>> 'UserNameSearchFilter' to search users over several attributes.
>>
>> Thanks,
>> Malithi
>> --
>>
>> *Malithi Edirisinghe*
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
>
>


-- 

*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.

Mobile : +94 (0) 718176807
malit...@wso2.com
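To make the two schemes discussed in this thread concrete, here is an added illustration (not WSO2 Identity Server code, and not from either author): a constructed authentication.xml fragment in the shape quoted above, a lookup that applies the per-authenticator `<secondStep>-userAttribute` parameter with a fallback to the generic `userAttribute`, and the claim-dialect transformation proposed as the alternative. The Google entry, the second-step authenticator names "totp" and "SMSOTP" (taken from the parameter prefixes) and the local claim URI are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the authentication.xml fragment quoted in
# the thread; the Google entry and the "totp"/"SMSOTP" names are assumed.
AUTHENTICATION_XML = """
<AuthenticatorConfigs>
  <AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
    <Parameter name="totp-userAttribute">mailaddress</Parameter>
    <Parameter name="SMSOTP-userAttribute">mailaddress</Parameter>
  </AuthenticatorConfig>
  <AuthenticatorConfig name="GoogleOIDCAuthenticator" enabled="true">
    <Parameter name="totp-userAttribute">email</Parameter>
  </AuthenticatorConfig>
  <AuthenticatorConfig name="SMSOTP" enabled="true">
    <Parameter name="userAttribute">email</Parameter>
  </AuthenticatorConfig>
</AuthenticatorConfigs>
"""


def load_params(xml_text):
    """Map each AuthenticatorConfig name to its Parameter name/value pairs."""
    root = ET.fromstring(xml_text)
    return {
        cfg.get("name"): {p.get("name"): (p.text or "").strip()
                          for p in cfg.findall("Parameter")}
        for cfg in root.findall("AuthenticatorConfig")
    }


def resolve_user_attribute(params, first_step, second_step):
    """Scheme from the thread: '<second>-userAttribute' on the first-step
    authenticator wins; otherwise fall back to the second step's own
    generic 'userAttribute'. Returns None when neither is configured."""
    specific = params.get(first_step, {}).get(f"{second_step}-userAttribute")
    if specific:
        return specific
    return params.get(second_step, {}).get("userAttribute")


def resolve_local_value(federated_claims, claim_mapping, local_claim):
    """Alternative suggested in the thread: translate the IdP's claims to the
    local (wso2) dialect first, then read one configured local claim, so no
    per-authenticator parameter is needed. Unmapped claims are ignored."""
    local = {claim_mapping[k]: v for k, v in federated_claims.items()
             if k in claim_mapping}
    return local.get(local_claim)
```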
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev