Hi all,

Currently, when managing users in an Active Directory user store with SCIM, we have mapped the SCIM core attributes to different Active Directory attributes [1, 2].

e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute) -> http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active Directory attribute)

However, there is a set of attributes maintained by Active Directory itself which we can use to map some of the core SCIM attributes. We have considered the following attributes for the moment.

1. objectGuid (AD maintained attribute) -> urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
2. whenCreated (AD maintained attribute) -> urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
3. whenModified (AD maintained attribute) -> urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)

We need to handle the mapping of these attributes in two scenarios.

1. When reading values from the user store.
2. When writing values to the user store.

When reading from the user store, we can introduce a hook to handle the mapping of these special attributes. We can implement the hook in AbstractUserStoreManager, since the local claim to user store property mapping is done at that level [4]. When the attributes are mapped, we may need to convert between data types for some attributes (e.g. the objectGuid property is stored in AD as an octet string [3]). This hook will be a method with the following signature.

protected void processRetrievedSpecialClaims(Map<String, String> specialClaims)

However, when writing values to the user store, we need to handle the special claims at the user store level [5]. We can do data type conversion for special claim values here as well, if required. We will introduce an abstract hook at the AbstractUserStoreManager level but provide separate implementations at the user store level. This hook will be a method with the following signature.

protected void processSpecialClaimsForUpdating(Map<String, String> specialClaims)

Note that the above-mentioned new behaviour will only be executed if a specific user store property is enabled.

Please let us know if you have any concerns regarding this approach.

Best Regards,
Gayashan

[1] https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
[2] http://www.kouti.com/tables/userattributes.htm
[3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
[4] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
[5] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616

--
Gayashan Bombuwala
Software Engineer | WSO2
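The data type conversion the proposal mentions for the read-side hook, as an added example that is not part of the mail or of carbon-kernel: only the processRetrievedSpecialClaims signature comes from the proposal, while the class name, the local claim URIs, the GUID byte ordering and the assumption that the objectGUID octets arrive byte-for-byte in an ISO-8859-1 string are mine.

```java
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Map;

// Illustrative body for the read-side hook proposed in the mail. Only the
// method name and signature come from the proposal; the class, the local
// claim URIs and the conversions are assumptions, not carbon-kernel code.
public class SpecialClaimHookExample {

    // Hypothetical local claim URIs that the AD-maintained attributes map to.
    static final String ID_CLAIM = "http://wso2.org/claims/userid";
    static final String CREATED_CLAIM = "http://wso2.org/claims/created";
    static final String MODIFIED_CLAIM = "http://wso2.org/claims/modified";

    // AD GeneralizedTime as read over LDAP, e.g. 20190315093012.0Z
    private static final DateTimeFormatter AD_TIME =
            DateTimeFormatter.ofPattern("uuuuMMddHHmmss'.0Z'");

    /** Render the 16 octets of an objectGUID in canonical GUID text form. */
    static String objectGuidToString(byte[] raw) {
        if (raw == null || raw.length != 16) {
            throw new IllegalArgumentException("objectGUID must be 16 octets");
        }
        // The first three GUID fields are stored little-endian; the last 8 octets are in order.
        int[] order = {3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15};
        StringBuilder sb = new StringBuilder(36);
        for (int i = 0; i < order.length; i++) {
            if (i == 4 || i == 6 || i == 8 || i == 10) sb.append('-');
            sb.append(String.format("%02x", raw[order[i]] & 0xff));
        }
        return sb.toString();
    }

    /** Convert an AD GeneralizedTime value to the ISO 8601 form SCIM expects. */
    static String adTimeToScim(String generalizedTime) {
        return LocalDateTime.parse(generalizedTime, AD_TIME)
                .atOffset(ZoneOffset.UTC).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME);
    }

    /** Read hook. The map carries strings, so it is assumed here that the GUID
     *  octets arrive byte-for-byte in an ISO-8859-1 string; values are rewritten in place. */
    protected void processRetrievedSpecialClaims(Map<String, String> specialClaims) {
        specialClaims.computeIfPresent(ID_CLAIM,
                (k, v) -> objectGuidToString(v.getBytes(StandardCharsets.ISO_8859_1)));
        specialClaims.computeIfPresent(CREATED_CLAIM, (k, v) -> adTimeToScim(v));
        specialClaims.computeIfPresent(MODIFIED_CLAIM, (k, v) -> adTimeToScim(v));
    }
}
```

A malformed value (wrong octet count, unparsable timestamp) throws rather than being passed through, so a caller that rejects the claim map on exception will not expose raw AD bytes as a SCIM id.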
Dev mailing list
http://wso2.org/cgi-bin/mailman/listinfo/dev
