Hi Gayashan,

This would be a very valuable addition to the product.

On Wed, Dec 4, 2019 at 12:20 AM Gayashan Bombuwala <[email protected]> wrote:
> Hi all,
>
> Currently when managing users in Active Directory user store with SCIM, we
> have mapped the SCIM core attributes to different attributes [1, 2]
> supported by SCIM.
>
> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute) ->
> http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active
> Directory attribute)
>
> However, there are a set of attributes maintained by Active Directory
> which we can use to map some of the core SCIM attributes. We have considered
> the following attributes for the moment.
>
> 1. objectGuid (AD maintained attribute) ->
>    urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
> 2. whenCreated (AD maintained attribute) ->
>    urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
> 3. whenModified (AD maintained attribute) ->
>    urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)
>
> We need to handle the mapping of these attributes in two scenarios.
>
> 1. When reading values from the user store.
> 2. When writing values to the user store.
>
> When reading from the user store we can introduce a hook to handle the
> mapping of these special attributes. We can implement the hook in
> AbstractUserStoreManager since local claim to user store property mapping
> is done in that [3] level. When the attributes are mapped we may need to do
> a conversion between data types for some attributes (e.g. the objectGuid
> property is stored in AD as an octetString [3]). This hook will be a method
> with the following signature.
>
> protected void processRetrievedSpecialClaims (Map<String, String> specialClaims)

I suppose this will transform user store level values to the SCIM required format. The user store level value (format) can differ based on the underlying user store, so what would be the default implementation?

> However, when writing values to the user store, we need to handle the
> special claims in the user store level [5]. We can do data type conversion
> for special claim values here as well if required.

Can we just ignore them since AD handles special attributes itself?

> We will introduce an abstract hook in the AbstractUserStoreManager level
> but will provide separate implementations in the user store level. This
> hook will be a method with the following signature.
>
> protected void processSpecialClaimsForUpdating (Map<String, String> specialClaims)
>
> Note that the above mentioned new behaviour will only be executed if a
> specific user store property is enabled.
>
> Please let us know if you have any concerns regarding this approach.
>
> Best Regards,
> Gayashan
>
> [1] https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
> [2] http://www.kouti.com/tables/userattributes.htm
> [3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
> [4] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
> [5] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>
> --
> *Gayashan Bombuwala*
> Software Engineer | WSO2
>
> Email: [email protected]
> Phone: +94770548334
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Gayan
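The data type conversions the proposed read hook would need (objectGuid octet string to a SCIM id, whenCreated/whenModified GeneralizedTime to SCIM timestamps), and one possible answer to the "can we just ignore them" question for the write hook, shown in Python as an added example; this is not carbon-kernel code, and the dictionary-based hook shapes, the `AD_TO_SCIM` table and the sample record are assumptions constructed for illustration.

```python
import uuid
from datetime import datetime, timezone

# Assumed mapping of the three AD-maintained attributes onto SCIM core attributes.
AD_TO_SCIM = {
    "objectGuid": "urn:ietf:params:scim:schemas:core:2.0:id",
    "whenCreated": "urn:ietf:params:scim:schemas:core:2.0:created",
    "whenModified": "urn:ietf:params:scim:schemas:core:2.0:lastModified",
}


def guid_to_string(octets: bytes) -> str:
    """objectGUID is a 16-octet value; its first three fields are little-endian."""
    if len(octets) != 16:
        raise ValueError("objectGUID must be exactly 16 octets")
    return str(uuid.UUID(bytes_le=octets))


def generalized_time_to_scim(value: str) -> str:
    """AD GeneralizedTime 'YYYYMMDDhhmmss.0Z' -> SCIM (RFC 3339) 'YYYY-MM-DDThh:mm:ssZ'."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC GeneralizedTime ending in 'Z'")
    stamp = value[:-1].split(".", 1)[0]           # drop fraction and zone designator
    parsed = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return parsed.strftime("%Y-%m-%dT%H:%M:%SZ")


def process_retrieved_special_claims(raw: dict) -> dict:
    """Read direction: convert AD-native values to SCIM format; other keys pass through."""
    out = {}
    for key, value in raw.items():
        if key == "objectGuid":
            out[AD_TO_SCIM[key]] = guid_to_string(value)
        elif key in ("whenCreated", "whenModified"):
            out[AD_TO_SCIM[key]] = generalized_time_to_scim(value)
        else:
            out[key] = value
    return out


def process_special_claims_for_updating(claims: dict) -> dict:
    """Write direction (assumed policy): AD owns these attributes and SCIM marks id and
    the meta timestamps readOnly, so client-supplied values are dropped, not forwarded."""
    managed = set(AD_TO_SCIM) | set(AD_TO_SCIM.values())
    return {k: v for k, v in claims.items() if k not in managed}


# Constructed sample record (not real directory data).
SAMPLE_RECORD = {
    "objectGuid": bytes.fromhex("01020304050607080910111213141516"),
    "whenCreated": "20191204002000.0Z",
    "whenModified": "20191205083015.0Z",
    "sAMAccountName": "alice",
}
```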
