Hi Gayashan,

Is this implemented in the product now? If so, can you share details on the final approach you took?

Thanks,

On Thu, Jan 2, 2020 at 9:37 AM Johann Nallathamby <[email protected]> wrote:

> Hi Gayashan,
>
> On Tue, Dec 3, 2019 at 6:54 PM Gayashan Bombuwala <[email protected]> wrote:
>
>> Hi all,
>>
>> Currently when managing users in Active Directory user store with SCIM, we have mapped the SCIM core attributes to different attributes [1, 2] supported by SCIM.
>>
>> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute) -> http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active Directory attribute)
>>
>> However, there are a set of attributes maintained by Active Directory which we can use to map some of the core SCIM attributes. We have considered the following attributes for the moment.
>>
>> 1. objectGuid (AD maintained attribute) -> urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
>> 2. whenCreated (AD maintained attribute) -> urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
>> 3. whenModified (AD maintained attribute) -> urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)
>>
>> We need to handle the mapping of these attributes in two scenarios.
>>
>> 1. When reading values from the user store.
>> 2. When writing values to the user store.
>>
>> When reading from the user store we can introduce a hook to handle the mapping of these special attributes. We can implement the hook in AbstractUserStoreManager since local claim to user store property mapping is done at that [3] level. When the attributes are mapped we may need to do a conversion between data types for some attributes (e.g. the objectGuid property is stored in AD as an octetString [3]). This hook will be a method with the following signature.
>>
>> protected void processRetrievedSpecialClaims (Map<String, String> specialClaims)
>
> Why do we need to have "special" in the method name? Shouldn't all attribute processing go through this method? Why limit this to certain claims? We don't need to decide beforehand what claims have to go through this method. If someone wants to handle a certain claim in a special way later on, they can extend this particular method.
>
> Regards,
> Johann.
>
>> However, when writing values to the user store, we need to handle the special claims at the user store level [5]. We can do data type conversion for special claim values here as well if required.
>> We will introduce an abstract hook at the AbstractUserStoreManager level but will provide separate implementations at the user store level. This hook will be a method with the following signature.
>>
>> protected void processSpecialClaimsForUpdating (Map<String, String> specialClaims)
>>
>> Note that the above mentioned new behaviour will only be executed if a specific user store property is enabled.
>> Please let us know if you have any concerns regarding this approach.
>>
>> Best Regards,
>> Gayashan
>>
>> [1] https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
>> [2] http://www.kouti.com/tables/userattributes.htm
>> [3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
>> [4] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
>> [5] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>>
>> --
>> *Gayashan Bombuwala*
>> Software Engineer | WSO2
>>
>> Email: [email protected]
>> Phone: +94770548334
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]

--
Regards,
*Darshana Gunawardana*
Technical Lead
WSO2 Inc.; http://wso2.com
*E-mail: [email protected]*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
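As an added illustration of the data type conversion Gayashan's proposal mentions (the objectGuid octet string becoming the SCIM id, and AD timestamps becoming SCIM created/lastModified), the following Python performs the read-side mapping. It is example code, not WSO2's; the dict-based hook, the function names and the sample entry are constructed, and the AD schema name for the modification timestamp is whenChanged (the thread writes whenModified).

```python
import uuid
from datetime import datetime, timezone

# AD-maintained attribute -> SCIM core attribute it backs (the mapping from the
# thread; the AD schema name of the modification timestamp is whenChanged).
AD_TO_SCIM = {
    "objectGUID": "urn:ietf:params:scim:schemas:core:2.0:id",
    "whenCreated": "urn:ietf:params:scim:schemas:core:2.0:created",
    "whenChanged": "urn:ietf:params:scim:schemas:core:2.0:lastModified",
}

def object_guid_to_string(raw: bytes) -> str:
    """16-octet objectGUID -> canonical GUID text, as AD tools display it."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 octets, got {len(raw)}")
    # Windows GUIDs are mixed-endian (first three groups little-endian, last
    # two big-endian); bytes_le= applies exactly that layout.
    return str(uuid.UUID(bytes_le=raw))

def generalized_time_to_scim(value: str) -> str:
    """LDAP GeneralizedTime (20191203185400.0Z) -> SCIM DateTime (2019-12-03T18:54:00Z)."""
    # AD writes these in UTC with a trailing Z; refuse anything else instead of
    # silently reinterpreting a local-offset timestamp as UTC.
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime ending in Z: {value!r}")
    base = value[:-1].split(".", 1)[0]  # drop the optional fraction
    dt = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def process_retrieved_special_claims(ad_attrs: dict) -> dict:
    """Python analogue of the processRetrievedSpecialClaims hook proposed in the
    thread: convert AD-maintained attributes, pass everything else through."""
    claims = {}
    for name, raw in ad_attrs.items():
        scim = AD_TO_SCIM.get(name)
        if scim is None:
            claims[name] = raw
        elif name == "objectGUID":
            claims[scim] = object_guid_to_string(raw)
        else:
            claims[scim] = generalized_time_to_scim(raw)
    return claims

# Constructed sample of what an LDAP read of these attributes returns.
SAMPLE_AD_ENTRY = {
    "objectGUID": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "whenCreated": "20191203185400.0Z",
    "whenChanged": "20200102093700.0Z",
    "sAMAccountName": "gayashan",
}
```

Calling `process_retrieved_special_claims(SAMPLE_AD_ENTRY)` yields the SCIM id `67452301-ab89-efcd-0123-456789abcdef`, which shows the byte reordering a naive hex dump of the octet string would get wrong.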
