One question about the claim: if two different user stores return an attribute with the same name, and I map that attribute to a claim URI.
For example: two databases both return the user's "phone" attribute, and I add a new claim with uri=http://example.com/claim/phone mapping to the "phone" attribute.
What will it return when I use the claim URI as the AttributeId in an XACML policy?
P.S.: I tried to run WSO2 IS locally, but failed.
In the XACML policy you can define this claim URI as an attribute id in the subject category. Then the PIP would fire when the XACML request is received:

    <AttributeDesignator AttributeId="http://example.com/claim/phone" Category="urn:oasis:names:tc:xacml:3.0:attribute-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>

If the XACML request contains the username without a domain name, "bob", or with "PRIMARY/bob", the attribute would be searched in the PRIMARY user store (whichever user store has been configured in the user-mgt.xml file).

If the XACML request contains the username with a domain name, "Domain/bob", it would search the user's attribute "phone" from the secondary user store defined by the "Domain".

The idea is that, when you are using XACML with multiple user stores, you need to send the username with the domain name. I think it is fine, because authorization happens after authentication. When authenticating, somehow, the user's domain name (the user store in which the user has been authenticated) can be known.

If different user stores expose different attributes for the same claim URI, you can configure that as well, as mentioned here.
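The policy and request described in the answer above, written out as an added example (constructed for this page; it is not code from the original post or from the WSO2 project). The policy permits when the subject's "phone" claim, resolved by the PIP from whichever user store the domain-qualified subject-id points at, matches a simple numeric pattern. The PolicyId, RuleId, resource URI, action name and the phone regex are placeholders chosen here. Both documents use the standard XACML 3.0 access-subject category identifier; whatever Category value you use, it must be the same in the policy's AttributeDesignator and in the request's Attributes element, or the designator will never match. The two XML documents below are separate files, listed together for readability.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Policy (constructed example). Permit "read" on the profile resource when the
     subject's phone claim, fetched by the PIP, looks like a bare phone number. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="phone-claim-example"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://example.com/service/profile</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-if-phone-well-formed" Effect="Permit">
    <Condition>
      <!-- The claim URI is used directly as the AttributeId. The PIP resolves it from the
           user store named by the subject-id's domain prefix (PRIMARY when none is given). -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^\+?[0-9]{7,15}$</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator AttributeId="http://example.com/claim/phone"
                               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

<?xml version="1.0" encoding="UTF-8"?>
<!-- Request (constructed example). The subject-id carries the user store domain, so the
     PIP looks up "phone" for bob in the secondary store "Domain". Sending plain "bob" or
     "PRIMARY/bob" instead would make it consult the PRIMARY store. -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Domain/bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://example.com/service/profile</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```

Two points worth checking when you test this. With MustBePresent="true", a subject-id whose domain prefix names a user store the PIP cannot resolve (or a user with no "phone" value) yields Indeterminate rather than NotApplicable, and under deny-unless-permit that surfaces as Deny; if you would rather treat a missing phone as an ordinary non-match, set MustBePresent="false" and guard the one-and-only call with a string-bag-size check. And because the user store is selected purely from the string the PEP puts in subject-id, the PEP must build that value from the authenticated session, never from a client-supplied username, or a caller could steer the lookup to a different store's "bob".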