WSO2 is: What happens when more than one user store return an attribute with the same name?


One question about claims: if two different user stores return an attribute with the same name, and I map that attribute to a claim URI.

For example: two databases both return the user's "phone" attribute, and I add a new claim with uri=http://example.com/claim/phone mapping to the "phone" attribute.

What will it return when I use the claim URI as the AttributeId in an XACML policy?

P.S.: I tried to run WSO2 IS locally, but failed.


1 answer

Asela On

In the XACML policy you can define this claim URI as an attribute id in the subject category. Then the PIP would fire when the XACML request is received.

<AttributeDesignator AttributeId="http://example.com/claim/phone" Category="urn:oasis:names:tc:xacml:3.0:attribute-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>

If the XACML request contains the username without a domain name, bob, or with PRIMARY/bob, the attribute would be searched in the PRIMARY user store (the user store configured in the user-mgt.xml file).

If the XACML request contains the username with a domain name, Domain/bob, it would search for the user's attribute, phone, in the secondary user store defined by the Domain.

The idea is that, when you are using XACML with multiple user stores, you need to send the username with the domain name. I think it is fine, because authorization happens after authentication. When authenticating, somehow, the user's domain name (the user store in which the user has been authenticated) can be known.

If different user stores expose different attributes for the same claim URI, you can configure that as well, as mentioned here.