Reputation: 33
I have an identity provider (A) setup in WSO2IS 5.7.0 which uses an external SAML2 IdP as a federated authenticator. I also have identity provider A configured to use JIT Provisioning to the primary user store.
There are a series of Service Providers which use OpenId Connect in the Inbound Authentication Configuration and identity provider A in the Local & Outbound Authentication Configuration.
When I try to login using one of the service providers everything goes as expected and a user is created in the user store with a username and first name corresponding to the value of the oasis:names:tc:SAML:2.0:nameid-format:persistent NameIdentifier of the SAML response from the external IdP. The problem is all of the other attributes of the user are blank.
What I want is to have the user provisioned using the values of the SAML attributes (claims) present in the SAML response for first/last name, dob, email address, etc.
I've tried adding the claims that I want to use in the Provisioning Claim Filter section of Advanced Claim Configuration for identity provider A, assuming that the claims that are mapped to the attributes would populate those attributes. However, that would only store whatever I put in for a default value.
I've configured the external IdP to return claims that are using the wso2.org/claims namespace thinking that would help, but no luck.
This is my first time trying to configure and use WSO2 so any help would be appreciated.
EDIT
Here is a sample of my SAML response coming back from my WSO2 server's commonauth before the flow goes to the OAuth authorize and consent portion of the flow:
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-02-26T15:30:56.820Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-02-26T16:30:56.820Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>|endpointAddress|></wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_|guid|" Issuer="|issuer address|" IssueInstant="2019-02-26T15:30:56.820Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2019-02-26T15:30:56.820Z" NotOnOrAfter="2019-02-26T16:30:56.820Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>|audienceAddress|</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="ISSUERNAME">67c3a3e0c379ee2341e9ce3ac58dfcff9a01284eaf7a362caa68e9ea7fac64</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="dob" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>1980-01-01</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="gender" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="identityLOA" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>http://cyber-auth.gc.ca/assurance/loa1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="postalcode" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>T1T 1T1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="country" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>CA</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="region" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>CA-AB</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="locality" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>Edmonton</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="addresses" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>123 My Street</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="lastname" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>Mitten</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="givenname" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>Craig</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="x-ms-client-user-agent" AttributeNamespace="http://schemas.microsoft.com/2012/01/requestcontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="x-ms-endpoint-absolute-path" AttributeNamespace="http://schemas.microsoft.com/2012/01/requestcontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>/adfs/ls/</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="insidecorporatenetwork" AttributeNamespace="http://schemas.microsoft.com/ws/2012/01" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="client-request-id" AttributeNamespace="http://schemas.microsoft.com/2012/01/requestcontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>e629313b-3de0-0000-0000-000000000000</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="relyingpartytrustid" AttributeNamespace="http://schemas.microsoft.com/2012/01/requestcontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>https://|wsoaddress|/commonauth</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="x-ms-client-ip" AttributeNamespace="http://schemas.microsoft.com/2012/01/requestcontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>|clientIP|</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="userip" AttributeNamespace="http://schemas.microsoft.com/2014/09/requestcontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>|userIP|</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="anchorclaimtype" AttributeNamespace="http://schemas.microsoft.com/ws/2014/01/identity/claims">
<saml:AttributeValue>http://schemas.microsoft.com/ws/2014/01/unknown</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2019-02-26T15:30:56.000Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="ISSUERNAME">67c3a3e0c379ee2341e9ce3ac58dfcff9a01284eaf7a362caa68e9ea7fac64</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_|guid|">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>|digest value|</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>|signatureValue|</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>|X509Certificate|</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
EDIT 2
Here are the screens of my identity provider claims setup, my service provider claims setup, and my user profile screen after it's provisioned. In my Identity Provider claims I've tried with no advanced claim setup, and the setup shown in the picture, with no difference in the results.
Identity Provider Claims setup
EDIT 3
So I've gone into the debugger during provisioning, and for some reason I only have two claims, even though the SAML response has almost 20.
Available claims at provisioning time
Upvotes: 0
Views: 1036
Reputation: 799
Have a look at the AttributeStatement of the SAML response.
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="dob" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>1980-01-01</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="gender" AttributeNamespace="http://wso2.org/claims" a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>1</saml:AttributeValue>
</saml:Attribute>
Check the AttributeName values emailaddress, dob, gender. Based on the AttributeName, do the Identity Provider-A claim configuration as below.
After that, do the service provider claim configuration as below.
Upvotes: 0
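The asker's EDIT 3 (only two claims visible at provisioning time although the response carries almost 20) and the answer above (map by AttributeName) both come down to the same question: which claim URIs does the response actually supply, and do they match the claim URIs the identity provider's claim configuration expects? The script below is an added example, not WSO2 code and not from either poster. It parses a constructed copy of the response shape shown in the question (a SAML 1.1 assertion, namespace urn:oasis:names:tc:SAML:1.0:assertion, inside a WS-Trust RequestSecurityTokenResponse), rebuilds each claim URI as AttributeNamespace + "/" + AttributeName (the way ADFS splits a claim type into the two SAML 1.1 attributes), separates the http://wso2.org/claims attributes from the ADFS CLIENT CONTEXT ones, and reports which of a given set of local claims are present or missing. The required-claim list, the sample values and the use of defusedxml for untrusted input are assumptions.

```python
"""Diagnose which claim URIs a federated SAML 1.1 response supplies.

Added example (not WSO2 IS code). The sample response is constructed to match
the shape of the RequestSecurityTokenResponse in the question, trimmed and
with placeholder values.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
WSO2_CLAIM_NS = "http://wso2.org/claims"
ADFS_CTX_NS = "http://schemas.microsoft.com/2012/01/requestcontext/claims"

# Constructed sample: same element structure as the response in the question.
SAMPLE_RESPONSE = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_constructed-id"
        Issuer="https://idp.example.test/adfs/services/trust"
        IssueInstant="2019-02-26T15:30:56.820Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="ISSUERNAME">constructed-persistent-id</saml:NameIdentifier>
        </saml:Subject>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://wso2.org/claims"
            a:OriginalIssuer="ISSUERNAME" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
          <saml:AttributeValue>user@example.test</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="dob" AttributeNamespace="http://wso2.org/claims">
          <saml:AttributeValue>1980-01-01</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="givenname" AttributeNamespace="http://wso2.org/claims">
          <saml:AttributeValue>Craig</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="lastname" AttributeNamespace="http://wso2.org/claims">
          <saml:AttributeValue>Mitten</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="x-ms-client-ip"
            AttributeNamespace="http://schemas.microsoft.com/2012/01/requestcontext/claims"
            a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
          <saml:AttributeValue>203.0.113.10</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="insidecorporatenetwork" AttributeNamespace="http://schemas.microsoft.com/ws/2012/01">
          <saml:AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema"
              xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def parse_attribute_statement(xml_text):
    """Return {claim_uri: [values]} for every saml:Attribute in the assertion.

    The claim URI is rebuilt as AttributeNamespace + "/" + AttributeName, which is
    how ADFS splits a claim type into the SAML 1.1 attribute pair. xml.etree is
    fine for this embedded, trusted string; for an assertion received over the
    wire, verify the signature first and parse with defusedxml (assumption).
    """
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        name = attr.get("AttributeName", "")
        ns = attr.get("AttributeNamespace", "").rstrip("/")
        uri = "%s/%s" % (ns, name) if ns else name
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML1_NS)]
        claims.setdefault(uri, []).extend(values)
    return claims


def local_claims(claims):
    """Keep only attributes already in the WSO2 local claim dialect.

    Anything else (the ADFS CLIENT CONTEXT claims, for instance) has no local
    claim URI to map onto unless the IdP claim configuration adds one.
    """
    return {u: v for u, v in claims.items() if u.startswith(WSO2_CLAIM_NS + "/")}


def check_provisioning_claims(xml_text, required):
    """Split the claims a JIT-provisioning setup needs into present and missing."""
    claims = local_claims(parse_attribute_statement(xml_text))
    present = {u: claims[u] for u in required if u in claims}
    missing = [u for u in required if u not in claims]
    return present, missing


def subject_name_id(xml_text):
    """The persistent NameIdentifier WSO2 used as the provisioned username."""
    node = ET.fromstring(xml_text).find(".//{%s}NameIdentifier" % SAML1_NS)
    return (node.text or "").strip() if node is not None else None


if __name__ == "__main__":
    # Assumed list of local claims the IdP's JIT configuration maps.
    wanted = [WSO2_CLAIM_NS + "/" + c for c in ("givenname", "lastname", "dob", "emailaddress", "mobile")]
    present, missing = check_provisioning_claims(SAMPLE_RESPONSE, wanted)
    print("subject:", subject_name_id(SAMPLE_RESPONSE))
    for uri, values in present.items():
        print("present:", uri, values)
    for uri in missing:
        print("missing:", uri)
```

Run against a real capture, the "missing" list is the set of claim URIs that the identity provider's claim configuration will never be able to fill from this response, and the difference between the full parse and the local_claims() view shows how many of the "almost 20" attributes are client-context claims outside the wso2.org/claims dialect.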