Hi all,

This new feature, provided with IS 5.3.0, allows defining mandatory
attributes for an application at Service Provider configuration
time. When a user tries to access the application, IS will check during
authentication whether the user has the mandatory attributes requested by the
application. If any mandatory attribute is missing, IS will prompt a page
where the user can provide the mandatory claims for that application.

The current implementation checks for the missing mandatory claims in the
authentication framework as a post authentication task.
*DefaultStepBasedSequenceHandler* handles the authentication from the steps
configured for the application. Once all the steps are successfully
completed, the *handlePostAuthentication()* method is fired. This method gets
the user attributes from the attribute step and adds them to the *AuthenticatedUser*
object, which will be used to send user details to the application. Handling
of missing mandatory attributes is implemented as a post authentication
extension. The post authentication extension is called at the end of
*handlePostAuthentication()*.

After post authentication is done, the following additional steps are
implemented for the feature.

1. The post authentication extension compares the mandatory attributes defined in
the Service Provider configuration with the user attributes found in the
AuthenticatedUser object. (If no attributes are missing, it proceeds to the
Authentication Complete state.)

(If one or more attributes are missing:)
2. Authentication and the sequence are set to the "Incomplete" state. A property is
set in the Authentication Context to identify that the post authentication
extension triggered an action.

3. The user is redirected to a page which requests the missing attributes.

4. Once the user submits values on the page, a POST request is made to the
authentication framework (commonauth servlet) with the attribute values and
the context identifier (sent from the framework).

5. The authentication framework identifies the authenticated context from the
context identifier. The framework will skip the authentication steps since it is
already authenticated, set the sequence state to "completed", and then
call *handlePostAuthentication()*.

6. In *handlePostAuthentication()*, it checks the property set in step 2,
identifies this as the response to the post authentication extension task,
and therefore calls the post authentication extension.

7. The response handler in the post authentication extension reads the attributes
from the request, sets them as user attributes in the AuthenticatedUser object, and
completes the authentication. So the application will receive all the mandatory
attributes it requires.

This is the current implementation of this feature.

Thank you,
Nuwandi

-- 

Best Regards,

Nuwandi Wickramasinghe

Software Engineer

WSO2 Inc.

Web : http://wso2.com

Mobile : 0719214873
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
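The seven-step flow above, as an added runnable model (not WSO2 IS code, and not the mail author's): the class names, the `missingMandatoryClaims` context property, the in-memory context store and the sample user data are all constructed for illustration. It shows the post authentication check (steps 1 and 2), the incomplete state keyed by a context identifier (steps 3 to 5) and the resume path that reads the submitted claims and completes the sequence (steps 6 and 7).

```python
# Added model of the missing-mandatory-claims post-authentication flow.
# All names here are hypothetical; they are not WSO2 IS APIs.
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed Service Provider configuration: claims the application requires.
SP_MANDATORY_CLAIMS = ["email", "country", "mobile"]

# Hypothetical name of the Authentication Context property set in step 2.
MISSING_CLAIMS_PROPERTY = "missingMandatoryClaims"


@dataclass
class AuthenticatedUser:
    username: str
    attributes: dict


@dataclass
class AuthenticationContext:
    context_id: str
    user: Optional[AuthenticatedUser] = None
    sequence_complete: bool = False
    properties: dict = field(default_factory=dict)


# Stands in for the framework's context cache, keyed by context identifier.
CONTEXT_STORE: dict = {}


def missing_mandatory_claims(mandatory, attributes):
    """Step 1: mandatory claims the user lacks (absent or empty)."""
    return [c for c in mandatory if not attributes.get(c)]


def start_authentication(user):
    """All authentication steps are assumed to have succeeded for `user`."""
    ctx = AuthenticationContext(context_id=secrets.token_urlsafe(16), user=user)
    CONTEXT_STORE[ctx.context_id] = ctx
    return handle_post_authentication(ctx)


def handle_post_authentication(ctx):
    """Post authentication extension: steps 1 to 3."""
    missing = missing_mandatory_claims(SP_MANDATORY_CLAIMS, ctx.user.attributes)
    if not missing:
        ctx.sequence_complete = True
        return {"status": "complete", "claims": dict(ctx.user.attributes)}
    # Step 2: sequence stays incomplete; record that the extension acted.
    ctx.sequence_complete = False
    ctx.properties[MISSING_CLAIMS_PROPERTY] = missing
    # Step 3: caller redirects the user to the page requesting these claims.
    return {"status": "incomplete", "context_id": ctx.context_id, "missing": missing}


def handle_claim_submission(context_id, form):
    """Steps 4 to 7: POST to commonauth with context identifier and values."""
    ctx = CONTEXT_STORE.get(context_id)
    if ctx is None or ctx.user is None:
        return {"status": "error", "reason": "unknown or unauthenticated context"}
    missing = ctx.properties.get(MISSING_CLAIMS_PROPERTY)
    if not missing:
        return {"status": "error", "reason": "no pending claim request for context"}
    # Only the claims reported missing are taken from the form; any other
    # field is ignored so attributes from the attribute step are not replaced.
    supplied = {c: form[c].strip() for c in missing if form.get(c, "").strip()}
    still_missing = [c for c in missing if c not in supplied]
    if still_missing:
        # Re-prompt with what is still outstanding; context remains valid.
        return {"status": "incomplete", "context_id": context_id, "missing": still_missing}
    # Step 7: set the values on the AuthenticatedUser and complete the sequence.
    ctx.user.attributes.update(supplied)
    del ctx.properties[MISSING_CLAIMS_PROPERTY]
    ctx.sequence_complete = True
    CONTEXT_STORE.pop(context_id, None)  # the context identifier is single-use
    return {"status": "complete", "claims": dict(ctx.user.attributes)}
```

Two design choices in this model go beyond what the mail states and are assumptions of the example: the resume handler accepts only the claims it previously reported missing, so a form submission cannot overwrite attributes already obtained from the attribute step, and the context identifier is consumed once the sequence completes.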
