Hi Malithi, Please find the comments in line.
> I was using $subject to associate federated identity over Google and
> Facebook to the local user while configuring SMSOTP and TOTP as the second
> factor authentication mechanism.
>
> As I noted, for this to work I had to configure the federated claim, as
> the userAttribute in the authenticator configuration, from which the
> respective local user will be mapped.
> Ex:
> Added below in Google and Facebook case
> <Parameter name="userAttribute">email</Parameter>
>
> 1. The first question is what will happen when multi-option authentication
> is configured as the first step?
> I tried with Google and Facebook configured as multi-option in the first
> step while having 'email' configured as the 'userAttribute'. That worked
> because in both, there is a federated claim as 'email'. But, what if some
> other authenticator is configured which will not have an 'email' claim and
> the mail address of the user is received over a different claim format?
> As I see, the local claim (wso2 claim) should be configured in the
> authenticator configuration and during the authentication flow, the local claim
> configured in the authenticator config should be picked, and the claim
> value should be resolved after transforming the federated claims received to
> the local dialect (wso2 dialect).

When multi-option is configured as the first step (Google and Facebook), and say, if the claims (email) are in a different format in both authenticators, then you can have a separate config with the authenticator name in the authentication.xml file as follows.

    <AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
        <Parameter name="totp-userAttribute">mailaddress</Parameter>
        <Parameter name="SMSOTP-userAttribute">mailaddress</Parameter>
    </AuthenticatorConfig>

You can have a similar config as above for the Google authenticator as well.

> 2. Noted, that in each authenticator an additional parameter needs to be
> configured to denote 'userAttribute' mapping. Is this how (1) above is
> achieved?
> However, the respective configurations in SMSOTP and TOTP with this regard
> are not consistent. Moreover, I feel transforming back to the local dialect
> and using that to retrieve the attribute to be mapped is the way to do it.
> With that this becomes a redundant config.

For the userAttribute use case, you can use the parameter name for TOTP and SMSOTP as I mentioned in the above config, with the prefix of the authenticator name which is configured as the second step. This makes the configurations more consistent. All these things are documented in [1].

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator#ConfiguringTOTPAuthenticator-ConfiguringtheserviceproviderConfiguringtheserviceprovider

> 3. For the mapping to happen the claim value resolved should always be the
> local username. Why can't the mapping happen over another unique claim like
> email?
> As I see, we can easily configure this for an LDAP, by configuring the
> 'UserNameSearchFilter' to search users over several attributes.
>
> Thanks,
> Malithi
> --
>
> Malithi Edirisinghe
> Associate Technical Lead
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> [email protected]
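As an added illustration (not WSO2 Identity Server code and not part of this thread), the following Python model shows how the per-authenticator, second-step-prefixed parameters discussed above resolve the claim used for mapping, and what a resolver should do when no parameter matches. The sample authentication.xml fragment is constructed for the example: the FacebookAuthenticator block mirrors the reply, while the <AuthenticatorConfigs> root, the GoogleOIDCAuthenticator name and the SomeOtherAuthenticator entry are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment. The <AuthenticatorConfigs> root element, the
# GoogleOIDCAuthenticator name and SomeOtherAuthenticator (a placeholder for a
# first-step authenticator that still uses the un-prefixed userAttribute)
# are assumptions; the FacebookAuthenticator block is the one from the thread.
AUTHENTICATION_XML = """
<AuthenticatorConfigs>
    <AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
        <Parameter name="totp-userAttribute">mailaddress</Parameter>
        <Parameter name="SMSOTP-userAttribute">mailaddress</Parameter>
    </AuthenticatorConfig>
    <AuthenticatorConfig name="GoogleOIDCAuthenticator" enabled="true">
        <Parameter name="totp-userAttribute">email</Parameter>
        <Parameter name="SMSOTP-userAttribute">email</Parameter>
    </AuthenticatorConfig>
    <AuthenticatorConfig name="SomeOtherAuthenticator" enabled="true">
        <Parameter name="userAttribute">mail</Parameter>
    </AuthenticatorConfig>
    <AuthenticatorConfig name="DisabledAuthenticator" enabled="false">
        <Parameter name="totp-userAttribute">email</Parameter>
    </AuthenticatorConfig>
</AuthenticatorConfigs>
"""


def load_authenticator_params(xml_text):
    """Return {authenticator name: {parameter name: value}} for enabled entries only."""
    root = ET.fromstring(xml_text)
    params = {}
    for cfg in root.findall("AuthenticatorConfig"):
        if cfg.get("enabled", "false").lower() != "true":
            continue  # a disabled authenticator must not contribute mapping rules
        params[cfg.get("name")] = {
            p.get("name"): (p.text or "").strip() for p in cfg.findall("Parameter")
        }
    return params


def resolve_user_attribute(params, first_step_authenticator, second_step_prefix):
    """Pick the federated claim key the second-step authenticator maps the user by.

    Looks up '<second-step prefix>-userAttribute' (e.g. 'totp-userAttribute') in the
    first-step authenticator's config, then falls back to the un-prefixed
    'userAttribute'. Returns None when neither is configured so the caller fails
    closed instead of guessing a claim.
    """
    cfg = params.get(first_step_authenticator, {})
    return cfg.get(f"{second_step_prefix}-userAttribute") or cfg.get("userAttribute")


def map_federated_user(params, first_step_authenticator, second_step_prefix, federated_claims):
    """Return the claim value to look the local user up by, or None if unmappable."""
    key = resolve_user_attribute(params, first_step_authenticator, second_step_prefix)
    if key is None:
        return None
    value = federated_claims.get(key)
    # An empty or absent claim must not silently map to some default user.
    return value if value else None


if __name__ == "__main__":
    cfg = load_authenticator_params(AUTHENTICATION_XML)
    # Constructed federated claim sets, one per first-step authenticator.
    print(map_federated_user(cfg, "FacebookAuthenticator", "SMSOTP", {"mailaddress": "alice@example.com"}))
    print(map_federated_user(cfg, "GoogleOIDCAuthenticator", "totp", {"email": "alice@example.com"}))
    print(map_federated_user(cfg, "GoogleOIDCAuthenticator", "totp", {"mailaddress": "alice@example.com"}))
```

The resolver keys on the pair (first-step authenticator, second-step prefix), which is exactly why the prefixed parameter name lets Facebook and Google map through different claim names without the second-step authenticator needing to know which first-step option the user took; the prefix casing ("totp", "SMSOTP") follows the snippet in the reply.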
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
