Hi all,

Currently, when managing users in an Active Directory user store with SCIM, we
have mapped the SCIM core attributes to different attributes [1, 2]
supported by SCIM.

e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)->
http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active
Directory attribute)

However, there is a set of attributes maintained by Active Directory which
we can use to map some of the core SCIM attributes. We have considered the
following attributes for the moment.

   1. objectGuid (AD maintained attribute) ->
   urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
   2. whenCreated (AD maintained attribute) ->
   urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
   3. whenModified (AD maintained attribute) ->
   urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)

We need to handle the mapping of these attributes in two scenarios.

   1. When reading values from the user store.
   2. When writing values to the user store.

When reading from the user store we can introduce a hook to handle the
mapping of these special attributes. We can implement the hook in
AbstractUserStoreManager since local claim to user store property mapping
is done at that level [3]. When the attributes are mapped we may need to do
a conversion between data types for some attributes (e.g. the objectGuid
property is stored in AD as an octetString [3]). This hook will be a method
with the following signature.

protected void processRetrievedSpecialClaims (Map<String, String>
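The data-type conversion this read hook needs, as an added example that is not taken from the WSO2 code base: the class name, the method shapes and the two maps are assumptions, and the sample values are constructed. It converts the raw 16-byte objectGUID into its canonical string form (the first three groups are little-endian in the stored octets) and the GeneralizedTime values of whenCreated and whenModified into the ISO 8601 dateTime form that SCIM meta attributes use.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example (not WSO2 code): the conversions a retrieval hook for the
// AD-maintained attributes would perform. Class and method names are assumed.
public class SpecialClaimConversionExample {

    static final String SCIM_ID = "urn:ietf:params:scim:schemas:core:2.0:id";
    static final String SCIM_CREATED = "urn:ietf:params:scim:schemas:core:2.0:created";
    static final String SCIM_LAST_MODIFIED = "urn:ietf:params:scim:schemas:core:2.0:lastModified";

    // AD returns objectGUID as 16 raw bytes (octet string). Its canonical text
    // form is mixed-endian: the first three groups (4, 2 and 2 bytes) are
    // little-endian, the remaining 8 bytes are taken in order.
    static String objectGuidToString(byte[] raw) {
        if (raw == null || raw.length != 16) {
            throw new IllegalArgumentException("objectGUID must be exactly 16 bytes");
        }
        ByteBuffer le = ByteBuffer.wrap(raw, 0, 8).order(ByteOrder.LITTLE_ENDIAN);
        long timeLow = le.getInt() & 0xFFFFFFFFL;
        long timeMid = le.getShort() & 0xFFFFL;
        long timeHi = le.getShort() & 0xFFFFL;
        long mostSig = (timeLow << 32) | (timeMid << 16) | timeHi;
        long leastSig = ByteBuffer.wrap(raw, 8, 8).order(ByteOrder.BIG_ENDIAN).getLong();
        return new UUID(mostSig, leastSig).toString();
    }

    // whenCreated / whenModified come back as LDAP GeneralizedTime in UTC,
    // e.g. "20200315101530.0Z"; SCIM meta timestamps are ISO 8601 dateTime.
    static String generalizedTimeToScimDateTime(String value) {
        if (value == null || value.length() < 15 || !value.endsWith("Z")) {
            throw new IllegalArgumentException("unexpected GeneralizedTime: " + value);
        }
        LocalDateTime utc = LocalDateTime.parse(value.substring(0, 14),
                DateTimeFormatter.ofPattern("yyyyMMddHHmmss"));
        return utc.atOffset(ZoneOffset.UTC).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME);
    }

    // Stand-in for the proposed hook: takes the raw AD attribute values and
    // adds the converted SCIM-ready values to the claim map. Attributes that
    // are absent are skipped, so a user without them is still returned.
    static Map<String, String> processRetrievedSpecialClaims(Map<String, Object> adAttributes,
                                                             Map<String, String> claims) {
        Object guid = adAttributes.get("objectGuid");
        if (guid instanceof byte[]) {
            claims.put(SCIM_ID, objectGuidToString((byte[]) guid));
        }
        Object created = adAttributes.get("whenCreated");
        if (created instanceof String) {
            claims.put(SCIM_CREATED, generalizedTimeToScimDateTime((String) created));
        }
        Object modified = adAttributes.get("whenModified");
        if (modified instanceof String) {
            claims.put(SCIM_LAST_MODIFIED, generalizedTimeToScimDateTime((String) modified));
        }
        return claims;
    }

    public static void main(String[] args) {
        // Constructed sample values in the shape an LDAP client hands back.
        byte[] rawGuid = {
            0x78, 0x56, 0x34, 0x12, (byte) 0xbc, (byte) 0x9a, (byte) 0xf0, (byte) 0xde,
            0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88
        };
        Map<String, Object> ad = new HashMap<>();
        ad.put("objectGuid", rawGuid);
        ad.put("whenCreated", "20200315101530.0Z");
        ad.put("whenModified", "20210102030405.0Z");

        Map<String, String> claims = processRetrievedSpecialClaims(ad, new HashMap<>());
        System.out.println(SCIM_ID + " = " + claims.get(SCIM_ID));
        System.out.println(SCIM_CREATED + " = " + claims.get(SCIM_CREATED));
        System.out.println(SCIM_LAST_MODIFIED + " = " + claims.get(SCIM_LAST_MODIFIED));
    }
}
```

The length and byte-order checks matter because a GUID that is rendered with the wrong endianness is still a syntactically valid UUID, so a SCIM client would accept it and then fail to look the user up by that id; validating the octet length and keeping the conversion in one place makes that mistake visible at the hook rather than at the client.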

However, when writing values to the user store, we need to handle the
special claims in the user store level [5]. We can do data type conversion
for special claim values here as well if required.
We will introduce an abstract hook in the AbstractUserStoreManager level
but will provide separate implementations in the user store level. This
hook will be a method with the following signature.

protected void processSpecialClaimsForUpdating (Map<String, String>

Note that the above-mentioned new behaviour will only be executed if a
specific user store property is enabled.
Please let us know if you have any concerns regarding this approach.

Best Regards,

[2] http://www.kouti.com/tables/userattributes.htm
[3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet

*Gayashan Bombuwala*
Software Engineer | WSO2

Email: gayash...@wso2.com
Phone: +94770548334
