Hi Gayashan,

On Tue, Dec 3, 2019 at 6:54 PM Gayashan Bombuwala <[email protected]>
wrote:

> Hi all,
>
> Currently when managing users in Active Directory user store with SCIM, we
> have mapped the SCIM core attributes to different attributes[1, 2]
> supported by SCIM.
>
> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)->
> http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active
> Directory attribute)
>
> However, there are a set of attributes maintained by Active Directory
> which we can use to map some of core SCIM attributes. We have considered
> the following attributes for the moment.
>
>    1. objectGuid (AD maintained attribute) ->
>    urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
>    2. whenCreated (AD maintained attribute) ->
>    urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
>    3. whenModified (AD maintained attribute) ->
>    urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)
>
> We need to handle the mapping of these attributes in two scenarios.
>
>    1. When reading values from the user store.
>    2. When writing values to the user store.
>
>
> When reading from the user store we can introduce a hook to handle the
> mapping of these special attributes. We can implement the hook in
> AbstractUserStoreManager since local claim to user store property mapping
> is done in that[3] level. When the attributes are mapped we may need to do
> a conversion between data types for some attributes (e.g. objectGuid
> property is stored in AD as an octetSting [3]). This hook will be a method
> with the following signature.
>
> protected void processRetrievedSpecialClaims (Map<String, String>
> specialClaims)
>

Why do we need to have "special" in the method name? Shouldn't all
attribute processing go through this method? Why limit this to certain
claims? We don't need to decide beforehand what claims have to go through
this method. If someone wants to handle a certain claim in a special way later
on they can extend this particular method.

Regards,
Johann.


>
> However, when writing values to the user store, we need to handle the
> special claims in the user store level [5]. We can do data type conversion
> for special claim values here as well if required.
> We will introduce an abstract hook in the AbstractUserStoreManager level
> but will provide separate implementations in the user store level. This
> hook will be a method with the following signature.
>
> protected void processSpecialClaimsForUpdating (Map<String, String>
> specialClaims)
>
> Note that the above mentioned new behaviour will only be executed if a
> specific user store property is enabled.
> Please let us know if you have any concerns regarding this approach.
>
> Best Regards,
> Gayashan
>
> [1]
> https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
> [2] http://www.kouti.com/tables/userattributes.htm
> [3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
> [4]
> https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
> [5]
> https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>
> --
> *Gayashan Bombuwala*
> Software Engineer | WSO2
>
> Email: [email protected]
> Phone: +94770548334
>
>


-- 
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
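The data-type conversion the proposal mentions is the part that tends to go wrong in practice, so here is an added illustration of what a read-side hook for the three AD-maintained attributes would have to do, followed by the write-side rule. This is example code written for this thread, not WSO2 carbon-kernel code, and the class, method and constant names (AdMaintainedAttributeConverter, processRetrieved, dropSystemMaintained, SCIM_ID and friends) are hypothetical. Two facts it relies on: AD's objectGUID is a 16-byte octet string in Windows GUID layout, and JNDI only hands it back as a byte[] when the attribute is listed in the java.naming.ldap.attributes.binary environment property (otherwise the bytes are UTF-8-decoded and the identifier is silently corrupted). AD exposes the modification timestamp as whenChanged; the sample values are constructed.

```java
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not WSO2 carbon-kernel code: the conversions a read-side
// hook for AD-maintained attributes needs, plus the write-side rule that these
// attributes are never sent back to AD.
public class AdMaintainedAttributeConverter {

    // Hypothetical SCIM-side keys used only in this example.
    static final String SCIM_ID = "urn:ietf:params:scim:schemas:core:2.0:id";
    static final String SCIM_CREATED = "urn:ietf:params:scim:schemas:core:2.0:created";
    static final String SCIM_LAST_MODIFIED = "urn:ietf:params:scim:schemas:core:2.0:lastModified";

    // objectGUID is a 16-byte octet string in Windows GUID layout: Data1 (4 bytes),
    // Data2 (2) and Data3 (2) are little-endian, Data4 (8) is in order. Without this
    // reordering the text form will not match what AD tooling displays.
    // JNDI only returns byte[] when objectGUID is listed in
    // java.naming.ldap.attributes.binary; otherwise the value arrives corrupted.
    static String objectGuidToString(byte[] guid) {
        if (guid == null || guid.length != 16) {
            throw new IllegalArgumentException("objectGUID must be exactly 16 bytes");
        }
        int[] order = {3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15};
        StringBuilder sb = new StringBuilder(36);
        for (int i = 0; i < order.length; i++) {
            if (i == 4 || i == 6 || i == 8 || i == 10) {
                sb.append('-');
            }
            sb.append(String.format("%02x", guid[order[i]] & 0xff));
        }
        return sb.toString();
    }

    // whenCreated / whenChanged are LDAP GeneralizedTime values such as
    // "20191203125400.0Z"; SCIM meta timestamps are xsd:dateTime in UTC.
    static String generalizedTimeToScim(String value) {
        String v = value.trim();
        if (!v.endsWith("Z")) {
            throw new IllegalArgumentException("expected a UTC generalized time: " + value);
        }
        String digits = v.substring(0, v.length() - 1);
        int dot = digits.indexOf('.');
        if (dot >= 0) {
            digits = digits.substring(0, dot); // AD emits ".0"; SCIM wants whole seconds
        }
        LocalDateTime ldt = LocalDateTime.parse(digits, DateTimeFormatter.ofPattern("yyyyMMddHHmmss"));
        return DateTimeFormatter.ISO_INSTANT.format(ldt.toInstant(ZoneOffset.UTC));
    }

    // Read side: translate raw AD values into SCIM-ready strings. Values of an
    // unexpected Java type are skipped rather than guessed at.
    static Map<String, String> processRetrieved(Map<String, Object> adAttributes) {
        Map<String, String> scim = new LinkedHashMap<>();
        Object guid = adAttributes.get("objectGUID");
        if (guid instanceof byte[]) {
            scim.put(SCIM_ID, objectGuidToString((byte[]) guid));
        }
        Object created = adAttributes.get("whenCreated");
        if (created instanceof String) {
            scim.put(SCIM_CREATED, generalizedTimeToScim((String) created));
        }
        Object changed = adAttributes.get("whenChanged");
        if (changed instanceof String) {
            scim.put(SCIM_LAST_MODIFIED, generalizedTimeToScim((String) changed));
        }
        return scim;
    }

    // Write side: these three are system-maintained, and AD rejects attempts to
    // modify them, so an update must not carry them to the directory at all.
    static Map<String, String> dropSystemMaintained(Map<String, String> claims) {
        Map<String, String> out = new LinkedHashMap<>(claims);
        out.remove(SCIM_ID);
        out.remove(SCIM_CREATED);
        out.remove(SCIM_LAST_MODIFIED);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real directory.
        byte[] rawGuid = {
            (byte) 0x78, (byte) 0x56, (byte) 0x34, (byte) 0x12,
            (byte) 0xbc, (byte) 0x9a, (byte) 0xf0, (byte) 0xde,
            (byte) 0x01, (byte) 0x23, (byte) 0x45, (byte) 0x67,
            (byte) 0x89, (byte) 0xab, (byte) 0xcd, (byte) 0xef };
        Map<String, Object> ad = new LinkedHashMap<>();
        ad.put("objectGUID", rawGuid);
        ad.put("whenCreated", "20191203125400.0Z");
        ad.put("whenChanged", "20191204083015.0Z");
        Map<String, String> scim = processRetrieved(ad);
        scim.forEach((k, v) -> System.out.println(k + " = " + v));
        System.out.println("after dropSystemMaintained: " + dropSystemMaintained(scim));
    }
}
```

The byte reordering is the detail worth a second look: the first three GUID fields are stored little-endian, so a naive hex dump of the octet string yields an identifier that looks valid but does not match the GUID AD reports elsewhere, which breaks any correlation between SCIM ids and directory audit records. Dropping the three attributes on the write path is also a cheap correctness check: if an update ever reaches AD with objectGUID or whenCreated in it, the mapping configuration is wrong.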