Had an offline discussion with Gayashan and understood why we had to
configure the immutable attributes per user store, since I was a
little confused. The reason is that in order to read those immutable
attributes we still have to configure the mappings to them. However, we
should avoid writing to them. Though there is a property called "read-only",
it is configurable only at a claim level; we can't configure that at a user
store level. We need it to be at a user store level since we can have
multiple types of user stores in a deployment.

Thanks & Regards,
Johann.

On Wed, Mar 25, 2020 at 10:25 AM Gayashan Bombuwala <[email protected]>
wrote:

> Hi Johann,
>
> We used to map [1] SCIM core attributes/claims like lastModifiedTime,
> createdTime and scimId to some random attributes available from Active
> Directory such as homePostalAddress, streetAddress, pager, etc.
> However, Active Directory also has user attributes which are maintained by
> Active Directory itself such as whenChanged, whenCreated, objectGuid.
> Hence, we can make use of these Active Directory maintained attributes
> when mapping SCIM attributes/claims to AD attributes, instead of randomly
> mapping to some available attribute.
> Ex: the whenChanged attribute will be automatically updated by AD
> whenever we change a user attribute.
> See the following example mapping.
>
> CLAIM URI                                      MAPPED ATTRIBUTE
> urn:scim:schemas:core:2.0:id                   objectGuid
> urn:scim:schemas:core:2.0:meta.created         whenCreated
> urn:scim:schemas:core:2.0:meta.lastModified    whenChanged
>
>
> However, *these Active Directory maintained user attributes are also
> immutable.*
> Hence, *we should make sure that we don't update the values of those
> attributes when performing SCIM operations* such as when creating or
> updating a user.
> That's why we have introduced the "immutable attributes" property[2], so
> that we can keep track of which user store attributes should not be updated
> when performing SCIM operations.
>
> [1]
> https://docs.wso2.com/display/IS500/Provisioning+Users+to+Active+Directory+User+Store+Using+SCIM
> [2]
> https://is.docs.wso2.com/en/5.10.0/setup/configuring-a-read-write-active-directory-user-store/
>
> Thanks,
> Gayashan
>
> On Wed, Mar 25, 2020 at 9:57 AM Johann Nallathamby <[email protected]>
> wrote:
>
>> Hi Gayashan,
>>
>> What is the purpose of defining the immutable attributes of Active
>> Directory in the "Immutable Attributes" property? How is this property used?
>>
>> Regards,
>> Johann.
>>
>> On Sat, Feb 1, 2020 at 11:04 PM Gayashan Bombuwala <[email protected]>
>> wrote:
>>
>>> Hi Johann, Darshana,
>>>
>>> This was implemented in the product in [1].
>>> In this implementation, we introduced two hooks for processing user
>>> attributes at the AbstractUserStoreManager level.
>>>
>>> 1. To handle the processing of the user attributes after reading from
>>> the user store [2].
>>> 2. To handle the processing of the user attributes before writing to the
>>> user store [3].
>>>
>>> A unique ID variant [4], [5] of each of the above methods [2], [3] was
>>> introduced as well in order to comply with the new unique ID user store
>>> implementations.
>>>
>>> The behaviour of these hooks can be decided in a specific user store
>>> level.
>>> As per the implementation [1], we have implemented the behaviour of
>>> these hooks in UniqueIDActiveDirectoryUserStoreManager and
>>> ActiveDirectoryUserStoreManager [6], [7].
>>>
>>> We have introduced two new user store properties to support the
>>> implementation.
>>> 1. Immutable Attributes
>>> 2. Timestamp Attributes
>>>
>>> Immutable Attributes property is used to identify the user store
>>> maintained immutable attributes in Active Directory such as objectGuid,
>>> whenChanged, whenCreated.
>>> Timestamp Attributes property is used to identify the attributes in
>>> Active Directory which belong to the "Generalized Time" data type and need
>>> to be converted to the standard date format before being used within WSO2 IS
>>> (e.g. whenChanged, whenCreated).
>>> The usage of these two user store properties is documented in [8].
>>>
>>> [1] https://github.com/wso2/carbon-kernel/pull/2514
>>> [2]
>>> https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7488
>>> [3]
>>> https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7500
>>> [4]
>>> https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7512
>>> [5]
>>> https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7524
>>> [6]
>>> https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/UniqueIDActiveDirectoryUserStoreManager.java#L912
>>> [7]
>>> https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/UniqueIDActiveDirectoryUserStoreManager.java#L935
>>> [8]
>>> https://is.docs.wso2.com/en/latest/setup/configuring-a-read-write-active-directory-user-store/#properties-used-in-read-write-active-directory-userstore-manager
>>>
>>> Best Regards,
>>> Gayashan
>>>
>>> On Sat, Feb 1, 2020 at 9:13 PM Darshana Gunawardana <[email protected]>
>>> wrote:
>>>
>>>> Hi Gayashan,
>>>>
>>>> Is this implemented in the product now? If so can you share details on
>>>> the final approach you took.
>>>>
>>>> Thanks,
>>>>
>>>> On Thu, Jan 2, 2020 at 9:37 AM Johann Nallathamby <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Gayashan,
>>>>>
>>>>> On Tue, Dec 3, 2019 at 6:54 PM Gayashan Bombuwala <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Currently when managing users in Active Directory user store with
>>>>>> SCIM, we have mapped the SCIM core attributes to different attributes
>>>>>> [1, 2] supported by SCIM.
>>>>>>
>>>>>> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute) ->
>>>>>> http://wso2.org/claims/userid (local claim) -> homePostalAddress
>>>>>> (Active Directory attribute)
>>>>>>
>>>>>> However, there are a set of attributes maintained by Active Directory
>>>>>> which we can use to map some of core SCIM attributes. We have considered
>>>>>> the following attributes for the moment.
>>>>>>
>>>>>>    1. objectGuid (AD maintained attribute) ->
>>>>>>    urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
>>>>>>    2. whenCreated (AD maintained attribute) ->
>>>>>>    urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
>>>>>>    3. whenModified (AD maintained attribute) ->
>>>>>>    urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM
>>>>>>    attribute)
>>>>>>
>>>>>> We need to handle the mapping of these attributes in two scenarios.
>>>>>>
>>>>>>    1. When reading values from the user store.
>>>>>>    2. When writing values to the user store.
>>>>>>
>>>>>>
>>>>>> When reading from the user store we can introduce a hook to handle
>>>>>> the mapping of these special attributes. We can implement the hook in
>>>>>> AbstractUserStoreManager since local claim to user store property mapping
>>>>>> is done at that [4] level. When the attributes are mapped we may need to
>>>>>> do a conversion between data types for some attributes (e.g. the objectGuid
>>>>>> property is stored in AD as an octetString [3]). This hook will be a
>>>>>> method with the following signature.
>>>>>>
>>>>>> protected void processRetrievedSpecialClaims(Map<String, String> specialClaims)
>>>>>>
>>>>>
>>>>> Why do we need to have "special" in the method name? Shouldn't all
>>>>> attribute processing go through this method? Why limit this to certain
>>>>> claims? We don't need to decide beforehand what claims have to go through
>>>>> this method. If someone wants to handle certain claim in special way later
>>>>> on they can extend this particular method.
>>>>>
>>>>> Regards,
>>>>> Johann.
>>>>>
>>>>>
>>>>>>
>>>>>> However, when writing values to the user store, we need to handle the
>>>>>> special claims in the user store level [5]. We can do data type
>>>>>> conversion for special claim values here as well if required.
>>>>>> We will introduce an abstract hook at the AbstractUserStoreManager
>>>>>> level but will provide separate implementations at the user store level.
>>>>>> This hook will be a method with the following signature.
>>>>>>
>>>>>> protected void processSpecialClaimsForUpdating(Map<String, String> specialClaims)
>>>>>>
>>>>>> Note that the above mentioned new behaviour will only be executed if
>>>>>> a specific user store property is enabled.
>>>>>> Please let us know if you have any concerns regarding this approach.
>>>>>>
>>>>>> Best Regards,
>>>>>> Gayashan
>>>>>>
>>>>>> [1]
>>>>>> https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
>>>>>> [2] http://www.kouti.com/tables/userattributes.htm
>>>>>> [3]
>>>>>> https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
>>>>>> [4]
>>>>>> https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
>>>>>> [5]
>>>>>> https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>>>>>>
>>>>>> --
>>>>>> *Gayashan Bombuwala*
>>>>>> Software Engineer | WSO2
>>>>>>
>>>>>> Email: [email protected]
>>>>>> Phone: +94770548334
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions
>>>>> Architect | WSO2 Inc.
>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>>
>>>> *Darshana Gunawardana*
>>>> Technical Lead
>>>> WSO2 Inc.; http://wso2.com
>>>>
>>>> *E-mail: [email protected] <[email protected]>*
>>>> *Mobile: +94718566859*
>>>> Lean . Enterprise . Middleware
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>


_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
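The two hooks this thread settles on, read-side normalisation of the AD-maintained objectGuid octet string and Generalized Time values, and write-side withholding of the per-user-store immutable attributes, as an added example that is not from the thread or from carbon-kernel. Python stands in for the Java hooks to show the logic only; the attribute sets and sample values are constructed.

```python
import re
import uuid
from datetime import datetime, timezone

# Stand-ins for the "Immutable Attributes" and "Timestamp Attributes" user
# store properties from the thread; the values are constructed for this example.
IMMUTABLE_ATTRIBUTES = {"objectGuid", "whenCreated", "whenChanged"}
TIMESTAMP_ATTRIBUTES = {"whenCreated", "whenChanged"}

# AD "Generalized Time" as returned over LDAP, e.g. 20200325102500.0Z
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.\d+)?Z$")


def generalized_time_to_iso8601(value):
    """Convert a UTC Generalized Time string to the ISO 8601 form SCIM expects."""
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError("not a UTC Generalized Time value: %r" % value)
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def object_guid_to_string(raw):
    """Render the 16-byte objectGUID octet string as canonical GUID text."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    # The first three GUID fields are stored little-endian; a plain hex dump
    # of the octets would produce a different (wrong) identifier.
    return str(uuid.UUID(bytes_le=bytes(raw)))


def process_retrieved_attributes(attrs):
    """Read-side hook: normalise AD-maintained values before claim mapping."""
    out = dict(attrs)
    if isinstance(out.get("objectGuid"), (bytes, bytearray)):
        out["objectGuid"] = object_guid_to_string(out["objectGuid"])
    for name in TIMESTAMP_ATTRIBUTES:
        if name in out:
            out[name] = generalized_time_to_iso8601(out[name])
    return out


def process_attributes_for_update(attrs):
    """Write-side hook: withhold immutable attributes from the LDAP add/modify."""
    # Return the dropped names too, so the caller can log what a SCIM
    # request attempted to overwrite.
    dropped = sorted(name for name in attrs if name in IMMUTABLE_ATTRIBUTES)
    kept = {k: v for k, v in attrs.items() if k not in IMMUTABLE_ATTRIBUTES}
    return kept, dropped
```

The GUID conversion matters because a naive hex dump of the octet string yields a different identifier than the one AD tools display, which would break SCIM id lookups.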
