SETTING UP A SEPARATE USER ATTRIBUTE STORE — WSO2 IDENTITY SERVER

An attribute store is a user store that holds only the user's attributes (e.g. email, mobile, address). This kind of setup applies when the users' credentials are kept in one user store (the credential store) and the users' attribute details are kept in a separate attribute store, so authentication and claim handling are no longer mapped to a single user store.

Let's take a scenario like below.

For demonstration purposes, I'll use two secondary LDAP user stores.

  • LDAP: acts as the credential store, where the users' credentials are stored.
  • LDAP-ATTRIBUTE-STORE: acts as the attribute store, where the user attributes are stored.

I'll use two identity servers running on two different ports. You can set this up by downloading the identity server zip archive from here. After clicking the "TRY IT NOW" button, click the ZIP ARCHIVE option. Then extract that zip as three instances (three extractions).

If you already have a WSO2IS instance, you only need another two extractions. Then run the two other instances on different ports using the command below.

Now we need to add these two embedded LDAP servers as secondary user stores. Log in to the management console of the server running on port 9443 and add the configurations.

I will name the LDAP server running on port 10390 LDAP and the server running on port 10391 LDAP-ATTRIBUTE-STORE. The suffix of the attribute store's name can then be used at the code level to tell whether a given user store is an attribute store.

Since we use a separate user store for attributes, we need to implement the functionality that retrieves user claims from, and sets them in, our attribute store.

We can do this by extending AbstractIdentityUserOperationEventListener. If you have not already read about extending user operation event listeners, check out my previous article.

Now let's discuss which functionalities we need to extend.

  1. Setting up the user claims
  2. Retrieving the user claims

The implemented sample scenario can be found below.

In this codebase, I have already implemented some extended functionalities, such as:

  • Skipping user authentication against the attribute user stores.
  • Adding the user to the attribute user store when a new user is created in the credential user store.
  • Deleting the user from the attribute user store when a user is deleted from the credential user store.
  • Removing the names of users from the attribute user stores when listing the users across all user stores.
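The two functionalities listed above (setting and retrieving claims), as an added example that is not the author's codebase: a listener that redirects claim writes and reads for a credential store to the store whose name is the credential store's domain plus the -ATTRIBUTE-STORE suffix. The class name, the execution order value and the decision to clear the claim map after forwarding are assumptions; the WSO2 listener and user-store APIs used are the ones the article refers to.

```java
import java.util.Map;
import org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/** Routes claim writes/reads for a credential store to its "-ATTRIBUTE-STORE" partner. */
public class AttributeStoreClaimListener extends AbstractIdentityUserOperationEventListener {
    private static final String ATTRIBUTE_STORE_SUFFIX = "-ATTRIBUTE-STORE";

    @Override
    public int getExecutionOrderId() {
        return 9001; // assumed value; pick one that does not collide with other listeners
    }

    /** Attribute store paired with the given credential store, or null if there is none. */
    private UserStoreManager attributeStoreFor(UserStoreManager credentialStore) {
        String domain = credentialStore.getRealmConfiguration()
                .getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        if (domain == null || domain.endsWith(ATTRIBUTE_STORE_SUFFIX)) {
            return null; // PRIMARY store, or already an attribute store: nothing to redirect
        }
        return credentialStore.getSecondaryUserStoreManager(domain + ATTRIBUTE_STORE_SUFFIX);
    }

    @Override
    public boolean doPreSetUserClaimValues(String userName, Map<String, String> claims,
            String profileName, UserStoreManager userStoreManager) throws UserStoreException {
        if (!isEnable()) return true;
        UserStoreManager attributeStore = attributeStoreFor(userStoreManager);
        if (attributeStore != null) {
            attributeStore.setUserClaimValues(UserCoreUtil.removeDomainFromName(userName), claims, profileName);
            claims.clear(); // claims now live in the attribute store; write nothing to the credential store
        }
        return true;
    }

    @Override
    public boolean doPostGetUserClaimValues(String userName, String[] claims, String profileName,
            Map<String, String> claimMap, UserStoreManager userStoreManager) throws UserStoreException {
        if (!isEnable()) return true;
        UserStoreManager attributeStore = attributeStoreFor(userStoreManager);
        if (attributeStore != null) {
            claimMap.putAll(attributeStore.getUserClaimValues(
                    UserCoreUtil.removeDomainFromName(userName), claims, profileName));
        }
        return true;
    }
}
```

The listener must still be registered as an OSGi service and enabled in the identity configuration, as described in the previous article on event listeners.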

Make sure to build the extension and put the jar file in <IS_HOME>/repository/components/dropins directory. Then restart the server running on the 9443 port.

I hope you got an idea of how to configure an attribute store in the WSO2 Identity Server. Thank you for reading.

Associate Software Engineer @ WSO2 | https://dimuthukasunwp.github.io/Articles/