Sunday, October 20, 2013

Tricky way to modify the userName SCIM claim in WSO2 Identity Server ( IS )

SCIM is an open standard for Identity Provisioning. In simple words SCIM is designed to create, maintain (read,update) and deactivate (delete) user accounts and related identities which reside in one or more systems/applications.

In this blog post, I'm going to explain a tricky way to modify the userName claim. Why I said a tricky way is because you will not be able to simply update it via a curl command as userName claim in carbon user stores is immutable. If you have ever tried updating the userName claim, you might have ended up with an error like this.

{"Errors":[{"description":"User name is immutable in carbon user store.","code":"500"}]}

In order to test this, start a WSO2 IS (tested with IS 4.5.0) connected to Active Directory as back-end data store. (You can do it by modifying the user-mgt.xml to connect to a AD instance.)

And then go to Configure --> Claim Management and select urn:scim:schemas:core:1.0

Now we have to map the SCIM claims to the existing attributes of the Active Directory. Because when we add a user via SCIM, apart from the userName SCIM claim there are four other SCIM attributes that is being added behind the scene.
( Make sure that you map String type attributes from the AD with the SCIM claims. You can find the AD attributes here. )

CLAIM URIAD Attribute
urn:scim:schemas:core:1.0:userName mail
urn:scim:schemas:core:1.0:meta.location streetAddress
urn:scim:schemas:core:1.0:meta.created homePhone
urn:scim:schemas:core:1.0:meta.lastModified pager
urn:scim:schemas:core:1.0:id homePostalAddress

Apart from the above mapping add the following mappings as well. (This is for better explanation of this post.)

CLAIM URIAD Attribute
urn:scim:schemas:core:1.0:name.givenName givenName
urn:scim:schemas:core:1.0:name.familyName company

First of all let's Create a user via SCIM. 

curl -v -k --user username:password --data "{"schemas":[],"name":{"familyName":"Madurapperuma", "givenName":"Tani"},"userName":"tanya@wso2.com","password":"testing123@"}" --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

You will get a response payload as follows.

{"id":"5c05a64c-4f9b-44c7-9092-27cd4dc15640","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"Madurapperuma","givenName":"Tani"},"userName":"tanya@wso2.com","meta":{"lastModified":"2013-10-20T09:47:35","location":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640","created":"2013-10-20T09:47:35"}}

As I have mentioned above, you will not be able to update the userName SCIM claim after the creation of the user since the userName claim is immutable in carbon user store.

So with this tricky method you will be able to modify it.
Map the AD attribute that you have mapped to the userName claim to another SCIM claim and try modifying the newly mapped claim

In our case we have mapped AD attribute "mail" to SCIM claim "userName". So we will map it to SCIM claim "Emails" as well.

Now we have the following additional mapping as well.

CLAIM URI
AD Attribute
urn:scim:schemas:core:1.0:emails
mail

Now let's try updating SCIM claim "emails".

curl -v -k --user username:password -X PUT -d "{"schemas":[],"userName":"tanya@wso2.com", "emails":"tani@wso2.com"}" --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640

At this point, you might be worrying that it did not work seeing the response payload. Wait !!! The response payload that I got is as follows. 

{"id":"5c05a64c-4f9b-44c7-9092-27cd4dc15640","schemas":["urn:scim:schemas:core:1.0"],"userName":"tanya@wso2.com","emails":"tani@wso2.com","meta":{"lastModified":"2013-10-20T09:54:20","location":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640","created":"2013-10-20T09:47:35"}} 

So hasn't the trick worked ? 

Let's get the updated user and see what has happenned.

curl -v -k --user username:password https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640

Response payload is as follows. 

{"id":"5c05a64c-4f9b-44c7-9092-27cd4dc15640","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"Madurapperuma","givenName":"Tani"},"userName":"tani@wso2.com","emails":["tani@wso2.com"],"phoneNumbers":[{"value":"2013-10-01T09:54:20","type":"pager"},{"value":"2013-10-01T09:47:35","type":"home"}],"addresses":[{"value":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640","type":"streetAddress"}],"meta":{"lastModified":"2013-10-20T09:54:20","created":"2013-10-20T09:47:35","location":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640"}}

No more worries :) It has worked. You may notice that it is the same user that we created a while ago. See the familyName and the giveName values if you are not sure. 

So in summing up, all you have to do is just map the AD attribute that you mapped to SCIM claim userName to another AD attribute that is mutable.


Acknlowlegement
  • Venura and Ishara at WSO2 
  • Two blog posts by Hasini and Suresh

3 comments:

  1. Hi Tanya,

    Following your approach I'm able to update the username of a given user. Getting the user with SCIM I can see the updated username.

    However if I go to the Identity Server admin console users are still listed with their old usernames. Also, I can not create a new user with a previous username (the username that was replaced) using SCIM (I get an error saying that the username already exists).

    Any help is welcome. My requirement is to have emails as usernames but being able to change the email/username later.

    Thanks!

    ReplyDelete
    Replies
    1. Hi,

      Sorry for the late reply. With which version of IS did you tried? This is tested with IS 4.5.0 and since this is a tricky way, in new versions this might have been fixed.

      Thanks.

      Delete
    2. Hello Tanya
      I am using WSO2 5.11.0 version. What steps need to follow for this same issue>

      Delete