Wednesday, November 21, 2012

Identity management feature with WSO2 Identity Server


Identity management is shipped as a separate Carbon feature that can be installed into WSO2 Identity Server. It is a good illustration of the extensibility of the WSO2 Carbon platform: the feature is an implementation of a listener interface in the Carbon user kernel. Such listener implementations are executed before or after a user kernel action, such as adding a user or authenticating one.

Before going into implementation details, this post looks at what the feature supports by default. You can always extend these as you wish.

Some of the features that are included:

1. User account verification methods
2. Password recovery methods
3. User account recovery methods
4. Account locking / unlocking

Let's see how to install the identity management feature with WSO2 Identity Server 4.0.0.

Let's start from a fresh pack of the WSO2 Identity Server 4.0.0 release, which can be found here.

Step 1: Start the server by running the wso2server script and log in to the management console.

Step 2: Go to the Feature Manager UI and configure the P2 repository that is available online.

Step 3: Search for the identity management feature.

Step 4: Install it by going through the required steps.

Step 5: Restart the server.

However, due to the following error, the P2 installation does not work out of the box; this will probably be fixed in the next release.


Therefore you need to go through the following additional steps to get this working.

1. Do proper attribute mapping with your user store.
2. Delete the current database, create a new one, and start the server with the -Dsetup option (basically you need to point to a new registry and user management database).
3. Uninstall the SCIM feature from WSO2 Identity Server.

After this installation you will see new UI links in WSO2 Identity Server. More importantly, there are APIs: two web service APIs are deployed with the identity management feature, and external applications can use them to implement identity management use cases.

There are also some new configurations you need to know about in the following configuration files.

user-mgt.xml file

Email and CAPTCHA are used in the account and password recovery processes. The actual application (for example, one that uses the WSO2 Identity Server API) can handle email sending and CAPTCHA management as it likes, or this can be delegated to WSO2 Identity Server using the following properties:

<Property name="emailSendingInternallyManaged">true</Property>
<Property name="captchaVerificationInternallyManaged">true</Property>

After the maximum number of failed login attempts, the user account is locked. The number of attempts can be configured:

<Property name="maxFailedLoginAttempt">3</Property>
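The listener mechanism described at the start of this post and the maxFailedLoginAttempt property above meet in the account-locking function. The following is an added illustration, not the code of WSO2's identity management feature, of how such a listener could be written against the Carbon user kernel API. The class and package names are hypothetical; the Carbon 4.0.x API (AbstractUserOperationEventListener, UserStoreManager, UserStoreException) and the kernel convention that a listener returning false aborts the operation are assumed; counters and lock state are kept in memory here, whereas the real feature persists them as user attributes.

```java
// Added example, not WSO2's own identity-management listener: a minimal Carbon
// user-operation event listener that locks an account after a configurable
// number of failed logins, mirroring the maxFailedLoginAttempt behaviour.
// Assumptions: the Carbon 4.0.x user-kernel API (AbstractUserOperationEventListener,
// UserStoreManager, UserStoreException) and the kernel convention that a listener
// returning false aborts the operation. Counters and lock state are kept in memory
// here; the real feature persists them as user attributes (claims).
package org.example.identity; // hypothetical package

import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.common.AbstractUserOperationEventListener;

public class FailedLoginLockListener extends AbstractUserOperationEventListener {

    // Same meaning as the maxFailedLoginAttempt property in user-mgt.xml.
    private final int maxFailedLoginAttempt;

    // userName -> consecutive failed attempts since the last successful login
    private final Map<String, Integer> failures = new ConcurrentHashMap<String, Integer>();

    // accounts that are currently locked
    private final Set<String> locked =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    public FailedLoginLockListener(int maxFailedLoginAttempt) {
        if (maxFailedLoginAttempt < 1) {
            throw new IllegalArgumentException("maxFailedLoginAttempt must be >= 1");
        }
        this.maxFailedLoginAttempt = maxFailedLoginAttempt;
    }

    // Listeners run in ascending order of this id; the value here is arbitrary.
    @Override
    public int getExecutionOrderId() {
        return 1000;
    }

    // Runs BEFORE the user store checks the credential. Returning false vetoes
    // the authentication, so a locked account is rejected without the store
    // being consulted at all.
    @Override
    public boolean doPreAuthenticate(String userName, Object credential,
                                     UserStoreManager userStoreManager) throws UserStoreException {
        return !locked.contains(userName);
    }

    // Runs AFTER the user store has decided. A success resets the counter;
    // a failure increments it and locks the account once the threshold is hit.
    @Override
    public boolean doPostAuthenticate(String userName, boolean authenticated,
                                      UserStoreManager userStoreManager) throws UserStoreException {
        if (authenticated) {
            failures.remove(userName);
            return true;
        }
        synchronized (this) { // keep read-increment-write atomic per listener instance
            Integer previous = failures.get(userName);
            int count = (previous == null ? 0 : previous) + 1;
            if (count >= maxFailedLoginAttempt) {
                locked.add(userName);
                failures.remove(userName);
            } else {
                failures.put(userName, count);
            }
        }
        return true; // leave the kernel's own authentication result untouched
    }

    public boolean isLocked(String userName) {
        return locked.contains(userName);
    }

    // Administrative unlock, the counterpart of the feature's "account unlocking".
    public void unlock(String userName) {
        locked.remove(userName);
        failures.remove(userName);
    }
}
```

In Carbon such a listener is registered as an OSGi service under the UserOperationEventListener interface (from a bundle activator or a declarative-services component); the user kernel collects all registered listeners and invokes them in execution-order sequence around each user store operation.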

When a temporary or one-time password is used to create a user account, that password can be configured as follows:

<Property name="defaultPassword">123456</Property>


claim-config.xml 

This feature introduces new user attributes (claims). These need to be configured properly.

email-admin-config.xml

If email is sent by WSO2 Identity Server, its content needs to be configured. This file lets you configure the content for the different use cases.

axis2.xml 

If email is sent by WSO2 Identity Server, you also need to configure the Axis2 mail transport sender:

<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">wso2is@gmail.com</parameter>
    <parameter name="mail.smtp.user">wso2is</parameter>
    <parameter name="mail.smtp.password">222222</parameter>
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
</transportSender>
