Saturday, January 5, 2019

User Attribute Manipulation with WSO2 Identity Server Adaptive Authentication

WSO2 Identity Server Script Based Adaptive Authentication offers a wide range of functionality beyond "adapting" the authentication flow dynamically. In this post, we will manipulate some claims coming from the identity provider before they are sent to the service provider. As an example, we will build the "full name" of the user by combining the "first name" and "last name" provided by the identity provider.

First, configure your federated identity provider as described in the documentation. Then configure your application in Identity Server and add the inbound authentication configuration as described in the documentation.

Now we are ready to configure the script based adaptive authentication for this service provider. Go to the "Local & Outbound Authentication Configuration" section of the service provider configuration and click on the "Advanced Authentication" button.

From the "Authentication Step Configuration" section, add an authentication step and add the configured federated identity provider as its authentication option. Then, in the "Script Based Adaptive Authentication" editor, add the script below.

function onLoginRequest(context) {
    // Step 1 is the federated identity provider configured above
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.steps[1].subject;
            // remoteClaims holds the attributes returned by the federated IdP
            if (user.remoteClaims !== null) {
                var firstNameClaim = user.remoteClaims.first_name;
                var lastNameClaim = user.remoteClaims.last_name;
                // Add the derived full_name claim alongside the IdP's claims
                user.remoteClaims.full_name = firstNameClaim + " " + lastNameClaim;
            }
        }
    });
}

This script is self-explanatory. It executes the first authentication step, which is your federated identity provider. Upon success, it checks whether "remoteClaims" (the user attributes provided by the federated identity provider) is not null. If so, it reads first_name and last_name, builds full_name from them and adds it to the remoteClaims. The API reference for the functions used in the script is available here.

The complete configuration now looks like the screenshot below.


Save the configuration and try the login flow. After a successful login, the application receives the user's full name, built by combining the user's first name and last name. In the same way you can implement functionality such as:

  • Calculate the user's age based on the birthday.
  • Send static user attributes to the service provider.
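As an added example (not part of the original post), the script below extends the idea to the two bullets above while guarding against missing or malformed IdP claims, so the service provider never receives a value like "undefined Smith". The claim names birthdate, age and department, the static value "partners", and the ISO yyyy-mm-dd date format are assumptions; executeStep and context are supplied by the WSO2 adaptive authentication engine and are not defined here.

```javascript
// Derive an age from a yyyy-mm-dd birthdate claim; returns null when the
// claim is absent, malformed or in the future (assumed claim format).
function computeAge(birthdate, today) {
    var m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(birthdate || "");
    if (!m) { return null; }
    var y = parseInt(m[1], 10), mo = parseInt(m[2], 10), d = parseInt(m[3], 10);
    var age = today.getUTCFullYear() - y;
    var thisMonth = today.getUTCMonth() + 1;
    // Birthday not yet reached this year: one year less
    if (thisMonth < mo || (thisMonth === mo && today.getUTCDate() < d)) {
        age -= 1;
    }
    return age >= 0 ? age : null;
}

// Compute the claims to add; only returns values that could be derived
// safely, plus a static attribute shared by every user of this SP.
function derivedClaims(remoteClaims, today) {
    var out = {};
    if (remoteClaims === null || remoteClaims === undefined) { return out; }
    var first = remoteClaims.first_name, last = remoteClaims.last_name;
    if (typeof first === "string" && first.length > 0 &&
        typeof last === "string" && last.length > 0) {
        out.full_name = first + " " + last;
    }
    var age = computeAge(remoteClaims.birthdate, today);
    if (age !== null) { out.age = String(age); }   // claim values are strings
    out.department = "partners";                    // assumed static attribute
    return out;
}

// Adaptive authentication entry point, as used in the post's script
function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.steps[1].subject;
            if (user.remoteClaims !== null) {
                var derived = derivedClaims(user.remoteClaims, new Date());
                Object.keys(derived).forEach(function (name) {
                    user.remoteClaims[name] = derived[name];
                });
            }
        }
    });
}
```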