Add info on how it works when multiple user stores are configured #3929
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Configure the user store preference order | ||
|
|
||
| From WSO2 Identity server 5.9.0 onwards, admins can configure the user store preference order for a service provider during the authentication. | ||
|
|
||
| This guide helps you to configure the user store preference order for a service provider. | ||
|
|
||
| ## Initial set up | ||
|
|
||
| To set up the WSO2 identity Server to configure the user store preference order: | ||
|
|
||
| 1. Implement the `UserStorePreferenceOrderSupplier` interface with your own logic to retrieve the user store order. | ||
|
|
||
| Use the provided template to implement the [UserStorePreferenceOrderSupplier interface](https://github.com/wso2/carbon-kernel/blob/feeae3e4668b805c8d6d5e8c115897fa93b8a856/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/config/UserStorePreferenceOrderSupplier.java?source=post_page-----cdadf43f9366--------------------------------). | ||
|
There was a problem hiding this comment. Let's validate these links. Seems there are some query parameters. Is it intentional? |
||
|
|
||
| 2. Extend the `CallBackHandlerFactory` interface and create an object of your custom `UserStorePreferenceOrderSupplier`. | ||
|
|
||
| Use the provided template to extend the [CallBackHandlerFactory interface](https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/CallBackHandlerFactory.java?source=post_page-----cdadf43f9366--------------------------------). | ||
|
|
||
| 3. Add the following configuration to the `<IS-HOME>/repository/conf/deployment.toml` file to configure the `CallBackHandlerFactory` interface. | ||
|
|
||
| ``` | ||
| [authentication.framework.extensions] | ||
| callback_factory = "org.wso2.carbon.identity.custom.callback.userstore.CustomUserStoreOrderCallbackFactory" | ||
| ``` | ||
|
|
||
| 4. Restart the WSO2 Identity Server if it's already running. | ||
|
There was a problem hiding this comment. This seems to be missing few steps where it instructs to build and patch the custom jar. Refer this for the complete guide. |
||
|
|
||
| ## Update the preference order | ||
|
|
||
| To update the preference order: | ||
|
|
||
| 1. On the WSO2 Identity Server Management Console, go to **Main** > **Registry** > **Browse** | ||
|
There was a problem hiding this comment. we should validate whether these aligns with the latest IS versions |
||
| 2. Navigate to **_system** > **config** and click on `userstore-metadata.xml` file. | ||
| 3. Go to **Properties** and click `+`. The table shows the values obtained from the Following are the details represented in the table. | ||
|
|
||
| | Parameter | Description | | ||
| |-----------|---------------| | ||
| | Name | Name of the service provider to which the user store preference order is applied. | | ||
| | Value | The user store preference order in which the WSO2 Identity Server will authenticate the users logging into the specified service provider. | | ||
|
|
||
| 4. Click **Edit** to modify the values. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,57 +1,71 @@ | ||||||
| # Configure User stores | ||||||
|
|
||||||
| WSO2 Identity Server allows configuring multiple user stores to your system that are used to store users and their roles (Groups). Out of the box, the WSO2 Identity Server supports JDBC, LDAP, and Active Directory user stores with the capability of configuring custom user stores. Different user store adapters called **Userstore managers** are used to connect with these user store types. | ||||||
|
There was a problem hiding this comment.
Suggested change
I think we can directly say groups here since now we have group role separation. This might get confused with the roles feature in latest IS versions |
||||||
|
|
||||||
| There are two types of user stores: | ||||||
|
|
||||||
| - [Primary user store (Mandatory)](#primary-user-store) | ||||||
| - [Secondary user stores (Optional)](#secondary-user-store) | ||||||
|
|
||||||
| All the supported user stores can be configured under these two types. | ||||||
|
|
||||||
| { width:"350"} | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Primary user store | ||||||
|
|
||||||
| This is the main user store that is shared among all the [tenants]({{base_path}}/references/concepts/introduction-to-multitenancy/) in the system. Only one user store should be configured as the primary | ||||||
| user store, and it is configured in the `<IS_HOME>/repository/conf/deployment.toml` file. The WSO2 Identity Server uses the embedded H2 database as the primary user store by default. It is recommended to change this default configuration in the production system. | ||||||
|
|
||||||
| Learn more on how to [configure the primary serstore]({{base_path}}/deploy/configure-the-primary-user-store). | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Secondary user store | ||||||
|
|
||||||
| You can easily set up any number of secondary user stores for your system. These user stores are specific to the created tenant and are not shared among multiple tenants. You can use the management console to create secondary user stores or manually create them. These will be stored in an XML file with the configurations corresponding to the secondary store. | ||||||
|
There was a problem hiding this comment.
Suggested change
We shouldn't mention above management console in latest versions right? |
||||||
|
|
||||||
| Learn more on how to [configure a secondary userstore]({{base_path}}/deploy/configure-secondary-user-stores) | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Userstore manager | ||||||
|
|
||||||
| Userstore Managers are adapters used to connect with different user stores. By default, there are user store managers for JDBC, LDAP, and Active Directory user stores. | ||||||
|
|
||||||
| If you need to add a new user store implementation, see [write a custom userstore manager]({{base_path}}/references/extend/write-a-custom-user-store-manager) for more information. When configuring the userstore, you must set the userstore manager class name. | ||||||
|
|
||||||
| !!! info | ||||||
| The permissions attached to roles are always stored in an RDBMS. With the default configurations, permissions are stored in the embedded H2 database. For information on how to set up an RDBMS repository for storing permission, see [configure the authorization manager]({{base_path}}/deploy/configure-the-authorization-manager) | ||||||
|
|
||||||
| ## How it works | ||||||
|
|
||||||
| When users try to log in to an application with multiple user stores integrated, the following flows happen depending on the method the user provides the username. | ||||||
|
|
||||||
| - **If the user specifies the user store domain**: | ||||||
|
|
||||||
| 1. The user tries to log into the application by providing credentials with the user store name. | ||||||
|
|
||||||
| Example: Username: `PRIMARY/johnd` | ||||||
|
|
||||||
| 2. WSO2 Identity Server checks the specified user stores for the availability of the user and authenticates the user. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| Once the user credentials are validated, the user will be able to access the application. | ||||||
|
|
||||||
| - **If the user doesn't specify the user store domain**: | ||||||
|
|
||||||
| 1. The user tries to log into the application by providing credentials without the user store name. | ||||||
|
|
||||||
| Example: Username: `johnd` | ||||||
|
|
||||||
| 2. WSO2 Identity Server checks the user stores for the availability of the user and authenticates the user. | ||||||
|
|
||||||
| 1. Initially, the identity server checks the user's credentials against the PRIMARY user store, which is the first verification line. | ||||||
|
|
||||||
| 2. If the credentials are not validated in the PRIMARY user store, the identity server proceeds to verify the credentials against the configured secondary user stores. | ||||||
|
|
||||||
| Once the user credentials are validated, the user will be able to access the application. | ||||||
|
|
||||||
| !!! note | ||||||
| Refer to [configure user store preference order]({{base_path}}/deploy/configure-user-store-preference-order.md) if you need to configure a preference order for the user stores when authenticating the users. | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check for the ideal case here