
Search user by custom claim filter

I need to search for a user in Identity Server by using a custom claim, i.e. ‘cnic’, as a filter. I’m sending the following request packet in Postman for this purpose, but it gives me an error. I’m using version 5.11.0 of Identity Server. A description of the custom claim mapping is attached below.

[image: custom claim mapping]

[image: Postman request and response]


Answer

Though you have created a local claim as cnic, in order to manage that claim value through the SCIM APIs, you should have a mapping between a SCIM claim and the local claim.

  1. Open the scim2-schema-extension.config file located in <IS_HOME>/repository/conf/ and add the SCIM attribute definition before the last element of the JSON array (i.e. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User should remain the last JSON object). It would be as follows; you can change the metadata appropriately.
```json
{
  "attributeURI": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:cnic",
  "attributeName": "cnic",
  "dataType": "string",
  "multiValued": "false",
  "description": "National Identity Number.",
  "required": "false",
  "caseExact": "false",
  "mutability": "readWrite",
  "returned": "default",
  "uniqueness": "none",
  "subAttributes": "null",
  "canonicalValues": [],
  "referenceTypes": []
}
```
  2. Add the attributeName of the above-added attribute into the scim2-schema-extension.config file as a subAttribute of the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User attribute (which is the last one in the file). Then it would look like this:
```json
"subAttributes": "verifyEmail askPassword employeeNumber costCenter organization division department manager pendingEmails accountLocked accountState emailOTPDisabled emailVerified failedEmailOTPAttempts failedLoginAttempts failedLoginAttemptsBeforeSuccess failedLoginLockoutCount failedPasswordRecoveryAttempts failedSMSOTPAttempts failedTOTPAttempts isLiteUser lastLoginTime lastLogonTime lastPasswordUpdateTime lockedReason phoneVerified preferredChannel smsOTPDisabled tenantAdminAskPassword unlockTime accountDisabled dateOfBirth isReadOnlyUser pendingMobileNumber forcePasswordReset oneTimePassword verifyMobile country cnic",
```
  3. Restart the IS and log in to the management console. Navigate to Main menu -> Identity tab -> Claims. Click Add under Claims, then click Add External Claim and enter the following values. Then click Add.
Dialect URI: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
External Claim URI: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:cnic (the attribute URI defined in the previous step)
Mapped Local Claim: http://wso2.org/claims/cnic


  4. Then you can invoke the SCIM search as follows.
```bash
curl --location --request POST 'https://localhost:9443/scim2/Users/.search' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--header 'Content-Type: application/json' \
--data-raw '{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "attributes": [
        "userName"
    ],
    "filter": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:cnic eq 123456",
    "domain": "PRIMARY",
    "startIndex": 1,
    "count": 10
}'
```
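As an added example that is not part of the answer, the Python below checks a scim2-schema-extension.config edit for the conditions the steps above rely on (the custom attribute is defined under the enterprise URI, the enterprise User object is still last, and the attribute name is listed in its subAttributes) and builds the .search body with the filter value quoted and escaped as RFC 7644 requires, so a caller-supplied value cannot change the filter expression. The sample config is constructed and abridged; the answer's curl leaves the value unquoted, which WSO2 also accepts.

```python
import json

ENTERPRISE_URI = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def check_schema_extension(config_text, attr_name):
    """Return the problems found in a scim2-schema-extension.config text
    (an empty list means the custom attribute is wired up as the answer describes)."""
    problems = []
    try:
        entries = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return ["config is not valid JSON: %s" % exc]
    if not isinstance(entries, list) or not entries:
        return ["config must be a non-empty JSON array"]
    last = entries[-1]
    if last.get("attributeURI") != ENTERPRISE_URI:
        problems.append("enterprise User object must be the last element of the array")
    else:
        # subAttributes is a space-separated string in this file, not a JSON list
        if attr_name not in last.get("subAttributes", "").split():
            problems.append("%s is missing from the enterprise User subAttributes" % attr_name)
    matches = [e for e in entries if e.get("attributeName") == attr_name]
    if len(matches) != 1:
        problems.append("expected exactly one definition of %s, found %d" % (attr_name, len(matches)))
    elif matches[0].get("attributeURI") != ENTERPRISE_URI + ":" + attr_name:
        problems.append("attributeURI of %s must be %s:%s" % (attr_name, ENTERPRISE_URI, attr_name))
    return problems

def scim_filter(attribute_uri, value):
    """Build an 'eq' filter with the value quoted and escaped (RFC 7644 section 3.4.2.2),
    so a value containing quotes or backslashes cannot alter the filter expression."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '%s eq "%s"' % (attribute_uri, escaped)

def search_request(attribute_uri, value, attributes=("userName",), start=1, count=10):
    """Body for POST /scim2/Users/.search, mirroring the answer's curl example."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
            "attributes": list(attributes),
            "filter": scim_filter(attribute_uri, value), "domain": "PRIMARY",
            "startIndex": start, "count": count}

# Constructed, abridged stand-in for <IS_HOME>/repository/conf/scim2-schema-extension.config
SAMPLE_CONFIG = json.dumps([
    {"attributeURI": ENTERPRISE_URI + ":cnic", "attributeName": "cnic", "dataType": "string"},
    {"attributeURI": ENTERPRISE_URI, "attributeName": "EnterpriseUser",
     "subAttributes": "employeeNumber manager cnic"},
])
```

Run `check_schema_extension` on the real file before restarting the server; `json.dumps(search_request(ENTERPRISE_URI + ":cnic", "123456"))` produces the body to send with the curl above.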


Ref: These steps are described well here
