1
vote

I'm trying to set user privilege levels (publish, create, subscribe, etc.) in the WSO2 API Manager at logon based on custom attributes contained in the SAML2 token. Not based on a list of active users and their mapped roles. Is it possible to customize the user privileges with a dynamic set of custom attributes?

The SAML token is coming from a third party source, however integration with WSO2 Identity Server is possible if required.

1
Do you finally have a solution that you can share with the community? Thank you.
J D

1 Answer

0
votes

API Manager runs Identity Server application management under the hood to look up user roles and permissions. In org.wso2.carbon.identity.application.mgt.ApplicationMgtUtil you can see the isUserAuthorized method that is presumably fired whenever the application needs to check the user's permissions.

/**
 * Checks whether the given user holds the application role derived from the application name.
 *
 * @param applicationName name of the service provider application
 * @param username        user whose role list is looked up in the user store
 * @return true if the user's role list contains the application role, false otherwise
 * @throws IdentityApplicationManagementException if the user store lookup fails
 */
public static boolean isUserAuthorized(String applicationName, String username)
        throws IdentityApplicationManagementException {

    String applicationRoleName = getAppRoleName(applicationName);
    try {
        if (log.isDebugEnabled()) {
            log.debug("Checking whether user has role : " + applicationRoleName + " by retrieving role list of " +
                      "user : " + username);
        }
        String[] userRoles = CarbonContext.getThreadLocalCarbonContext().getUserRealm()
                .getUserStoreManager().getRoleListOfUser(username);
        for (String userRole : userRoles) {
            if (applicationRoleName.equals(userRole)) {
                return true;
            }
        }
    } catch (UserStoreException e) {
        throw new IdentityApplicationManagementException("Error while checking authorization for user: " +
                username + " for application: " + applicationName, e);
    }
    return false;
}

You should be able to replace

String[] userRoles = CarbonContext.getThreadLocalCarbonContext().getUserRealm()
            .getUserStoreManager().getRoleListOfUser(username);

with code that will retrieve roles based on the attributes present in the SAML2 token, though obviously you'd have to build and support a structure capable of storing such a mapping.

https://github.com/wso2/carbon-identity-framework/blob/master/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationMgtUtil.java
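As an added illustration (not code from the original answer or from WSO2), this is the shape of the replacement the answer describes: the `getRoleListOfUser` call is swapped for a lookup that maps SAML2 attribute values to roles through an explicit allowlist, so only values you have deliberately mapped can ever grant a role. The class, attribute name and role names are hypothetical, and it assumes the assertion's signature, issuer, audience and validity window were already verified by the SAML SSO authenticator before the attributes reach this code.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: resolves roles from SAML2 attributes instead of the user store. */
public final class SamlAttributeRoleResolver {

    // Hypothetical allowlist: attribute name -> (attribute value -> internal role).
    // Only values listed here can yield a role; unknown attributes and values are ignored.
    private static final Map<String, Map<String, String>> ATTRIBUTE_ROLE_MAP = Map.of(
            "http://example.org/claims/apim-privilege", Map.of(
                    "publisher", "Internal/publisher",
                    "creator", "Internal/creator",
                    "subscriber", "Internal/subscriber"));

    private SamlAttributeRoleResolver() { }

    /**
     * Drop-in replacement for the getRoleListOfUser(username) call in isUserAuthorized.
     *
     * @param assertionAttributes attribute name -> values, as extracted from an assertion
     *                            that has already been validated upstream (assumption)
     * @return roles granted by the allowlist; empty array when nothing matches, never null
     */
    public static String[] getRoleListFromAssertion(Map<String, List<String>> assertionAttributes) {
        Set<String> roles = new HashSet<>();
        for (Map.Entry<String, Map<String, String>> mapping : ATTRIBUTE_ROLE_MAP.entrySet()) {
            List<String> values = assertionAttributes.getOrDefault(mapping.getKey(), Collections.emptyList());
            for (String value : values) {
                String role = mapping.getValue().get(value); // unmapped value -> null -> skipped
                if (role != null) {
                    roles.add(role);
                }
            }
        }
        return roles.toArray(new String[0]);
    }

    /** The same comparison isUserAuthorized performs, but against assertion-derived roles. */
    public static boolean isUserAuthorized(String applicationRoleName,
                                           Map<String, List<String>> assertionAttributes) {
        for (String userRole : getRoleListFromAssertion(assertionAttributes)) {
            if (applicationRoleName.equals(userRole)) {
                return true;
            }
        }
        return false; // deny by default: no mapped attribute, no role
    }
}
```

Because the lookup is an allowlist, an assertion carrying an unexpected privilege value (for example a misconfigured IdP sending "admin") resolves to no role rather than to an unintended one.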