0
votes

Scenario:

  • WSO2 Identity Server 5.4.0 configured as SAML IDP.
  • A third party application configured as SAML Service Provider.
  • WSO2 IS uses MySQL as the JDBC user store

The SAML SP requires username, firstname and lastname as ATTRIBUTES in the SAML assertion. The SAML SP claim configuration is set as follows:

firstname and lastname are sent in the SAML assertion as expected, whereas username is not sent in the SAML assertion.

Is there a way to achieve this?

Note: Further investigation showed that the username is not listed in the CLAIMS table UM_USER_ATTRIBUTE and as such may not be accessible via a claim mapping defined in WSO2 IS. Interestingly in OIDC the username is returned as the sub claim which is actually mapped to http://wso2.org/claims/username

Any hint and insight is appreciated.

1
Can you use the claim wso2.org/claims/userid? – gusto2
In the default setup wso2.org/claims/userid maps to scimId. No, that won't work. – Hos
What is your subject claim URI set to? Do you get the username as the subject in the SAML assertion? – Jayanga Kaushalya
Yes, the username is correctly sent as NameID. The Subject Claim URI in Claim Configuration is still set to the default (no attribute is selected). – Hos

1 Answer

0
votes

You need to enable SCIM for the JDBCUserStoreManager. In the user-mgt.xml file, set the SCIMEnabled property to true as follows.

<Property name="SCIMEnabled">true</Property>

Then try the SAML flow.
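As an added diagnostic for the question and for checking the result of the answer's change (example code written for this page, not code from the question, the answer or WSO2 IS), the script below parses the SAML response the SP receives and reports the NameID and the attribute names that are actually present against the list the SP requires, so you can confirm whether username arrives only as NameID, as in the question, before and after setting SCIMEnabled. The attribute names username/firstname/lastname, the helper names and the sample response are assumptions: the sample is constructed, unsigned, and parsed with xml.etree, which does no signature verification; for a response from an untrusted party, verify the signature first and parse with defusedxml.

```python
import base64
import xml.etree.ElementTree as ET  # untrusted input: prefer defusedxml.ElementTree

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Attribute names the SP expects. Assumed: the page only says the SP needs
# username, firstname and lastname as attributes.
REQUIRED_ATTRIBUTES = ("username", "firstname", "lastname")

# Constructed sample response (not captured from WSO2 IS): the NameID carries the
# user name, but only firstname and lastname are sent as attributes. No signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_r1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract(xml_text):
    """Return (name_id, {attribute name: [values]}) from a samlp:Response or a bare saml:Assertion."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    attrs = {}
    # iter() walks the whole tree, so this works whether or not the assertion is wrapped in a Response
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def diagnose(xml_text, required=REQUIRED_ATTRIBUTES):
    """Compare the attributes actually present with what the SP requires."""
    name_id, attrs = extract(xml_text)
    missing = [name for name in required if name not in attrs]
    return {"name_id": name_id, "attributes": attrs, "missing": missing}


def encode_for_post(xml_text):
    """Base64-encode a response the way the HTTP-POST binding puts it in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def diagnose_post_binding(saml_response_b64, required=REQUIRED_ATTRIBUTES):
    """Run the same check directly on the SAMLResponse form parameter of the POST binding."""
    return diagnose(base64.b64decode(saml_response_b64).decode("utf-8"), required)


if __name__ == "__main__":
    result = diagnose_post_binding(encode_for_post(SAMPLE_RESPONSE))
    print("NameID:           ", result["name_id"])
    print("Attributes present:", sorted(result["attributes"]))
    print("Missing attributes:", result["missing"])
```

Paste the SAMLResponse value from the browser's POST to the SP's assertion consumer URL into diagnose_post_binding; a non-empty "missing" list with the user name still showing as NameID reproduces the situation in the question, and an empty list after the SCIMEnabled change confirms the fix for that SP.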