SSO within two SPs while using a custom authenticator and a custom claim handler (WSO2IS-5.3.0)

Nilasini Thirunavukkarasu
Sep 28, 2018

Requirement:-

You have a custom authenticator and a custom claim handler deployed in WSO2 IS. Let's say the custom authenticator calls a third-party web service to authenticate the user and receives some claims in the response. The custom claim handler adds some more claims from a database to the id_token. So the id_token received by the SP contains "claims from service" + "claims from database".

When you have two service providers (SP1, SP2) with SSO between them, only the SP that logs in first receives an id_token with all the claims ("claims from service" + "claims from database"). The second SP receives only the claims from the database; the claims returned by the custom authenticator are missing.

Example:-

Let's say you have two SPs (SP1, SP2) using the OIDC protocol with identical configuration (including the same custom authenticator). When the user logs in to SP1, WSO2 IS returns an id_token with all the claims. The user then opens SP2 in another tab and is logged in directly, without being asked to authenticate, but SP2 receives only the claims from the database (added by the custom claim handler) and none of the claims returned by the custom authenticator.

The reason for this behaviour is that the custom claim handler is called again for SP2 and recalculates the claims, while the authenticator is not called again because the SSO session already exists. Anything the authenticator stored in the authentication context for SP1 is therefore absent, and the claims from the third-party service come out as null.

Let’s say the code snippet used to add the claims from third-party service is the following:

Custom Authenticator: method processAuthenticationResponse

// Stores the service-returned value in the authentication context only.
context.setProperty("customname", restResponse.customname);

Let's say the code snippet used to add the claims from the database is the following:

Custom Claim Handler: method handleLocalClaims

// Claim from the database response (original showed the value as a quoted literal; it is the field value).
claims.put("keplerNumber", databaseResponse.keplerNumber);
// Claim from the context property set by the authenticator; null when the authenticator did not run.
claims.put("customname", (String) context.getProperty("customname"));

For SP2, since the authenticator is not called, there is no "customname" property in the context. Hence SP2 receives only "keplerNumber".

Solution:-

1. Create custom local claims and map them to an attribute that is available in your user store.

2. Then map these local claims to OIDC claims.

3. Don't forget to add the OIDC claims to the registry.

4. After following the above steps, set the value of the claim http://test.wso2.org/claims/customname from your custom authenticator as shown below.

Custom Authenticator: method processAuthenticationResponse

// Persist the service-returned value against the user in the user store (profile "default"),
// so it is available on every subsequent claim-handler run, not only the first login.
userStoreManager.setUserClaimValue(username, "http://test.wso2.org/claims/customname",
        restResponse.customname, "default");

5. Then in your custom claim handler add only the claims you want to take from the database response.

Custom Claim Handler: method handleLocalClaims

// Only the database-sourced claim is added here; "customname" now comes from the user store.
claims.put("keplerNumber", databaseResponse.keplerNumber);

Now if you do SSO with the two service providers, both service providers receive the claims "keplerNumber" and "customname".
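The following is an added example, not code from the original post or from the linked repositories, putting steps 4 and 5 together in one WSO2 IS 5.3.0 authenticator/claim-handler pair. The third-party service (ThirdPartyClient), its response type (ThirdPartyResponse), the database lookup (ClaimDatabase, DatabaseRecord) and the package name are hypothetical stand-ins; the WSO2 framework classes, IdentityTenantUtil and the UserStoreManager.setUserClaimValue(username, claimURI, value, profile) call are the real 5.3.0 APIs. It assumes the local claim http://test.wso2.org/claims/customname is already mapped to a user-store attribute (steps 1 to 3), that the user exists in a writable user store, and that handleLocalClaims is overridable and returns a mutable map in the deployed DefaultClaimHandler.

```java
package org.example.wso2.sso; // hypothetical package

import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/** Step 4: authenticate against the third-party service and persist its claim in the user store. */
public class PersistingCustomAuthenticator extends AbstractApplicationAuthenticator
        implements LocalApplicationAuthenticator {

    private static final String CUSTOM_NAME_CLAIM = "http://test.wso2.org/claims/customname";

    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
            AuthenticationContext context) throws AuthenticationFailedException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Hypothetical third-party call (stands in for the REST service in the post).
        ThirdPartyResponse restResponse = ThirdPartyClient.authenticate(username, password);
        if (restResponse == null || !restResponse.authenticated) {
            throw new AuthenticationFailedException("Third-party service rejected user " + username);
        }

        // Write the service-returned value to the user store instead of the per-login context,
        // so the claim handler finds it on every SSO request, not only the one that ran this code.
        try {
            int tenantId = IdentityTenantUtil.getTenantIdOfUser(username);
            UserStoreManager userStoreManager = IdentityTenantUtil.getRealmService()
                    .getTenantUserRealm(tenantId).getUserStoreManager();
            userStoreManager.setUserClaimValue(MultitenantUtils.getTenantAwareUsername(username),
                    CUSTOM_NAME_CLAIM, restResponse.customname, "default");
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Could not persist claims for " + username, e);
        }

        context.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(username));
    }

    @Override public boolean canHandle(HttpServletRequest request) { return request.getParameter("username") != null; }
    @Override public String getContextIdentifier(HttpServletRequest request) { return request.getParameter("sessionDataKey"); }
    @Override public String getName() { return "PersistingCustomAuthenticator"; }
    @Override public String getFriendlyName() { return "persisting-custom"; }
}

/** Step 5: the claim handler adds only database-sourced claims; "customname" arrives via the user store. */
class DatabaseOnlyClaimHandler extends DefaultClaimHandler {

    @Override
    protected Map<String, String> handleLocalClaims(StepConfig stepConfig, AuthenticationContext context)
            throws FrameworkException {
        // The default handler reads the mapped user-store claims, which now include customname.
        Map<String, String> claims = new HashMap<>(super.handleLocalClaims(stepConfig, context));
        if (context.getSubject() == null) {
            return claims; // nothing to look up before a subject is established
        }
        // Hypothetical database lookup; keyed by the authenticated username.
        DatabaseRecord databaseResponse = ClaimDatabase.lookup(context.getSubject().getUserName());
        if (databaseResponse != null) {
            claims.put("keplerNumber", databaseResponse.keplerNumber);
        }
        return claims;
    }
}

// Hypothetical integration types: replace with the real service client and database access.
class ThirdPartyResponse { boolean authenticated; String customname; }

class ThirdPartyClient {
    static ThirdPartyResponse authenticate(String username, String password) {
        ThirdPartyResponse r = new ThirdPartyResponse(); // constructed stand-in; a real client calls the service
        r.authenticated = username != null && password != null;
        r.customname = r.authenticated ? "name-from-service" : null;
        return r;
    }
}

class DatabaseRecord { String keplerNumber; }

class ClaimDatabase {
    private static final Map<String, String> ROWS = new HashMap<>(); // constructed in-memory table
    static { ROWS.put("alice", "K-1234"); }
    static DatabaseRecord lookup(String username) {
        if (!ROWS.containsKey(username)) return null;
        DatabaseRecord rec = new DatabaseRecord();
        rec.keplerNumber = ROWS.get(username);
        return rec;
    }
}
```

Two things to check when adopting this pattern: the value written by setUserClaimValue persists beyond the SSO session, so a later login refreshes it but a changed value on the third-party side is not reflected until the authenticator runs again; and the write needs the user to exist in a user store that is not read-only, otherwise the UserStoreException above fails the login.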

You can refer to [1] and [2] and follow their readme.txt to test this scenario with two OIDC applications. Follow [3] to get two OIDC sample applications (playground2, playground3), do SSO with the two sample applications, and invoke the userinfo endpoint for both.

This post was written in response to the issue reported in [4].

[1] https://github.com/nilasini/CustomBasicAuthenticator

[2] https://github.com/nilasini/CustomClaimHandler

[3] https://docs.wso2.com/display/IS530/Session+Management+with+Playground

[4] https://stackoverflow.com/questions/51735255/claims-are-missing-in-oidc-sso-from-wso2is-5-3-0