Skip to content

Manage attributes

An attribute encapsulates a single, identifiable characteristic of a user. They may range from basic identifiers such as first name, last name, home address to dynamic properties like membership status.

Attributes play a crucial role in managing user information within an organization and enables applications to access the required data seamlessly. Additionally, attributes are used to manage and display user information in user profiles.

The following guides explain how you may manage attributes of an organization.

View attributes

To view attributes available for your organization:

  1. On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.

  2. Under Manage Attributes, click Attributes.

    Attributes

    This page displays all the attributes available in your organization.

    View attributes

Add custom attributes

Apart from the default attributes, you may define your own custom attributes by following the steps below:

  1. On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
  2. Under Manage Attributes, click Attributes to view the list of all attributes

  3. Click New Attribute and enter values for the following properties:

    Custom attribute

    Attribute Name The name that will be shared with applications.
    Protocol Mappings Mappings for each protocol are generated automatically based on the attribute name. You may also customize them here.
    Attribute Display Name The name of the attribute that will be displayed in users' profiles.
    Regular expression The value of the attribute will be validated against the regex pattern specified here.

  4. Click Finish.

Configure attributes

To configure properties of user attributes:

  1. On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
  2. Under Manage Attributes, click Attributes to view the list of all attributes.

  3. Click Edit for the attribute you want to update.

    Edit attributes

    Note

    The Attribute field specifies the unique identifier of the attribute. It always starts with http://wso2.org/claims. This cannot be edited.

  4. In the General tab, update the following values.

    Attribute Display Name Update the display name of the attribute that will show in user profiles.
    Description Update the description for the attribute.
    Regular expression The attribute value will be validated against the regex pattern specified here.
    Select Source for Attribute Value of Shared Users When a user's profile is shared across multiple organizations, the value of this attribute will be taken from the selected source.
    • From Origin: The attribute value is inherited from the original organization which manages the user's profile.
    • From Shared Profile: The attribute value is taken from the shared user profile in the respective organization.
    • From First Found in Hierarchy: The attribute value is retrieved from the first organization in the hierarchy that has assigned a non-null value to the attribute.
    At the moment, you can only configure this option for custom attributes.
    Uniqueness Validation Select one of the following scopes to validate attribute uniqueness:
    • None: No validation is applied. Users can have duplicate values for the selected attribute.
    • Within User Store: Users within the same user store cannot have duplicate values for the selected attribute. However, users in other user stores may have duplicates.
    • Across User Stores: Attribute values are unique across all user stores preventing duplicates throughout the organization.

  5. Under Attribute Configurations, use the table to configure how attributes are handled for each entity.

    Edit attributes

    The table contains the following entities:

    • Administrator Console: User profiles as seen from the administrator's Console.
    • End-User Profile: User profiles as seen from the users' My Account portal.
    • Self-Registration: The form presented to users during self-registration.

    For each of these entities, you can configure the following properties:

    Display If selected, the attribute is displayed in the entity.
    Required If selected, the entity must contain a value for this attribute.
    Read-only If selected, the value will be read-only for the entity and cannot be modified.

Note

Using the attribute configurations, you can also configure which attributes are displayed in the user creation form when onboarding users in the console.

To display an attribute in the user creation form, select the both Display and Required checkboxes for the Administrator Console entity.

  1. Go to the Attribute Mappings tab and enter the attribute from each user store that you need to map.

    Edit attribute mappings

  2. Optionally, you may use the Additional Properties tab to add additional properties that can be used when writing an extension.

    Edit additional properties

Delete attributes

Before you proceed

Attributes cannot be deleted if it has any associations with external schema. If you have attribute mappings, make sure you delete these associations before attempting to delete an attribute.

Refer to Delete an OpenID Connect attribute and Delete a SCIM2 attribute to delete any existing associations.

To delete an attribute:

  1. On the WSO2 Identity Server Console, navigate to User Attributes and Stores > Attributes.
  2. Under Manage Attributes, click Attributes to view the list of all attributes.
  3. Select the attribute you wish to delete.
  4. Click Delete attribute within the Danger Zone.
  5. Select the checkbox to confirm your action.
  6. Click Confirm.

Note

Only custom attributes can be deleted.

Manage Identity Attributes

By default, identity claim values are stored in the JDBC datasource configured in the deployment.toml file. If required, you can configure WSO2 Identity Server to store the claim values in another user store as well.

  1. Open the <IS_HOME>/repository/conf/deployment.toml file and add the following configuration to change the identity_datastore property value to IdentityDataStoreService. This service, functioning as an OSGi service, is dedicated to accessing Identity data stores.
[identity_datastore]
datastore_type = "<Name of the identityDataStore class>"

Note

The class name configuration for the identity data store has been separated from the listener configurations. If you're using a custom data store class, it's crucial to update your deployment.toml file to reflect this choice. This update ensures that your custom class will override the default configuration.

To either maintain the previous behavior or use your custom data store, simply follow these steps and update your deployment.toml:

By making this configuration adjustment, you can ensure that your system aligns with your preferred data store class, whether it's the previous default or a custom class you've implemented. This helps you tailor the system to your specific needs.

  1. Map the identity claims mentioned below to attributes in the underlying user store.

    Info

    Learn more about adding claim mapping.

    • http://wso2.org/claims/identity/accountLocked: This claim is used to store the status of the user's account, i.e., if it is locked or not.

    • http://wso2.org/claims/identity/unlockTime: This is used to store the timestamp that the user's account is unlocked.

    • http://wso2.org/claims/identity/failedLoginAttempts: This is used to track the number of consecutive failed login attempts. It is based on this that the account is locked.

Assign multiple email addresses and mobile numbers to a user

WSO2 Identity Server allows users to associate multiple email addresses and mobile numbers with their profiles. For users with multiple values, they may also select a primary email address and a primary mobile number.

The following attributes are used for this purpose:

  • Email Addresses
  • Verified Email Addresses
  • Mobile Numbers
  • Verified Mobile Numbers

Enable/Disable multiple emails and mobile numbers feature

To manually enable or disable this feature, you must update all related attributes by following these steps:

  1. On the WSO2 Identity Server Console, navigate to User Attributes and Stores > Attributes.
  2. Under Manage Attributes, click Attributes to view the list of all attributes.
  3. Click Edit next to the corresponding attribute.
  4. Enable/Disable the Display this attribute on the user's profile checkbox.
  5. Click Update to save the changes.

Exclude these attributes from a user store

For non-JDBC secondary user stores, you must ensure proper mapping of these attributes in the user store. If mapping is not feasible, you can disable support for these attributes in that user store by following the steps below.

  1. On the WSO2 Identity Server Console, navigate to User Attributes and Stores > Attributes.
  2. Under Manage Attributes, click Attributes to view the list of all attributes.
  3. Click Edit for the attribute you wish to modify.
  4. Go to the Attribute Mappings tab.
  5. Find the corresponding user store and uncheck the Enable for this user store checkbox.
  6. Click Update to save the changes

Enable for user store