Role Based Provisioning¶
The Outbound Provisioning topic describes how to provision users to trusted identity providers in general. This document describes how to provision users based on the roles they are assigned. In role-based provisioning, a user is provisioned to the trusted identity provider when the user is added to a preconfigured role, and is deleted from the trusted identity provider when the user is removed from that role.
To set up role-based provisioning, configure the following:
Step 1: Configuring an identity provider¶
- Download the WSO2 Identity Server and run it.
- Log in to the Management Console as an administrator.
- Navigate to the Main menu and access the Identity menu. Click Add under Identity Providers. See the Configuring an Identity Provider topic for more information.
- Enter "role-based provisioning" as the Identity Provider name for this scenario.
- Configure the Outbound Provisioning Connectors with the SPML, SCIM or Salesforce connector.
- Expand the Role Configuration section and enter a role name (or a set of roles as a comma-separated list) in the Identity Provider OutBound Provisioning Roles field. For this flow, a role named "provision" was created and has been entered here. If you do not have roles already, see the Configuring Role and Permissions topic to add roles.
- Click Update to save changes.
Step 2: Configuring outbound provisioning¶
- In the Main menu, under the Identity section, click Resident under Service Providers.
- Expand the Outbound Provisioning Configuration section, enter the name of the identity provider you just created, and select the connector from the dropdown list. If you enable Blocking, WSO2 Identity Server waits for the response from the identity provider before continuing.
- Click Update to save changes.
Now let's try provisioning a user with the defined role.
Try: Provisioning Users¶
- In the Main menu of the management console, click Add under Users and Roles under the Identity menu.
- Click Add New User. See Configuring Users for more information.
- Provide a username and a password (with confirmation) and click Next.
- Click Finish to create the user. At this point, the user is not yet provisioned to the identity provider.
- On the Main tab in the management console, click List under Users and Roles in the Identity menu.
- Click Users and then click the Assign Roles action of the newly created user. Select the "provision" role (or any role added in the Role Configuration section of the identity provider) and click Finish.
The user is now provisioned to the identity provider.
Remove user from the identity provider¶
- On the Main tab in the management console, click List under Users and Roles in the Identity menu.
- Click Users and then click the Assign Roles action of the newly created user. De-select the "provision" role (or any role added in the Role Configuration section of the identity provider) and click Finish.
The user is now removed from the identity provider.
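The provisioning and deprovisioning decisions walked through above, modelled as a small added example (not WSO2 Identity Server code). It parses the comma-separated Identity Provider OutBound Provisioning Roles field and decides, for a change in a user's role assignments, whether an outbound create, an outbound delete, or nothing should be sent to the trusted identity provider. The treatment of a user who holds more than one configured role (still provisioned while any one remains) is an assumption, since the page only describes the single-role case.

```python
"""Model of the role-based outbound provisioning rule described on this page.

Added illustration, not WSO2 Identity Server code: a user is provisioned to
the trusted identity provider when they gain one of the configured
provisioning roles and deprovisioned when they are removed from it.
"""

# Example value of the "Identity Provider OutBound Provisioning Roles" field.
# The page uses the single role "provision"; a second role is added here to
# show the comma-separated form the field accepts.
OUTBOUND_PROVISIONING_ROLES = "provision, contractor"


def parse_provisioning_roles(field_value: str) -> set[str]:
    """Split the comma-separated roles field into a set of role names."""
    return {r.strip() for r in field_value.split(",") if r.strip()}


def provisioning_action(field_value: str, old_roles: set[str], new_roles: set[str]) -> str:
    """Return "provision", "deprovision" or "none" for a role assignment change.

    Assumption (not stated on the page): the decision depends only on whether
    the user held any configured role before and after the change, so gaining
    a second configured role or losing one of two triggers no outbound call.
    """
    configured = parse_provisioning_roles(field_value)
    was_provisioned = bool(old_roles & configured)
    is_provisioned = bool(new_roles & configured)
    if is_provisioned and not was_provisioned:
        return "provision"
    if was_provisioned and not is_provisioned:
        return "deprovision"
    return "none"


def walkthrough() -> list[str]:
    """Replay the page's flow: create user, assign "provision", then remove it."""
    steps = [
        (set(), set()),                         # user created with no roles
        (set(), {"provision"}),                 # "provision" assigned
        ({"provision"}, set()),                 # "provision" de-selected
    ]
    return [provisioning_action(OUTBOUND_PROVISIONING_ROLES, o, n) for o, n in steps]


if __name__ == "__main__":
    for action in walkthrough():
        print(action)
```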