I am using WSO2 Identity Server 5.9.0. I have created 3 user stores and many service providers.
I am using a XACML policy so that each service provider only accepts users that exist in one specific user store. The policy is the following:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="POLICY-NAME" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>I write a description</Description>
    <!-- Target: the policy applies only to scope_validation requests for this one service provider -->
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scope_validation</AttributeValue>
                    <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                </Match>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ServiceProviderNameHere</AttributeValue>
                    <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <!-- Permit only when the authenticated user's user store domain equals the store bound to this service provider -->
    <Rule Effect="Permit" RuleId="permit_by_userstores">
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USER-STORE-NAME</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
    <!-- first-applicable combining: anything the rule above did not permit is denied -->
    <Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
The problem I found is that the user is looked for in all the user stores (one by one); when the user is found, the search stops and the user store is compared with the user store in the policy. If the two user store names are equal, it works fine. However, if I have 2 user stores with the same user and the Identity Server first finds the user in the user store that is not allowed by the policy, it returns an error and does not continue searching.
How can I make one service provider use only one user store for authentication?
Is there any other way to do it?
Thank you.
Your requirement can be satisfied by the user store preference order feature available since WSO2-IS 5.9.0. It allows you to define that only users from particular user stores can access a particular service provider, or the order in which the user store chain should be checked for the user.
Refer to this example customization: https://anuradha-15.medium.com/how-to-configure-your-preferred-user-stores-to-authenticate-users-for-a-service-provider-in-wso2-cdadf43f9366
Feature: https://github.com/wso2/product-is/issues/4350
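As an added illustration (not code from the question, the answer, the linked article, or WSO2 itself), here is a small Python simulation of the two behaviours: the first-match chain search the question describes, followed by the posted policy's Permit/Deny decision, versus a per-service-provider preference order that restricts which stores are searched and in what order. The user store names, service provider names, credentials and the dictionary shape of the preference configuration are all constructed for the example; the real feature is configured as described in the linked article, not through these dictionaries.

```python
"""Simulation of first-match user store search vs. per-SP preferred order.

Constructed sample data; this is not WSO2 code. Store names, SP names and
credentials are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserStore:
    domain: str
    users: Dict[str, str]  # username -> password (plaintext only for the simulation)


# Constructed user store chain, in the order the server would search it.
# "alice" deliberately exists in PRIMARY and STORE_B with the same password,
# which is the situation the question describes.
CHAIN: List[UserStore] = [
    UserStore("PRIMARY", {"alice": "pw-1", "bob": "pw-2"}),
    UserStore("STORE_A", {"carol": "pw-3"}),
    UserStore("STORE_B", {"alice": "pw-1", "dave": "pw-4"}),
]

# What the posted XACML policy encodes, one policy per SP: the single store
# domain (USER-STORE-NAME) whose users that SP (sp-name) may accept.
POLICY: Dict[str, str] = {"sp-a": "STORE_A", "sp-b": "STORE_B"}

# Assumed shape of a per-SP preference order for this example: the stores an
# SP is allowed to authenticate against, in search order.
PREFERENCE: Dict[str, List[str]] = {"sp-a": ["STORE_A"], "sp-b": ["STORE_B"]}


def authenticate_chain(username: str, password: str,
                       chain: List[UserStore]) -> Optional[str]:
    """First-match lookup as described in the question: walk the stores in
    order and stop at the first one that accepts the credentials.
    Returns the domain of that store, or None if no store accepted them."""
    for store in chain:
        if store.users.get(username) == password:
            return store.domain
    return None


def xacml_decision(sp_name: str, domain: str, policy: Dict[str, str]) -> str:
    """Outcome of the posted policy for one SP: permit_by_userstores fires when
    the authenticated user's store equals the SP's configured store; otherwise
    the trailing deny_others rule applies (first-applicable combining)."""
    allowed = policy.get(sp_name)
    if allowed is None:
        return "NotApplicable"  # the policy Target does not match this SP
    return "Permit" if domain == allowed else "Deny"


def login_default(sp_name: str, username: str, password: str,
                  chain: List[UserStore] = CHAIN,
                  policy: Dict[str, str] = POLICY) -> str:
    """Behaviour in the question: authenticate against the whole chain, then
    apply the policy. A duplicate account matched in an earlier store is never
    re-checked in the store the policy actually allows."""
    domain = authenticate_chain(username, password, chain)
    if domain is None:
        return "AuthenticationFailed"
    return xacml_decision(sp_name, domain, policy)


def login_with_preference(sp_name: str, username: str, password: str,
                          chain: List[UserStore] = CHAIN,
                          preference: Dict[str, List[str]] = PREFERENCE,
                          policy: Dict[str, str] = POLICY) -> str:
    """Preferred-order behaviour: only the SP's listed stores are consulted,
    in the listed order; stores not in the list are never searched for this
    SP, so a duplicate account elsewhere cannot shadow the allowed one."""
    order = preference.get(sp_name)
    if order is None:
        subset = chain  # no preference configured: fall back to the full chain
    else:
        by_domain = {store.domain: store for store in chain}
        subset = [by_domain[d] for d in order if d in by_domain]
    domain = authenticate_chain(username, password, subset)
    if domain is None:
        return "AuthenticationFailed"
    return xacml_decision(sp_name, domain, policy)


if __name__ == "__main__":
    print(login_default("sp-b", "alice", "pw-1"))          # Deny (matched in PRIMARY first)
    print(login_with_preference("sp-b", "alice", "pw-1"))  # Permit (only STORE_B searched)
    print(login_with_preference("sp-b", "bob", "pw-2"))    # AuthenticationFailed (bob not in STORE_B)
```

The first call reproduces the question's complaint: `alice` is matched in `PRIMARY`, the policy for `sp-b` compares `PRIMARY` with `STORE_B` and denies, and the copy of `alice` in `STORE_B` is never tried. With a preference order the search for `sp-b` is limited to `STORE_B` from the start, so the policy sees the domain it expects. Note also that `bob`, who exists only in `PRIMARY`, can no longer log in to `sp-b` at all, which is the intended effect of restricting an SP to its own store.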