CIAM FAQ6 — How to create Guest User accounts with the WSO2 Identity Server without Java code or XACML policies?

Dinali Rosemin Dabarera
Dec 20, 2023

This is one of the most common questions you will run into when you design the onboarding processes for your CIAM solution. As a good SaaS application, whether B2B or B2C, you should let customers try out your service before asking them to purchase it. This adds credibility to your products and services and helps to retain long-term customers.

If you are using WSO2 Identity Server as the CIAM solution for your SaaS application, you might wonder how to do this, because out of the box there is no feature called “guest user accounts” or “temporary accounts” in the WSO2 Identity Server feature list.

Alternatively, if you happen to be using XACML policies to build the guest user flow with WSO2 Identity Server, note that XACML is deprecated as of the upcoming Identity Server 7.0 release, so you have to find an alternative.

The solutions that I am proposing here will help all of you to think differently and figure out the best approach to creating guest user accounts in WSO2 IDM.

Using Adaptive Authentication

This is the easiest and most lightweight (better performing than XACML) approach to creating a guest user account in WSO2 Identity Server (IDM).

To begin with, you need a custom claim, http://wso2.org/claims/accountExpiryDate, mapped to a SCIM2 attribute so that you can set and update it via the SCIM2 API of WSO2 IDM.

  1. Populate the custom claim http://wso2.org/claims/accountExpiryDate during the self-sign-up or user creation phase. Set it to, for example, seven or 30 days after creation, depending on your requirements. If the value comes from a hidden, auto-populated field in your self-sign-up form, remember that a hidden field is still under the user's control: validate or recompute the expiry on the server side so that a guest cannot submit a date years in the future.

If you use the form that ships with IDM, customize it. If you use the API, this is easy through the SCIM2 API once the claim is mapped to a SCIM2 dialect. Refer to the documentation for more information: https://is.docs.wso2.com/en/5.11.0/develop/extending-scim2-user-schemas/#add-the-custom-claim

For SCIM2, the dateTime value must be in ISO 8601 format (the sample below uses UTC with a trailing 'Z').

SCIM2 sample request for creating a user (the -k flag and the admin:admin credentials are for a local test instance only; do not skip certificate verification against a real deployment):

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"help2","password":"admin","emails":[{"primary":true,"value":"kim.jackson@gmail.com","type":"home"},{"value":"kim_j@wso2.com","type":"work"}], "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"accountExpiryDate": "2023-12-25T19:40:47.549665Z"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users

SCIM2 response:

{"emails":[{"type":"work","value":"kim_j@wso2.com"},{"type":"home","value":"kim.jackson@gmail.com"}],"meta":{"created":"2023-12-20T21:01:01.119480Z","location":"https://localhost:9443/scim2/Users/257ed30a-a331-4008-a047-3734ca82b36e","lastModified":"2023-12-20T21:01:01.119480Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"roles":[{"type":"default","value":"Internal/everyone"},{"display":"everyone"}],"name":{"givenName":"kim","familyName":"jackson"},"id":"257ed30a-a331-4008-a047-3734ca82b36e","userName":"help2","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"dateOfBirth":"2023-12-25T19:40:47.549665Z","accountExpiryDate":"2023-12-30T19:40:47.549665Z"}}

2. Next, add an adaptive authentication script to the authentication options of your application. This is possible with any IDM version from IS 5.9.0 upwards.

  • Go to the service provider/application that you need to have guest user accounts.
  • In the Local & Outbound Authentication Configuration -> Authentication Type -> Advanced Configuration, add the following adaptive authentication script, with Basic Authentication as the first step.
// Error page to redirect unauthorized users.
// Can be an absolute URL, a URL relative to the server root, or empty/null;
// an empty/null value redirects to the default error page.
var errorPage = '';

// Additional query params to be added to the above URL.
// Hint: use i18n keys for error messages.
var errorPageParameters = {
    'status': 'Unauthorized',
    'statusMsg': 'Expired Account'
};

// Local claim that holds the account expiry timestamp (ISO 8601, UTC, ending in 'Z').
var expiryDateClaim = 'http://wso2.org/claims/accountExpiryDate';

var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Fail closed: an account with no expiry claim is treated as expired.
            var expired = true;
            // Read the expiry claim of the subject authenticated in step 1.
            var exTime = context.currentKnownSubject.localClaims[expiryDateClaim];
            Log.info('exTime of user ' + context.currentKnownSubject.identifier + ' is : ' + exTime);
            if (exTime) {
                var expiryDate = exTime;
                var today = new Date().toISOString();
                Log.info('expiryDate is : ' + expiryDate);
                Log.info('today is : ' + today);
                // Lexicographic comparison of ISO 8601 strings is only valid when both
                // values are UTC and end in 'Z', so store the claim in that form.
                if (today >= expiryDate) {
                    expired = true;
                } else {
                    expired = false;
                }
            }
            if (expired === true) {
                Log.info('The user account for the user ' + context.currentKnownSubject.identifier + ' is expired. Hence denied to login.');
                sendError(errorPage, errorPageParameters);
            }
        }
    });
};

// End of Script

The script above was adapted from the age-based adaptive authentication template provided by WSO2.

  • Save the configuration and try to log in to the app with a user that has an account expiry date.
  • You will get an error page like below. You can modify the error page according to the requirements.

With this approach, every account created for the application carries an expiry time, and once it passes the user can no longer log in to that application. Note that the script fails closed: a user whose expiry claim is missing or empty is also denied, so if regular (non-guest) users sign in to the same application you must either set the claim for them as well or change the script to allow accounts without it.
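The following is an added example, not code from the original post or from WSO2. It models the two halves of the flow above offline so they can be unit-tested before touching the server: building the SCIM2 payload with a server-computed expiry (step 1) and the expiry decision the adaptive script makes (step 2). It goes a little beyond the post by parsing the claim as a date, which handles the six-digit fractional seconds the IS SCIM2 response returns, explicit UTC offsets, and garbage values, instead of comparing ISO strings. Assumed names (not from the page): the helper functions buildGuestUser, parseExpiry, accountExpired and stringCompareExpired, and the constructed sample data.

```javascript
// Added example: offline model of the guest-account flow (not WSO2 code).
// Assumptions: the claim is an ISO 8601 timestamp, the SCIM2 enterprise
// extension attribute is named accountExpiryDate, and the decision the
// adaptive script makes is isolated in accountExpired().

const EXPIRY_CLAIM = 'http://wso2.org/claims/accountExpiryDate';
const CORE_SCHEMA = 'urn:ietf:params:scim:schemas:core:2.0:User';
const ENTERPRISE_SCHEMA = 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User';
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Build the body for POST /scim2/Users. The expiry is computed here, on the
// server side, because a hidden sign-up form field can be edited by the client.
function buildGuestUser(userName, email, trialDays, now = new Date()) {
  const expiry = new Date(now.getTime() + trialDays * MS_PER_DAY);
  return {
    schemas: [CORE_SCHEMA, ENTERPRISE_SCHEMA],
    userName,
    emails: [{ primary: true, value: email, type: 'home' }],
    [ENTERPRISE_SCHEMA]: { accountExpiryDate: expiry.toISOString() },
  };
}

// Parse the stored claim. Accepts ISO 8601 with any fractional-second
// precision (the IS SCIM2 response shows six digits, JS emits three) and an
// explicit zone ('Z' or +hh:mm). Anything else, including a zone-less local
// time, yields null.
function parseExpiry(value) {
  if (typeof value !== 'string') return null;
  const m = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$/.exec(value.trim());
  if (!m) return null;
  const millis = m[2] ? (m[2] + '00').slice(0, 4) : '.000'; // normalise to .sss
  const t = Date.parse(m[1] + millis + m[3]);
  return Number.isNaN(t) ? null : new Date(t);
}

// The decision the adaptive script needs: true means deny login.
// Fails closed: a missing or unparsable claim counts as expired.
function accountExpired(localClaims, now = new Date()) {
  const expiry = parseExpiry(localClaims[EXPIRY_CLAIM]);
  if (expiry === null) return true;
  return now.getTime() >= expiry.getTime();
}

// The plain string comparison the post's script performs, kept for contrast:
// it is only correct when both strings are UTC and end in 'Z'.
function stringCompareExpired(claimValue, nowIso) {
  return nowIso >= claimValue;
}

// Stand-alone demo with constructed data (not from a real deployment).
if (typeof require !== 'undefined' && require.main === module) {
  const created = new Date('2023-12-20T21:01:01.119Z');
  const user = buildGuestUser('help2', 'kim.jackson@example.com', 7, created);
  console.log(JSON.stringify(user, null, 2));
  const claims = { [EXPIRY_CLAIM]: user[ENTERPRISE_SCHEMA].accountExpiryDate };
  console.log('expired on day 3:', accountExpired(claims, new Date(created.getTime() + 3 * MS_PER_DAY)));
  console.log('expired on day 8:', accountExpired(claims, new Date(created.getTime() + 8 * MS_PER_DAY)));
}
```

Only the decision logic is meant to be carried into the real adaptive script; executeStep, sendError and Log exist only inside Identity Server, and older, Nashorn-based releases accept only ES5 syntax, so rewrite const, default parameters and computed keys with var and plain function expressions when you paste it in. The stringCompareExpired contrast shows why the claim must be stored in UTC with a trailing 'Z' if you keep the post's string comparison: a value with a +03:00 offset sorts after a UTC value for the same instant and lets an expired guest in.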

Adaptive authentication is the better way to provide this experience with WSO2 Identity Server, so instead of the XACML-based approach described by Johan Nallathamby in https://medium.com/identity-beyond-borders/how-to-enable-guest-accounts-in-wso2-identity-server-af17b2ca7b2c, you can use this approach.

With both approaches you will be left with many expired accounts at the end of every year. To avoid that, you need an automated clean-up of expired accounts. I will let you know how to do it in my next blog post.

Thank you and hope you enjoyed this!!


Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V, specialized in WSO2 IAM, an Identity Evangelist, a blogger, a nature lover, a backpacker