Access Control Demonstration Sample

Use the following steps to try out the sample.

Step 1: Create users

The Identity Provider of the WSO2 Identity Solution is based on the WSO2 Web Services Application Server (WSAS). The WSAS instance used by the Identity Provider can be accessed through the "wsas" context.

https://localhost:12443/wsas

First log into the WSAS management console (the default admin user name is "admin" and the password is "admin"). Then use the "Security" option in WSAS to create a user ("alice") with the role "user".

Step 2: Change user store

Now log into the "Identity Provider management console" (the default admin user name is "admin" and the password is "admin") and, under the "User Stores" configuration, set the "wsasRealmForAccessControlSample" user store configuration as the default user store.

Step 3: Define claims

Since the user store has changed, the enabled claims and the claim mappings have to be set again.

Enable the "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" claim.

The "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" claim is enabled by default.

Now, under "WSO2 Claims", add a new claim with the following details:

Enable the "http://identity.wso2.org/claims/roles" claim.

Step 4: Map claims

Use the "Claim Mappings" configuration to map claims to user properties as listed below:

Claim URI                                                          User property
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname    username
http://identity.wso2.org/claims/roles                              roles

Step 5: Log in to the user application and obtain a card

Log into the "Identity Provider" with the user credentials created in Step 1, download an information card and install it in your identity selector.

Step 6: Try the access control application

Point the browser to the sample access control demo relying party, available in the "ac" context of the identity provider container.
</gml_replace>
<gr_replace lines="47" cat="remove_boilerplate" orig=".">

https://localhost:12443/ac/

.

Use the information card "alice" obtained earlier to log into this application. The web app will display that the user is not an admin user.

Now add the "admin" role to "alice" using the WSAS management console and log into the application again. Since "alice" now has the "admin" role, the application will recognize "alice" as an admin user.
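The two access decisions of Step 6, modelled end to end as an added example; this is not code from the sample or from WSO2, and it is written in Python rather than the Java of the product. It applies the claim mappings from Step 4 to a constructed user-store record for "alice", serializes the resulting claims the way a SAML 1.1 information-card token usually carries them (AttributeNamespace holding the claim URI prefix and AttributeName its last segment, which is an assumption of this example), and then makes the relying party's admin check on the roles claim. Token signing, the subject and the validity conditions of a real token are left out.

```python
import xml.etree.ElementTree as ET

# Claim mappings from Step 4 of the sample: claim URI -> user-store property.
CLAIM_MAPPINGS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "username",
    "http://identity.wso2.org/claims/roles": "roles",
}
ROLES_CLAIM = "http://identity.wso2.org/claims/roles"
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
ADMIN_ROLE = "admin"            # the role the demo relying party looks for (Step 6)
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def build_claims(user_record, requested_claims):
    """Identity-provider side: resolve the requested claim URIs against the
    user-store record through the claim mappings. Claims without a mapping,
    or whose property the record lacks, are simply not issued."""
    claims = {}
    for uri in requested_claims:
        prop = CLAIM_MAPPINGS.get(uri)
        if prop is None or prop not in user_record:
            continue
        value = user_record[prop]
        claims[uri] = list(value) if isinstance(value, (list, tuple)) else [value]
    return claims


def issue_assertion(claims):
    """Serialize the claims as a minimal, unsigned SAML 1.1-style assertion
    (constructed for this example; a real token is signed and carries a
    subject and conditions, which are omitted here)."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    statement = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for uri, values in claims.items():
        namespace, _, name = uri.rpartition("/")   # assumed claim-URI split
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute",
                                  AttributeName=name, AttributeNamespace=namespace)
        for value in values:
            ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def extract_claims(assertion_xml):
    """Relying-party side: read the attributes back into {claim URI: [values]}.
    Signature verification would precede this step on a real token."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        uri = attribute.get("AttributeNamespace") + "/" + attribute.get("AttributeName")
        claims[uri] = [v.text or "" for v in attribute.iter(f"{{{SAML_NS}}}AttributeValue")]
    return claims


def is_admin(claims):
    """Access decision: admin only if the roles claim is present and lists the
    admin role. A missing roles claim therefore denies, never grants."""
    return ADMIN_ROLE in claims.get(ROLES_CLAIM, [])


def demo():
    """Walk through Step 6: alice without, then with, the admin role.
    Returns (admin_before, admin_after)."""
    requested = [GIVENNAME_CLAIM, ROLES_CLAIM]
    alice = {"username": "alice", "roles": ["user"]}       # constructed user-store record
    before = is_admin(extract_claims(issue_assertion(build_claims(alice, requested))))
    alice["roles"].append(ADMIN_ROLE)                      # the role change made in Step 6
    after = is_admin(extract_claims(issue_assertion(build_claims(alice, requested))))
    return before, after


if __name__ == "__main__":
    print(demo())   # expected: (False, True)
```

The decision keys on the roles claim URI alone: the given name travels in the same token but is only a display value, so a user renaming themselves can never affect the outcome, and a token that omits the roles claim is treated as a non-admin rather than an error. Because the mapping in Step 4 is what turns the user store's "roles" property into that claim, removing or misspelling the mapping makes every user a non-admin, which is the failure mode to check first if the demo never shows an admin.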