Describe the issue:

The WS-Trust flow does not adhere to the Use user store domain in local subject identifier option of the SP. Whether or not the option is enabled, the user store domain is appended to the name identifier of the security token.
How to reproduce:

1. Set up a secondary user store in the WSO2 Identity Server.
2. Create a user in the secondary user store.
3. Set up the WS-Trust flow by following the official documentation at [1] (disable the option Use user store domain in local subject identifier in the service provider) and try out the flow with the user that was created.

Even if the relevant configuration is disabled, the user store domain is appended to the token as follows.
This seems to be occurring because we have not considered this option in the source code. I debugged the issue at a high level and managed to fix it by manually setting the name identifier value that already existed in the subject object at [2] (note: we will also need a proper way to extract the SP details so that we can check whether the option is enabled or not). However, please note that the fix should also be applied to SAML1, and the attribute statement values [3] should be checked for this as well. The fix mentioned here might not be the ideal solution, hence its feasibility should be checked.
[1] - https://is.docs.wso2.com/en/5.11.0/learn/configuring-ws-trust-security-token-service/
[2] - https://github.com/wso2/wso2-rampart/blob/v1.6.1-wso2v45/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAML2TokenIssuer.java#L268
[3] - https://github.com/wso2/wso2-rampart/blob/v1.6.1-wso2v45/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAML2TokenIssuer.java#L271
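As an added illustration (not code from WSO2 Identity Server or Rampart), the following Java snippet models the name-identifier decision the report above describes: with the SP option disabled the user store domain prefix is dropped, with it enabled it is kept. The `DOMAIN/username` format, the treatment of the PRIMARY domain as never prefixed, and the `useUserStoreDomain` parameter standing in for the SP configuration lookup the report says is still needed are assumptions of this example, not something the issue or the linked code confirms.

```java
// Added example, not WSO2 Identity Server or Rampart code.
// Assumes the "DOMAIN/username" convention for domain-qualified users and
// that the PRIMARY domain is never prefixed (both are assumptions here).
public final class NameIdentifierExample {

    private static final String DOMAIN_SEPARATOR = "/";
    private static final String PRIMARY_DOMAIN = "PRIMARY";

    private NameIdentifierExample() {}

    /**
     * Returns the value that should go into the token's name identifier.
     *
     * @param authenticatedSubject the user as authenticated by the server,
     *        e.g. "SECONDARY/alice" or "alice" (assumed format)
     * @param useUserStoreDomain the SP option "Use user store domain in local
     *        subject identifier"; hypothetical parameter standing in for the
     *        SP configuration lookup the report says is still needed
     */
    public static String nameIdentifierFor(String authenticatedSubject, boolean useUserStoreDomain) {
        if (authenticatedSubject == null || authenticatedSubject.trim().isEmpty()) {
            throw new IllegalArgumentException("authenticated subject must not be empty");
        }
        int sep = authenticatedSubject.indexOf(DOMAIN_SEPARATOR);
        if (sep < 0) {
            // No domain prefix present: nothing to add or strip.
            return authenticatedSubject;
        }
        String domain = authenticatedSubject.substring(0, sep);
        String user = authenticatedSubject.substring(sep + 1);
        if (user.isEmpty()) {
            throw new IllegalArgumentException("username part must not be empty: " + authenticatedSubject);
        }
        // Keep the prefix only when the SP asks for it and the domain is not PRIMARY.
        boolean keepDomain = useUserStoreDomain && !PRIMARY_DOMAIN.equalsIgnoreCase(domain);
        return keepDomain ? domain.toUpperCase() + DOMAIN_SEPARATOR + user : user;
    }

    public static void main(String[] args) {
        // Constructed sample subjects; none of these are real users.
        String[] subjects = {"SECONDARY/alice", "secondary/bob", "PRIMARY/carol", "dave"};
        for (boolean option : new boolean[] {true, false}) {
            System.out.println("Use user store domain in local subject identifier = " + option);
            for (String subject : subjects) {
                System.out.printf("  %-16s -> %s%n", subject, nameIdentifierFor(subject, option));
            }
        }
        // Self-check of the behaviour the report asks for.
        if (!"alice".equals(nameIdentifierFor("SECONDARY/alice", false))
                || !"SECONDARY/alice".equals(nameIdentifierFor("SECONDARY/alice", true))) {
            throw new AssertionError("name identifier does not follow the SP option");
        }
    }
}
```

Compile with `javac NameIdentifierExample.java` and run with `java NameIdentifierExample`. The point for a relying party is consistency: an RP that maps the token's name identifier to a local account sees a different identifier for the same user depending on this option, so the token issuer has to honour the same SP setting as the other flows, or account linking on the RP side silently diverges between protocols.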
Expected behavior:
The user store domain should not be appended when the option is disabled in the service provider. Sample response after the manual fix is as follows.
Environment information (Please complete the following information; remove any unnecessary fields):