[WSO2 IS] [Asgardeo] Retrieving Google Account Profile Pictures During JIT Provisioning
When setting up Just-In-Time (JIT) provisioning, it’s often essential to map specific attributes from an external identity provider (IDP) like Google to your local claims. One common requirement is retrieving and storing the Google account profile picture in your application during the provisioning process.
In this article, we’ll walk through the steps to create the Google connector and update the necessary IDP claim mappings to achieve this. Specifically, we will map Google’s profile picture URL to the local claim in your system.
To integrate Google as an Identity Provider (IDP) and update the claim mappings, we first create the Google connector. Once the connector is set up, we map the Google IDP claims to our local claims. The mapping that matters here is from Google's OIDC claim picture (the URL of the account's profile photo) to the local claim http://wso2.org/claims/url. This local claim is exposed over SCIM as the attribute urn:ietf:params:scim:schemas:core:2.0:User:profileUrl, so once the mapping is in place the user's profile picture URL from Google is stored in the local user store and returned from the SCIM user endpoint.
When you retrieve a JIT-provisioned user from the SCIM user endpoint before the mapping exists, you will notice that the profileUrl attribute is absent: the photo details arrive from Google and appear under photos, but nothing has been mapped to profileUrl yet. To resolve this, we map profileUrl (that is, http://wso2.org/claims/url) to the picture claim received from Google. Below is a sample request to retrieve the user profile details from the SCIM user endpoint, followed by the response as it looks before the mapping is added.
curl 'https://<your-domain>:<port>/t/<tenant-domain>/scim2/Users/<user-id>' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer <your-access-token>'
{
  "emails": [
    "<user-email>"
  ],
  "meta": {
    "created": "2024-08-14T08:18:12.279238Z",
    "location": "https://localhost:9443/scim2/Users/<user-id>",
    "lastModified": "2024-08-14T08:18:12.286611Z",
    "resourceType": "User"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:scim:wso2:schema"
  ],
  "roles": [
    {
      "audienceValue": "10084a8d-113f-4211-a0d5-efe36b082211",
      "display": "everyone",
      "audienceType": "organization",
      "value": "85081d25-9dfd-42f4-b58d-219e32f8e1be",
      "$ref": "https://localhost:9443/scim2/v2/Roles/<role-id>",
      "audienceDisplay": "Super"
    }
  ],
  "name": {
    "givenName": "Asgardeo",
    "familyName": "Testuser"
  },
  "id": "<user-id>",
  "userName": "<user-name>",
  "photos": [
    {
      "type": "photo",
      "value": "<photo-uri-value>"
    }
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "emailVerified": true,
    "lastPasswordUpdateTime": ""
  }
}
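The record above shows the state you are trying to change: photos is populated, profileUrl is not. The following Python is an added example (not code from this article or from WSO2) that classifies a SCIM user record along those lines and, because the stored URL ends up in an <img src> somewhere downstream, treats it as untrusted input: only absolute https URLs on an allowlisted host pass. The host allowlist (lh3.googleusercontent.com) and the sample record are assumptions constructed for the example.

```python
"""Check a SCIM 2.0 user record for the Google profile picture.

Added example, not code from the original article or from WSO2.
"""
import json
from urllib.parse import urlsplit

# Assumed allowlist: where Google serves account photos from. Adjust to what
# you actually observe in the picture claims of your tenant.
ALLOWED_PHOTO_HOSTS = {"lh3.googleusercontent.com"}

# Constructed sample: the response shape from the article, trimmed, with a
# placeholder photo URL. profileUrl is absent, as it is before the mapping.
SAMPLE_BEFORE_MAPPING = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "00000000-0000-0000-0000-000000000000",
    "userName": "testuser",
    "photos": [{"type": "photo",
                "value": "https://lh3.googleusercontent.com/a/example-photo"}],
}


def picture_state(user: dict) -> dict:
    """Return the photos[] values and profileUrl (None when absent)."""
    photos = [p.get("value") for p in user.get("photos", []) if p.get("value")]
    return {"photos": photos, "profileUrl": user.get("profileUrl")}


def is_safe_picture_url(url, allowed_hosts=ALLOWED_PHOTO_HOSTS) -> bool:
    """Accept only absolute https URLs on an allowlisted host.

    Rejects javascript:, data:, plain http, user@host prefixes and hosts
    outside the allowlist. A URL that fails here must not be rendered.
    """
    if not isinstance(url, str):
        return False
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.username or parts.password:  # "allowed.host@evil.example" trick
        return False
    return (parts.hostname or "") in allowed_hosts


def check_provisioned_user(user: dict) -> str:
    """Classify a JIT-provisioned record; 'ok' only when profileUrl is usable."""
    state = picture_state(user)
    if state["profileUrl"] is None:
        return "profileUrl missing: claim mapping for 'picture' not applied"
    if not is_safe_picture_url(state["profileUrl"]):
        return "profileUrl present but not a safe https URL on an allowed host"
    if state["photos"] and state["profileUrl"] not in state["photos"]:
        return "profileUrl differs from photos[]: mapping points at another value"
    return "ok"


if __name__ == "__main__":
    print(json.dumps(picture_state(SAMPLE_BEFORE_MAPPING), indent=2))
    print(check_provisioned_user(SAMPLE_BEFORE_MAPPING))
```

Run it against the JSON you get back from the SCIM GET (json.load the response into a dict and pass it to check_provisioned_user); the three non-"ok" results correspond to the mapping not being applied, the mapping pointing at something other than the photo URL, and a URL that should not be rendered as-is.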
Claim Mapping
This cURL command maps the external identity provider claim "picture" to the local claim "URL" (http://wso2.org/claims/url) within the system. The body is the IDP's complete claim configuration, and PUT replaces what is stored, so keep the mappings and the userIdClaim entry that already exist on the IDP (the nickname and username entries below are the ones present on the test IDP) and add the picture entry to them. The id of each localClaim is the base64 encoding of the claim URI without padding.
Note: picture is one of the claims Google advertises in claims_supported of its OIDC discovery document, https://accounts.google.com/.well-known/openid-configuration
Request
curl --location --request PUT 'https://<your-domain>:<port>/t/<tenant-domain>/api/server/v1/identity-providers/<IDP_ID>/claims' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <your-access-token>' \
  --data '{
  "userIdClaim": {
    "uri": "username"
  },
  "roleClaim": {
    "uri": "username"
  },
  "mappings": [
    {
      "idpClaim": "nickname",
      "localClaim": {
        "id": "aHR0cDovL3dzbzIub3JnL2NsYWltcy9naXZlbm5hbWU",
        "uri": "http://wso2.org/claims/givenname",
        "displayName": "First Name"
      }
    },
    {
      "idpClaim": "username",
      "localClaim": {
        "id": "aHR0cDovL3dzbzIub3JnL2NsYWltcy91c2VybmFtZQ",
        "uri": "http://wso2.org/claims/username",
        "displayName": "Username"
      }
    },
    {
      "idpClaim": "picture",
      "localClaim": {
        "id": "aHR0cDovL3dzbzIub3JnL2NsYWltcy91cmw",
        "uri": "http://wso2.org/claims/url",
        "displayName": "URL"
      }
    }
  ],
  "provisioningClaims": []
}'
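Because the PUT carries the whole claim configuration, the safe way to add the picture mapping is to start from what GET on the same path returns and append to it. The following Python is an added example (not code from this article or from WSO2) that does exactly that offline: it derives the localClaim id the same way the ids in the request above are derived (base64 of the claim URI, padding stripped; the URL-safe alphabet is assumed, and the two alphabets agree for these URIs), merges the new mapping without duplicating an existing entry for the same IDP claim, and runs two sanity checks before you send the body. The starting configuration is a constructed sample.

```python
"""Build the PUT body for /api/server/v1/identity-providers/<IDP_ID>/claims.

Added example, not code from the original article or from WSO2.
"""
import base64
import copy
import json

LOCAL_URL_CLAIM = "http://wso2.org/claims/url"


def claim_id(local_claim_uri: str) -> str:
    """localClaim.id as used by the API: base64 of the claim URI, no '=' padding.

    Matches the ids in the article's request. URL-safe alphabet is assumed.
    """
    return base64.urlsafe_b64encode(local_claim_uri.encode()).decode().rstrip("=")


# Constructed sample of an existing claim configuration, shaped like the GET
# response: only the username mapping is present before we add picture.
EXISTING_CLAIM_CONFIG = {
    "userIdClaim": {"uri": "username"},
    "roleClaim": {"uri": "username"},
    "mappings": [
        {
            "idpClaim": "username",
            "localClaim": {
                "id": claim_id("http://wso2.org/claims/username"),
                "uri": "http://wso2.org/claims/username",
                "displayName": "Username",
            },
        },
    ],
    "provisioningClaims": [],
}


def add_mapping(config: dict, idp_claim: str, local_uri: str, display_name: str) -> dict:
    """Return a copy of config with idp_claim -> local_uri added.

    An existing mapping for the same IDP claim is replaced, not duplicated;
    userIdClaim, roleClaim and all other mappings are preserved unchanged.
    """
    new_cfg = copy.deepcopy(config)
    mappings = [m for m in new_cfg.get("mappings", []) if m.get("idpClaim") != idp_claim]
    mappings.append({
        "idpClaim": idp_claim,
        "localClaim": {"id": claim_id(local_uri), "uri": local_uri,
                       "displayName": display_name},
    })
    new_cfg["mappings"] = mappings
    return new_cfg


def validate_config(config: dict) -> list:
    """Sanity checks for the body before the PUT (this example's own checks).

    - the userIdClaim must itself be one of the mapped IDP claims, otherwise
      JIT provisioning has no attribute to build the local user name from;
    - two IDP claims must not target the same local claim, since the second
      value would silently win.
    """
    problems = []
    mappings = config.get("mappings", [])
    idp_claims = {m["idpClaim"] for m in mappings}
    uid = config.get("userIdClaim", {}).get("uri")
    if uid not in idp_claims:
        problems.append(f"userIdClaim {uid!r} has no mapping entry")
    seen = {}
    for m in mappings:
        target = m["localClaim"]["uri"]
        if target in seen:
            problems.append(f"{m['idpClaim']} and {seen[target]} both map to {target}")
        seen[target] = m["idpClaim"]
    return problems


def picture_mapping_body(config: dict) -> str:
    """JSON body that adds Google's 'picture' -> local URL claim to config."""
    new_cfg = add_mapping(config, "picture", LOCAL_URL_CLAIM, "URL")
    problems = validate_config(new_cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(new_cfg, indent=2)


if __name__ == "__main__":
    print(picture_mapping_body(EXISTING_CLAIM_CONFIG))
```

Feed the output of the GET into add_mapping instead of the constructed sample and send the resulting string as the --data of the PUT; the idempotent replace means re-running the script after the mapping already exists produces the same body rather than a second picture entry.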
Next, create an application and configure its login flow with the Google IDP you set up, making sure Just-In-Time provisioning is enabled on the IDP.
Then log in to the application through Google and verify the result by fetching the user from the SCIM user endpoint again: the provisioned user should now carry profileUrl with the image URL taken from Google's picture claim, alongside the photos entry that was already there.
By following these steps, user profiles are populated with the Google profile image at provisioning time, with no extra call to Google needed afterwards.