Merge pull request wso2#4560 from divyaamunugama/guides-updates

Updated oidc attributes doc

en/asgardeo/docs/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md

@@ -1,3 +1,4 @@
 {% set product_name = "Asgardeo" %}
 {% set product_url_sample = "https://api.asgardeo.io/t/bifrost" %}
+{% set configure_subject_identifier = "" %}
 {% include "../../../../../includes/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md" %}

en/identity-server/7.0.0/docs/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md

@@ -1,3 +1,30 @@
 {% set product_name = "WSO2 Identity Server" %}
 {% set product_url_sample = "https://localhost:9443" %}
+{% set configure_subject_identifier = "
+## Configure the subject identifier
+
+WSO2 Identity Server uses a subject attribute to uniquely identify users logging into OIDC applications. This is set to be the **user ID** of the user which can be found in the user's profile in **User Management** > **Users**.
+
+However, having a single subject identifier for multiple applications may enable external entities to track the activity of a user across applications based on a single attribute.
+
+You can opt for a pairwise subject identifier to mitigate this issue. With a pairwise subject identifier, WSO2 Identity Server generates a unique pseudonymous ID for each user-application pair protecting the user's identity when accessing multiple applications.
+
+Follow the steps below to configure the subject identifier type:
+
+1. On the WSO2 Identity Server Console, go to **Applications**.
+
+2. Select the application and go to its **User Attributes** tab.
+
+3. Under **Subject type**, select **Pairwise**.
+
+4. Enter a **Sector Identifier URI**.
+
+    !!! info
+        The sector identifier URI is used to group clients belonging to the same security domain so that the same pairwise identifier is used for a given user accessing these clients.
+
+    ![Enter a sector identifier for pairwise subject identifier](../../../assets/img/guides/applications/fapi-compliant-apps/fapi-compliant-subject-identifier.png)
+
+4. Click **Update** to save the changes.
+
+" %}
 {% include "../../../../../../includes/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md" %}

en/identity-server/next/docs/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md

@@ -1,3 +1,30 @@
 {% set product_name = "WSO2 Identity Server" %}
 {% set product_url_sample = "https://localhost:9443" %}
+{% set configure_subject_identifier = "
+## Configure the subject identifier
+
+WSO2 Identity Server uses a subject attribute to uniquely identify users logging into OIDC applications. This is set to be the **user ID** of the user which can be found in the user's profile in **User Management** > **Users**.
+
+However, having a single subject identifier for multiple applications may enable external entities to track the activity of a user across applications based on a single attribute.
+
+You can opt for a pairwise subject identifier to mitigate this issue. With a pairwise subject identifier, WSO2 Identity Server generates a unique pseudonymous ID for each user-application pair protecting the user's identity when accessing multiple applications.
+
+Follow the steps below to configure the subject identifier type:
+
+1. On the WSO2 Identity Server Console, go to **Applications**.
+
+2. Select the application and go to its **User Attributes** tab.
+
+3. Under **Subject type**, select **Pairwise**.
+
+4. Enter a **Sector Identifier URI**.
+
+    !!! info
+        The sector identifier URI is used to group clients belonging to the same security domain so that the same pairwise identifier is used for a given user accessing these clients.
+
+    ![Enter a sector identifier for pairwise subject identifier](../../../assets/img/guides/applications/fapi-compliant-apps/fapi-compliant-subject-identifier.png)
+
+4. Click **Update** to save the changes.
+
+" %}
 {% include "../../../../../../includes/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md" %}

en/includes/guides/authentication/user-attributes/enable-attributes-for-oidc-app.md

@@ -4,11 +4,17 @@ User attributes are pieces of information about the identity of a user such as a
 
 The following guides explain how you can configure OpenID Connect applications to request attributes from {{product_name}}.
 
-## Select user attributes
+## Configure user attributes
+
+Follow the steps given below to configure the user attributes from the {{ product_name }} Console and share them with the application.
+
+### Select user attributes
 
 You can specify the necessary user attributes for an application. This ensures that when a user logs in, the application is only granted access to the user information associated with these attributes.
 
-To request user attributes from an application:
+The user attributes are grouped by their specific scopes to ease the user attribute configuration process. You can add user attributes individually or all the attributes in the scope at once.
+
+To add user attributes to the app:
 
 1. On the {{ product_name }} console, go to **Applications**.
 2. Select your application and go to its **User Attributes** tab. The most common user attributes are listed according to the relevant scope.
@@ -27,36 +33,32 @@ To request user attributes from an application:
 
 4. Click **Update** once you are done.
 
-## Select mandatory user attributes
-
-{% include "../../fragments/manage-app/manage-user-attributes/select-mandatory-attributes.md" %}
-
-![Add madatory user attributes in {{ product_name }}]({{base_path}}/assets/img/guides/applications/attributes/oidc/add-mandatory-user-attributes.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+### Select an alternate subject attribute
 
-## Configure the subject identifier
+The subject attribute is used for exchanging information about the user. The subject is represented by the **subject** attribute in the ID token.
 
-{{product_name}} uses a subject attribute to uniquely identify users logging into OIDC applications. This is set to be the **user ID** of the user which can be found in the user's profile in **User Management** > **Users**.
+By default, Asgardeo shares **User ID** as the subject. You can define any user attribute as the subject.
 
-However, having a single subject identifier for multiple applications may enable external entities to track the activity of a user across applications based on a single attribute.
+To define a different attribute as the subject:
 
-You can opt for a pairwise subject identifier to mitigate this issue. With a pairwise subject identifier, {{product_name}} generates a unique pseudonymous ID for each user-application pair protecting the user's identity when accessing multiple applications.
+1. In the **Subject** section of the **User Attributes** tab, enable **Assign alternate subject identifier**.
 
-Follow the steps below to configure the subject identifier type:
+    !!! note
+        According to the [OIDC specification](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes), is not recommended to change the default subject identifier.
 
-1. On the {{ product_name }} Console, go to **Applications**.
+    ![Select subject attribute in Asgardeo]({{base_path}}/assets/img/guides/applications/attributes/oidc/select-sub-attribute.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
 
-2. Select the application and go to its **User Attributes** tab.
+2. Select an attribute as the subject from the **Subject attribute** list.
 
-3. Under **Subject type**, select **Pairwise**.
+3. Click **Update**.
 
-4. Enter a **Sector Identifier URI**.
+### Define mandatory user attributes
 
-    !!! info
-        The sector identifier URI is used to group clients belonging to the same security domain so that the same pairwise identifier is used for a given user accessing these clients.
+{% include "../../fragments/manage-app/manage-user-attributes/select-mandatory-attributes.md" %}
 
-    ![Enter a suctor identifier for pairwise subject identifier]({{base_path}}/assets/img/guides/applications/fapi-compliant-apps/fapi-compliant-subject-identifier.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+    ![Add madatory user attributes in {{ product_name }}]({{base_path}}/assets/img/guides/applications/attributes/oidc/add-mandatory-user-attributes.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
 
-4. Click **Update** to save the changes.
+{{ configure_subject_identifier }}
 
 ## How it works
 
@@ -90,7 +92,7 @@ If the user consents to share attributes with the application, {{ product_name }
 
 #### Subject Attribute
 
-The subject attribute is the unique identifer for a user. The application receives this value via the [subject attribute](#subject-attribute) parameter in the [ID token](#id-token). In {{ product_name }}, the user ID is used as the subject attribute.
+The subject attribute is the unique identifier for a user. The application receives this value via the [subject attribute](#subject-attribute) parameter in the [ID token](#id-token). In {{ product_name }}, the user ID is used as the subject attribute.
 
 #### ID token
 
@@ -145,7 +147,7 @@ _A sample userinfo response is given below:_
 2. Select your application and go to its **User Attributes** tab.
 3. Scroll down and under **Linked Accounts**, select **Prioritize local account attributes**.
 
-![Prioritize local account attributes]({{base_path}}//assets/img/guides/applications/attributes/oidc/prioritize-local-account-attributes.png)
+    ![Prioritize local account attributes]({{base_path}}//assets/img/guides/applications/attributes/oidc/prioritize-local-account-attributes.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
 
 Once enabled, the tokens issued from this application during federated authentication with an [external identity provider]({{base_path}}/guides/authentication/#supported-external-idps) will contain the attributes of the local account which is linked with the entity identified by the subject claim of the token issued by the external identity provider.
 

en/includes/guides/authentication/user-attributes/enable-attributes-for-saml-app.md

@@ -54,7 +54,7 @@ This ensures that the application receives attributes based on the name that is
 
 The subject attribute is used for exchanging information about the user. The subject is represented by the **subject** attribute in the SAML assertion.
 
-By default, {{ product_name }} shares **username** as the subject. You can define any user attribute as the subject.
+By default, {{ product_name }} shares **User ID** as the subject. You can define any user attribute as the subject.
 
 To define a different attribute as the subject: