
User groups are not populating to APIM during federated login with IS #22087

Open
HiranyaKavishani opened this issue Dec 19, 2024 · 4 comments

Comments

@HiranyaKavishani
Contributor

HiranyaKavishani commented Dec 19, 2024

Description

User groups in the sub-organization/root organization are not populated in APIM during federated login with IS by a sub-organization/root organization user.

Root Cause: Refer to PR [1]. The reproducing steps mentioned in [2], which led to the introduction of the fix in [1], were tried by reverting the fix. However, even after removing the fix, the issue [2] could not be reproduced.

[1] wso2/carbon-identity-framework#3732

Steps to Reproduce

How to reproduce:

  1. Set up IS 7.1-M5 as the federated IDP for APIM 4.4.0 / any other IS (IS 6.1.0)
  2. Create an app using the Traditional Web Application option from the super org
  3. Create a sub-org, switch to that org and create a new user
  4. Add a user group and the necessary role to the user in order to access the app
  5. Log in to the app using that user

Version

IS 6.x, 7.x

Environment Details (with versions)

No response

@HiranyaKavishani
Contributor Author

The issue has already been discussed with @ShanChathusanda93.

@AnuradhaSK
Contributor

AnuradhaSK commented Dec 19, 2024

@HiranyaKavishani
Why do you expect an external IDP's user-assigned groups to be configured as the JIT-provisioned user's groups?

Hope the following is what you are trying.

[Screenshot 2024-12-19 at 22:52:09]

In this case, when provisioning user A to IS 6.x, setting the http://wso2.org/claims/groups claim of the JIT-provisioned user to Group A, Group B is wrong. There can be cases where the JIT provisioning IDP doesn't have the same groups; sometimes the same group names are used for different purposes, and so on.
IS supports only IDP group to role mapping. You can configure a group-to-role mapping on the federated IDP config end and let the JIT-provisioned user be assigned to the mapped roles. Then the APIM application needs to rely on the roles of its trusted IDP.

@AnuradhaSK
Contributor

In case a fix is needed, this issue falls under the user mgt team, so removing the Team/B2B label and adding the relevant team.

@HiranyaKavishani
Contributor Author

HiranyaKavishani commented Dec 20, 2024

Hi @AnuradhaSK,

This is required in the Devportal when an application created by a user in an organization needs to be shared within a group or team, particularly when B2B is enabled with a federated IDP. This grouping could be based on any claim, but we cannot say that user groups in the federated IDP should not be used to achieve it, as user group functionality is natively supported in IS 7.x as a first-class feature for grouping users, in addition to roles.

Thanks!
Hiranya
