wso2 / product-apim


Application/* roles are getting removed upon federated users re-login to servers #4402

Closed malinthaprasan closed 5 years ago

malinthaprasan commented 5 years ago

Description: In an SSO (federated) setup where user stores are not shared and provisioning is enabled, the Application/* roles are removed from users when they re-login. Due to this, the users are unable to delete/update OAuth applications created in the Store after re-login.

The reason for the issue is that the current DefaultProvisioningHandler.java doesn't consider skipping Application/* roles when updating the roles of a user (on re-login).

OS, DB, other environment details and versions:
SSO, Federated, JIT Provisioning

Steps to reproduce:

  1. Create an SSO setup enabling provisioning
  2. Log into the Store using a user with SSO
  3. Create an application and generate keys

Now check from the carbon console for the particular user. The application role is assigned to the particular user.

  1. Log out from the Store.
  2. Log in to the Store again with the same user.

Now check from the carbon console for the particular user. The application role is not assigned to the particular user.
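The role reconciliation described in this report, as an added example that is not part of the original issue and is not WSO2's handler code: on re-login a JIT provisioning step removes every local role the IdP did not assert, and the second method shows the same step retaining locally managed roles. The class name, method names, role names and the case-insensitive prefix match are assumptions made for illustration.

```java
import java.util.Set;
import java.util.TreeSet;

public class RoleSyncExample {
    // Prefix of locally managed roles, taken from the issue title (assumption:
    // matched case-insensitively, since the thread writes it both ways).
    static final String LOCAL_PREFIX = "Application/";

    /** Naive sync: every current role missing from the IdP assertion is removed. */
    static Set<String> rolesToRemoveNaive(Set<String> current, Set<String> fromIdp) {
        Set<String> remove = new TreeSet<>(current);
        remove.removeAll(fromIdp);
        return remove;
    }

    /** Same sync, but roles under the local prefix are never scheduled for removal. */
    static Set<String> rolesToRemoveRetaining(Set<String> current, Set<String> fromIdp) {
        Set<String> remove = rolesToRemoveNaive(current, fromIdp);
        remove.removeIf(RoleSyncExample::isLocallyManaged);
        return remove;
    }

    static boolean isLocallyManaged(String role) {
        return role.regionMatches(true, 0, LOCAL_PREFIX, 0, LOCAL_PREFIX.length());
    }

    public static void main(String[] args) {
        // Constructed sample: roles held locally after the first login and
        // application creation, and the roles the IdP asserts on re-login.
        Set<String> current = Set.of(
                "engineering",                      // provisioned from the IdP
                "former_team",                      // no longer asserted by the IdP
                "Application/alice_DefaultApp");    // created locally with the OAuth app
        Set<String> fromIdp = Set.of("engineering");

        // The naive sync drops the Application/ role along with the stale IdP
        // role, which is the loss of application ownership reported here.
        System.out.println("naive removes:     " + rolesToRemoveNaive(current, fromIdp));

        // The retaining sync still revokes the stale IdP role but leaves the
        // locally created Application/ role in place.
        System.out.println("retaining removes: " + rolesToRemoveRetaining(current, fromIdp));
    }
}
```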

praminda commented 5 years ago

Fixed with wso2/carbon-identity-framework#2084

josecu08 commented 3 years ago

I'm having this issue on APIM 4.0.0. I have configured WSO2 IS using the guide in the docs. However, when I create an application using devportal with api_user I cannot edit the application upon relogin. I've checked in the management console that after a login the application/* role is not assigned anymore.

praminda commented 3 years ago

pls configure org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler.java as the provisioning handler. It should resolve the issue.