Closed tharindu-b-hewage closed 1 month ago
Hi Team,
This issue is reproducible in IS 7.0.0 as well. From the console, only roles can be assigned, not groups, which should also be configurable. When a role is assigned from the console, it is saved without the "Internal" domain in the IDP outboundProvisioningRoles configuration. Due to the missing "Internal" domain, when the canUserBeProvisioned()[1] method checks if the user is allowed to be provisioned, it incorrectly determines that the user does not have the provisioning role because of the missing "Internal" domain prefix.
Using the following request should resolve the issue.
curl --location --request PUT 'https://localhost:9443/t/carbon.super/api/server/v1/identity-providers/<idp-id>/roles' \
--header 'Accept: application/json' \
--header 'Referer;' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36' \
--header 'Content-Type: application/json' \
--data '{
"mappings": [],
"outboundProvisioningRoles": [
"Internal/test1"
]
}'
Hi @ShehanDinuka
Even the role can be added via the API call, the role based outbound provisioning will be triggered when role assignment from the management console. When role assignment from the console app or via scim2/Roles API will not work as raised in this issue.
As management console is not recommended for the IS 7.0 and it is running in legacy mode with less features, we will have improve this feature properly working with REST APIs.
We are not promoting the Internal\
prefix for the roles. If we are passing that in the API payload it will make confusions.
I have tested without that prefix with only the role name, and the role based outbound provisioning is working fine. (The setup has the patches related to the backend fixes)
There are few other bugs around this feature which required to be fixed.
Trying to delete a group will not remove the outbound provisioned group due to below issue.
UI bug in provisioning connector information update.
UI inconsistency of displaying roles to assign for role based outbound provisioning.
UI issue of dropdown menu for selecting roles for role based outbound provisioning.
Thanks, Sadil
Hi Team,
This issue is reproducible in IS 7.0.0 as well. From the console, only roles can be assigned, not groups, which should also be configurable. When a role is assigned from the console, it is saved without the "Internal" domain in the IDP outboundProvisioningRoles configuration. Due to the missing "Internal" domain, when the canUserBeProvisioned()[1] method checks if the user is allowed to be provisioned, it incorrectly determines that the user does not have the provisioning role because of the missing "Internal" domain prefix.
Using the following request should resolve the issue.
curl --location --request PUT 'https://localhost:9443/t/carbon.super/api/server/v1/identity-providers/<idp-id>/roles' \ --header 'Accept: application/json' \ --header 'Referer;' \ --header 'Authorization: Basic YWRtaW46YWRtaW4=' \ --header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36' \ --header 'Content-Type: application/json' \ --data '{ "mappings": [], "outboundProvisioningRoles": [ "Internal/test1" ] }'
Hi @ShehanDinuka
The referenced code line [1] is only executed when assigning a role to the user via the management console. Assigning a user to the role will not engaged in this flow. The REST APIs supports to assign a user to a role. Hence this flow is not engaged during the provision flow. Hence raised this PR, which triggers outbound provisioning when role updates [2].
[1] - https://github.com/wso2/carbon-identity-framework/blob/e4e583f08a52c7ad7f72fddaf6fbcd3a867a3601/components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/OutboundProvisioningManager.java#L560 [2] - https://github.com/wso2/carbon-identity-framework/pull/5893
Thanks, Sadil
(When set of provisioned groups not exist when creating user and whe set of users not exists when provisioning groups lead to fail the provisioning process. It was fixed to provision with available user or groups)
The 5.6 & 5.7 are partially happening due to the issue raised here
Describe the issue: Configure role-based outbound provisioning and simulate the flow by assigning outbound provisioning role to a user in the management console. It works.
But assigning the role via console does not trigger provisioning.
The same happens for assigning a group via the console app.
How to reproduce: Config role-based outbound provisioning.
Assign the provisioning role to a user via mgt console, it works.
Assign as a role to a user via console app, it does not trigger provisioning.
Assign as a group to a user via console app, it does not trigger provisioning.
Expected behavior: When a role or group assigned to the user, that user should be provisioned if the assigned role/group is the provisioning role.