SAML assertion Claims are by default copied to the ID token retrieved with the access token in SAML bearer grant

[tharindu-b-hewage]

When an ID token is requested with the SAML bearer grant access token, claim dialect for the claims included in the SAML assertion are directly copied in the default pack.

If the SAML assertion contained a claim in the local dialect, it will not be converted to the oidc dialect by default. This is due to the configuration option, <ConvertOriginalClaimsFromAssertionsToOIDCDialect> is disabled by default.

Above config is introduced with Handling Custom Claims with the JWT Bearer Grant Type and explained in the doc, which needs to be linked/explained in https://docs.wso2.com/display/IS580/Setting+up+a+SAML2+Bearer+Assertion+Profile+for+OAuth+2.0

[darshanasbg]

Better to have ConvertOriginalClaimsFromAssertionsToOIDCDialect config set to true in default pack.

If so, have to explain this behavior change in the migration guide.