Role based outbound provisioning not triggered via assigning roles/groups through console app #11394
Comments
Hi Team, This issue is reproducible in IS 7.0.0 as well. From the console, only roles can be assigned, not groups, which should also be configurable. When a role is assigned from the console, it is saved without the "Internal" domain in the IDP outboundProvisioningRoles configuration. Due to the missing "Internal" domain, when the canUserBeProvisioned()[1] method checks if the user is allowed to be provisioned, it incorrectly determines that the user does not have the provisioning role because of the missing "Internal" domain prefix. Using the following request should resolve the issue.
Even though the role can be added via the API call, role-based outbound provisioning is triggered when the role is assigned from the management console. Role assignment from the console app or via the scim2/Roles API will not work, as raised in this issue.
As the management console is not recommended for IS 7.0 and it is running in legacy mode with fewer features, we will have to improve this feature to work properly with the REST APIs. We are not promoting the There are a few other bugs around this feature which are required to be fixed.
Thanks,
The referenced code line [1] is only executed when assigning a role to the user via the management console. Assigning a user to the role will not engage this flow. The REST APIs support assigning a user to a role. Hence this flow is not engaged during the provisioning flow. Hence raised this PR, which triggers outbound provisioning when a role is updated [2].
[1] - https://github.com/wso2/carbon-identity-framework/blob/e4e583f08a52c7ad7f72fddaf6fbcd3a867a3601/components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/OutboundProvisioningManager.java#L560
Thanks,
Testing effort
1. Outbound user provisioning.
2. Outbound group provisioning.
3. Complex user group creations while outbound provisioning.
(When the set of provisioned groups does not exist when creating a user, and when the set of users does not exist when provisioning groups, the provisioning process fails. It was fixed to provision with the available users or groups.)
4. Assign users to groups.
5. Outbound provisioning when role management
The 5.6 & 5.7 are partially happening due to the issue raised here
Describe the issue:
Configure role-based outbound provisioning and simulate the flow by assigning the outbound provisioning role to a user in the management console. It works.
But assigning the role via console does not trigger provisioning.
The same happens for assigning a group via the console app.
How to reproduce:
Configure role-based outbound provisioning.
Assign the provisioning role to a user via mgt console, it works.
Assign as a role to a user via console app, it does not trigger provisioning.
Assign as a group to a user via console app, it does not trigger provisioning.
Expected behavior:
When a role or group is assigned to the user, that user should be provisioned if the assigned role/group is the provisioning role.