Consider the case in which you have WSO2 IS (5.3.0) and an upstream IDP (e.g. a SAML IDP).
Login procedure is as follows: User accesses a service provider (e.g. OpenID Connect client) which redirects to the local WSO2 IS. The SP is configured to use the upstream SAML IDP or local login as outbound authentication option. The upstream SAML IDP returns some attributes in the assertion but no JiT provisioning is configured.
Now use the access token the service provider gets from the login process to
- query the SOAP token validation endpoint of WSO2 IS with the token -> User claims returned are the claims from the local user store (embedded LDAP)
- query the userinfo REST endpoint -> User claims are the claims that were returned by the upstream IDP in the SAML assertion, userinfo does not return any local attributes
Is this a configuration issue? Is there a way to work around this behavior?
What makes things even worse with the userinfo endpoint is that the claims returned depend whether the user logs in via a local login (in WSO2 IS) or via the upstream external IDP. That is not the case with the SOAP token validation endpoint which returns the same attributes in both cases.