0
votes

I have WSO2 API Manager federated setup with Azure AD. I can use the implicit and code grant type to generate the access tokens.

Now I want to use the WSO2 API Manager scope functionality to limit the access on certain API resources. I have created the role in API Manager and added the scope on API Publisher for the API resource. But when I generate the access token using the scope value, it doesn't return the token with the correct scope. But if I assign the local user to that role and generate the access token, it works fine.

I wonder if WSO2 API Manager supports scope management for federated users.

Any help would be appreciated.

1
Have you configured your key manager user store as a secondary user store of APIM? - Vithursa M
No, any specific reason to configure secondary user store? - Waqas Ali Razzaq
Yes, AFAIU, by federated user you mean the user you have created in your key manager. In order to register this user into APIM you need to configure the user store of the key manager as a secondary user store of APIM. At the moment, haven't you configured any user store in APIM? - Vithursa M
Or else can you explain what you mean exactly by federated user? - Vithursa M

1 Answer

2
votes

By default roles are checked against the user store managers, therefore if federated users are not findable in a local user store manager, it is difficult to assign roles to them.

You have several options:

  • if you are using SAML, you can specify -DcheckRolesFromSamlAssertion=true (it was quite tricky to find this one)

  • create a secondary local (e.g. JDBC) user store and set up the outbound provisioning for federated users. This way all federated users and their roles will be mirrored in a local user store and their roles will be findable by the scope provider.
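To illustrate the mechanism behind this answer, here is an added Python sketch (not WSO2 code) of scope-to-role checking: a scope is granted only through a role the user holds, so a federated user gets no scopes until roles are read from the SAML assertion or mirrored into a local user store. The role claim URI, scope bindings, user names and assertion below are constructed assumptions.

```python
"""Why federated users get no scopes: scopes are granted via roles, and
roles are resolved from the local user store unless the SAML assertion
is also consulted (the effect of -DcheckRolesFromSamlAssertion=true)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute name carrying roles in the assertion (WSO2 role claim URI)
ROLE_CLAIM = "http://wso2.org/claims/role"

# Constructed scope-to-role binding, as configured on the API resource
SCOPE_ROLES = {"orders:read": {"order_viewer", "admin"},
               "orders:write": {"admin"}}

# Constructed local user store: only the local user has an entry
LOCAL_USER_STORE = {"alice": {"order_viewer"}}

# Constructed SAML assertion for a federated user with no local entry
FEDERATED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>order_viewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def roles_from_assertion(assertion_xml):
    """Collect role attribute values from a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    roles = set()
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == ROLE_CLAIM:
            roles.update(v.text.strip() for v in
                         attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return roles


def resolve_roles(user, assertion_xml=None, check_roles_from_assertion=False):
    """Default behaviour: roles come only from the local user store."""
    roles = set(LOCAL_USER_STORE.get(user, set()))
    if check_roles_from_assertion and assertion_xml:
        roles |= roles_from_assertion(assertion_xml)
    return roles


def grant_scopes(requested, roles):
    """Grant a requested scope only if the user holds one of its bound roles."""
    return {s for s in requested if SCOPE_ROLES.get(s, set()) & roles}
```

Mirroring the federated user into a local user store (the second option in the answer) amounts to adding a LOCAL_USER_STORE entry for "bob", which makes the default lookup succeed without the flag.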