0
votes

I have an app which authenticates using OAuth2/OIDC against WSO2 IS (multi-tenant mode). I want to have role-based authorization. Basically I configured it as below:

In Super Tenant Carbon Page:

  1. Create a Service Provider
  2. Check the SaaS option to enable auth across tenant
  3. In Local & Outbound Auth Conf I enabled Authorization option
  4. Create a custom role say RoleA and assign it to a user.
  5. Configure a policy in Policy Administration and publish it (I followed this tutorial: https://docs.wso2.com/display/IS550/Configuring+Access+Control+Policy+for+a+Service+Provider)

In Tenant B Carbon Page

  1. Create RoleA and assign it to a user

Result:

  1. User with RoleA in Super Tenant can sign in
  2. User with RoleA in Tenant B unable to sign in (Authorization Failed)

How do I make this work?

note:

  1. Without authorization enabled, cross-tenant authentication works.
  2. I have also tested with an existing role (Internal/subscriber), which does not work across tenants either.
  3. I am using WSO2 IS as KM 5.5.

1 Answer

0
votes

I tried the same scenario and it worked as expected for me.

Are you using an external role or an internal role? Say, if you create an internal role named foo, it will be named Internal/foo. So you have to use Internal/foo in the XACML policy too.
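A worked example of the role condition the answer refers to, added here as an illustration; it is not from the question, the answer, or the linked WSO2 tutorial. It assumes the attribute identifiers used by the WSO2 IS 5.5 authorization policy templates (http://wso2.org/identity/sp/sp-name for the service provider name, http://wso2.org/identity/identity-action/action-name for the action, http://wso2.org/claims/role for the subject's roles) and a service provider named spA. The role value is written exactly as WSO2 IS names it: an internal role is Internal/RoleA, while a role created in the PRIMARY user store has no prefix and would be matched as RoleA.

```xml
<!-- Example XACML 3.0 policy (added example, not from the original page). -->
<!-- Permits the "authenticate" action on service provider "spA" (assumed name) -->
<!-- only for subjects holding the internal role Internal/RoleA. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="authn_internal_roleA_for_spA"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Description>Allow authentication to spA only for users holding Internal/RoleA.</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- Scope the policy to one service provider ... -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">spA</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name"
                               Category="http://wso2.org/identity/sp"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
        <!-- ... and to the authentication action -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name"
                               Category="http://wso2.org/identity/identity-action"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <Rule Effect="Permit" RuleId="permit_internal_roleA">
    <Condition>
      <!-- any-of: true if at least one of the subject's role values equals the literal -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <!-- The internal role keeps its "Internal/" prefix; a bare "RoleA" here would
             only match a role created in the PRIMARY user store, not the internal one. -->
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/RoleA</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- Deny everyone else; deny-overrides makes this the default outcome -->
  <Rule Effect="Deny" RuleId="deny_all_others"/>
</Policy>
```

When debugging a policy like this, compare the role value in the Condition character for character against the role as it appears in the tenant's user store listing (including the Internal/ prefix); a mismatch yields Deny, which the login flow surfaces as "Authorization Failed".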