0
votes

WSO2 IS 5.3.0: I am using a local SAML SP to talk to a federated SAML IdP (for testing, I am configuring two WSO2 IS servers, as described in https://medium.com/@dehami.deshan/configuring-federated-authentication-with-saml-sso-using-two-wso2-identity-servers-8dc0d3841a6b ).

I want the federated IDP to do the authentication but use the roles/claims from the local (WSO2) user store directly. Is there any configuration I am missing here?


2 Answers

0
votes

You should add role and claim mapping in the federated IDP configuration.

Which basically means mapping the federated IdP's roles and claims to local roles/claims.

Please follow the "How to configure roles" and "How to configure claims" sections in this doc for more information.

https://docs.wso2.com/display/IS530/Adding+and+Configuring+an+Identity+Provider

-1
votes

Since you want to use roles and claims in the local user store, I presume that the user already exists in the local user store as well. Since you want to authenticate with the federated IdP, you can do a user account association between the local user and the federated user and use the claims of the local user.

To read more about associating user accounts in IS 5.3.0, please follow this documentation: https://docs.wso2.com/display/IS530/Associating+User+Accounts

After doing the account association, you can enable "Assert identity using mapped local subject identifier" (this option uses the local subject identifier when asserting the identity) under Local and Outbound Authentication Configuration for the service provider. Please follow this documentation to configure that property under the service provider: https://docs.wso2.com/display/IS530/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider