Tags: wso2, wso2-api-manager, wso2-identity-server

Admin user loses its roles when we delete one of its applications or generate keys for a new one


First of all, let me explain how our product is configured. We use version 4.1 of WSO2 IAM with version 5.11 of WSO2 IS.

On our test environment, we configured an OIDC connection with an LDAP, to try the process before using it on our final environment, and it's working just fine.

About this connection, we have (1) an Identity Provider configured on the IAM, linked to (2) a Service Provider, which contacts (3) an Identity Provider configured on the IS, which in turn refers to (4) the Service Provider of the LDAP. Using role mapping, we assign an admin role to some users (with specific clearance) and Internal/subscriber to the others.

I detail these configurations because our problem only appears in this environment.

In our process to give a user access to the product, we connect directly to the Devportal using exclusively the original admin account (no OIDC connection here). Then we create applications and enable the user to operate with them. Then we subscribe to some APIs and generate the keys, because we do not allow our customers to do that. So the admin is the owner of all the applications on the platform and enables users to access them.

But, on our test environment, any time we connect with the admin account and delete an application, or create a new one and generate the keys, our admin user loses its roles, which leads to a display issue:

  1. on the Devportal, we can't see the generated keys on the applications anymore,
  2. in Carbon (IAM and IS), we can't see our Service Providers either.

The difficult part of this problem is that we don't have any information about any error of any kind in our logs when we lose the admin roles. For now, we can give those roles back to the admin account by reassigning them, but we need to fix this problem before committing this configuration to our final environment.

Do you have any ideas on which process could lead to this problem?

Thank you for your support.


Solution

  • The mentioned behaviour occurred due to the provisioning flow in the API Manager when doing SSO. In the latest API Manager versions, when you have configured SSO with the Portals and haven't set the Role Assignments for the respective users, the existing roles will be removed during the SSO provisioning process. The configuration given below overrides the removal of the current roles and retains them as expected.

    Add the following configuration to the WSO2 API Manager's deployment.toml, restart the server, and try the scenario again:

    [authentication.framework.extensions]
    provisioning_handler = "org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler"
    

    More information about the configuration can be found under the Info block in Step 2 > Step 4 in this Doc.
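The following script is an added example, not part of the original question or answer, for verifying the fix above. It does two things a practitioner would want to check after deleting an application or generating keys as admin: it diffs the roles the admin account held before and after the operation (so a silent drop shows up even though the logs stay quiet, as the question reports), and it confirms that deployment.toml really carries the provisioning_handler setting from the answer. The SCIM2 user records are constructed samples in the shape WSO2 Identity Server returns (role and group entries as {"display": ...} objects under "roles" or "groups"; which attribute is populated is an assumption that varies by version), and the required role set {"admin", "Internal/subscriber"} is taken from the roles named in the question, not from a real server.

```python
"""Check that the admin account kept its roles and that the retain-roles
provisioning handler is configured.  Added example with constructed data;
run it after reproducing the delete-application / generate-keys scenario."""
import json
import re

# Fully qualified handler class exactly as given in the answer's deployment.toml snippet.
HANDLER_CLASS = ("org.wso2.carbon.identity.application.authentication.framework"
                 ".handler.provisioning.impl.SystemRolesRetainedProvisionHandler")

# Assumed minimum roles the admin account needs for the DevPortal workflow
# described in the question (owning applications, subscribing, generating keys).
REQUIRED_ADMIN_ROLES = {"admin", "Internal/subscriber"}

# Constructed SCIM2-style user records (not real server output): admin before
# and after an operation that triggered the SSO provisioning flow.
ADMIN_BEFORE = json.loads("""
{
  "userName": "admin",
  "roles":  [{"display": "admin"}, {"display": "Internal/subscriber"}],
  "groups": [{"display": "Internal/everyone"}]
}
""")
ADMIN_AFTER = json.loads("""
{
  "userName": "admin",
  "roles":  [],
  "groups": [{"display": "Internal/everyone"}]
}
""")


def scim_roles(user):
    """Return the set of role/group names found in a SCIM2 user representation."""
    names = set()
    for attr in ("roles", "groups"):          # IS versions differ in which one carries roles
        for entry in user.get(attr, []):
            names.add(entry["display"] if isinstance(entry, dict) else entry)
    return names


def dropped_roles(before, after):
    """Roles held before the operation that are gone afterwards."""
    return scim_roles(before) - scim_roles(after)


def missing_required_roles(user, required=REQUIRED_ADMIN_ROLES):
    """Required roles the account no longer holds; an empty set means healthy."""
    return set(required) - scim_roles(user)


def retains_system_roles(toml_text):
    """True if the [authentication.framework.extensions] table sets
    provisioning_handler to the SystemRolesRetainedProvisionHandler class.
    A narrow regex is used instead of a TOML parser so the check runs on any
    Python version; it only inspects that one table and key."""
    table = re.search(
        r"^\[authentication\.framework\.extensions\]\s*$(.*?)(?=^\[|\Z)",
        toml_text, re.M | re.S)
    if not table:
        return False
    key = re.search(r'^\s*provisioning_handler\s*=\s*"([^"]+)"', table.group(1), re.M)
    return key is not None and key.group(1) == HANDLER_CLASS


# Constructed deployment.toml fragments: one without the fix, one with it applied.
TOML_WITHOUT_FIX = """
[server]
hostname = "localhost"
"""
TOML_WITH_FIX = TOML_WITHOUT_FIX + f"""
[authentication.framework.extensions]
provisioning_handler = "{HANDLER_CLASS}"
"""


if __name__ == "__main__":
    print("roles dropped by the operation:", sorted(dropped_roles(ADMIN_BEFORE, ADMIN_AFTER)))
    print("required roles missing now:", sorted(missing_required_roles(ADMIN_AFTER)))
    print("handler configured without fix:", retains_system_roles(TOML_WITHOUT_FIX))
    print("handler configured with fix:", retains_system_roles(TOML_WITH_FIX))
```

In practice you would replace ADMIN_BEFORE and ADMIN_AFTER with the JSON returned by the server's SCIM2 Users endpoint for the admin account (taken once before and once after the operation) and read TOML_WITH_FIX from the real deployment.toml; the functions themselves do not change.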