From aafbd72793975fb86bad2715232150b08d80c6db Mon Sep 17 00:00:00 2001
From: SujanSanjula96 <sanjulasujan@gmail.com>
Date: Thu, 9 Nov 2023 09:57:18 +0530
Subject: [PATCH 1/2] Support federated IDP groups to role assignments

---
 .../pom.xml                                   |   5 +
 .../scim2/common/impl/SCIMRoleManagerV2.java  | 218 +++++++++++++++---
 .../common/internal/SCIMCommonComponent.java  |  29 +++
 .../internal/SCIMCommonComponentHolder.java   |  22 ++
 .../scim2/common/utils/SCIMCommonUtils.java   |  23 ++
 pom.xml                                       |   6 +
 6 files changed, 277 insertions(+), 26 deletions(-)

diff --git a/components/org.wso2.carbon.identity.scim2.common/pom.xml b/components/org.wso2.carbon.identity.scim2.common/pom.xml
index 0626624f4..2750e9868 100644
--- a/components/org.wso2.carbon.identity.scim2.common/pom.xml
+++ b/components/org.wso2.carbon.identity.scim2.common/pom.xml
@@ -131,6 +131,10 @@
             <groupId>org.wso2.carbon.identity.framework</groupId>
             <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.idp.mgt</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wso2.carbon.identity.governance</groupId>
             <artifactId>org.wso2.carbon.identity.password.policy</artifactId>
@@ -244,6 +248,7 @@
                             version="${org.wso2.carbon.identity.organization.management.core.version.range}",
                             org.wso2.carbon.identity.handler.event.account.lock.*;
                             version="${carbon.identity.account.lock.handler.imp.pkg.version.range}",
+                            org.wso2.carbon.idp.mgt.*;version="${carbon.identity.framework.imp.pkg.version.range}",
                         </Import-Package>
                         <Export-Package>
                             !org.wso2.carbon.identity.scim2.common.internal,
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMRoleManagerV2.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMRoleManagerV2.java
index 7f79ccbea..b7966317f 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMRoleManagerV2.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMRoleManagerV2.java
@@ -25,6 +25,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.application.common.model.IdPGroup;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
@@ -33,13 +34,16 @@
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.AssociatedApplication;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.GroupBasicInfo;
+import org.wso2.carbon.identity.role.v2.mgt.core.model.IdpGroup;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.Permission;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.Role;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.RoleBasicInfo;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.UserBasicInfo;
 import org.wso2.carbon.identity.role.v2.mgt.core.util.UserIDResolver;
+import org.wso2.carbon.identity.scim2.common.internal.SCIMCommonComponentHolder;
 import org.wso2.carbon.identity.scim2.common.utils.SCIMCommonConstants;
 import org.wso2.carbon.identity.scim2.common.utils.SCIMCommonUtils;
+import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.UserCoreConstants;
 import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
@@ -71,6 +75,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import static org.apache.commons.collections.CollectionUtils.isNotEmpty;
@@ -136,10 +141,26 @@ public RoleV2 createRole(RoleV2 role)
                     LOG.debug("Creating role: " + role.getDisplayName() + " for organization.");
                 }
             }
+
+            List<String> groupIds = role.getGroups();
+            // Get valid IdP groups from the given group IDs.
+            List<IdPGroup> idpGroups = SCIMCommonComponentHolder.getIdpManagerService().getValidIdPGroupsByIdPGroupIds(
+                    groupIds, tenantDomain);
+            List<IdpGroup> idpGroupList = idpGroups.stream()
+                    .map(this::convertToIdpGroup)
+                    .collect(Collectors.toList());
+            List<String> validIdpGroupIds = idpGroupList.stream()
+                    .map(IdpGroup::getGroupId)
+                    .collect(Collectors.toList());
+            // Exclude the valid Idp groups from the given group IDs for role creation.
+            List<String> localGroupIds = groupIds.stream()
+                    .filter(groupId -> !validIdpGroupIds.contains(groupId))
+                    .collect(Collectors.toList());
             RoleBasicInfo roleBasicInfo =
-                    roleManagementService.addRole(role.getDisplayName(), role.getUsers(), role.getGroups(),
+                    roleManagementService.addRole(role.getDisplayName(), role.getUsers(), localGroupIds,
                             permissionList, audienceType, role.getAudienceValue(), tenantDomain);
-
+            roleManagementService.updateIdpGroupListOfRole(roleBasicInfo.getId(), idpGroupList, new ArrayList<>(),
+                    tenantDomain);
             RoleV2 createdRole = new RoleV2();
             createdRole.setId(roleBasicInfo.getId());
             String locationURI = SCIMCommonUtils.getSCIMRoleV2URL(roleBasicInfo.getId());
@@ -160,6 +181,10 @@ public RoleV2 createRole(RoleV2 role)
             }
             throw new CharonException(
                     String.format("Error occurred while adding a new role: %s", role.getDisplayName()), e);
+        } catch (IdentityProviderManagementException e) {
+            throw new CharonException(
+                    String.format("Error occurred while retrieving IdP groups for role: %s", role.getDisplayName()),
+                    e);
         }
     }
 
@@ -202,20 +227,34 @@ public RoleV2 getRole(String roleID, Map<String, Boolean> requiredAttributes)
                 }
             }
 
-            // Set role's assigned groups.
-            List<GroupBasicInfo> assignedGroups = role.getGroups();
-            if (assignedGroups != null) {
-                for (GroupBasicInfo groupInfo : assignedGroups) {
-                    groupInfo.getId();
-                    String groupLocationURI = SCIMCommonUtils.getSCIMGroupURL(groupInfo.getId());
+            // Set role's assigned userstore groups.
+            List<GroupBasicInfo> assignedUserstoreGroups = role.getGroups();
+            if (assignedUserstoreGroups != null) {
+                for (GroupBasicInfo groupInfo : assignedUserstoreGroups) {
+                    String groupId = groupInfo.getId();
+                    String groupLocationURI = SCIMCommonUtils.getSCIMGroupURL(groupId);
                     Group group = new Group();
                     group.setDisplayName(groupInfo.getName());
-                    group.setId(groupInfo.getId());
+                    group.setId(groupId);
                     group.setLocation(groupLocationURI);
                     scimRole.setGroup(group);
                 }
             }
 
+            // Set role's assigned idp groups.
+            List<IdpGroup> assignedIdpGroups = role.getIdpGroups();
+            if (assignedIdpGroups != null) {
+                for (IdpGroup idpGroup : assignedIdpGroups) {
+                    String idpGroupId = idpGroup.getGroupId();
+                    String idpGroupLocationURI = SCIMCommonUtils.getIdpGroupURL(idpGroup.getIdpId(), idpGroupId);
+                    Group group = new Group();
+                    group.setDisplayName(idpGroup.getGroupName());
+                    group.setId(idpGroupId);
+                    group.setLocation(idpGroupLocationURI);
+                    scimRole.setGroup(group);
+                }
+            }
+
             // Set associated applications.
             List<MultiValuedComplexType> associatedApps =
                     convertAssociatedAppsToMultivaluedComplexType(role.getAssociatedApplications());
@@ -866,17 +905,25 @@ private void updateGroups(String roleId, List<PatchOperation> groupOperations)
 
         try {
             Collections.sort(groupOperations);
+
+            Set<String> givenAddedGroupIds = new HashSet<>();
+            Set<String> givenDeletedGroupIds = new HashSet<>();
+            Set<String> givenReplaceGroupsIds = new HashSet<>();
+
             Set<String> addedGroupIds = new HashSet<>();
             Set<String> deletedGroupIds = new HashSet<>();
-            Set<String> replaceGroupsIds = new HashSet<>();
+            Set<String> replaceGroupIds = new HashSet<>();
 
-            List<GroupBasicInfo> groupListOfRole = roleManagementService.getGroupListOfRole(roleId, tenantDomain);
+            Set<String> addedIdpGroupIds = new HashSet<>();
+            Set<String> deletedIdpGroupIds = new HashSet<>();
+            Set<String> replaceIdpGroupIds = new HashSet<>();
 
+            List<GroupBasicInfo> groupListOfRole = roleManagementService.getGroupListOfRole(roleId, tenantDomain);
             for (PatchOperation groupOperation : groupOperations) {
                 if (groupOperation.getValues() instanceof Map) {
                     Map<String, String> groupObject = (Map<String, String>) groupOperation.getValues();
-                    prepareAddedRemovedGroupLists(addedGroupIds, deletedGroupIds, replaceGroupsIds,
-                            groupOperation, groupObject, groupListOfRole);
+                    prepareInitialGroupLists(givenAddedGroupIds, givenDeletedGroupIds, givenReplaceGroupsIds,
+                            groupOperation, groupObject);
                 } else if (groupOperation.getValues() instanceof List) {
                     List<Map<String, String>> groupOperationValues =
                             (List<Map<String, String>>) groupOperation.getValues();
@@ -886,19 +933,58 @@ private void updateGroups(String roleId, List<PatchOperation> groupOperations)
                                 collect(Collectors.toList()));
                     }
                     for (Map<String, String> groupObject : groupOperationValues) {
-                        prepareAddedRemovedGroupLists(addedGroupIds, deletedGroupIds, replaceGroupsIds,
-                                groupOperation, groupObject, groupListOfRole);
+                        prepareInitialGroupLists(givenAddedGroupIds, givenDeletedGroupIds, givenReplaceGroupsIds,
+                                groupOperation, groupObject);
                     }
                 }
-                prepareReplacedGroupLists(groupListOfRole, addedGroupIds, deletedGroupIds, replaceGroupsIds);
             }
 
+            Set<String> givenUniqueGroupIds = new HashSet<>();
+            givenUniqueGroupIds.addAll(givenAddedGroupIds);
+            givenUniqueGroupIds.addAll(givenDeletedGroupIds);
+            givenUniqueGroupIds.addAll(givenReplaceGroupsIds);
+
+            List<IdPGroup> idpGroups = SCIMCommonComponentHolder.getIdpManagerService().getValidIdPGroupsByIdPGroupIds(
+                    new ArrayList<>(givenUniqueGroupIds), tenantDomain);
+            Set<String> idpGroupIds = idpGroups.stream().map(IdPGroup::getIdpGroupId).collect(Collectors.toSet());
+            
+            Set<String> groupIdListOfRole =
+                    groupListOfRole.stream().map(GroupBasicInfo::getId).collect(Collectors.toSet());
+            List<IdpGroup> idpGroupListOfRole = roleManagementService.getIdpGroupListOfRole(roleId, tenantDomain);
+            Set<String> idpGroupIdListOfRole =
+                    idpGroupListOfRole.stream().map(IdpGroup::getGroupId).collect(Collectors.toSet());
+
+            seperatedAddedGroupLists(givenAddedGroupIds, idpGroupIds, idpGroupIdListOfRole, groupIdListOfRole,
+                    addedIdpGroupIds, addedGroupIds);
+            seperateRemovedGroupLists(givenDeletedGroupIds, idpGroupIds, deletedIdpGroupIds, deletedGroupIds);
+
+            seperateReplacedGroupLists(givenReplaceGroupsIds, idpGroupIds, replaceIdpGroupIds, replaceGroupIds);
+            prepareReplacedGroupLists(groupListOfRole, addedGroupIds, deletedGroupIds, replaceGroupIds);
+            prepareReplacedIdPGroupLists(idpGroupListOfRole, addedIdpGroupIds, deletedIdpGroupIds, replaceIdpGroupIds);
+
             if (isNotEmpty(addedGroupIds) || isNotEmpty(deletedGroupIds)) {
                 doUpdateGroups(roleId, addedGroupIds, deletedGroupIds);
             }
+            if (isNotEmpty(addedIdpGroupIds) || isNotEmpty(deletedIdpGroupIds)) {
+                Map<String, IdPGroup> idpGroupMap = idpGroups.stream()
+                        .collect(Collectors.toMap(IdPGroup::getIdpGroupId, Function.identity()));
+                List<IdpGroup> addedIdpGroups = addedIdpGroupIds.stream()
+                        .map(idpGroupMap::get)
+                        .map(this::convertToIdpGroup)
+                        .collect(Collectors.toList());
+                List<IdpGroup> deletedIdpGroups = deletedIdpGroupIds.stream()
+                        .map(idpGroupMap::get)
+                        .map(this::convertToIdpGroup)
+                        .collect(Collectors.toList());
+                doUpdateIdPGroups(roleId, addedIdpGroups, deletedIdpGroups);
+            }
         } catch (IdentityRoleManagementException e) {
             throw new CharonException(
                     String.format("Error occurred while retrieving the group list for role with ID: %s", roleId), e);
+        } catch (IdentityProviderManagementException e) {
+            throw new CharonException(
+                    String.format("Error occurred while retrieving the IDP group list for role with ID: %s", roleId),
+                    e);
         }
     }
 
@@ -974,6 +1060,23 @@ private void doUpdateGroups(String roleId, Set<String> newGroupIDList, Set<Strin
         }
     }
 
+    private void doUpdateIdPGroups(String roleId, List<IdpGroup> newGroupIDList, List<IdpGroup> deleteGroupIDList)
+            throws CharonException, BadRequestException {
+
+        // Update the role with added groups and deleted groups.
+        if (isNotEmpty(newGroupIDList) || isNotEmpty(deleteGroupIDList)) {
+            try {
+                roleManagementService.updateIdpGroupListOfRole(roleId, newGroupIDList, deleteGroupIDList, tenantDomain);
+            } catch (IdentityRoleManagementException e) {
+                if (RoleConstants.Error.INVALID_REQUEST.getCode().equals(e.getErrorCode())) {
+                    throw new BadRequestException(e.getMessage());
+                }
+                throw new CharonException(
+                        String.format("Error occurred while updating groups in the role with ID: %s", roleId), e);
+            }
+        }
+    }
+
     private void doUpdateUsers(Set<String> newUserList, Set<String> deletedUserList, Set<Object> newlyAddedMemberIds,
                                String roleId) throws CharonException, BadRequestException, ForbiddenException {
 
@@ -1036,27 +1139,64 @@ private List<String> getUserIDList(List<String> userList, String tenantDomain) t
         return userIDList;
     }
 
-    private void prepareAddedRemovedGroupLists(Set<String> addedGroupsIds, Set<String> removedGroupsIds,
-                                               Set<String> replacedGroupsIds, PatchOperation groupOperation,
-                                               Map<String, String> groupObject, List<GroupBasicInfo> groupListOfRole) {
+    private void prepareInitialGroupLists(Set<String> givenAddedGroupsIds, Set<String> givenRemovedGroupsIds,
+                                          Set<String> givenReplacedGroupsIds, PatchOperation groupOperation,
+                                          Map<String, String> groupObject) {
 
         switch (groupOperation.getOperation()) {
             case (SCIMConstants.OperationalConstants.ADD):
-                removedGroupsIds.remove(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
-                if (!isGroupExist(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE), groupListOfRole)) {
-                    addedGroupsIds.add(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
-                }
+                givenRemovedGroupsIds.remove(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
+                givenAddedGroupsIds.add(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
                 break;
             case (SCIMConstants.OperationalConstants.REMOVE):
-                addedGroupsIds.remove(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
-                removedGroupsIds.add(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
+                givenAddedGroupsIds.remove(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
+                givenRemovedGroupsIds.add(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
                 break;
             case (SCIMConstants.OperationalConstants.REPLACE):
-                replacedGroupsIds.add(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
+                givenReplacedGroupsIds.add(groupObject.get(SCIMConstants.CommonSchemaConstants.VALUE));
+                break;
+            default:
                 break;
         }
     }
 
+    private void seperatedAddedGroupLists(Set<String> givenAddedGroupIds, Set<String> idpGroupIds,
+                                          Set<String> idpGroupIdListOfRole,Set<String> groupIdListOfRole,
+                                          Set<String> addedIdpGroupIds, Set<String> addedGroupIds) {
+
+        for (String groupId : givenAddedGroupIds) {
+            if (idpGroupIds.contains(groupId) && !idpGroupIdListOfRole.contains(groupId)) {
+                addedIdpGroupIds.add(groupId);
+            } else if (!groupIdListOfRole.contains(groupId)) {
+                addedGroupIds.add(groupId);
+            }
+        }
+    }
+
+    private void seperateRemovedGroupLists(Set<String> givenDeletedGroupIds, Set<String> idpGroupIds,
+                                           Set<String> deletedIdpGroupIds, Set<String> deletedGroupIds) {
+
+        for (String groupId : givenDeletedGroupIds) {
+            if (idpGroupIds.contains(groupId)) {
+                deletedIdpGroupIds.add(groupId);
+            } else {
+                deletedGroupIds.add(groupId);
+            }
+        }
+    }
+
+    private void seperateReplacedGroupLists(Set<String> givenReplaceGroupsIds, Set<String> idpGroupIds,
+                                            Set<String> replaceIdpGroupIds, Set<String> replaceGroupIds) {
+
+        for (String groupId : givenReplaceGroupsIds) {
+            if (idpGroupIds.contains(groupId)) {
+                replaceIdpGroupIds.add(groupId);
+            } else {
+                replaceGroupIds.add(groupId);
+            }
+        }
+    }
+
     private void prepareAddedRemovedUserLists(Set<String> addedMembers, Set<String> removedMembers,
                                               Set<Object> newlyAddedMemberIds, PatchOperation memberOperation,
                                               Map<String, String> memberObject, String currentRoleName)
@@ -1124,6 +1264,25 @@ private void prepareReplacedGroupLists(List<GroupBasicInfo> groupListOfRole, Set
         addedGroupIds.addAll(replacedGroupsIds);
     }
 
+    private void prepareReplacedIdPGroupLists(List<IdpGroup> idpGroupListOfRole, Set<String> addedGroupIds,
+                                           Set<String> removedGroupsIds, Set<String> replacedGroupsIds) {
+
+        if (replacedGroupsIds.isEmpty()) {
+            return;
+        }
+
+        if (!idpGroupListOfRole.isEmpty()) {
+            for (IdpGroup idpGroupInfo : idpGroupListOfRole) {
+                if (!replacedGroupsIds.contains(idpGroupInfo.getGroupId())) {
+                    removedGroupsIds.add(idpGroupInfo.getGroupId());
+                } else {
+                    replacedGroupsIds.remove(idpGroupInfo.getGroupId());
+                }
+            }
+        }
+        addedGroupIds.addAll(replacedGroupsIds);
+    }
+
     private boolean isGroupExist(String groupId, List<GroupBasicInfo> groupListOfRole) {
 
         return groupListOfRole != null &&
@@ -1159,4 +1318,11 @@ private boolean isRoleModificationAllowedForTenant(String tenantDomain) throws C
             throw new CharonException("Error while checking whether the tenant is an organization.", e);
         }
     }
+
+    private IdpGroup convertToIdpGroup(IdPGroup idpGroup) {
+
+        IdpGroup convertedGroup = new IdpGroup(idpGroup.getIdpGroupId(), idpGroup.getIdpId());
+        convertedGroup.setGroupName(idpGroup.getIdpGroupName());
+        return convertedGroup;
+    }
 }
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponent.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponent.java
index 6c8991f90..50b59bb77 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponent.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponent.java
@@ -56,6 +56,7 @@
 import org.wso2.charon3.core.config.SCIMUserSchemaExtensionBuilder;
 import org.wso2.charon3.core.exceptions.CharonException;
 import org.wso2.charon3.core.exceptions.InternalErrorException;
+import org.wso2.carbon.idp.mgt.IdpManager;
 
 import java.io.File;
 import java.util.concurrent.ExecutorService;
@@ -296,6 +297,34 @@ protected void unsetRoleManagementServiceV2(org.wso2.carbon.identity.role.v2.mgt
         logger.debug("RoleManagementServiceV2 unset in SCIMCommonComponent bundle.");
     }
 
+    /**
+     * Set idp manager service implementation.
+     *
+     * @param idpManager Idp manager service.
+     */
+    @Reference(
+            name = "org.wso2.carbon.idp.mgt.IdpManager",
+            service = org.wso2.carbon.idp.mgt.IdpManager.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetIdPManagerService")
+    protected void setIdPManagerService(IdpManager idpManager) {
+
+        SCIMCommonComponentHolder.setIdpManagerService(idpManager);
+        logger.debug("IdPManagerService set in SCIMCommonComponent bundle.");
+    }
+
+    /**
+     * Unset idp manager service implementation.
+     *
+     * @param idpManager Idp manager service.
+     */
+    protected void unsetIdPManagerService(IdpManager idpManager) {
+
+        SCIMCommonComponentHolder.setIdpManagerService(null);
+        logger.debug("IdPManagerService unset in SCIMCommonComponent bundle.");
+    }
+
     /**
      * Set SCIMUserStoreErrorResolver implementation
      *
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponentHolder.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponentHolder.java
index b78fe93a4..b8f803b28 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponentHolder.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/internal/SCIMCommonComponentHolder.java
@@ -21,6 +21,7 @@
 import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataManagementService;
 import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
 import org.wso2.carbon.identity.scim2.common.extenstion.SCIMUserStoreErrorResolver;
+import org.wso2.carbon.idp.mgt.IdpManager;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.user.mgt.RolePermissionManagementService;
 import org.wso2.carbon.identity.role.mgt.core.RoleManagementService;
@@ -41,6 +42,7 @@ public class SCIMCommonComponentHolder {
     private static RoleManagementService roleManagementService;
     private static org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService roleManagementServiceV2;
     private static OrganizationManager organizationManager;
+    private static IdpManager idpManager;
     private static final List<SCIMUserStoreErrorResolver> scimUserStoreErrorResolvers = new ArrayList<>();
 
     /**
@@ -170,6 +172,26 @@ public static List<SCIMUserStoreErrorResolver> getScimUserStoreErrorResolverList
         return scimUserStoreErrorResolvers;
     }
 
+    /**
+     * Set IdpManager service.
+     *
+     * @param idpManager Idp Manager.
+     */
+    public static void setIdpManagerService(IdpManager idpManager) {
+
+        SCIMCommonComponentHolder.idpManager = idpManager;
+    }
+
+    /**
+     * Get IdpManager service.
+     *
+     * @return Idp Manager.
+     */
+    public static IdpManager getIdpManagerService() {
+
+        return idpManager;
+    }
+
     public static void addScimUserStoreErrorResolver(SCIMUserStoreErrorResolver scimUserStoreErrorResolver) {
 
         scimUserStoreErrorResolvers.add(scimUserStoreErrorResolver);
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
index 5cc3d7522..345d18a03 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
@@ -154,6 +154,29 @@ public static String getApplicationRefURL(String id) {
         }
     }
 
+    public static String getIdpGroupURL(String idpId, String groupId) {
+
+        String idpGroupURL;
+        String path = "/api/server/v1/identity-providers";
+        try {
+            if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
+                idpGroupURL = ServiceURLBuilder.create().addPath(path).build()
+                        .getAbsolutePublicURL();
+            } else {
+                idpGroupURL = getURLIfTenantQualifiedURLDisabled(path);
+            }
+            return StringUtils.isNotBlank(idpId) && StringUtils.isNotBlank(groupId) ?
+                    new StringBuilder().append(idpGroupURL).append(SCIMCommonConstants.URL_SEPERATOR).append(idpId)
+                            .append(SCIMCommonConstants.URL_SEPERATOR).append(groupId).toString() : null;
+        } catch (URLBuilderException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error occurred while building the identity provider's group endpoint with " +
+                                "tenant/organization qualified URL.", e);
+            }
+            return null;
+        }
+    }
+
     public static String getPermissionRefURL(String apiId, String permissionName) {
 
         String apiResourceURL;
diff --git a/pom.xml b/pom.xml
index db18a2b3f..0e3145dbe 100644
--- a/pom.xml
+++ b/pom.xml
@@ -166,6 +166,12 @@
                 <version>${identity.framework.version}</version>
                 <scope>provided</scope>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.framework</groupId>
+                <artifactId>org.wso2.carbon.idp.mgt</artifactId>
+                <version>${identity.framework.version}</version>
+                <scope>provided</scope>
+            </dependency>
             <dependency>
                 <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
                 <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>

From 95f331cd11dcf9d84e3b85a4845cb4d4ce3a167a Mon Sep 17 00:00:00 2001
From: SujanSanjula96 <sanjulasujan@gmail.com>
Date: Thu, 16 Nov 2023 08:26:27 +0530
Subject: [PATCH 2/2] bump framework version

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0e3145dbe..f5f9a2e0d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -285,7 +285,7 @@
         <inbound.auth.oauth.version>6.5.3</inbound.auth.oauth.version>
         <commons-collections.version>3.2.0.wso2v1</commons-collections.version>
         <carbon.kernel.version>4.9.15</carbon.kernel.version>
-        <identity.framework.version>5.25.462</identity.framework.version>
+        <identity.framework.version>5.25.509</identity.framework.version>
         <junit.version>4.13.1</junit.version>
         <commons.lang.version>20030203.000129</commons.lang.version>
         <identity.governance.version>1.8.12</identity.governance.version>