diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java index 26685f10a4dc..d099efa1b518 100644 --- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java +++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java @@ -368,8 +368,10 @@ private void filterSPClaims(Map spRequestedClaimMappings, Map StringUtils.isNotBlank(localUnfilteredClaims. get(entry.getKey()))).forEach(entry -> { spUnfilteredClaims.put(entry.getValue(), localUnfilteredClaims.get(entry.getKey())); + /* Add service provider requested claims to the filtered claims. Add federated roles claims even + not requested by the service provider. */ if (StringUtils.isNotBlank(spRequestedClaimMappings.get(entry.getValue())) || - FrameworkConstants.APP_ROLES_CLAIM.equals(entry.getKey())) { + isRoleClaim(entry.getKey())) { spFilteredClaims.put(entry.getValue(), localUnfilteredClaims.get(entry.getKey())); } } @@ -1276,4 +1278,18 @@ private static boolean isRemoveUserDomainInRole(SequenceConfig sequenceConfig) { return !sequenceConfig.getApplicationConfig().getServiceProvider().getLocalAndOutBoundAuthenticationConfig(). isUseUserstoreDomainInRoles(); } + + /** + * Based on the Authz runtime check the given claim is related to the role claim. + * + * @param roleClaim URI. + * @return true if the given claim is related to roles. + */ + private boolean isRoleClaim(String roleClaim) { + + if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) { + return FrameworkConstants.APP_ROLES_CLAIM.equals(roleClaim); + } + return FrameworkConstants.ROLES_CLAIM.equals(roleClaim); + } } diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java index 684d11c26d7d..639f1d65012d 100644 --- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java +++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java @@ -43,6 +43,8 @@ public abstract class FrameworkConstants { public static final String USER_ID_CLAIM = "http://wso2.org/claims/userid"; public static final String EMAIL_ADDRESS_CLAIM = "http://wso2.org/claims/emailaddress"; public static final String APP_ROLES_CLAIM = "http://wso2.org/claims/applicationRoles"; + public static final String ROLES_CLAIM = "http://wso2.org/claims/roles"; + public static final String GROUPS_CLAIM = "http://wso2.org/claims/groups"; public static final String PROVISIONED_SOURCE_ID_CLAIM = "http://wso2.org/claims/identity/userSourceId"; public static final String IDP_TYPE_CLAIM = "http://wso2.org/claims/identity/idpType";