Vinujan.S

Reputation: 1299

Authorizing user using saml response from Single Sign On in APIM Publisher

I have successfully integrated an external IdP (Keycloak) with the Publisher to do SAML-based single sign-on. After authentication, it says the user is not authorized. From the investigations, for authorization:

  1. The user DB needs to be shared with the external IdP - this is not possible for my use case
  2. Sending user roles via the SAML response - is it possible? If so, what claims need to be sent, and what are the related configurations?
  3. Pointing to the Identity Server for authorization - how to do it?

Also, I don't want to integrate an IS server.

I want answers for the above concerns.

Upvotes: 0

Views: 73

Answers (1)

gusto2

Reputation: 12075

it says user is not authorized

Which version are you using? Is there anything preventing the authorization, such as required scopes?

User DB need to be shared with external idp - this is not possible for my usecase

Usually you need a userstore to manage users and roles; in the case of SAML I believe that is not needed. However - you can set up a JDBC userstore and inbound user provisioning (all logged-in users will be stored in the database with their attributes and roles).

Sending user roles via saml response - is it possible?, if so what are the claims need to be sent and related configurations

I believe WSO2 AM 2.1.0 (other versions I don't know) does not read roles directly from the SAML response (there is an environment property where you could enable that; I cannot find it right now, so just search a little).

However - together with the inbound provisioning it should work (the roles should be stored and updated in the database on each login).

pointing identity server for authorization - how to do it?

What do you mean by that? You could set up a WSO2 IS as KM (key manager) where you could do additional authorization (I am still not sure what you are asking here).

Upvotes: 1
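To make the "roles in the SAML response" idea concrete, here is an added example (not code from the question, the answer, WSO2, or Keycloak) that builds a constructed SAML 2.0 Response carrying a role attribute and shows what a relying party would have to extract before it can decide whether the user is authorized. The attribute name `http://wso2.org/claims/role` and the role names `Internal/publisher` / `Internal/creator` are assumptions about what the IdP mapper would emit and what the Publisher would expect; both must match the actual IdP and APIM configuration. The example only illustrates the attribute-to-authorization step; a real service provider must verify the assertion signature, issuer, audience and validity window before trusting any attribute.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SAML 2.0 namespaces used by the Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FAILURE = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Assumed claim URI for roles (WSO2 claim dialect); the IdP mapper must emit this exact name.
ROLE_ATTRIBUTE = "http://wso2.org/claims/role"


def make_response(name_id: str, roles: list[str], success: bool = True) -> str:
    """Build a constructed, unsigned SAML Response for illustration only."""
    role_values = "".join(
        f"<saml:AttributeValue>{escape(r)}</saml:AttributeValue>" for r in roles
    )
    # Emit the role attribute only when the IdP actually has roles to send;
    # an IdP that is not configured to send roles produces no attribute at all.
    role_attr = (
        f'<saml:Attribute Name="{ROLE_ATTRIBUTE}">{role_values}</saml:Attribute>'
        if roles else ""
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS if success else FAILURE}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
    <saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      {role_attr}
      <saml:Attribute Name="http://wso2.org/claims/emailaddress">
        <saml:AttributeValue>{escape(name_id)}@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the AttributeStatement.

    Assumes the response has already been signature-checked; this function
    only reads the status and the attributes.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML response status is not Success")
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def subject_name(response_xml: str) -> str:
    """Return the NameID of the authenticated subject."""
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return node.text or "" if node is not None else ""


def roles_from_response(response_xml: str) -> list[str]:
    """Roles carried in the assumed role attribute; empty if the IdP sent none."""
    return extract_attributes(response_xml).get(ROLE_ATTRIBUTE, [])


def is_authorized(response_xml: str, allowed_roles: set[str]) -> bool:
    """True if the subject holds at least one of the roles the app accepts.

    With no role attribute in the response (the situation the question
    describes), the role list is empty and the user is denied.
    """
    return any(r in allowed_roles for r in roles_from_response(response_xml))


if __name__ == "__main__":
    publisher_roles = {"Internal/publisher", "Internal/creator"}  # assumed role names
    ok = make_response("alice", ["Internal/publisher"])
    none = make_response("bob", [])
    print(subject_name(ok), roles_from_response(ok), is_authorized(ok, publisher_roles))
    print(subject_name(none), roles_from_response(none), is_authorized(none, publisher_roles))
```

Running the block prints an authorized user whose response carries a role and a denied user whose response carries no role attribute, which is the symptom described in the question when the IdP is not configured to send roles and no userstore supplies them.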
