Piotr Perak

Reputation: 11118

WSO2 Identity server - multiple tenants on service provider side

Application I inherited uses WSO2 Identity Server, which I haven't used before. I might need to support multiple tenants in this application and I need to research whether WSO2 IS will support this. Documentation is not helping me, unfortunately. I want all tenants to have the same, shared roles. Adding a new tenant should mean adding its users and assigning them already existing roles.

So in my head the solution should be rather simple. Just add a new field to the user profile - tenantId - and then return it as a claim in the token. When I have it in the token then it's up to the code to use it. First of all, is this possible at all? If it is, is it a good idea?

There are two other possible solutions I was considering.

  1. Service Provider has a SaaS checkbox but I don't understand yet how it works.
  2. You can add tenants to WSO2 IS itself. But to me it looks like it is multitenancy on the WSO2 IS side (to share WSO2 IS) and it's not a feature to support multitenancy in my application. I was told that in this case each tenant would have to have roles defined again and that even those roles would have to be named differently.

Upvotes: 0

Views: 423

Answers (1)

Jayanga Kaushalya

Reputation: 2744

WSO2 Identity Server does have IDP-level tenant separation, but it does not have an OOB SP-level tenant separation mechanism. However, your proposed solution can be done. It is a simple configuration to add an extra claim to the user [1] (assumes that the underlying user store supports it).

Answers to your other questions:

  1. It is for IDP-level tenant separation, and if you need to share the SP between those tenants, you can use this checkbox.
  2. Correct.

This will do a clear separation on the IS side, so data will be contained to each tenant. However, you can share user stores between tenants.

[1] https://docs.wso2.com/display/IS580/Adding+Claim+Mapping

Upvotes: 1
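The application-side half of the approach discussed in the question and confirmed in the answer (a custom tenantId claim in the token, roles shared across tenants), as an added example that is not part of the question, the answer, or WSO2's own code. It assumes the token's signature has already been verified by a JWT library, that the claim mapping exposes the attribute as `tenantId` and the roles as `roles` (both assumed names), and that a token without a tenantId claim is treated as a hard failure, which is the case the answer warns about when the user store cannot carry the extra attribute.

```python
from dataclasses import dataclass

# Claim names as assumed to appear in the token after WSO2 claim mapping.
TENANT_CLAIM = "tenantId"
ROLES_CLAIM = "roles"

# Roles are shared by every tenant, so one role set covers all of them.
SHARED_ROLES = frozenset({"admin", "editor", "viewer"})


class AuthError(Exception):
    """Raised when a verified token cannot be mapped to a tenant-scoped principal."""


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant_id: str
    roles: frozenset


def principal_from_claims(claims: dict) -> Principal:
    """Build a Principal from an already signature-verified claim set.

    A missing or empty tenantId is rejected instead of being defaulted:
    silently assigning a default tenant would let a user reach another
    tenant's data, so the failure must be loud.
    """
    tenant = claims.get(TENANT_CLAIM)
    if not isinstance(tenant, str) or not tenant.strip():
        raise AuthError("token lacks a usable tenantId claim")
    raw_roles = claims.get(ROLES_CLAIM, [])
    if isinstance(raw_roles, str):  # assumed: roles may arrive comma-separated
        raw_roles = raw_roles.split(",")
    # Keep only the shared application roles; IS-internal roles are ignored.
    roles = frozenset(r.strip() for r in raw_roles) & SHARED_ROLES
    return Principal(str(claims.get("sub", "")), tenant.strip(), roles)


def authorize(principal: Principal, resource_tenant: str, required_role: str) -> bool:
    """Tenant match is checked before the role: a role is never enough on its own."""
    if principal.tenant_id != resource_tenant:
        return False
    return required_role in principal.roles


# Constructed sample claim sets standing in for verified WSO2 IS token payloads.
SAMPLE_CLAIMS_OK = {"sub": "alice", "tenantId": "acme", "roles": ["editor", "Internal/everyone"]}
SAMPLE_CLAIMS_NO_TENANT = {"sub": "bob", "roles": ["admin"]}
```

Every request handler builds the Principal once and passes the tenant that owns the requested resource into `authorize`, so a shared role such as `editor` only ever applies inside the caller's own tenant.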
