
What is the correct way of linking a local user account to a federated user in WSO2 Identity Server 5.10.0

I am using the Google authenticator (OAuth2 client) as an identity provider in WSO2 IS 5.10.0. I created a service provider which uses this Google authenticator for federated authentication.

When the user logs in for the first time using Google credentials (Gmail), I am able to create a local user by storing the user in the local user store through Just-In-Time provisioning in the identity provider: https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/

After the first login I assign roles to the local user manually.

Now when the user logs in again using federated (Google) authentication, the roles that I assigned to the local user do not get linked to the federated user.

I read about associating user accounts (https://is.docs.wso2.com/en/latest/learn/associating-user-accounts/) using the WSO2 user portal.

I tried adding

[user.association]
enable_for_federated_users = true

in deployment.toml. But when I open the user portal, I only see the option of linking a local user account to another local user account.

I want to link the user account with the federated user such that when the federated user logs in, it takes the roles provided to the local user earlier and passes through the XACML role-based policy.

XACML policy


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="role_based_login_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_Name</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
            </Match>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="permit_by_roles">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>

In the latest versions of the Identity Server (including 5.10.0), when Just-In-Time provisioning is enabled, federated users and local users are associated automatically. So you don't need to enable the config you have mentioned, and as the documentation mentions, it is not recommended.

So if you want to send the attributes of the locally provisioned user to the application, you have to enable the "Assert identity using mapped local subject identifier" configuration for the application.
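As an added example (not from the question, the answer, or WSO2), this Python script evaluates the question's role_based_login_policy the way a first-applicable PDP would, to show what the authentication step gets back when the subject's local roles are resolved (Permit or Deny) versus when no role claim is linked to the federated subject at all (Indeterminate, because the role designator is MustBePresent="true"). The request attribute IDs are the ones used in the policy; the condensed policy string is constructed from the question's XML.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
SP = "http://wso2.org/identity/sp/sp-name"
ACTION = "http://wso2.org/identity/identity-action/action-name"
ROLE = "http://wso2.org/claims/role"
# Constructed: the question's role_based_login_policy, condensed (same IDs and
# structure; DataType and Category attributes dropped for brevity).
POLICY = (
    '<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="role_based_login_policy" '
    'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">'
    f'<Target><AnyOf><AllOf><Match MatchId="{FN}string-equal"><AttributeValue>SP_Name</AttributeValue>'
    f'<AttributeDesignator AttributeId="{SP}" MustBePresent="false"/></Match>'
    f'<Match MatchId="{FN}string-equal"><AttributeValue>authenticate</AttributeValue>'
    f'<AttributeDesignator AttributeId="{ACTION}" MustBePresent="false"/></Match></AllOf></AnyOf></Target>'
    f'<Rule Effect="Permit" RuleId="permit_by_roles"><Condition><Apply FunctionId="{FN}or">'
    f'<Apply FunctionId="{FN}string-is-in"><AttributeValue>admin</AttributeValue>'
    f'<AttributeDesignator AttributeId="{ROLE}" MustBePresent="true"/></Apply></Apply></Condition></Rule>'
    '<Rule Effect="Deny" RuleId="deny_others"/></Policy>')

def evaluate(el, request):
    """Evaluate AttributeValue / AttributeDesignator / Match / Apply; request maps AttributeId -> bag."""
    if el.tag.endswith("}AttributeValue"):
        return el.text
    if el.tag.endswith("}AttributeDesignator"):
        bag = request.get(el.get("AttributeId"))
        if bag is None and el.get("MustBePresent") == "true":
            raise LookupError(el.get("AttributeId"))  # XACML: the designator is Indeterminate
        return bag or []
    fn = (el.get("FunctionId") or el.get("MatchId"))[len(FN):]
    args = [evaluate(c, request) for c in el]
    if fn == "or":
        return any(args)
    return args[0] in args[1]  # string-is-in, and Match string-equal: value found in the bag

def decide(roles):
    """PDP answer for an 'authenticate' request to SP_Name; roles=None means no role claim was resolved."""
    request = {SP: ["SP_Name"], ACTION: ["authenticate"], **({ROLE: roles} if roles is not None else {})}
    policy = ET.fromstring(POLICY)
    if not any(all(evaluate(m, request) for m in a.findall("x:Match", NS))
               for a in policy.findall("x:Target/x:AnyOf/x:AllOf", NS)):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):  # first-applicable combining algorithm
        cond = rule.find("x:Condition/x:Apply", NS)
        try:
            if cond is None or evaluate(cond, request):
                return rule.get("Effect")
        except LookupError:
            return "Indeterminate"
    return "NotApplicable"
```

Only a Permit lets the login proceed, so a federated subject whose local roles are never resolved fails the policy even though the local account holds the admin role; the linking the answer describes is what makes that role bag reach the PDP.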

