
WSO2 APIM 4.1.0: multi-tenancy with custom OIDC identity provider

I am using WSO2 API Manager 4.1.0 and I am trying to configure it with a custom OAuth2 authenticator to provide different users to different tenants.

By following this guide, meant for Okta, I was able to make logging in and token claim-to-role mapping work, with some adjustments to the configuration to adapt to the custom IdP. Users can successfully log in with the custom IdP, are assigned roles correctly, and can act accordingly in the publisher and developer portals.

However, I cannot figure out if there is any way to assign users to any tenant other than carbon.super.

The custom IdP I am working with uses e-mail addresses as usernames and, when enable_email_domain=true in the configuration file deployment.toml, users are created in APIM with said e-mail as their names, but if that setting is false (or commented out), only the part before @ is used. I thought this could be used to assign them to other tenants, but even if the e-mail domain is an existing tenant, the user is created in carbon.super.

I've noticed, when logging into Carbon as admin, in the Service Providers section, under Local & Outbound Authentication Configuration for apim_devportal and apim_publisher, the "Use tenant domain in local subject identifier" setting. I am unsure what exactly this option entails, but checking it does not seem to change anything.

This article in the documentation talks about tenants, but does not cover this scenario.

Does anyone know how (if it's even possible) to assign a user to a specific API Manager tenant, instead of carbon.super, upon logging in via a custom IdP (not Okta or Identity Server)?

Same question here. I use Keycloak as IdP and have not found a solution yet for a multitenancy schema implementation.
