Solved

Can we setup Asgardeo as an external Key-manager for APIM?

  • 4 March 2022
  • 7 replies
  • 79 views

Userlevel 1

I’m having an APIM which is setup with IS as external KM. I’m thinking of using Asgardeo as the IDP and as external KM for my use case. Is there a way to setup this? 

icon

Best answer by dimuthuk 14 March 2022, 05:02

View original

7 replies

Userlevel 3

Hi Vignesh,

 

Can you provide more context about your use case ? 

Userlevel 1

Hi Dimuthu,

I’m trying to reproduce the following scenario, but with a single change. I would like to know whether we can use Asgardeo Cloud instead of Identity Server? 

Userlevel 1

I’m sorry i missed to attach the link. Please find it below

https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/

Userlevel 3

Hi Vignesh,

Currently, It is not supported yet to set up Asgardeo as the Key Manager directly by using the same approach that we used to set up Identity Server as Key Manager.

But you will be able to setup Asgardeo as IdP.

1. Authenticate User with Asgardeo
2. Exchange authentication assertion to a token from APIM key manager and utilize identity attributes such as groups/claims shared to issue scopes.
3. Call APIs

Userlevel 3

Hi Vignesh.

You can invoke APIs published in APIM by exchanging the Asgardeo Access Token to APIM token. Following are the steps to do that.

 

  • Create an OIDC application in Asgardeo 
     Change the Access Token Type to JWT
  • Configure Asgardeo as IdP in APIM Management Console.
     * Identity Provider's JWKS Endpoint: https://api.asgardeo.io/t/<org_name>/oauth2/jwks
     * Alias : Audience value of the ID token received from the Asgardeo
     * Identity Provider's Issuer Name : https://api.asgardeo.io/t/<org_name>/oauth2/token
  • Publish new API in APIM(from Publisher portal) 
  • Create a new Application and subscribe to the API(from Devportal application) 
  • Retrieve an access token using Authorization code grant[1] from Asgardeo. We can use the client_id,client_secret of the Asgardeo OIDC Application for this.  
  • In order to invoke APIs with APIM, We need to exchange the Asgardeo Access token to the APIM token. To do that, setup the OAuth2.0 Token Exchange grant[2] in APIM.
  • Currently, Token Exchange Grant is not supported OOB in APIM 4.0.0. So we need to add the component to the repository/components/dropins directory. This will support APIM 4.1.0 onwards. 
  • Select the Token Exchange Grant type from the application from DevPortal and Click on GENERATE KEYS. Then you will get Consumer Key and Consumer Secret Values for the applciation. 
  • Use that consumer key and secret values for the below CURL command to exchange Asgardeo token to APIM token. 
    • clientId → consumer key
    • clientSecret → consumer Secret
    • externalIdPToken → Asgardeo Access Token
  • Invoke the API using that APIM token.

 

curl --location --request POST 'https://localhost:9443/oauth2/token?scope=openid' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--header 'Authorization: Basic ${base64(clientId:clientSecret)}' \

--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \

--data-urlencode 'subject_token=${externalIdPToken}' \

--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:jwt' \

--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:jwt'

 

[1]https://www.getpostman.com/collections/ece743362aaa6bf47101

[2]https://github.com/wso2-extensions/identity-oauth2-grant-token-exchange

 

Userlevel 1

Hi Dimuthu,

 

thanks for the configuration. With regards to setting up Asgardeo as the IDP for APIM, the following error is being through after Login is completed and redirected back to the callback URL. 

 

[2022-03-18 09:46:34,961] ERROR - DefaultStepBasedSequenceHandler User provisioning failed!
org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Error while provisioning user : 89e48a9c-96fd-453f-8bc6-c13e40c79486
at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:299) ~[org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:98) ~[org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioning(DefaultStepBasedSequenceHandler.java:546) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.callJitProvisioning(DefaultStepBasedSequenceHandler.java:502) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.JITProvisioningPostAuthenticationHandler.callDefaultProvisioningHandler(JITProvisioningPostAuthenticationHandler.java:722) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.JITProvisioningPostAuthenticationHandler.handleRequestFlow(JITProvisioningPostAuthenticationHandler.java:353) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.JITProvisioningPostAuthenticationHandler.handle(JITProvisioningPostAuthenticationHandler.java:150) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.executePostAuthnHandler(PostAuthenticationMgtService.java:116) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.handlePostAuthentication(PostAuthenticationMgtService.java:82) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handlePostAuthentication(DefaultAuthenticationRequestHandler.java:230) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:195) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:248) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:46) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:37) [org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthFlowThroughFramework(OAuth2AuthzEndpoint.java:2496) [classes/:?]
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleInitialAuthorizationRequest(OAuth2AuthzEndpoint.java:854) [classes/:?]
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:253) [classes/:?]
at sun.reflect.GeneratedMethodAccessor514.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_281]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_281]
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) [cxf-core-3.3.7.jar:3.3.7]
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) [cxf-core-3.3.7.jar:3.3.7]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) [cxf-rt-frontend-jaxrs-3.3.7.jar:3.3.7]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) [cxf-rt-frontend-jaxrs-3.3.7.jar:3.3.7]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) [cxf-core-3.3.7.jar:3.3.7]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) [cxf-core-3.3.7.jar:3.3.7]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:296) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:220) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:655) [tomcat-servlet-api_9.0.52.wso2v1.jar:?]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:271) [cxf-rt-transports-http-3.3.7.jar:3.3.7]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat_9.0.52.wso2v2.jar:?]
at org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85) [org.wso2.carbon.webapp.mgt_4.11.1.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat_9.0.52.wso2v2.jar:?]
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53) [org.wso2.carbon.ui_4.6.2.42.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat_9.0.52.wso2v2.jar:?]
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:107) [org.wso2.carbon.identity.context.rewrite.valve_1.4.25.jar:?]
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:110) [org.wso2.carbon.identity.authz.valve_1.4.25.jar:?]
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:104) [org.wso2.carbon.identity.auth.valve_1.4.25.11.jar:?]
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:101) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationValve.invoke(WebappAuthenticationValve.java:87) [org.wso2.carbon.webapp.authenticator.framework_5.0.3.SNAPSHOT.jar:?]
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:145) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) [tomcat_9.0.52.wso2v2.jar:?]
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:126) [org.wso2.carbon.tomcat.ext_4.6.2.jar:?]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1726) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat_9.0.52.wso2v2.jar:?]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat_9.0.52.wso2v2.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_281]
Caused by: org.wso2.carbon.user.core.UserStoreException: 31301 - Username 89e48a9c-96fd-453f-8bc6-c13e40c79486 is not valid. User name must be a non null string with following format, ^[\S]{3,30}$
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:215) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4689) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4675) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:206) ~[org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
... 78 more
Caused by: java.security.PrivilegedActionException
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_281]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:201) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4689) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4675) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:206) ~[org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
... 78 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_281]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_281]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_281]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_281]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager$2.run(AbstractUserStoreManager.java:204) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_281]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:201) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4689) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4675) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:206) ~[org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
... 78 more
Caused by: org.wso2.carbon.user.core.UserStoreException: 31301 - Username 89e48a9c-96fd-453f-8bc6-c13e40c79486 is not valid. User name must be a non null string with following format, ^[\S]{3,30}$
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4883) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_281]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_281]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_281]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_281]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager$2.run(AbstractUserStoreManager.java:204) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_281]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:201) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4689) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4675) ~[org.wso2.carbon.user.core_4.6.2.14.jar:?]
at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:206) ~[org.wso2.carbon.identity.application.authentication.framework_5.18.187.123.jar:?]
... 78 more

 

Inside the IDP claims config, i have mapped the roles,userid,username claims from the ID token with the local claims. But still, its taking the userid from Asgardeo as the username locally. 

Userlevel 3

Hi Vignesh, 

We only need to configure below fields when configuring IdP in APIM (https://localhost:9443/carbon). 

 * Identity Provider's JWKS Endpoint: https://api.asgardeo.io/t/<org_name>/oauth2/jwks
 * Alias : Audience value of the ID token received from the Asgardeo
 * Identity Provider's Issuer Name : https://api.asgardeo.io/t/<org_name>/oauth2/token

 

Reply