Enhance outbound provisioning with resident SP fallback and sub-organization support

components/provisioning/org.wso2.carbon.identity.provisioning/pom.xml

@@ -92,6 +92,10 @@
             <groupId>org.wso2.carbon.identity.framework</groupId>
             <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.identity.central.log.mgt</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.testng</groupId>
             <artifactId>testng</artifactId>
@@ -173,6 +177,8 @@
                             version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.application.authentication.framework.util;
                             version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.identity.central.log.mgt.utils;
+                            version="${carbon.identity.package.import.version.range}",
                         </Import-Package>
                         <Export-Package>
                             !org.wso2.carbon.identity.provisioning.internal,

components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/OutboundProvisioningManager.java

@@ -204,24 +204,17 @@ private Map<String, RuntimeProvisioningConfig> getOutboundProvisioningConnectors
                         String connectorType = fIdP.getDefaultProvisioningConnectorConfig()
                                 .getName();
 
-                        boolean enableJitProvisioning = false;
+                        boolean enableJitProvisioning = fIdP.getJustInTimeProvisioningConfig() != null
+                                && fIdP.getJustInTimeProvisioningConfig().isProvisioningEnabled();
 
-                        if (fIdP.getJustInTimeProvisioningConfig() != null
-                            && fIdP.getJustInTimeProvisioningConfig().isProvisioningEnabled()) {
-                            enableJitProvisioning = true;
-                        }
-
-                        connector = getOutboundProvisioningConnector(fIdP,
-                                                                     registeredConnectorFactories, tenantDomain,
-                                                                     enableJitProvisioning);
+                        connector = getOutboundProvisioningConnector(fIdP, registeredConnectorFactories, tenantDomain);
                         // add to the provisioning connectors list. there will be one item for each
                         // provisioning identity provider found in the out-bound provisioning
                         // configuration of the local service provider.
                         if (connector != null) {
                             RuntimeProvisioningConfig proConfig = new RuntimeProvisioningConfig();
-                            proConfig
-                                    .setProvisioningConnectorEntry(new SimpleEntry<>(
-                                            connectorType, connector));
+                            proConfig.setJitProvisioningEnabled(enableJitProvisioning);
+                            proConfig.setProvisioningConnectorEntry(new SimpleEntry<>(connectorType, connector));
                             proConfig.setBlocking(defaultConnector.isBlocking());
                             proConfig.setPolicyEnabled(defaultConnector.isRulesEnabled());
                             connectors.put(fIdP.getIdentityProviderName(), proConfig);
@@ -250,15 +243,14 @@ private Map<String, RuntimeProvisioningConfig> getOutboundProvisioningConnectors
      * @param fIdP
      * @param registeredConnectorFactories
      * @param tenantDomainName
-     * @param enableJitProvisioning
      * @return
      * @throws IdentityProviderManagementException
      * @throws UserStoreException
      */
     private AbstractOutboundProvisioningConnector getOutboundProvisioningConnector(
             IdentityProvider fIdP,
             Map<String, AbstractProvisioningConnectorFactory> registeredConnectorFactories,
-            String tenantDomainName, boolean enableJitProvisioning)
+            String tenantDomainName)
             throws IdentityProviderManagementException, IdentityProvisioningException {
 
         String idpName = fIdP.getIdentityProviderName();
@@ -303,13 +295,17 @@ private AbstractOutboundProvisioningConnector getOutboundProvisioningConnector(
                 Property[] provisioningProperties = defaultProvisioningConfig
                         .getProvisioningProperties();
 
-                if (enableJitProvisioning) {
-                    Property jitEnabled = new Property();
-                    jitEnabled.setName(IdentityProvisioningConstants.JIT_PROVISIONING_ENABLED);
-                    jitEnabled.setValue("1");
-                    provisioningProperties = IdentityApplicationManagementUtil.concatArrays(
-                            provisioningProperties, new Property[]{jitEnabled});
-                }
+                /*
+                 * Always set JIT provisioning as enabled at the connector level. The actual JIT enablement check is
+                 * performed in ProvisioningThread before executing outbound provisioning for JIT provisioned entity.
+                 * Therefore, validating JIT conditions at the connector level is unnecessary and may cause issues
+                 * when the same connector is used by applications with different JIT configurations.
+                 */
+                Property jitEnabled = new Property();
+                jitEnabled.setName(IdentityProvisioningConstants.JIT_PROVISIONING_ENABLED);
+                jitEnabled.setValue("1");
+                provisioningProperties = IdentityApplicationManagementUtil.concatArrays(
+                        provisioningProperties, new Property[]{jitEnabled});
 
                 Property userIdClaimURL = new Property();
                 userIdClaimURL.setName("userIdClaimUri");
@@ -357,9 +353,7 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
             }
 
             // Any provisioning request coming via Console, considered as coming from the resident SP.
-            // If the application based outbound provisioning is disabled, resident SP configuration will be used.
-            if (StringUtils.equals(CONSOLE_APPLICATION_NAME, serviceProviderIdentifier) ||
-                    !isApplicationBasedOutboundProvisioningEnabled()) {
+            if (StringUtils.equals(CONSOLE_APPLICATION_NAME, serviceProviderIdentifier)) {
                 serviceProviderIdentifier = LOCAL_SP;
                 inboundClaimDialect = IdentityProvisioningConstants.WSO2_CARBON_DIALECT;
             }
@@ -375,11 +369,6 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
                         + serviceProviderIdentifier);
             }
 
-            String provisioningEntityTenantDomainName = spTenantDomainName;
-            if (serviceProvider.isSaasApp() && isUserTenantBasedOutboundProvisioningEnabled()) {
-                provisioningEntityTenantDomainName = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
-            }
-
             ClaimMapping[] spClaimMappings = null;
 
             // if we know the serviceProviderClaimDialect - we do not need to find it again.
@@ -393,6 +382,32 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
             Map<String, RuntimeProvisioningConfig> connectors =
                     getOutboundProvisioningConnectors(serviceProvider, spTenantDomainName);
 
+            // When application-based outbound provisioning is disabled and the application has no
+            // outbound provisioning connectors configured, fall back to LOCAL_SP (resident app) connectors.
+            if (!isApplicationBasedOutboundProvisioningEnabled() && MapUtils.isEmpty(connectors)
+                    && !LOCAL_SP.equals(serviceProviderIdentifier)) {
+                ServiceProvider localSP = ApplicationManagementService.getInstance()
+                        .getServiceProvider(LOCAL_SP, spTenantDomainName);
+                if (localSP != null) {
+                    if (log.isDebugEnabled()) {
+                        log.debug(String.format(
+                                "No outbound provisioning connectors are configured for the application: %s. " +
+                                        "Falling back to resident application outbound provisioning connectors.",
+                                serviceProviderIdentifier));
+                    }
+                    serviceProvider = localSP;
+                    connectors = getOutboundProvisioningConnectors(localSP, spTenantDomainName);
+                    inboundClaimDialect = IdentityProvisioningConstants.WSO2_CARBON_DIALECT;
+                    // LOCAL_SP uses WSO2_CARBON_DIALECT; spClaimMappings is not needed.
+                    spClaimMappings = null;
+                }
+            }
+
+            String provisioningEntityTenantDomainName = spTenantDomainName;
+            if (serviceProvider.isSaasApp() && isUserTenantBasedOutboundProvisioningEnabled()) {
+                provisioningEntityTenantDomainName = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+            }
+
             ProvisioningEntity outboundProEntity;
 
             ExecutorService executors = null;
@@ -412,6 +427,7 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
                 AbstractOutboundProvisioningConnector connector = connectorEntry.getValue();
                 String connectorType = connectorEntry.getKey();
                 String idPName = entry.getKey();
+                boolean jitProvisioningEnabledForIdP = entry.getValue().isJitProvisioningEnabled();
 
                 IdentityProvider provisioningIdp =
                         IdentityProviderManager.getInstance().getIdPByName(idPName, spTenantDomainName);
@@ -535,7 +551,8 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
                         outboundProEntity = new ProvisioningEntity(ProvisioningEntityType.USER,
                                                                    user, ProvisioningOperation.POST, mappedUserClaims);
                         Callable<Boolean> proThread = new ProvisioningThread(outboundProEntity, spTenantDomainName,
-                                provisioningEntityTenantDomainName, connector, connectorType, idPName, dao);
+                                provisioningEntityTenantDomainName, connector, connectorType, idPName, dao,
+                                jitProvisioningEnabledForIdP);
                         outboundProEntity.setIdentifier(provisionedIdentifier);
                         outboundProEntity.setJitProvisioning(jitProvisioning);
                         boolean isBlocking = entry.getValue().isBlocking();
@@ -560,7 +577,8 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
                             outboundProEntity = new ProvisioningEntity(ProvisioningEntityType.USER,
                                                                        user, ProvisioningOperation.DELETE, mappedUserClaims);
                             Callable<Boolean> proThread = new ProvisioningThread(outboundProEntity, spTenantDomainName,
-                                    provisioningEntityTenantDomainName, connector, connectorType, idPName, dao);
+                                    provisioningEntityTenantDomainName, connector, connectorType, idPName, dao,
+                                    jitProvisioningEnabledForIdP);
                             outboundProEntity.setIdentifier(provisionedUserIdentifier);
                             outboundProEntity.setJitProvisioning(jitProvisioning);
                             boolean isBlocking = entry.getValue().isBlocking();
@@ -586,7 +604,8 @@ public void provision(ProvisioningEntity provisioningEntity, String serviceProvi
                                 provisioningEntity.getEntityName(), provisioningOp, mapppedClaims);
 
                         Callable<Boolean> proThread = new ProvisioningThread(outboundProEntity, spTenantDomainName,
-                                provisioningEntityTenantDomainName, connector, connectorType, idPName, dao);
+                                provisioningEntityTenantDomainName, connector, connectorType, idPName, dao,
+                                jitProvisioningEnabledForIdP);
                         outboundProEntity.setIdentifier(provisionedIdentifier);
                         outboundProEntity.setJitProvisioning(jitProvisioning);
                         boolean isAllowed = true;

components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/ProvisioningThread.java

@@ -18,7 +18,6 @@
 
 package org.wso2.carbon.identity.provisioning;
 
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
@@ -40,6 +39,7 @@ public class ProvisioningThread implements Callable<Boolean> {
     private String connectorType;
     private String idPName;
     private CacheBackedProvisioningMgtDAO dao;
+    private boolean jitProvisioningEnabledForIdP;
     private static final Log log = LogFactory.getLog(ProvisioningThread.class);
 
     public ProvisioningThread(ProvisioningEntity provisioningEntity, String tenantDomainName,
@@ -63,6 +63,28 @@ public ProvisioningThread(ProvisioningEntity provisioningEntity, String spTenant
         this.provisioningEntityTenantDomainName = provisioningEntityTenantDomainName;
     }
 
+    /**
+     * Parameterized constructor to propagate JIT provisioning state to the connector.
+     *
+     * @param provisioningEntity Provisioning entity containing details of the provisioning operation.
+     * @param spTenantDomainName Service provider tenant domain name.
+     * @param provisioningEntityTenantDomainName Tenant domain name of the provisioning entity.
+     * @param connector Outbound provisioning connector to perform the provisioning operation.
+     * @param connectorType Type of the outbound provisioning connector.
+     * @param idPName Name of the identity provider through which provisioning is triggered.
+     * @param dao Data access object to store and manage provisioning entity identifiers.
+     * @param jitProvisioningEnabledForIdP Flag indicating whether JIT provisioning is enabled or not.
+     */
+    public ProvisioningThread(ProvisioningEntity provisioningEntity, String spTenantDomainName,
+                              String provisioningEntityTenantDomainName,
+                              AbstractOutboundProvisioningConnector connector, String connectorType, String idPName,
+                              CacheBackedProvisioningMgtDAO dao, boolean jitProvisioningEnabledForIdP) {
+
+        this(provisioningEntity, spTenantDomainName, provisioningEntityTenantDomainName, connector, connectorType,
+                idPName, dao);
+        this.jitProvisioningEnabledForIdP = jitProvisioningEnabledForIdP;
+    }
+
     @Override
     public Boolean call() throws IdentityProvisioningException {
 
@@ -83,7 +105,13 @@ public Boolean call() throws IdentityProvisioningException {
 
             /* Skip outbound provisioning triggered for JIT provisioning flow, where the JIT outbound is disabled for
                the configured connector. */
-            if (provisioningEntity.isJitProvisioning() && !connector.isJitProvisioningEnabled()) {
+            if (provisioningEntity.isJitProvisioning() && !jitProvisioningEnabledForIdP) {
+                if (log.isDebugEnabled()) {
+                    log.debug(String.format("Skipping outbound provisioning for entity: %s via IDP: %s, connector: " +
+                            "%s. Reason: JIT provisioning is not enabled for this provisioning connector.",
+                            ProvisioningUtil.maskIfRequired(provisioningEntity.getEntityName()), idPName,
+                            connectorType));
+                }
                 return true;
             }
             ProvisionedIdentifier provisionedIdentifier = null;
@@ -118,8 +146,10 @@ public Boolean call() throws IdentityProvisioningException {
             }
             success = true;
         } catch (Exception e) {
-            String errMsg = "Fail the Provisioning for Entity " + provisioningEntity.getEntityName() +
-                    " For operation = " + provisioningEntity.getOperation();
+            String maskedEntityName = ProvisioningUtil.maskIfRequired(provisioningEntity.getEntityName());
+            String errMsg = "Outbound provisioning failed for connection: " + idPName + ", connector: " + connectorType
+                    + ", entity: " + maskedEntityName + ", entity type: " + provisioningEntity.getEntityType()
+                    + ", operation: " + provisioningEntity.getOperation();
             log.warn(errMsg);
             throw new IdentityProvisioningException(errMsg, e);
         } finally {

components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/ProvisioningUtil.java

@@ -30,6 +30,7 @@
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants;
 import org.wso2.carbon.identity.application.mgt.ApplicationConstants;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 
@@ -618,4 +619,15 @@ public static boolean isApplicationBasedOutboundProvisioningEnabled() {
         }
         return applicationBasedOutboundProvisioningEnabled;
     }
+
+    /**
+     * Mask the given value if it is required.
+     *
+     * @param value Value to be masked.
+     * @return Masked/unmasked value.
+     */
+    public static String maskIfRequired(String value) {
+
+        return LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(value) : value;
+    }
 }

components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/RuntimeProvisioningConfig.java

@@ -1,12 +1,12 @@
 /*
- * Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2014-2026, WSO2 LLC. (http://www.wso2.com).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
@@ -27,6 +27,7 @@ public class RuntimeProvisioningConfig implements Serializable {
 
     private boolean blocking;
     private boolean policyEnabled;
+    private boolean jitProvisioningEnabled;
     private Entry<String, AbstractOutboundProvisioningConnector> provisioningConnectorEntry;
 
     /**
@@ -43,6 +44,24 @@ public void setBlocking(boolean blocking) {
         this.blocking = blocking;
     }
 
+    /**
+     * Get JIT provisioning enabled or not.
+     * @return JIT provisioning enabled or not.
+     */
+    public boolean isJitProvisioningEnabled() {
+
+        return jitProvisioningEnabled;
+    }
+
+    /**
+     * Set JIT provisioning enabled or not.
+     * @param jitProvisioningEnabled JIT provisioning enabled or not.
+     */
+    public void setJitProvisioningEnabled(boolean jitProvisioningEnabled) {
+
+        this.jitProvisioningEnabled = jitProvisioningEnabled;
+    }
+
     /**
      * @return
      */

components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/cache/ServiceProviderProvisioningConnectorCache.java

@@ -35,7 +35,7 @@ private ServiceProviderProvisioningConnectorCache() {
      */
     public static ServiceProviderProvisioningConnectorCache getInstance() {
         if (instance == null) {
-            synchronized (ProvisioningConnectorCache.class) {
+            synchronized (ServiceProviderProvisioningConnectorCache.class) {
                 if (instance == null) {
                     instance = new ServiceProviderProvisioningConnectorCache();
                 }