Tenant-Specific Service Provider Creation Fails for Portal SSO in APIM 4.1.0
Description
In WSO2 API Manager 4.1.0, tenant-specific Service Provider (SP) creation for the portals (Publisher, Developer Portal, and Admin Portal) fails under certain conditions when per-tenant SAML SSO or OIDC SSO is configured.
Observed Behavior
When configuring per-tenant SSO for the portals:
- The per-tenant SP is not created in the tenant's Carbon Console.
- The following error appears when logging in to the Developer Portal:
  Cannot find an application associated with the given consumer key : undefined
- The logs show:
  org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException:
  Cannot find an application associated with the given consumer key : undefined
- The tenant-specific DCR (Dynamic Client Registration) call is not triggered as expected: the retrieved system application object is non-null, so the portal treats it as an existing registration, but its client ID and client secret are undefined.
Root Cause
When the tenant admin username is not "admin", SP creation fails. While handling the DCR request, the system derives the tenant domain from the authenticated user (authUser) rather than from the application owner, so the two do not match. This results in:
- an "Application owner does not exist" error
- the DCR call returning null for the client credentials
- the portals using undefined credentials (undefined:undefined)
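The credential failure described above comes down to two missing checks: the tenant domain is taken from the wrong principal, and an object with no client ID or secret is accepted as a registered client. The following is an added JavaScript example (not code from WSO2 or from the original report) that models both in plain Node.js. The tenant-domain helper follows the WSO2 tenant-aware username convention (user@tenant.domain, with bare usernames belonging to the super tenant "carbon.super"); the field names clientId/clientSecret, the function names, and the sample inputs are assumptions made for illustration, not the portal's actual identifiers.

```javascript
// Added example, not code from WSO2 APIM or the original bug report.
// Models the failure mode: a DCR response object that exists but carries no
// client ID/secret, which the buggy path turns into "undefined:undefined".
// Field names (clientId, clientSecret) and function names are assumptions.

const SUPER_TENANT_DOMAIN = 'carbon.super';

// Tenant domain of a tenant-aware username, e.g. "admin@example.com" -> "example.com".
// Bare usernames (no "@") belong to the super tenant.
function tenantDomainFromUsername(username) {
  const at = username.lastIndexOf('@');
  if (at < 0 || at === username.length - 1) return SUPER_TENANT_DOMAIN;
  return username.slice(at + 1).toLowerCase();
}

// The reported root cause: the DCR handler derives the tenant domain from the
// authenticated user rather than the application owner. Return both so a caller
// can detect the mismatch and use the owner-derived domain, which is the right one.
function resolveDcrTenant(appOwner, authUser) {
  const ownerDomain = tenantDomainFromUsername(appOwner);
  const authDomain = tenantDomainFromUsername(authUser);
  return { ownerDomain, authDomain, mismatch: ownerDomain !== authDomain };
}

// Buggy path: no validation, so missing fields stringify to the literal "undefined".
function buggyBasicAuth(dcrResponse) {
  const raw = `${dcrResponse.clientId}:${dcrResponse.clientSecret}`;
  return { raw, header: 'Basic ' + Buffer.from(raw, 'utf8').toString('base64') };
}

// Hardened check: a non-null object is not proof of a registered client; both
// credential fields must be non-empty strings before they are used.
function validateDcrResponse(dcrResponse) {
  if (dcrResponse === null || typeof dcrResponse !== 'object') {
    return { ok: false, reason: 'no DCR response object' };
  }
  for (const field of ['clientId', 'clientSecret']) {
    const value = dcrResponse[field];
    if (typeof value !== 'string' || value.trim().length === 0) {
      return { ok: false, reason: `DCR response missing ${field}` };
    }
  }
  return { ok: true, reason: '' };
}

// Fail closed: a clear error beats an undefined:undefined login attempt.
function safeBasicAuth(dcrResponse) {
  const check = validateDcrResponse(dcrResponse);
  if (!check.ok) {
    throw new Error(`Refusing to build client credentials: ${check.reason}`);
  }
  const raw = `${dcrResponse.clientId}:${dcrResponse.clientSecret}`;
  return { raw, header: 'Basic ' + Buffer.from(raw, 'utf8').toString('base64') };
}

// Constructed sample inputs (not captured from a real server).
const brokenResponse = {};                                          // "system application" with no credentials
const goodResponse = { clientId: 'abc123', clientSecret: 's3cr3t' }; // a healthy DCR result

console.log(resolveDcrTenant('tenantadmin@example.com', 'admin@carbon.super'));
console.log(buggyBasicAuth(brokenResponse).raw);   // the string the portal ends up sending
console.log(validateDcrResponse(brokenResponse));  // { ok: false, reason: 'DCR response missing clientId' }
console.log(safeBasicAuth(goodResponse).raw);
```

The same guard applies whichever portal performs the registration: check the DCR payload before caching it as the system application, and derive the tenant from the application owner rather than from whoever happens to be authenticated when the request is handled.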
Expected Behavior
A tenant-specific Service Provider should be created correctly regardless of the tenant admin username, and SSO should function as expected for all tenants.
Steps to Reproduce
- Add the following configuration to deployment.toml and start the latest APIM 4.1.0 U2 pack:
[apim.idp]
server_url = "https://localhost:9443/"
authorize_endpoint = "https://localhost:9443/oauth2/authorize"
oidc_logout_endpoint = "https://localhost:9443/oidc/logout"
oidc_check_session_endpoint = "https://localhost:9443/oidc/checksession"
- Go to the Carbon Console and create a new tenant.
- For the first test, set the admin username to admin.
- While logged in as super admin, navigate to browse → resources → _system → governance and create a new collection:
  customurl/api-cloud/<tenant-domain>/urlMapping
(Replace
- Inside the above path, create a text resource with the following content:
{
"tenantDomain": "example.com",
"store": {
"customUrl": "devportal.example.com"
}
}
- Log in to the Admin Portal as the tenant admin and, under Advanced Configuration, set:
  "EnablePerTenantServiceProviderCreation": true,
- Restart the APIM server.
- Configure Nginx with the relevant reverse proxy configuration (replace the tenant domain, URL, and certs as needed).
- Start Nginx and access your custom Dev Portal URL.
- Case 1: tenant admin username is admin (i.e. admin@<tenant-domain>) → SP creation succeeds.
- Case 2: tenant admin username is anything other than admin → SP creation fails.
Version
wso2am-4.1.0
Environment Details (with versions)
No response