Add configuration for SaaS app role return in ID token

components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java

@@ -84,6 +84,7 @@
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.AdaptiveAuthentication.ALLOW_AUTHENTICATED_SUB_UPDATE;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.Config.SEND_ONLY_LOCALLY_MAPPED_ROLES_OF_IDP;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.PROP_USERNAME_UPDATED_EXTERNALLY;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN;
 import static org.wso2.carbon.identity.core.util.IdentityUtil.getLocalGroupsClaimURI;
 
 /**
@@ -429,6 +430,12 @@ protected List<String> getAppAssociatedRolesOfLocalUser(StepConfig stepConfig, A
         if (serviceProvider == null) {
             return null;
         }
+        /* If the application and user are in different tenant domains and the ReturnRolesInSaaSAppsInIDToken config
+           is disabled, return an empty list. */
+        if (!StringUtils.equals(serviceProvider.getTenantDomain(), authenticatedUser.getTenantDomain()) &&
+                !Boolean.parseBoolean(IdentityUtil.getProperty(RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN))) {
+            return new ArrayList<>();
+        }
         String applicationId = serviceProvider.getApplicationResourceId();
         return FrameworkUtils.getAppAssociatedRolesOfLocalUser(authenticatedUser, applicationId);
     }

components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java

@@ -303,6 +303,8 @@ public abstract class FrameworkConstants {
     public static final String AMR = "amr";
     public static final String USER_ASSERTION = "userAssertion";
 
+    public static final String RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN = "ReturnRolesInSaaSAppsInIDToken";
+
     // Authentication entity constants.
     public static final String AUTH_ENTITY = "auth_entity";
     public static final String AUTH_ENTITY_AGENT = "agent";

features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml

@@ -3049,6 +3049,7 @@
     </NotificationChannel>
     <PASTRCookieMaxAge>-1</PASTRCookieMaxAge>
     <MarkStepCompletedOnInterrupt>true</MarkStepCompletedOnInterrupt>
+    <ReturnRolesInSaaSAppsInIDToken>false</ReturnRolesInSaaSAppsInIDToken>
 
     <TenantLevelAuthenticationConfigForAuthSequence>true</TenantLevelAuthenticationConfigForAuthSequence>
     <EnhancedOrganizationAuthenticationFeatureEnabled>true</EnhancedOrganizationAuthenticationFeatureEnabled>

features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2

@@ -5298,6 +5298,7 @@
     <PASTRCookieMaxAge>{{pastr_cookie.max_age}}</PASTRCookieMaxAge>
     <ResolveTenantDomainFromUsername>{{resolve_tenant_domain_from_username.enabled | default(false)}}</ResolveTenantDomainFromUsername>
     <MarkStepCompletedOnInterrupt>{{authentication.mark_step_completed_on_interrupt}}</MarkStepCompletedOnInterrupt>
+    <ReturnRolesInSaaSAppsInIDToken>{{saas_apps.return_roles_in_id_token}}</ReturnRolesInSaaSAppsInIDToken>
 
     <!-- API filtering controls -->
     <APIFiltering>

features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json

@@ -2405,5 +2405,7 @@
   "circuit_breaker.min_calls_to_evaluate": 15,
   "circuit_breaker.failure_rate_threshold": 0.5,
   "circuit_breaker.open_duration": 60000,
-  "circuit_breaker.max_in_flight": 20
+  "circuit_breaker.max_in_flight": 20,
+
+  "saas_apps.return_roles_in_id_token": false
 }