After upgrading to TAS 2.7.x, users get authorization failures when logging in to apps bound to the Pivotal Single Sign-On (SSO) tile.
The user attributes passed as "roles" in the token are missing. The error message displayed after login shows that the specific groups required for access to the app are not present in the user account.
In the SSO Operator Dashboard > Advanced Settings > Group Assignments, the checkbox "Persist Custom Attributes" under Custom Attributes MUST be checked in order for the "roles" attribute to be passed successfully. Once this is checked, the resource mapping is interpreted correctly on login.
This issue is about the conditions under which the roles claim will be present in the id_token or the /userinfo endpoint.
Prior to UAA v73.3.0, the roles claim would appear in the id_token as long as a user belonged to an external group that appeared in the uaa.ldap.externalGroupsWhitelist property. The roles would never be present in the response to /userinfo.
A change was delivered in UAA v73.3.0 such that if the roles claim is present in the id_token, it is also present in the response to /userinfo. This new feature changes the conditions under which the roles claim is included in the id_token and the /userinfo response. Now, uaa.ldap.storeCustomAttributes must be set to true in addition to the user belonging to an external group that appears in the uaa.ldap.externalGroupsWhitelist property. The "Persist Custom Attributes" box in the SSO dashboard controls this setting.
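The rules above can be checked from the outside by decoding the id_token an app receives and comparing its roles claim with what the app expects. The following Python script is an added example, not code from the article or from UAA: it models the documented conditions (whitelisted external group before v73.3.0; whitelisted group plus storeCustomAttributes from v73.3.0 on) and decodes a sample id_token to report which required roles are missing. The tokens it builds are constructed, unsigned test data, and the role names "app.admin" and "app.user" are assumptions for illustration; the decoder inspects claims only and performs no signature verification, so it is a diagnostic aid, not something to make authorization decisions with.

```python
import base64
import json

# UAA version from which the roles claim additionally requires
# uaa.ldap.storeCustomAttributes=true (per the article: UAA v73.3.0).
ROLES_REQUIRE_STORE_CUSTOM_ATTRIBUTES_SINCE = (73, 3, 0)


def parse_version(version: str) -> tuple:
    """Turn 'v73.3.0' or '73.3.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def roles_claim_expected(uaa_version: str, in_whitelisted_external_group: bool,
                         store_custom_attributes: bool) -> dict:
    """Return where the 'roles' claim should appear under the article's rules.

    Keys: 'id_token' and 'userinfo'. The group must be listed in
    uaa.ldap.externalGroupsWhitelist for the claim to appear at all.
    """
    if not in_whitelisted_external_group:
        return {"id_token": False, "userinfo": False}
    if parse_version(uaa_version) < ROLES_REQUIRE_STORE_CUSTOM_ATTRIBUTES_SINCE:
        # Old behaviour: roles in the id_token only, never in /userinfo.
        return {"id_token": True, "userinfo": False}
    # New behaviour: both responses carry roles, but only when
    # custom attributes are persisted ("Persist Custom Attributes").
    present = store_custom_attributes
    return {"id_token": present, "userinfo": present}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def claims_from_id_token(id_token: str) -> dict:
    """Decode the payload segment of a JWT to inspect its claims.

    Does NOT verify the signature: use only to see which claims UAA emitted.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(id_token: str, required_roles: set) -> set:
    """Roles the app needs that the token does not carry (empty set means OK)."""
    claims = claims_from_id_token(id_token)
    return set(required_roles) - set(claims.get("roles", []))


def make_sample_id_token(claims: dict) -> str:
    """Build an UNSIGNED sample token (constructed test data, not a real UAA token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed tokens: one issued while storeCustomAttributes was off
    # (no roles claim), one issued after the setting was enabled.
    token_without_roles = make_sample_id_token({"sub": "alice", "user_name": "alice"})
    token_with_roles = make_sample_id_token(
        {"sub": "alice", "user_name": "alice", "roles": ["app.admin", "app.user"]})
    print("missing (setting off):", missing_roles(token_without_roles, {"app.admin"}))
    print("missing (setting on): ", missing_roles(token_with_roles, {"app.admin"}))
    print("v73.3.0, persist off:", roles_claim_expected("v73.3.0", True, False))
    print("v73.3.0, persist on: ", roles_claim_expected("v73.3.0", True, True))
```

Run the script as-is to see the two cases side by side; to check a real token, paste the id_token string into `missing_roles` with the roles your app's resource mapping requires. An empty result means the claim is present and complete; a non-empty result on a v73.3.0 or later UAA points at the "Persist Custom Attributes" checkbox or at the group not being in the whitelist.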
This is the commit which introduces the change in behavior: https://github.com/pivotal/lts-uaa/commit/d514a351ab25c98c34eb875b21edab2b18c32ccc