SAML problem with SMA
We were using ldap successfully but have a need to use SAML SSO. We followed the documentation to get connected and ran into a problem. In LDAP the login ID is first initial last name from Active Directory; but in azure what is sent as a claim is the email address. So we end up with a new account for each user. Futhermore required fields like job title and division are not being sent at all. Was working with someone from KACE but he was not able to get the problem resolved.
He did have me install a chrome SAML utility which shows the same XML. so for username from Azure what it sends is "<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">"
Has anyone had any luck declaring additional "claims" in azure? This far we cant seem to get Azure to send what we need.
-
Anyone? Bueller? - barchetta 4 years ago
-
Did you ever get this working? - bseaton 4 years ago
Answers (3)
The secret is in how you set it up. The documentation that Quest provides is pretty good but the issue is they use App Registration rather than an Enterprise App. If you create an Enterprise App it also creates an app under App Registration. Navigate to the app under App Registration and follow the same instructions. The only changes that you will need to make are:
- Enter the entity ID within the Single Sign-On info within the Enterprise application
- Add any additional claims in the claims section of Single Sign-On
- Do a test connection using Azure SSO test and capture it with the SAML Message Decoder Chrome extension. Grab the certificate from the SAML message and update it in Kace.
What we ended up doing is using the email address as the primary key in the saml setup. It can also be done by setting up claims so that for the UID you map the email address. lots of ways to go about this. However, if you are using Azure App registration you are limited as to what claims can be used. There is a way to use enterprise registration where you can bring in more claims but I digress.
If you want to use the email address this is how we map to the claim under email and it is set as the primary key.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
We were also using the UNC at one point and if you are azure it should be the email address.. we were using
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Hope this helps... that chrome extension is KEY in troubleshooting.. there seem to be only a few people on kace support that truly understand this and I wish I could remember a name but I cannot.
One thing though, if you have multiple email addresses you have to be careful here that ldap doesnt change the email address. Using ldap in conjunction with saml can be tricky depending on your configuration so keep this in mind.