BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

SAML - Migration existing site with users fails #2968

Closed vladaman closed 3 years ago

vladaman commented 3 years ago

After enabling SAML2 with Jumpcloud, our users cannot log in. After a successful login with Jumpcloud SSO we get an error:

[2021-10-11 19:37:28] production.ERROR: A user with the email testuser@mydomain.com already exists but with different credentials. {"exception":"[object] (BookStack\\Exceptions\\UserRegistrationException(code: 0): A user with the email testuser@mydomain.com already exists but with different credentials. at /var/www/BookStack/app/Auth/Access/RegistrationService.php:68)
[stacktrace]
#0 /var/www/BookStack/app/Auth/Access/Saml2Service.php(344): BookStack\\Auth\\Access\\RegistrationService->registerUser(Array, NULL, false)
#1 /var/www/BookStack/app/Auth/Access/Saml2Service.php(380): BookStack\\Auth\\Access\\Saml2Service->getOrRegisterUser(Array)
#2 /var/www/BookStack/app/Auth/Access/Saml2Service.php(109): BookStack\\Auth\\Access\\Saml2Service->processLoginCallback('testuser@mydomain..', Array)

This is due to missing values in the users table (in the external_id column).

ssddanbrown commented 3 years ago

Hi @vladaman, this is expected. BookStack won't auto-match them up for security purposes, since existing users with a non-matching auth system ID may be a security concern. When migrating to an auth system like this, it's often best to populate the External Auth IDs of the existing users to match your auth system. This can be done either within BookStack via editing users or via the database if preferred (easier to batch edit via DB).
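
What that batch edit looks like in practice, as an added example that is not BookStack's own code or tooling: a Python script run against an in-memory SQLite stand-in for the relevant columns of the users table. It takes a constructed export of (external id, email) pairs from the IdP, where the external id must be the exact value BookStack will receive as the user's external ID from the SAML assertion, and it only fills rows whose external ID is currently empty. A row that already holds a different ID, an IdP export with a duplicated ID or email, and a BookStack user with no IdP account are all reported instead of being written, which is the point of not letting the application auto-match on email. The column name external_auth_id, the two sample data sets and the function names are assumptions for the demonstration; check the column name against your own schema before running anything like this.

```python
import sqlite3
from collections import Counter
from dataclasses import dataclass, field

# Assumption: the users table stores the IdP identifier in a column named
# external_auth_id (the thread calls it "external_id"); verify against your schema.
EXTERNAL_ID_COLUMN = "external_auth_id"

# Constructed sample data for the demonstration, not real accounts.
EXISTING_USERS = [
    (1, "testuser@mydomain.com", None),       # never logged in via SAML
    (2, "Alice@MyDomain.com", ""),            # empty string, mixed-case email
    (3, "bob@mydomain.com", "bob"),           # already populated and matches
    (4, "carol@mydomain.com", "old-carol"),   # populated with a different ID
    (5, "dave@mydomain.com", None),           # no account at the IdP
]

# (external id exactly as the IdP will send it, email) pairs exported from the IdP.
IDP_EXPORT = [
    ("testuser", "testuser@mydomain.com"),
    ("alice", "alice@mydomain.com"),
    ("bob", "bob@mydomain.com"),
    ("carol", "carol@mydomain.com"),
    ("eve", "eve@mydomain.com"),              # same email twice at the IdP:
    ("eve2", "eve@mydomain.com"),             # ambiguous, must not be matched
]


def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the relevant columns of the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, "
        f"{EXTERNAL_ID_COLUMN} TEXT)"
    )
    conn.executemany(
        f"INSERT INTO users (id, email, {EXTERNAL_ID_COLUMN}) VALUES (?, ?, ?)",
        EXISTING_USERS,
    )
    conn.commit()
    return conn


@dataclass
class Plan:
    updates: dict = field(default_factory=dict)     # user id -> external id to set
    unchanged: list = field(default_factory=list)   # already correct
    conflicts: list = field(default_factory=list)   # needs a human decision
    unmatched: list = field(default_factory=list)   # BookStack user absent at the IdP


def normalise(email: str) -> str:
    return email.strip().lower()


def plan_backfill(conn: sqlite3.Connection, idp_export) -> Plan:
    """Decide which users may safely receive an external ID, without writing anything."""
    plan = Plan()
    id_counts = Counter(ext_id for ext_id, _ in idp_export)
    email_counts = Counter(normalise(email) for _, email in idp_export)
    by_email = {}
    for ext_id, email in idp_export:
        if id_counts[ext_id] > 1 or email_counts[normalise(email)] > 1:
            plan.conflicts.append(("duplicate in IdP export", ext_id, email))
            continue
        by_email[normalise(email)] = ext_id

    rows = conn.execute(
        f"SELECT id, email, {EXTERNAL_ID_COLUMN} FROM users ORDER BY id"
    ).fetchall()
    for uid, email, current in rows:
        ext_id = by_email.get(normalise(email))
        if ext_id is None:
            plan.unmatched.append((uid, email))
        elif not current:                 # NULL or '': safe to populate
            plan.updates[uid] = ext_id
        elif current == ext_id:
            plan.unchanged.append(uid)
        else:                             # never silently overwrite a populated ID
            plan.conflicts.append(("existing id differs", uid, current, ext_id))
    return plan


def apply_backfill(conn: sqlite3.Connection, plan: Plan) -> int:
    """Write only the planned updates, re-checking the column is still empty. Returns rows changed."""
    with conn:  # one transaction; rolled back on error
        cur = conn.executemany(
            f"UPDATE users SET {EXTERNAL_ID_COLUMN} = ? WHERE id = ? "
            f"AND ({EXTERNAL_ID_COLUMN} IS NULL OR {EXTERNAL_ID_COLUMN} = '')",
            [(ext_id, uid) for uid, ext_id in plan.updates.items()],
        )
    return cur.rowcount


def external_ids(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute(f"SELECT id, {EXTERNAL_ID_COLUMN} FROM users").fetchall())


if __name__ == "__main__":
    db = open_sample_db()
    p = plan_backfill(db, IDP_EXPORT)
    print("would update:", p.updates, "conflicts:", p.conflicts, "unmatched:", p.unmatched)
    print("rows changed:", apply_backfill(db, p))
```

Review the conflicts list by hand before applying the plan on a real database: a user whose existing external ID differs from the IdP's value is exactly the case the application refuses to merge automatically, and the script keeps that decision with a person. Run it against a backup first, and against the real users table only inside a transaction you can roll back.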

ssddanbrown commented 3 years ago

Since there's been no continuation of this, I'll therefore close this off.

lupin3rd commented 2 years ago

I solved it with:

SAML2_EMAIL_ATTRIBUTE="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SAML2_EXTERNAL_ID_ATTRIBUTE="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
SAML2_DISPLAY_NAME_ATTRIBUTES="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

I found the attributes with:

APP_DEBUG=true
SAML2_DUMP_USER_DETAILS=true