cloudfoundry / uaa

CloudFoundry User Account and Authentication (UAA) Server
Apache License 2.0

Wrong attributeMappings in SAML? #1249

Open giva01121 opened 4 years ago

giva01121 commented 4 years ago

Hello, I want to use attributeMappings to map the incoming SAML information to the UAA attributes; unfortunately, the mapping section is not respected. No matter what I put, after redeploying CF the values retrieved from uaac user get name are not changing.

What version of UAA are you running?

"app version":"74.13.0"

How are you deploying the UAA?

I am deploying the UAA

What did you do?

I'm using ops file to add the attributes:

# add SIT Azure AD SAML provider
#
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/login/saml/providers?/
  value:
    nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    idpMetadata:
    showSamlLoginLink: true
    linkText: Log in with IDP
    metadataTrustCheck: false
    attributeMappings:
      given_name: givenname
      family_name: surname
      email: emailaddress
    groupMappingMode: AS_SCOPES

What did you expect to see? What goal are you trying to achieve with the UAA?

I'm expecting to see:

~:$ uaac user get john.doe@example.com
  name: John
    familyname: Doe
    givenname: John Doe
  emails: john.doe@example.com

What did you see instead?

~:$ uaac user get john.doe@example.com
  name
    familyname: example.com
    givenname: John.Doe
  emails: 

Please include UAA logs if available.
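As an added illustration (not UAA's code and not posted in this issue): a small model of how attributeMappings are applied to the attribute statement of an assertion, together with an email-derived fallback that is an assumption modelled on the output shown above. The constructed assertion uses the full-URI claim names that Azure AD emits by default, so the short names from the ops file match nothing unless the mapping is keyed on the full URI.

```python
from typing import Dict, List

# Constructed SAML attribute statement in the shape Azure AD emits by default:
# attribute Names are full claim URIs, not the short names used in the ops file.
AZURE_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAML_ATTRIBUTES = {
    AZURE_CLAIMS + "givenname": "John",
    AZURE_CLAIMS + "surname": "Doe",
    AZURE_CLAIMS + "emailaddress": "john.doe@example.com",
}
NAME_ID = "john.doe@example.com"  # constructed emailAddress-format NameID

# attributeMappings as written in the ops file (UAA field -> SAML attribute Name).
SHORT_MAPPINGS = {"given_name": "givenname", "family_name": "surname", "email": "emailaddress"}
# The same mappings keyed on the full claim URIs the IdP actually sends.
URI_MAPPINGS = {field: AZURE_CLAIMS + name for field, name in SHORT_MAPPINGS.items()}


def map_attributes(saml_attrs: Dict[str, str], mappings: Dict[str, str]) -> Dict[str, str]:
    """Apply attributeMappings: keep only UAA fields whose SAML attribute Name is present."""
    return {field: saml_attrs[name] for field, name in mappings.items() if name in saml_attrs}


def fallback_from_name_id(name_id: str) -> Dict[str, str]:
    """Assumed fallback, modelled on the output the reporter saw (not UAA's code):
    with no mapped names, split the email NameID into local part and domain."""
    local, _, domain = name_id.partition("@")
    return {"given_name": local, "family_name": domain, "email": ""}


def build_user(saml_attrs: Dict[str, str], mappings: Dict[str, str], name_id: str) -> Dict[str, str]:
    """Resolve the UAA user fields: mapped values if both names mapped, else the fallback."""
    mapped = map_attributes(saml_attrs, mappings)
    if "given_name" in mapped and "family_name" in mapped:
        return mapped
    return fallback_from_name_id(name_id)


def unmatched_mappings(saml_attrs: Dict[str, str], mappings: Dict[str, str]) -> Dict[str, List[str]]:
    """Diagnostic: for each mapping whose Name is absent from the assertion, list the
    attribute Names that end with it (usually the full-URI form of the same claim)."""
    return {
        field: [n for n in saml_attrs if n.endswith("/" + name)]
        for field, name in mappings.items() if name not in saml_attrs
    }
```

Running `unmatched_mappings` against a decoded assertion shows, per configured mapping, which attribute Name the IdP actually used, which is the first thing to check when `uaac user get` keeps returning email-derived names.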

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/172076402

The labels on this github issue will be updated when the story is started.

strehle commented 12 months ago

Is this still an issue? For Azure integration I recommend using the OIDC v2 integration, e.g. https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims-reference, because there the names and mappings are clear.