Open tuptaker opened 3 years ago
Hello @tuptaker. It looks like `role` is a string attribute. I'm not familiar with SAML, but I assume that in this case, you should specify some `groupsDelim` (`,` for example) to make `role` turn into an array. Could you try it?
Thanks @nabokihms I will give it a shot and report back. Much appreciated!
@tuptaker
First, try the SAML-Tracer browser plugin to figure out the correct `groupsAttr`. You might find something like this: `groupsAttr: http://schemas.xmlsoap.org/claims/Group`
Then you need to check if multiple groups are sent by your SAML IdP as separate entries or as a comma-separated list. In the second case you have to define the `groupSeparator`.
If you don't see the groups in SAML-Tracer, try adding the `groups` scope to your initial OpenID Connect auth request to dex.
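The two shapes of groups attribute described above (separate `AttributeValue` entries versus one delimited string) and the effect on an allowed-groups check, as an added example that is not part of the thread and not the dex project's own code. It models the behaviour of a SAML connector's `groupsAttr`, `groupsDelim` and `allowedGroups` settings; the assertion XML, the attribute name and the group names are constructed sample data, and the function names are this example's own.

```python
"""Added example (not from the dex project or the issue thread): a small model
of how a SAML-based connector turns the groups attribute of an assertion into
a list, with and without a delimiter, and then applies an allowedGroups check.
All XML, attribute names and group names below are constructed sample data."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute name (the kind of value SAML-Tracer would reveal).
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed assertion: groups arrive as separate AttributeValue elements.
ASSERTION_SEPARATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion: the IdP packs all groups into one comma-separated string.
ASSERTION_DELIMITED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>admins,developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return the raw AttributeValue texts of the attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            values.append((value.text or "").strip())
    return values


def extract_groups(assertion_xml, groups_attr, groups_delim=""):
    """Model of groupsAttr + groupsDelim: collect the attribute's values and,
    when a delimiter is configured, split each value on it."""
    groups = []
    for value in attribute_values(assertion_xml, groups_attr):
        if groups_delim:
            groups.extend(g.strip() for g in value.split(groups_delim) if g.strip())
        elif value:
            groups.append(value)
    return groups


def is_allowed(groups, allowed_groups):
    """Model of allowedGroups: an empty list means no restriction; otherwise the
    user must belong to at least one of the listed groups."""
    if not allowed_groups:
        return True
    return any(g in allowed_groups for g in groups)


if __name__ == "__main__":
    allowed = ["admins"]
    # Without a delimiter the packed value "admins,developers" never equals
    # "admins", so a correctly configured allowedGroups still denies the login.
    packed = extract_groups(ASSERTION_DELIMITED, GROUP_ATTR)
    print(packed, "->", is_allowed(packed, allowed))
    split = extract_groups(ASSERTION_DELIMITED, GROUP_ATTR, ",")
    print(split, "->", is_allowed(split, allowed))
```

Running the block shows the failure mode from the thread: with the delimited assertion and no delimiter configured, the single value `admins,developers` does not match `admins` and the user is denied; setting the delimiter to `,` yields two groups and the same allowed-groups list admits the user. A wrong `groupsAttr` name yields no groups at all, which also denies everyone once `allowedGroups` is set.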
Hi all, my team is trying to use the groupsAttr and allowedGroups connector config properties to control which users from an organization can log in. Unfortunately, it seems like no one is allowed to log in with this setup, and we were trying to figure out what might be wrong with our connector config. Can someone have a look and let us know what we might be missing or if we've specified something incorrectly in the config? Here's the yaml for the connector config:
And here's the logging from dex when a user from this organization tries to login: