From: Krzysztof B. <kb...@un...> - 2020-04-22 16:38:44
Hi,

On 22.04.2020 at 17:35, D Baum wrote:
>> 2. In order to trigger the "unknown remote user" flow, make sure _not
>> to auto create_ a user using input profile. I.e. if you use in your
>> profile mapIdentity action with CREATE_OR_MATCH, this flow will be
>> never triggered, as profile will either match with the existing user
>> or create a local account for the remote one and match to it. I guess
>> this is your problem from "as a side note".
> OK, so now I've got this in my input translation profile:
> mapIdentity
> unityIdentityType: identifier
> expression: 'remote-' + attr['username']
> credential requirement: Password requirement
> effect: UPDATE_OR_MATCH
>
> In my remote SAML facility config, I've selected the external
> registration form I've created and disabled account association. The
> registration form collects identities 'identifier' 'From remote IdP and
> shown RO' and 'userName' from user input (so hopefully a user can choose
> a local username on registration).
>
> I still never get to see the registration dialog. In the logs, unity
> complains:
> unity.server.externaltranslation.InputTranslationEngineImpl: Identity
> MappedIdentity [mode=UPDATE_OR_MATCH, identity=[identifier]
> remote-dbaum, credentialRequirement=Password requirement] not found in
> DB, details of exception follows
> pl.edu.icm.unity.exceptions.UnknownIdentityException: Entity
> [identifier] remote-dbaum is unknown
>
> On the GUI, unity complains:
> The remote authentication was successful, however your identity is not
> accepted by the local service. Please contact administrators or try to
> register first.
>
> Pretty much the same thing happens for mode=MATCH.
>
> What do I need to do to put users into the remote registration flow? I'm
> guessing my input translation profile isn't doing the right thing?

Hah, I forgot about case (d): you can also fail authentication in case of an unknown remote user :-)

You haven't shared a more complete log, so I can't say for sure, but it seems that your profile is fine: it maps remote user "dbaum" onto a local identifier with the value "remote-dbaum". This identity is not in the DB, so the unknown remote user flow should be triggered (if I could see a log around the end of profile execution and just after it, I would be sure).

So two things to ensure, both in your remote authenticator config:

1. That you have enabled account association. For OAuth it is a setting of an authenticator. For SAML you can have a default setting, and also overwrite it per each trusted IdP. For LDAP there is one setting (see Interactive Login settings).

2. That you have configured which registration form should be presented to unknown remote users. For SAML authenticators as above: you can set one for the authenticator, and also overwrite it per IdP. For OAuth authenticators it is set per provider (the first option in the Advanced section). For LDAP it sits next to linking.

HTH, if not please provide the debug log from the input profile on.

>> Also note that there are also other options,
>> much different. E.g. you can create a registration form, using
>> remote credential. So you can guide users to register using remote
>> identity. This is more typical path, as you can instruct user more
>> clearly what happens, is more often used than the "unknown remote
>> user flow", in which users have to try to authenticate even when they
>> don't have any account/haven't accessed your service yet. This may be
>> puzzling for some, who will search for "sign up" instead of trying to
>> "sign in".
> So the difference is what? You get all remote users to register and
> afterwards they can manually associate their remote and local accounts?

Yes. If 90% of users register, then showing some "link account" option will only puzzle them. And those 10% can be instructed that they can go to the account association endpoint to perform linking (can also be done from the home UI).

Cheers,
Krzysztof
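As an added illustration of the logic discussed in this thread (a constructed model, not Unity's own code): how a mapIdentity action's effect mode together with the authenticator's account-association and registration-form settings decides whether a remote login is matched, auto-created, sent into the unknown remote user flow, or fails. The expression evaluator is a stand-in for Unity's MVEL and only handles concatenation of quoted literals with attr['...'] lookups; the function names and return shape are assumptions.

```python
import re
from enum import Enum

# Constructed model of the flow discussed above; not Unity's implementation.
class Effect(Enum):
    CREATE_OR_MATCH = "CREATE_OR_MATCH"
    UPDATE_OR_MATCH = "UPDATE_OR_MATCH"
    MATCH = "MATCH"

ATTR_RE = re.compile(r"attr\['([^']+)'\]")

def eval_identity(expression, attrs):
    """Stand-in for MVEL: evaluates 'literal' + attr['name'] concatenations only."""
    parts = []
    for term in expression.split("+"):
        term = term.strip()
        m = ATTR_RE.fullmatch(term)
        if m:
            parts.append(str(attrs[m.group(1)]))      # remote attribute lookup
        elif len(term) >= 2 and term[0] == term[-1] == "'":
            parts.append(term[1:-1])                  # quoted string literal
        else:
            raise ValueError(f"unsupported MVEL term: {term!r}")
    return "".join(parts)

def resolve_login(expression, attrs, effect, local_identities,
                  account_association=False, registration_form=None):
    """Return (outcome, mapped_identity, offered_options).

    local_identities: set of 'identifier' values already in the local DB;
    a CREATE_OR_MATCH auto-creation is recorded there.
    """
    ident = eval_identity(expression, attrs)
    if ident in local_identities:
        return "matched", ident, ()
    if effect is Effect.CREATE_OR_MATCH:
        local_identities.add(ident)          # auto-created: the flow never triggers
        return "created", ident, ()
    # UPDATE_OR_MATCH / MATCH with an unknown identity: this is the point where
    # the log shows UnknownIdentityException; the authenticator settings decide.
    options = []
    if registration_form:
        options.append(f"register:{registration_form}")
    if account_association:
        options.append("associate")
    if not options:
        return "failed", ident, ()           # case (d): plain authentication failure
    return "unknown_remote_user", ident, tuple(options)
```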