Help with SSO configuration and mapping

Hi,

We are setting up SSO and I’m guessing that we have reached the final line successfully, but … :slight_smile:
Even if I’m successfully authenticated, I get redirected to “Create a new Indico profile”, where my e-mail address is populating the form while I’m supposed to provide my “First Name”, “Last Name” and “Affiliation”.
My guess is that this info should come from IdP but somehow is ignored. Correct?

I’m guessing it is a mapping problem in indico.config file, i.e.

'mapping': {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
    'affiliation': 'company',
    'phone': 'telephoneNumber'
},

or maybe something else that I’m missing.

Thanks in advance,
Dejan

Does your LDAP IdP provide this data? In the fields you specified there?

Even if I’m successfully authenticated I get redirected to “Create a new Indico profile”

That’s correct if there is no indico profile yet that is either directly linked to the unique identifier coming from the IdP or has a matching email address.

PS: Please provide your full auth/identity provider config (censor secrets though), not just parts of it…

Thanks TM!
I was just assuming that First and Last Name would come from IdP during the creation of new Indico profile.

In this case, all good.
Cheers

Yes, they should be prefilled on that page, so the user only needs to make changes in case something isn’t ideal (e.g. multiple first names but the user only wants to use one of them).

Ok. Then I was guessing right.

So that means that I need to match my IdP provider’s (Shibboleth) attributes in that snippet of configuration code (the ‘mapping’ part), in order to pre-fill them?

There is no LDAP involved; we are using Shibboleth, and now I’ll try to sort out why these fields are not pre-filled. I’m guessing we are using wrong values somewhere (attrs_prefix, affiliation, first_name, …).
But we get mail pre-filled, which is a good start :slight_smile:

Is there a good way to debug this?

Thanks again.

AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Chalmers Tekniska Högskola',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth',
    },
    'shib-sso-ds': {
        'type': 'shibboleth',
        'title': 'Other University',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth-ds',
    }
}
 
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'subject-id',
        'mapping': {
            'affiliation': 'schacHomeOrganization',
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'phone': 'ADFS_PHONENUMBER',
        },
        'trusted_email': True
    },
    'shib-sso-ds': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'subject-id',
        'mapping': {
            'affiliation': 'schacHomeOrganization',
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'phone': 'ADFS_PHONENUMBER',
        },
        'trusted_email': True
    }
}

You’re using Shibboleth, so check your attribute mapping XML file. By default, only attributes starting with the attrs_prefix, which defaults to ADFS_, are passed to the identity provider. But I see you removed that, so if the attribute is really passed with the names you used there, it should be fine.

I think we convert everything to lowercase, but just in case, try using all-lowercase attribute names.
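
One way to approach the debugging question above, as an added example that is not part of the original thread and is not Indico or Flask-Multipass code: it models the prefix filter described in the reply and reports, for each mapped field, whether the configured attribute name actually arrives. The function name, the status labels and the sample request environment are constructed for illustration; the mapping is the one posted in the thread.

```python
# Added example: a model of the behaviour described in the reply, not library code.

def diagnose_mapping(environ, mapping, identifier_field, attrs_prefix='ADFS_'):
    """Return {profile_field: (status, attribute_name_seen)}.

    Statuses: 'ok', 'empty', 'dropped-by-prefix', 'case-mismatch', 'missing'.
    """
    # Only string-valued variables can be IdP attributes (skips wsgi.* objects).
    received = {k: v for k, v in environ.items() if isinstance(v, str)}
    # Per the reply: only attributes starting with attrs_prefix are passed on.
    passed = {k: v for k, v in received.items() if k.startswith(attrs_prefix)}
    by_lower = {k.lower(): k for k in received}

    wanted = dict(mapping, identifier_field=identifier_field)
    report = {}
    for field, attr in wanted.items():
        if attr in passed:
            report[field] = ('ok' if passed[attr].strip() else 'empty', attr)
        elif attr in received:
            report[field] = ('dropped-by-prefix', attr)
        elif attr.lower() in by_lower:
            report[field] = ('case-mismatch', by_lower[attr.lower()])
        else:
            report[field] = ('missing', None)
    return report


# Constructed sample of what a Shibboleth-protected request might expose.
SAMPLE_ENVIRON = {
    'REQUEST_METHOD': 'GET',
    'subject-id': 'user1@example.org',
    'mail': 'user1@example.org',
    'givenname': 'Ada',   # name differs in case from the configured 'givenName'
    'sn': '',             # attribute released but empty
    'schacHomeOrganization': 'example.org',
}
MAPPING = {  # the mapping posted in the thread
    'affiliation': 'schacHomeOrganization',
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
    'phone': 'ADFS_PHONENUMBER',
}

if __name__ == '__main__':
    result = diagnose_mapping(SAMPLE_ENVIRON, MAPPING, 'subject-id', attrs_prefix='')
    for field, (status, seen) in result.items():
        print(f'{field:17} {status:18} {seen}')
```

A field that reports anything other than `ok` explains an empty box on the profile creation form; a non-`ok` status for `identifier_field` means the identity cannot be linked to an existing profile by its unique identifier.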

Thanks for the support, now the problem is solved.

Solution: Upgrading from 3.2.9 to 3.3.1
