Shibboleth users lost access after migrating from v1.2 to 2.2

penelopec · May 4, 2020, 4:33pm

After migrating to from v1.2 to v2.2.8, users who only had Shibboleth accounts, are asked to create an account upon login but the new account is not associated with any of the permissions they had for categories and events on v1.2.
Is there a way that I can associate Shibboleth email with the permissions access instead of the ID?

This is my setup for SSO:

# SSO
AUTH_PROVIDERS = {
    'shib-sso': {
          'type': 'shibboleth'
        , 'title': 'Fermilab SSO'
        , 'attrs_prefix': 'SSO_'
        , 'callback_uri': '/login/shib-sso/shibboleth'
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fermilab SSO',
        'identifier_field': 'SSO_USERID',
        'mapping': {
                     'email': 'SSO_EMAIL',
                     'login': 'SSO_USERID',
                     'personId': 'SSO_USERID',
                     'last_name': 'SSO_NAME_LAST',
                     'first_name': 'SSO_NAME_FIRST'
                    },
        'trusted_email': True
        }
   }

ThiefMaster · May 4, 2020, 4:57pm

Indico always matches emails even if the identifier (sso_userid) doesn’t match… so it’s very strange that that are asked to create new accounts instead of getting the prompt to associate their existing account…

penelopec · May 4, 2020, 5:27pm

The account was a Shibboleth account. In the permissions the person’s email was already present, yet he could not access the category or the event.
When I looked at the user account, the creation date was today’s day.

ThiefMaster · May 4, 2020, 5:29pm

The interesting question would be where his correct account is. Maybe he had a different email there but it worked in the past because once an account is linked to a login method the email doesn’t matter?

In any case, once you found the account and know it’s the same user, just merge them…

penelopec · May 4, 2020, 6:44pm

I did check the email and is exactly the same as in the newly created account.
I will look in the database and see what exists there just in case I have missed something

penelopec · May 4, 2020, 7:13pm

When I look at the database I see the following:

The top entry is the one created today. The other two are the ones migrated from v1.2 but are marked are deleted for some reason.
Also, there are no identities for this person.
I do not understand how he managed to create two indico accounts with the same email in indico v1.2 and why the migration process marked both accounts as deleted.
How can I merge these accounts as I do not see them in the indico interface?

penelopec · May 4, 2020, 8:27pm

I edited the database and changed the e-mail entries for the two deleted accounts to be different (pen1@fnal.gov, pen2@fnal.gov) and made the deleted flag on the emails and users to false. Then I was able to see the accounts on the interface and merged them.
The user tested his access and it is working fine.
Not the most elegant solution, but it worked.

ThiefMaster · May 4, 2020, 9:00pm

This happens exactly when you have the problem of multiple users with the same email in the legacy database:

github.com

indico/indico-migrate/blob/master/indico_migrate/steps/users_groups.py#L345


      
                  'force_timezone': avatar.displayTZMode == 'MyTimezone',
                  'show_past_events': show_past_events,
              }
          
              unlocked_fields = {SYNCED_FIELD_MAP.get(field) for field in getattr(avatar, 'unlockedFields', [])} - {None}
              if unlocked_fields:
                  settings['synced_fields'] = list(set(SYNCED_FIELD_MAP.viewvalues()) - unlocked_fields)
          
              return settings
          
          def _fix_collisions(self, user, avatar):
              is_deleted = user.is_deleted
              # Mark both users as deleted if there's a primary email collision
              coll = self.global_ns.users_by_primary_email.get(user.email)
              if coll and not is_deleted:
                  if bool(avatar.identities) ^ bool(coll.identities):
                      # exactly one of them has identities - keep the one that does
                      to_delete = {coll if avatar.identities else user}
                  else:
                      to_delete = {user, coll}
                  for u in to_delete:

The code tries to keep the one with identity information (ie accounts like shibboleth or ldap), but if that’s not possible both of them are deleted (that’s the problem with garbage data… you cannot really do much more than throwing it away :/)

Your way of fixing it manually by undeleting the user and their email entry and then merging was a good idea! It’s the solution that a human can easily do for specific case, but a migration script migrating ten thousands of users can’t

penelopec · May 4, 2020, 9:07pm

Thank Adrian! I imagined thatt was the case and this is what I told the user (two accounts with the same email is not allowed).
I am glad that the way I fixed the issue is acceptable as I was not able to find any other way of doing it fast. The only small glitch I had was that the new interface has the reverse order (primary, secondary) from v1.2… and I had to change which email is the primary one, very easy in this version, just click a button!!
Thank you for looking into this.

snapd · December 1, 2022, 9:00am

Hi @penelopec were you able to resolve this? I have a similar issue