SAML module only works when using username as principal

2
When I use the latest version of the SAML module from the app store I run into the following issue. When configuring the principal to match anything other than username, logging in fails with an NPE. This makes sense when looking at the code in SessionManager.java on line 341:

IUser newuser = Core.getUser(mxContext, principalValue);
SAMLSessionInfo samlSessionInfo = new SAMLSessionInfo(mxSAMLAssertion, entityId, config, newuser);

This tries to retrieve a user where their username is equal to the principalValue, which of course won't work (or even worse, retrieve the wrong user) when using anything other than username in your SSO config. I am mostly creating this post so it might show up in Google when people run into the same problem. If someone in a position to fix this would read this, that would be even better :).
asked
2 answers
1

With the latest version you should be able to use different fields for the user name.

As you see in the code, the module uses a 'principalValue' (SAML term); this is whichever field you have chosen in the IdP configuration, and the module will match that against any other Mendix attribute value previously in the code. The module uses a two-step approach:

When receiving the SAML response, the module looks in the response and looks up the field that you have chosen as the 'principal field'; let's say we use the phone number of the person.
A few steps later the module executes an XPath query and searches for the entity that you have selected, with a constraint on the attribute and the value of the principal field.
For example: //Admin.Account[phoneNr='+18578578578']

Based on the account that has been found (or created), during the next step the module will look up the value of the System.User.Name attribute. We need this since we are using standard session management from the platform, and that needs the System.User.Name for sign-in and lookup.


Once we have the System.User.Name we store that in the 'principalValue' attribute, look up the user information and start the session.


You should be able to use any attribute, as long as you use an entity that inherits from System.User. If you are having trouble with that, can you give a bit of clarification on your SAML setup?
In your question you are referring to an NPE? In case this isn't a typo, you cannot sign in with user information in an NPE. The module uses the standard user/session management functions, and that only works if there is a record in the System.User table.

answered
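The two-step lookup described in this answer, written out as an added illustration. This is not the module's own code and not an excerpt of SessionManager.java; it assumes the Mendix Core API calls Core.retrieveXPathQuery and Core.getUser with the signatures shown, and uses the entity and attribute names Admin.Account and phoneNr from the example above as inputs:

```java
import java.util.List;

import com.mendix.core.Core;
import com.mendix.core.CoreException;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.IMendixObject;
import com.mendix.systemwideinterfaces.core.IUser;

// Added example (not module code): resolve a SAML principal value to a platform
// user by first matching the configured entity/attribute, then System.User.Name.
public final class PrincipalLookupExample {

    private PrincipalLookupExample() {}

    // entityName:     the System.User-derived entity from the SSO config, e.g. "Admin.Account"
    // attributeName:  the attribute matched against the principal, e.g. "phoneNr"
    // principalValue: the value taken from the SAML assertion, e.g. "+18578578578"
    // Returns null when no single account matches (assumed policy for this example).
    public static IUser lookupUser(IContext context, String entityName,
                                   String attributeName, String principalValue)
            throws CoreException {
        // Step 1: find the account whose configured attribute equals the principal value.
        // Fail closed on quote characters so the assertion value cannot alter the constraint.
        if (principalValue == null || principalValue.indexOf('\'') >= 0) {
            return null;
        }
        String xpath = "//" + entityName + "[" + attributeName + "='" + principalValue + "']";
        List<IMendixObject> matches = Core.retrieveXPathQuery(context, xpath);
        if (matches.size() != 1) {
            // No match, or more than one: the principal attribute must identify one account.
            return null;
        }

        // Step 2: read System.User.Name from the matched account. Platform session
        // management keys on this name, not on the principal attribute itself.
        String userName = matches.get(0).getValue(context, "Name");
        if (userName == null) {
            return null;
        }
        return Core.getUser(context, userName);
    }
}
```

Passing the principal value straight to Core.getUser, as in the snippet quoted in the question, skips step 1 and only works when the configured attribute happens to be the username.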
0

Did you file a support ticket? Because that is the most sure way that Jasper van der Hoek will fix this :)

Regards,

Ronald


answered