SAML - UPNs and Email Don't Match


cwaters


Hi everyone,

 

We're trying to take advantage of using SAML with Azure SSO (and Azure MFA) but are encountering some issues with the user mapping. I followed the guide from the Security Admin Manual. Our userprincipalnames don't match our email and that may be part of the issue. SAML is "working" based on the error we get but I'm not sure where to go from here (Error 1). I've also tried re-mapping the SAML token attributes on the Azure SSO side so that the emailaddress was the user.userprincipalname value and various combinations, but anything other than the User Identifier as user.userprincipalname and the other defaults for the token fails with an unresolved error (Error 2). Also, I previously set up normal LDAPS auth and may be experiencing a conflict in usernames but I'm just not sure. Thoughts/suggestions? Thanks.

 

Error 1:

Access Denied

 User Not Found in Passwordstate

 

It appears your account has successfully authenticate to the SAML Identity Provider, but the email address returned was not found in the Passwordstate database. 

Below is the email address returned, and you will need to ask you SAML Provider Administrator to ensure the email address recorded for your account in Passwordstate, matches the email address recorded for your account on the SAML Provider's web site. 

Email Address
nobody@redacted.upn  <--this was a UPN not an email address

 

Error 2:

Server Error in '/' Application.

Runtime Error

Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated. 

 


Hi cwaters,

 

Sorry you're having some issues with this. The return value from any SAML provider must be the email address of the user in Passwordstate - this is what we use to validate who the user is. Based on what you're saying, it seems like the user.mail attribute in AD does not match the user's email address in Passwordstate - is that correct?

 

Unfortunately this is what's required for our SAML authentication to work. Let me know if this is possible or not.

Regards

Click Studios


Thanks for the response. I was able to get this to work and it appears it actually had to do with the IIS setting for Anonymous access needing to be enabled. I should have kept better notes on my testing but I believe that was the change that enabled this to work as expected for me. I'll try to test again to confirm that.

 

With SAML 2, is it not the case that you can choose which attributes can be used for the Name Identifier? Maybe a feature request would be to allow this to be configurable on the Passwordstate side (it is on the Azure SSO side). A current use case is for administrative accounts (generally used for elevated access) that don't have an email address associated with them (in AD, as an example). In this case, the UPN would be better than email as an identifier.


Hi cwaters,

 

We could possibly look at a feature request for you for this. So at the moment, we are using the email address as a unique identifier, as this should be unique in the UserAccounts table. If we were not to use this, what other field would be unique which we could use? The only one I can think of is UserID, which maps to samAccountName in Active Directory - not sure if this is appropriate for you?

Regards

Click Studios


In our case, because we have a hybrid traditional on-premises AD with integration to Azure AD (not an uncommon situation, I would wager), UPN still seems like the best fit. I would suggest that the change would be to allow the user to simply change the default for that specific attribute (Name Identifier). That way, if a user doesn't actually have an email address, there is still a value to match against. I'm not sure if that makes sense or not, or perhaps I misunderstand how the SAML is supposed to work.

 

We have a workaround by adding a bogus email address on the AD side, but it seems like a hack.

 

Thanks for the support.


Hi cwaters,

 

In the case where your users do not have an email address, what would the format/value of the UPN you pass back to Passwordstate be? Would it match the samAccountName in Active Directory? The only two unique fields we have in the database to identify a user are email address and samAccountName.

Regards

Click Studios


The format is user@domain. In this case, the domain is not the same as the email domain. I believe that most of what MS does in this area is here:

 

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

 

I found this note on the page:

The “UserPrinciplName” value must match the value that you will send for “IDPEmail” in your SAML 2.0 claim and the “ImmutableID” value must match the value sent in your “NameID” assertion.

 

I'll ask my admins how we have this implemented specifically, as it may help clarify this. Since I understand the behavior, we have a workaround, but I'll take a look at these parameters in Azure AD and see how they would map out.
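As an added example (not Passwordstate's or Click Studios' code), here is the user-resolution step the thread is about, written in Python: a constructed assertion in which the IdP puts the UPN into the emailaddress claim is resolved first by the vendor's fixed email rule, which produces exactly the "User Not Found" outcome of Error 1, and then by an assumed, configurable UPN column that the product does not have today. The claim URIs are the standard Azure AD defaults; the UserAccounts rows and the `UPN` column are constructed for the example.

```python
# Added example, not Passwordstate's code: parse a SAML assertion and resolve the
# user by the fields the thread says are unique (email, or an assumed UPN column).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed, unsigned sample mirroring Error 1: the emailaddress claim and the
# NameID both carry the UPN, because the admin account has no mail attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">nobody@redacted.upn</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>nobody@redacted.upn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the UserAccounts table; "UPN" is an assumed extra column.
USER_ACCOUNTS = [
    {"UserID": "corp\\nobody.admin", "Email": "", "UPN": "nobody@redacted.upn"},
    {"UserID": "corp\\jdoe", "Email": "jdoe@example.com", "UPN": "jdoe@corp.local"},
]

def parse_assertion(xml_text):
    """Return (NameID value, {claim name: value}). Signature, audience and
    validity-window checks must already have passed before this point."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return (name_id.text or "").strip(), attrs

def resolve_user(xml_text, identifier="email"):
    """'email' is the vendor's current fixed rule; 'upn' is the option cwaters
    asks for. Returns the single matching account, or None (User Not Found)."""
    name_id, attrs = parse_assertion(xml_text)
    if identifier == "email":
        value, field = attrs.get(EMAIL_CLAIM, ""), "Email"
    else:
        value, field = attrs.get(UPN_CLAIM, name_id), "UPN"
    if not value:  # an empty identifier must never match an account with no email
        return None
    matches = [u for u in USER_ACCOUNTS if u[field].lower() == value.lower()]
    return matches[0] if len(matches) == 1 else None  # ambiguity is also a failure
```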

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
