Saml Source Enrollment and Authentication #7874
Unanswered
breagan1983
asked this question in
Q&A
Replies: 1 comment
-
Hi @breagan1983 I currently have difficulties also with an external SAML source. When a user is authenticated using the external SSO source, then Authentik generates an error instead of importing the user to the local database. I did not find useful documentation about the external SAML response fields Authentik is looking for.
-
tl;dr Question: At what authentication stage should someone bind an expression policy to map updated SAML attributes from the IdP? E.g. Group Memberships
What's working - Enrollment Flow
I have the enrollment flow working with our campus shibboleth based SAML IdP, by binding an expression policy to the default-source-enrollment-prompt stage to map the attributes to the Authentik User model... I was able to work through this by enabling Execution logging on an expression policy I called logger-policy that just returns true, and figuring out where the message data from the SAML response was being stored at the time.
What I can't figure out - Authentication Flow
What I'm struggling with is at what point in the Authentication flow is it processing the SAML source message from the IdP when it determines the user already exists.
I used the same logger-policy as a pre-flow policy, both before and after the default-source-authentication-if-sso policy, as well as bound policies before and after the default-source-authentication-login stage. I can't find it now, but I recall somewhere in the overall logic a check for authentik_core:if-user ... is it possible, and is that where, an expression policy should be bound to upsert any SAML attribs? Many thanks,
-Bryan
P.S.> To all the authors and contributors to this project, to use brevity for emphasis... thank you. We're trying to sell our leadership time on using Authentik as a foundational service to our internal and external facing tools, and having the on-prem free open-source version has been critical to getting a MVP online and cost-justify the enterprise licensing down the road.
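The post describes mapping IdP-supplied SAML attributes (such as group memberships) onto the local user from an expression policy. The following is an added example, not code from the discussion or from the authentik project, showing the mapping logic such a policy needs regardless of which stage it ends up bound to: it tolerates single-valued versus multi-valued SAML attributes, only grants groups from an explicit allowlist (so an unexpected claim from the IdP cannot confer a privileged local group), and only removes groups the IdP is declared to manage (so locally assigned groups survive a re-login). The context dict, the `prompt_data` key, the `isMemberOf` attribute and all sample values are assumptions constructed for the example; inside authentik the dict would be whatever `request.context` holds at the stage the post identifies via execution logging.

```python
"""Hypothetical SAML attribute-to-group mapping helper.

Added example, not from the discussion or the authentik project. It assumes
the SAML source has already placed the IdP attributes in a dict under a key
named ``prompt_data`` (assumed name) in the flow context.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of a flow context after a shibboleth-style SAML login.
SAMPLE_CONTEXT = {
    "prompt_data": {
        "username": "bryan",
        "email": "bryan@example.edu",
        "isMemberOf": ["cn=staff,ou=groups,dc=example,dc=edu",
                       "cn=it-admins,ou=groups,dc=example,dc=edu",
                       "cn=authentik Admins,ou=groups,dc=example,dc=edu"],
        "eduPersonAffiliation": "staff",
    }
}

# Groups the IdP is allowed to grant, and groups whose membership the IdP owns.
# Anything the IdP sends outside ALLOWED is ignored rather than created.
ALLOWED_GROUPS = {"staff", "faculty", "it-admins"}
IDP_MANAGED_GROUPS = {"staff", "faculty", "it-admins", "alumni"}


def as_list(value) -> List[str]:
    """SAML attributes arrive as a string or a list; normalise to a list of str."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [str(value)]


def extract_groups(context: Dict, attr: str = "isMemberOf",
                   prefix: str = "cn=",
                   allowed: Optional[Iterable[str]] = None) -> List[str]:
    """Pull group names out of a DN-style multi-valued attribute.

    Only the first RDN is used (``cn=staff,ou=...`` -> ``staff``). When an
    allowlist is given, names outside it are dropped.
    """
    data = context.get("prompt_data") or {}
    allowed_set = set(allowed) if allowed is not None else None
    groups = []
    for raw in as_list(data.get(attr)):
        name = raw.split(",", 1)[0].strip()
        if name.startswith(prefix):
            name = name[len(prefix):]
        if allowed_set is not None and name not in allowed_set:
            continue
        groups.append(name)
    return sorted(set(groups))


def plan_group_changes(current: Iterable[str], desired: Iterable[str],
                       managed: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove).

    Additions are everything desired that the user lacks; removals are limited
    to IdP-managed groups so locally assigned groups are never stripped.
    """
    cur, des = set(current), set(desired)
    to_add = sorted(des - cur)
    to_remove = sorted((cur - des) & set(managed))
    return to_add, to_remove


def evaluate(context: Dict, current_groups: Iterable[str]):
    """What an expression policy body would compute before touching the user."""
    desired = extract_groups(context, allowed=ALLOWED_GROUPS)
    to_add, to_remove = plan_group_changes(current_groups, desired,
                                           IDP_MANAGED_GROUPS)
    # A policy returns a bool; the planned changes are what it would apply.
    return True, to_add, to_remove


if __name__ == "__main__":
    print(evaluate(SAMPLE_CONTEXT, ["staff", "alumni", "local-admins"]))
```

Note that "authentik Admins" in the constructed sample is deliberately not in the allowlist, so it is never granted even though the IdP asserted it; mapping privileged local groups should be an explicit decision in the policy, not a side effect of whatever the IdP sends.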