Hi *,
We are currently introducing the FirstSpirit SAML Login Module. With our setup we want to create and update users with the SAML attributes.
Creating users works as we expect, which means the mapping is correct. What does not work is an update in case user info stored in FirstSpirit differ from the SAML attributes.
At the moment we apply the following setting in the fs-saml-config:
# Create or update user from the SAML attributes (true)
# Authenticate existing FirstSpirit user only (false)
import.user=true
According to the comment in the config this setting should consider creation and update. Do we miss some additional config which probably is not documented?
Bye
Rolf
Hello Rolf,
I am not sure if I understand this correctly.
Is this about a user that was created with FirstSpirit and should now log in via SAML? If so, have you checked the "external user" option for this user? Otherwise the user is an internal user, whose attributes are defined within FirstSpirit.
Or is it about attributes not changing after the user has been created after his first SAML login?
And if so, have the attributes been created correctly when the user was created? If not, the SAML configuration for the corresponding attributes is probably not correct. (Server properties->Modules->FirstSpirit SAML/saml-config->Configure).
Best regards
Holger
Hi Holger,
It is about an external user logging in for the first time via SAML. The user is correctly created with all information from the attribute-mapping + external flag.
When user information in the AD changes (e.g. the user gets a new email address) and the user logs in via SAML again, the changed information is not updated on the persisted user in FirstSpirit.
But when removing the persisted user, another SAML login creates a new user with the updated values.
My question: Aren't the user attributes expected to be updated with every login?
Best regards
Rolf
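To make the expected behaviour described above concrete, here is an added example (not FirstSpirit's or the SAML module's code): it parses a constructed SAML AttributeStatement, diffs it against a persisted user record, and models the create-or-update semantics the import.user comment describes. The attribute names, the mapping and the sync_user logic are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, as an IdP might send it after the user's
# e-mail address changed in the directory. Attribute names are illustrative.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>rolf</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>rolf.new@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Rolf Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical attribute mapping: SAML attribute name -> user field.
MAPPING = {"uid": "login", "mail": "email", "displayName": "name"}


def parse_attributes(xml_text):
    """Collect Attribute Name -> value(s) from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def diff_user(stored, attrs, mapping=MAPPING):
    """Return {field: (old, new)} for mapped fields whose stored value differs."""
    changes = {}
    for saml_name, field in mapping.items():
        if saml_name in attrs and stored.get(field) != attrs[saml_name]:
            changes[field] = (stored.get(field), attrs[saml_name])
    return changes


def sync_user(stored, attrs, import_user, mapping=MAPPING):
    """Assumed semantics: import_user=True creates a missing user or applies the
    diff to an existing one; import_user=False only authenticates an existing user."""
    if stored is None:
        if not import_user:
            return None, {}
        created = {f: attrs[n] for n, f in mapping.items() if n in attrs}
        created["external"] = True  # user originates from the IdP
        return created, {f: (None, v) for f, v in created.items()}
    user = dict(stored)  # never mutate the caller's record
    changes = diff_user(user, attrs, mapping) if import_user else {}
    for field, (_, new) in changes.items():
        user[field] = new
    return user, changes
```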
Hello Rolf,
Since the import of a new user is working, the import-user flag within the SAML configuration should be true.
This flag also defines if user information should be updated during a login.
In this respect, the described behavior sounds like a bug to me.
However, the mention of AD makes me a bit suspicious. Is the AD information transmitted via the SAML protocol, or is there also an LDAP login module via which the information is fetched?
And is it possible that different login modules are used for new logins than for updates? This can be determined by switching the logging to DEBUG and then comparing the corresponding log outputs of both possibilities.
Overall, though, it sounds to me like this is a case for TechSupport. Please post an appropriate request there so that the problem can be analyzed cleanly. Further analysis will probably also require information that should not be visible in the community...
Best regards
Holger
Hi Holger,
Yes, the AD information is transmitted via the SAML protocol. No LDAP login module is in place. I had another call with the responsible person and we will try to reproduce this issue to describe all details.
In case we figure out it is no issue on our side, I will contact the TechSupport.
Thanks a lot for the quick response
Rolf