We're using IBM Security Verify. Shouldn't there be a list of attribute names in the Guacamole documentation that the SAML IdP should be sending over? Do you have a list of attribute names I should be sending?
On Thu, Nov 24, 2022 at 1:40 PM Michael Jumper <[email protected]> wrote:

> On Thu, Nov 24, 2022, 10:27 AM Timothy Dilbert <[email protected]> wrote:
>
>> Hi Michael,
>>
>> I've checked everything I can within the IdP.
>
> Which IdP are you using?
>
>> - I'm already sending the email address as the Name ID.
>
> Perhaps so, but your IdP appears to not be honoring that setting, and is instead sending a UUID-like value. If it were sending the email address as the name ID, then that's what you'd see in Guacamole.
>
>> - I've even tried selecting "Send all known attributes" but I am getting the following error in Tomcat:
>> ```
>> Unexpected internal error: Duplicate key SAML_GIVEN_NAME
>> ```
>
> It seems your IdP is now sending an invalid SAML assertion...
>
>> It's just not clear what I should do next to troubleshoot further.
>
> Try using a SAML tracing extension for your browser so you can see the assertion. That might reveal what your IdP is doing wrong, and the fact that it's sending duplicate keys and failing to honor your name ID settings is troubling.
>
> Once you have obtained the SAML assertion and can see where it differs vs. the way you have configured your IdP, you may need to reach out to your IdP's support to correct things.
>
>> I feel like I'm missing documentation that tells me what attributes to send and their names.
>>
>> Also, could setting `sqlserver-auto-create-accounts` to TRUE be the reason for the uuid accounts being created?
>
> No. The only reason there would be UUIDs anywhere for usernames is if that is what the IdP is sending. Guacamole does not generate usernames on its own; it simply uses the value received verbatim.
>
> - Mike
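The inspection suggested in the quoted reply, as an added example that is not part of the original thread and is not Guacamole or IBM code: it decodes a captured `SAMLResponse`, reports the NameID and its format, and lists attribute names that collapse to the same key. It assumes an unencrypted assertion sent via HTTP-POST binding (plain base64); the sample assertion and the `normalize` rule are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the thread): a UUID-like NameID and two
# attributes whose names differ only in naming style.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">6f1c2a9e-3b7d-4c55-9e0a-1d2f3a4b5c6d</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def normalize(name):
    # Assumption: approximates how differently styled names could collapse
    # into one key such as SAML_GIVEN_NAME; this is not Guacamole's own code.
    spaced = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", name)
    return re.sub(r"[^A-Za-z0-9]+", "_", spaced).strip("_").upper()

def inspect_response(b64_response):
    """Summarise the NameID and attribute names of a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    groups = {}
    for n in names:
        groups.setdefault(normalize(n), []).append(n)
    value = (name_id.text or "").strip() if name_id is not None else None
    return {
        "name_id": value,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "name_id_looks_like_uuid": bool(value and UUID_RE.match(value)),
        "attribute_names": names,
        "colliding_names": {k: v for k, v in groups.items() if len(v) > 1},
    }

if __name__ == "__main__":
    for key, val in inspect_response(SAMPLE_B64).items():
        print(f"{key}: {val}")
```

Run it only on assertions captured from your own login session; a captured `SAMLResponse` contains user identity data and should be handled accordingly.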
