IBM Security Verify

  • 1.  SAML SSO assertion not working

    Posted Sun November 05, 2023 02:14 PM

    The SAML SSO assertion fails to function when I activate the "Enable identity linking for this identity provider" option and choose the unique user identifier as "email or emailAddress." Has anyone encountered a situation where a user with a distinct email address successfully links during SSO? Instead, I receive an error message stating "User Not found."

    Please note that the just-in-time provisioning feature is turned off. Enabling it results in the creation of duplicate user accounts.



    ------------------------------
    rs annan
    ------------------------------


  • 2.  RE: SAML SSO assertion not working

    Posted Mon November 06, 2023 11:34 AM

    Hello @rs annan,

    The reason that your SAML Assertion SSO resulted in a 'User Not Found' when you enabled Identity Linking using the 'email' or 'emailAddress' attribute is that, when you enable Identity Linking and select the 'Unique User Identifier', you are choosing the attribute from the incoming SAML Assertion that must match the Cloud Directory user's 'User Name' attribute.

    You are not choosing the Cloud Directory attribute to link with. The link always searches against the Cloud Directory 'User Name' attribute.

    So, if you want to use the 'email' or 'emailAddress' attribute from the incoming SAML Assertion as your Identity Link attribute, the 'User Name' attribute of the Cloud Directory user has to match the incoming value.

    E.g.:
    SAML Assertion 'email' attribute: jcyarbor@us.ibm.com

    Cloud Directory 'User Name' value: jyarborough1990

    The above would not match and would result in a 'User Not Found'.

    The following would link as expected:

    SAML Assertion 'email' attribute: jcyarbor@us.ibm.com

    Cloud Directory 'User Name' value: jcyarbor@us.ibm.com

    Identity Linking is actually a two-part process. The first part uses the 'Unique User Identifier' to find the user in the Cloud Directory by looking for a 'User Name' attribute that matches the value of the 'Unique User Identifier' attribute from the SAML Assertion.

    Then, after the user is found, the attribute you selected for the 'External ID' is used to create the link.

    Hopefully this helps you understand why the linking may not be working as you expect.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------
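The two-part linking described in the reply above, modelled in Python as an added example (not IBM code; the directory records, the SAML attribute names `email` and `employeeId`, and the IdP label `idp-example` are constructed). It shows why a matching email still yields 'User Not found' when the directory 'User Name' differs, and how the External ID value is recorded once step one succeeds.

```python
"""Model of Identity Linking as a two-step process (constructed example):
1) find the Cloud Directory user whose 'User Name' equals the SAML attribute
   chosen as Unique User Identifier; 2) on a match, store the attribute chosen
   as External ID as the link for this identity provider."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment carrying only the attributes used here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jcyarbor@us.ibm.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>E12345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute name: first value} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = value.text.strip() if value is not None else None
    return attrs


def link_identity(directory, assertion_xml, unique_id_attr, external_id_attr,
                  idp="idp-example"):
    """Step 1: compare the unique_id_attr value against each user's 'userName'
    only (the user's own email field is never consulted).
    Step 2: on a match, record the external_id_attr value as the link for idp.
    Returns (status, matched user or None)."""
    attrs = assertion_attributes(assertion_xml)
    lookup = attrs.get(unique_id_attr)
    user = next((u for u in directory if u["userName"] == lookup), None)
    if user is None:
        return "User Not found", None          # JIT provisioning off: stop here
    user.setdefault("links", {})[idp] = attrs.get(external_id_attr)
    return "linked", user


if __name__ == "__main__":
    mismatch = [{"userName": "jyarborough1990", "email": "jcyarbor@us.ibm.com"}]
    match = [{"userName": "jcyarbor@us.ibm.com", "email": "jcyarbor@us.ibm.com"}]
    print(link_identity(mismatch, ASSERTION, "email", "employeeId")[0])  # User Not found
    print(link_identity(match, ASSERTION, "email", "employeeId")[0])     # linked
```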