FusionAuth

When is registration updated?

didier.rano, last edited 8 Mar 2021, 21:39

I need to get the groups of the user from my SAML Response and set them in my JWT token. But my lambda SAML reconcile function is not called for each login process. Is this normal?
dan, last edited 8 Mar 2021, 23:48

Hmmm. I haven't heard of that behavior before.

A few more questions:

  • What version of FusionAuth are you running?
  • Have you enabled SAML debugging? Is there anything in the event log that might be useful? System -> Event Log in the admin UI will show extra debugging.
  • Can you share your lambda SAML reconcile function code?

To do this in general, that should be possible with custom data. Reconcile the groups and other info, store it in the user.data and then extract it in the JWT populate lambda.

Thanks,
Dan

PS @didier-rano, welcome to the FusionAuth community!

--
FusionAuth - Auth for devs, built by devs.
https://fusionauth.io
didier.rano, last edited 9 Mar 2021, 01:22

FusionAuth version: 1.24.0

In the SAML response debug log, I can see one group:

    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>9bb8b8b2-e63a-48fe-9582-1001611d4888</AttributeValue>
    </Attribute>

My SAML reconcile lambda:

    // defaultIfNull is the helper defined in the default SAML reconcile lambda template
    function reconcile(user, registration, samlResponse) {
      // as default and add
      user.data = user.data || {};
      user.data.groups = defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') || [];

      registration.data = registration.data || {};
      registration.data.groups = defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') || [];
    }

My JWT populate lambda:

    function populate(jwt, user, registration) {
      jwt.groups = registration.data.groups;
    }

Finally, my jwt.groups is empty, and registration.data is empty (user.data is empty too).

Thanks Dan
dan, last edited 9 Mar 2021, 02:15

Hmmm.

What is defaultIfNull? I'm not familiar with that function.

Can you save other information to the user.data field (like a test string) in the reconcile lambda and have it read in the populate JWT lambda?

What does logging defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') reveal?
didier.rano, last edited 9 Mar 2021, 15:40

The reconcile function comes with a default implementation; defaultIfNull is defined in it:

    var getAttribute = function(samlResponse, attribute) {
      var values = samlResponse.assertion.attributes[attribute];
      if (values && values.length > 0) {
        return values[0];
      }

      return null;
    };

    // Retrieve an attribute from the samlResponse
    // - Arguments [2 .. ] provide a preferred order of attribute names to lookup the value in the response.
    var defaultIfNull = function(samlResponse) {
      for (var i=1; i < arguments.length; i++) {
        var value = getAttribute(samlResponse, arguments[i]);
        if (value !== null) {
          return value;
        }
      }
    };

In this lambda, I added a fixed value in user.data.fixed and the same in registration.data.fixed. But the JWT populate lambda cannot see this value.

In fact, I can see a log event for the JWT populate lambda, but no log event for the SAML v2 IdP Response Debug Log. It looks like my user is registered one time only.
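
The following is an added example, not code from this thread or from FusionAuth's own lambda templates. It puts Dan's suggestion (reconcile the groups into user.data, then read them back in the JWT populate lambda) next to the default template shown above, with one difference worth noting for anyone who authorizes on the groups claim: the template's getAttribute returns only values[0], so a user who belongs to several groups would carry just one of them into the token. The helper here collects every value instead. It assumes the samlResponse shape the default lambda reads (samlResponse.assertion.attributes[name] is an array of strings), keeps to ES5 syntax on the assumption that the lambda engine accepts it, and the names getAllValues, simulateLogin, sampleSamlResponse and the group ids are all constructed for this example.

```javascript
// Added example (not code from the thread or from FusionAuth's own lambda templates).
// Assumes the samlResponse shape shown by the default reconcile lambda:
// samlResponse.assertion.attributes[name] is an array of string values.
// Kept to ES5 syntax (var, function) on the assumption that the lambda engine accepts it.

var GROUPS_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups';

// Return every value of the first attribute name that is present. The default
// getAttribute helper returns only values[0], so a user in several groups would
// keep just one of them; an authorization decision built on that is wrong.
// Arguments [1 ..] are attribute names in preferred lookup order.
function getAllValues(samlResponse) {
  var attrs = (samlResponse && samlResponse.assertion && samlResponse.assertion.attributes) || {};
  for (var i = 1; i < arguments.length; i++) {
    var values = attrs[arguments[i]];
    if (Array.isArray(values) && values.length > 0) {
      // Keep string values only; anything else in the attribute is dropped.
      return values.filter(function (v) { return typeof v === 'string'; });
    }
  }
  return [];
}

// SAML v2 reconcile lambda: store the groups on both user.data and registration.data.
function reconcile(user, registration, samlResponse) {
  var groups = getAllValues(samlResponse, GROUPS_CLAIM, 'groups');
  user.data = user.data || {};
  user.data.groups = groups;
  registration.data = registration.data || {};
  registration.data.groups = groups.slice(); // independent copy per object
}

// JWT populate lambda: read the groups back. Prefer registration.data, then
// user.data, then an empty array, so the claim is always an array and a
// consumer never sees undefined when reconcile did not run (the thread's symptom).
function populate(jwt, user, registration) {
  var fromRegistration = registration && registration.data && registration.data.groups;
  var fromUser = user && user.data && user.data.groups;
  if (Array.isArray(fromRegistration)) {
    jwt.groups = fromRegistration;
  } else if (Array.isArray(fromUser)) {
    jwt.groups = fromUser;
  } else {
    jwt.groups = [];
  }
}

// Drive one login locally: reconcile first (skipped when reconcileRan is false,
// to mimic the "reconcile never ran" case), then populate. Returns the objects
// so the result can be inspected.
function simulateLogin(samlResponse, reconcileRan) {
  var user = { email: 'user@example.com', data: {} };                   // constructed
  var registration = { applicationId: 'APP_ID_PLACEHOLDER', data: {} }; // constructed
  var jwt = {};
  if (reconcileRan !== false) {
    reconcile(user, registration, samlResponse);
  }
  populate(jwt, user, registration);
  return { user: user, registration: registration, jwt: jwt };
}

// Constructed sample response carrying two group object ids (placeholder values).
var sampleSamlResponse = { assertion: { attributes: {} } };
sampleSamlResponse.assertion.attributes[GROUPS_CLAIM] = [
  '00000000-0000-0000-0000-000000000001',
  '00000000-0000-0000-0000-000000000002'
];

console.log(JSON.stringify(simulateLogin(sampleSamlResponse).jwt));
// -> {"groups":["00000000-0000-0000-0000-000000000001","00000000-0000-0000-0000-000000000002"]}
```

Running simulateLogin with reconcileRan set to false reproduces the empty-groups outcome described in this thread while still emitting an array-typed claim; a relying party that checks membership with indexOf or includes then simply denies, rather than throwing on undefined.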

didier.rano, last edited 9 Mar 2021, 15:43

[attached screenshot: Capture.JPG]
dan, last edited 10 Mar 2021, 14:20

Hmmm....

What SAML IdP are you trying to integrate with?
didier.rano, last edited 12 Mar 2021, 16:39

With Azure AD.
dan, last edited 13 Mar 2021, 00:15

Is there a reason you can't use OIDC + Azure AD? https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad/ is pretty thorough.
didier.rano, last edited 15 Mar 2021, 15:07

With Azure AD, creating an application registration is the way to integrate a custom application (built by customers) into Azure AD. A SaaS is better integrated using an Enterprise Application and then SAML.
In the screenshot, you can see some existing integrations with apps using Enterprise Application integration.
Moreover, sharing a client secret could be problematic for some customers.

[attached screenshot: Capture.JPG]
didier.rano, last edited 15 Mar 2021, 15:13

Do you know if some FusionAuth users are using the Enterprise Application approach with OpenID Connect?
dan, last edited 18 Mar 2021, 15:47

@didier-rano

It looks like there are two issues.

The first is that the SAML login lambda runs after the JWT populate lambda (or at least the order is indeterminate), so your groups aren't being propagated, at least for Azure AD. More concerning to me is the fact that you are only seeing one SAML reconciliation for your user. I would expect that lambda to run every time the user logs in.

These feel like issues to raise on our issues repo, preferably with reproduction steps. I have been trying to find time to replicate it and file the issue, but if you can, that'd be very helpful.

The second is whether we support Enterprise Applications. I don't know if any of the community is using that particular feature. That does explain why you are not interested in OIDC, however. Do you have a link for the Azure docs on this so I could learn more? (I googled for them, but wasn't able to find anything relevant.)