Question

Where does the SID come from in the LFDS database for SAML accounts?

asked on March 27

In the LFDS database in the dbo.account_cache table, SAML accounts have a SID value. I would expect this for Windows Accounts as the SID would come from Active Directory, but where does the SID come from for SAML accounts? Does LFDS create the SID?

If yes, if I had a system that already had SAML accounts in it and I deleted my LFDS installation and database and created a new one, then added the same SAML provider back in LFDS, when I register a new SAML account, would it have the same SID as before?


Replies

replied on March 28

Hi Blake,

Unfortunately, if you re-register the SAML account as a new one, it won't keep the same SID as before. The SIDs are always created by LFDS every time you register a SAML account. We've recorded the situation you described and may consider it in the future.


Regards,

Leon

replied on March 28

Microsoft's Security Identifier (SID) documentation page is a Fun™ read if you're curious as to how they're constructed:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers

Laserfiche Directory Server constructs SIDs for non-AD trustees with an Identifier Authority value of "6" and its own Subauthority ("domain") value.

An LFDS "SAML" user is essentially a "Laserfiche" user linked to a specific SAML identity provider with a claim mapping for the NameID value. The NameID mapping allows LFDS to associate a SAML Response with the right "SAML" Laserfiche trustee. Note: The "Linked Providers" feature does basically the same thing, except it maps the SAML Response claim to a registered Windows User trustee instead.

LFDS may use its internal ID for a given SAML IDP as a secondary Subauthority value in "SAML" trustee SID generation. The Relative Identifier (user-specific) parts of the SIDs are simply generated sequentially: 1, 2, 3, 4, and so on, in the order users are registered.

If you read between the lines here, this means it is likely technically possible to construct a scenario where if you register the Identity Providers and then every user in exactly the same order so they receive the same sequentially generated IDs to be passed to the LFDS SID constructor, you could, for an exact point in time, get the "SAML" user SIDs lined up between two LFDS databases.

Needless to say, attempting to do this is not remotely a supported use case, and you shouldn't try it outside of a non-production lab environment purely as a learning experience. (And I only say that because I trust you to tinker responsibly).

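As an added illustration of the reply above (not code from Laserfiche or from the poster): a small Python model of the SID layout described, S-1-6-&lt;domain&gt;-&lt;IDP id&gt;-&lt;RID&gt;, that builds the SIDs two rebuilt LFDS databases would hand out and reports which NameIDs no longer map to the same SID. The domain value, the IDP id subauthority and the 1-based sequential RID are assumptions taken from the reply, not documented LFDS behaviour, and `rebuild`/`drifted` are hypothetical helper names.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Layout assumed from the reply above: S-1-6-<LFDS domain>-<IDP id>-<RID>.
# Identifier Authority 6 is stated there; the IDP id as a secondary subauthority
# and a global sequential RID are the reply's reading, so they are assumptions here.
LFDS_AUTHORITY = 6

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                              "-".join(str(s) for s in self.subauthorities))

def parse_sid(text: str) -> Sid:
    """Parse the textual S-R-A-X-Y-... form into its numeric components."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    nums = [int(p) for p in parts[1:]]
    return Sid(nums[0], nums[1], tuple(nums[2:]))

class LfdsSidModel:
    """Hypothetical model of LFDS's sequential SID assignment for SAML trustees."""
    def __init__(self, domain_id: int) -> None:
        self.domain_id = domain_id          # assumed per-install subauthority
        self.idp_ids: Dict[str, int] = {}   # assumed internal id per registered IDP
        self.next_rid = 1                   # RIDs handed out 1, 2, 3, ... per the reply

    def register_idp(self, name: str) -> None:
        self.idp_ids[name] = len(self.idp_ids) + 1

    def register_user(self, idp: str, name_id: str) -> Sid:
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return Sid(1, LFDS_AUTHORITY, (self.domain_id, self.idp_ids[idp], rid))

def rebuild(domain_id: int, idps: List[str],
            users: List[Tuple[str, str]]) -> Dict[str, str]:
    """Register IDPs, then users, in the given order; return NameID -> SID string."""
    m = LfdsSidModel(domain_id)
    for idp in idps:
        m.register_idp(idp)
    return {name_id: str(m.register_user(idp, name_id)) for idp, name_id in users}

def drifted(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """NameIDs whose SID changed between two databases (ACLs keyed on them break)."""
    return sorted(n for n in before if after.get(n) != before[n])
```

Registering the same users in a different order after a rebuild is enough for every trustee's SID to change, which is why ACL entries keyed on the old SIDs stop resolving.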