
Question

SAML Linked Identity Provider with Azure AD Forms Login Issue

asked on November 26, 2023

Hi all,

We have a customer trying to use a SAML Linked Identity Provider and manage licensing/groups via AD sync.

We have followed the steps below from an earlier Answers post:

  • Add AD IdP (customer already had this set up working ok)
  • Add SAML IdP, and link it to the AD IdP. Do not register anyone as a SAML user.
  • Sync users using the AD IdP
  • When users log in via SAML, the identity claims in their SAML token are mapped to the associated AD/Windows user, and Laserfiche recognizes them as an AD user.
  • Manage license provisioning with sync "Rules" on the AD IdP.

 

The issue we see is that the user cannot log on to Forms. We have ensured their AD account is in an AD group that gets the 'Forms Participant License' via the AD IdP Rules.

After syncing the user from AD to LFDS, we can see they have the 'Forms Participant License'.

When they log on using the SAML Linked Identity Provider option, they see the Forms error 'This user does not belong to a group that is authorized to sign in to LaserFiche Forms.'

We checked that AAD is sending the groups down by decoding the SAML response token; we tried using SID as well as samAccountName for the groups in both the LFDS and AAD claim settings.

 

Is there any way we can check what the STS token contains? Technically it should have the list of groups from the SAML response token, but I can't identify how to confirm that the STS token has the correct groups.

We've been troubleshooting with the customer for a while, so I thought to check if the broader community has any examples, tips or guidance, if anyone is using the same scenario.

They are on LFDS v11 Update 4 at the moment.

Thanks for reading!

Priyanka

Replies

replied on November 26, 2023

You can use the instructions on this online help page to intercept the SAML response.

replied on November 26, 2023

Thanks @████████, that is what we used, with an online base64 decoder, to check that the groups are coming through OK in the SAML response.

We tested with the LFDS claim groups set to AD SID and the group claim attribute set to send the SID from AAD; we then also checked sending the samAccountName from AAD and leaving the LFDS claim group format as default.

Both ways, we can see the correct groups coming down. I have asked them to check that the Forms licensing is applied to that group under Forms Administration > Security.

Any other tips much appreciated, thanks very much,

Priyanka
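The SAML response check discussed in the two posts above, as an added example that is not part of the original thread and not a Laserfiche tool: a local decoder for the SAMLResponse form value that parses the assertion, lists every attribute in the AttributeStatement and reports whether the groups claim is carrying SIDs, object IDs or names. The sample response is constructed and unsigned; the groups claim type is the one Azure AD / Entra ID emits by default unless the claim is renamed in the app registration, and the SID/GUID regexes and the function names are this example's own assumptions. It shows only what the IdP sent, not what the LFDS STS produced from it.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Default claim type Azure AD / Entra ID uses for the groups claim (assumption: not renamed in the app).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample response (not a real token): unsigned, unencrypted, two group SIDs.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1105</saml:AttributeValue>
        <saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1106</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the browser posts in the HTTP-POST binding: base64 of the XML, often URL-encoded on the wire.
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_XML).decode()


def decode_saml_response(form_value: str) -> bytes:
    """Return the XML bytes behind a SAMLResponse parameter.
    HTTP-POST binding carries plain base64; HTTP-Redirect carries base64 of raw DEFLATE."""
    raw = base64.b64decode(unquote(form_value))
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header


def encode_redirect_binding(xml: bytes) -> str:
    """Constructed counterpart to the DEFLATE form, here only to exercise the fallback path."""
    co = zlib.compressobj(wbits=-15)
    return base64.b64encode(co.compress(xml) + co.flush()).decode()


def summarize(form_value: str) -> dict:
    """Status, NameID, all attributes, and the format of the groups claim values."""
    root = ET.fromstring(decode_saml_response(form_value))
    # An encrypted assertion hides the attributes from anyone without the SP's private key.
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted: attributes are only visible to the SP")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    groups = attrs.get(GROUPS_CLAIM, [])
    if not groups:
        fmt = "missing"
    elif all(SID_RE.match(g) for g in groups):
        fmt = "sid"
    elif all(GUID_RE.match(g) for g in groups):
        fmt = "objectid"
    else:
        fmt = "name"
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
        "groups": groups,
        "group_format": fmt,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_FORM_VALUE), indent=2))
```

Paste the captured SAMLResponse value into `summarize()` in place of the sample. A decoder that runs locally is preferable to an online one, since the response carries the NameID and every attribute the IdP released about the user; the "objectid" result is worth watching for, because that is what Entra ID emits for groups unless the claim is explicitly configured to send SIDs or sAMAccountName for on-premises synced groups.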
replied on May 9, 2024

Checking if anyone has been able to use a Linked IdP to allow SAML authentication, where users and groups are synced in from AD and the AD group is added to the LF group to assign the Forms license.

We still see the error below if we configure it that way.

If we add the user directly to the LF Group, then they can log on via SAML.

If any LF team members are monitoring, it is Case# 235682.
replied on May 9, 2024

I don't know the details of your case, but by default Forms syncs users every 24 hours. So it won't know that a new user was added until the sync happens. Also, depending on how you have Forms configured, you would need to make sure that the accounts are added to an LFDS group that syncs with Forms.

replied on May 11, 2024

Many thanks @████████, the support team has basically said that we need to add SAML groups manually into the LF group; to me that sounds like it defeats the purpose of using the Linked IdP.

We will continue troubleshooting to check if it's sync related, though we can see the AD group inside the LF group and the user inside the AD group from the LFDS portal; maybe we will retest with a new user. Thanks again.