We are configuring DX UIM SAML single sign-on with Azure AD.
Using this documentation: Configure SAML Single Sign-On in DX UIM
We configured everything as documented; however, we get "Invalid credentials" at OC (Operator Console).
We analyzed the SAML token that Azure AD sends back to the hub and it is correct, but we still cannot log in.
We can log in with the same LDAP/AD directory user in IM and OC, but not via SSO/SAML.
In the hub log we may see an LDAP query like the following:
Sep 30 20:05:38:639 [139684501326720] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=##=DOMAIN,##=XX,XX=XXX,XXX=SYS scope:=LDAP_SCOPE_SUBTREE filter:=(&(objectClass=person)(|(userPrincipalName=[email protected]@DOMAIN.CO.COM)(sAMAccountName=[email protected]@DOMAIN.CO.COM)(mail=[email protected]@DOMAIN.CO.COM))) attrs:=displayName, cn, memberOf
DX UIM 23.4.*
The LDAP query appends a second domain after the email address ([email protected]@DOMAIN.CO.COM), so the search matches no user and the SSO login fails.
The issue is most likely related to the 'name' attribute that is mapped in the SAML claims.
UIM takes the value of this 'name' claim, appends the configured domain to it, and looks the result up in LDAP using the filter configured in filter_user. If the 'name' claim already contains a domain (for example a UPN or an email address), the login name is formed with a doubled domain, so the hub's LDAP search cannot find any user and authentication fails.
To resolve the issue, review and update the 'Name' attribute in the IDP SAML configuration so that the result.
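To make the cause concrete, the following is a small Python model added for this article (illustrative code, not DX UIM's own implementation). It builds the login name and LDAP filter from the 'name' claim both as observed in the log and with a fix that appends the domain only to a bare account name, escapes the claim value per RFC 4515 before substituting it into the filter, and scans hub log lines for the doubled-domain symptom. The filter template, its `%s` placeholder, the helper names and the sample log lines are assumptions constructed for the example.

```python
"""Model of how a SAML 'name' claim becomes an LDAP search filter, and a
detector for the doubled-domain symptom seen in the hub log.
Illustrative code for this article, not DX UIM's implementation."""
import re

# Assumed filter_user template: the clauses mirror the filter printed in the
# hub log; the '%s' placeholder is an assumption made for this example.
FILTER_USER = ("(&(objectClass=person)(|(userPrincipalName=%s)"
               "(sAMAccountName=%s)(mail=%s)))")

# RFC 4515 escaping for values substituted into an LDAP filter. Hypothetical
# helper: a SAML claim is externally supplied input and must not be able to
# change the structure of the filter it is inserted into.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_name_as_observed(name_claim: str, domain: str) -> str:
    """Behaviour seen in the log: the domain is appended unconditionally."""
    return f"{name_claim}@{domain}"


def login_name_fixed(name_claim: str, domain: str) -> str:
    """Append the domain only when the claim is a bare account name."""
    if "@" in name_claim:
        return name_claim
    return f"{name_claim}@{domain}"


def build_filter(login_name: str) -> str:
    """Substitute the (escaped) login name into every clause of the filter."""
    return FILTER_USER.replace("%s", escape_ldap_filter_value(login_name))


def has_double_domain(login_name: str) -> bool:
    return login_name.count("@") > 1


_UPN_RE = re.compile(r"userPrincipalName=([^)]*)\)")


def doubled_domain_values_in_log(log_text: str) -> list:
    """Return userPrincipalName values in nim_ldap_query lines that carry
    more than one '@', i.e. the doubled-domain symptom."""
    found = []
    for line in log_text.splitlines():
        if "nim_ldap_query" not in line:
            continue
        m = _UPN_RE.search(line)
        if m and has_double_domain(m.group(1)):
            found.append(m.group(1))
    return found


# Constructed sample log lines modelled on the one in the article; the user
# names, base DN and timestamps are made up for this example.
SAMPLE_LOG = """\
Sep 30 20:05:38:639 [139684501326720] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=DC=DOMAIN,DC=CO,DC=COM scope:=LDAP_SCOPE_SUBTREE filter:=(&(objectClass=person)(|(userPrincipalName=jdoe@DOMAIN.CO.COM@DOMAIN.CO.COM)(sAMAccountName=jdoe@DOMAIN.CO.COM@DOMAIN.CO.COM)(mail=jdoe@DOMAIN.CO.COM@DOMAIN.CO.COM))) attrs:=displayName, cn, memberOf
Sep 30 20:06:02:101 [139684501326720] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=DC=DOMAIN,DC=CO,DC=COM scope:=LDAP_SCOPE_SUBTREE filter:=(&(objectClass=person)(|(userPrincipalName=asmith@DOMAIN.CO.COM)(sAMAccountName=asmith@DOMAIN.CO.COM)(mail=asmith@DOMAIN.CO.COM))) attrs:=displayName, cn, memberOf
"""

if __name__ == "__main__":
    domain = "DOMAIN.CO.COM"
    for claim in ("jdoe", "jdoe@DOMAIN.CO.COM"):
        observed = login_name_as_observed(claim, domain)
        fixed = login_name_fixed(claim, domain)
        print(f"claim={claim!r}: observed={observed} doubled={has_double_domain(observed)}")
        print(f"  fixed={fixed} filter={build_filter(fixed)}")
    print("doubled-domain lookups in log:", doubled_domain_values_in_log(SAMPLE_LOG))
```

Two things to take from running it: a claim that already carries the domain (a UPN or email) is exactly the input that produces `user@DOMAIN.CO.COM@DOMAIN.CO.COM`, which is why changing the IdP mapping to a bare account name resolves the login; and because whatever the IdP puts in 'name' ends up inside an LDAP filter, it is worth confirming that the value is escaped as in `escape_ldap_filter_value` rather than inserted raw.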