Username shows Undefined Undefined after login to CloudPak dashboard using SAML login option
Symptoms
When you use the SAML login option to log in to the CloudPak console, you might notice that the username is shown as Undefined Undefined on the CloudPak dashboard page. You can observe this issue if you are using foundational services version 3.20 or 3.21.
Causes
Migration of the IdP registration from V2 to V3.
Resolving the problem
As per the SAML V3 schema, given_name and family_name are mapped to the givenname and familyname attributes of the IdP. You can update the V3 registration call to resolve this issue.
Steps
Get the V3 registration data
Note:
- The SAML UID that is supported is defaultSP. For more information, see Getting SAML registration by UID.
- Replace base64-encoded-idp-xml with the actual base64-encoded idp-metadata that you received in the GET call.
- Get the cp-console-url by using the command oc get routes.
To get the existing SAML registration:
- API version: 1.0.0
- API URI components:
  - Scheme: HTTPS
  - Host IP: Cluster Master Host
  - Port number: Cluster Master API Port
  - Path: idprovider/v3/auth/idsource/defaultSP
- Command: GET
- Command output format: application/json
curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v3/auth/idsource/defaultSP' --header "Authorization: Bearer $ACCESS_TOKEN"
Update the V3 registration data by adding first_name and last_name under token_attribute_mappings
1. Copy the response that you get by using the curl command in Get the V3 registration data.
2. Remove the uid entry from the response: "uid": "defaultSP".
3. Add the following attributes, first_name and last_name, under token_attribute_mappings:
   "token_attribute_mappings": {
     "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
     "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
     "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
     "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
     "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
     "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
     "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
   }
4. Update the IdP V3 registration by adding the token_attribute_mappings payload as described in Step 3.
Note:
- Replace base64-encoded-idp-xml with the actual base64-encoded idp-metadata that you received in the GET call.
- Get the cp-console-url by using the command oc get routes.
For example:
- API version: 1.0.0
- API URI components:
  - Scheme: HTTPS
  - Host IP: Cluster Master Host
  - Port number: Cluster Master API Port
  - Path: idprovider/v3/auth/idsource
- Command: PUT
- Command output format: application/json
curl -k -X PUT 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v3/auth/idsource/defaultSP' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--data-raw '{
  "name": "w3id-sample-saml",
  "description": " this is plain saml testing",
  "protocol": "saml",
  "type": "default",
  "idp_config": {
    "token_attribute_mappings": {
      "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
      "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    },
    "idp_metadata": "<base64-encoded-idp-xml>"
  },
  "jit": true
}'
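The GET, edit and PUT sequence described in the steps above, as an added Python example that is not IBM's code and not part of the original technote. It assumes the V3 endpoints shown here (GET and PUT on idprovider/v3/auth/idsource/<uid>), a bearer token such as the one in ACCESS_TOKEN, and that the cp-console certificate can be verified against a CA bundle path you supply (the example verifies TLS instead of passing curl -k). The function names and the sample GET response are constructed for this example; the claim URIs are the ones from the technote's mapping.

```python
"""Patch a Cloud Pak IdP V3 SAML registration so the dashboard receives
first_name / last_name. Added example, not IBM's code. Assumes the V3 REST
endpoints from the technote and a bearer token for cp-console."""
import copy
import json
import ssl
import urllib.request

# Claim URIs taken from the technote's mapping. They are used only when the
# fetched registration has no given_name / family_name mapping to copy from.
DEFAULT_GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
DEFAULT_SURNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"


def add_dashboard_name_mappings(registration: dict) -> dict:
    """Return a PUT-ready copy of a GET response: 'uid' removed, first_name and
    last_name added under idp_config.token_attribute_mappings. Existing keys are
    never overwritten, so running this twice changes nothing (step 2 and 3)."""
    body = copy.deepcopy(registration)
    body.pop("uid", None)  # the UID travels in the URL path, not the PUT body
    idp_config = body.setdefault("idp_config", {})
    mappings = idp_config.setdefault("token_attribute_mappings", {})
    # Mirror whatever given_name / family_name already point at, so an IdP with
    # non-default claim URIs keeps consistent mappings for both attribute names.
    mappings.setdefault("first_name", mappings.get("given_name", DEFAULT_GIVENNAME_CLAIM))
    mappings.setdefault("last_name", mappings.get("family_name", DEFAULT_SURNAME_CLAIM))
    return body


def check_registration(body: dict) -> list:
    """Return the problems a PUT body still has; an empty list means it is OK."""
    problems = []
    if "uid" in body:
        problems.append("uid must be removed from the PUT body")
    idp_config = body.get("idp_config", {})
    mappings = idp_config.get("token_attribute_mappings", {})
    for key in ("sub", "first_name", "last_name"):
        if not mappings.get(key):
            problems.append(f"token_attribute_mappings.{key} is missing")
    metadata = idp_config.get("idp_metadata", "")
    # Base64 never starts with '<', so this catches the technote's
    # <base64-encoded-idp-xml> placeholder and raw, unencoded XML alike.
    if not metadata or metadata.startswith("<"):
        problems.append("idp_metadata must be the base64-encoded IdP XML, not a placeholder")
    return problems


def _request(method: str, url: str, token: str, ca_bundle, payload=None) -> dict:
    # Verify the cp-console certificate against a CA bundle rather than curl -k.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def fix_saml_registration(console_url: str, token: str, ca_bundle: str, uid: str = "defaultSP") -> dict:
    """Step 1 (GET), steps 2-3 (edit), step 4 (PUT) in one call."""
    url = f"{console_url}/idprovider/v3/auth/idsource/{uid}"
    current = _request("GET", url, token, ca_bundle)
    body = add_dashboard_name_mappings(current)
    problems = check_registration(body)
    if problems:
        raise ValueError("; ".join(problems))
    return _request("PUT", url, token, ca_bundle, body)


# Constructed sample GET response (not real cluster output) for an offline dry run.
SAMPLE_GET_RESPONSE = {
    "uid": "defaultSP",
    "name": "w3id-sample-saml",
    "protocol": "saml",
    "type": "default",
    "idp_config": {
        "token_attribute_mappings": {
            "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "given_name": DEFAULT_GIVENNAME_CLAIM,
            "family_name": DEFAULT_SURNAME_CLAIM,
        },
        "idp_metadata": "PEVudGl0eURlc2NyaXB0b3IvPg==",  # constructed base64 stub
    },
    "jit": True,
}

if __name__ == "__main__":
    # Dry run: show the body that step 4 would PUT, without contacting a cluster.
    print(json.dumps(add_dashboard_name_mappings(SAMPLE_GET_RESPONSE), indent=2))
```

check_registration refuses a body that still carries uid or the <base64-encoded-idp-xml> placeholder, which are the two edits the technote's notes ask for and the ones most easily forgotten when the JSON is pasted by hand. Because first_name and last_name are copied from the existing given_name and family_name mappings, the example also covers an IdP whose claim URIs differ from the technote's sample, and it is safe to re-run against a registration that was already fixed.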