Username shows Undefined Undefined after login to CloudPak dashboard using SAML login option
Symptoms
When you use the SAML login option to log in to the CloudPak console, you might notice that the username shows as Undefined Undefined on the CloudPak dashboard page. You can observe this issue if you are using foundational services version 3.20 and 3.21.
Causes
Migration from the IdP V2 to V3.
Resolving the problem
As per the SAML V3 schema, given_name and family_name are mapped to the givenname and familyname of the IdP. You can update the V3 registration call to resolve this issue.
Steps
Get the V3 registration data
Note:
- The SAML UID that is supported is defaultSP. For more information, see Getting SAML registration by UID.
- Replace base64-encoded-idp-xml with the actual base64-encoded idp-metadata that you have received in the GET call.
- Get the cp-console-url by using the command oc get routes.
To get the existing SAML registration:
- API version: 1.0.0
- API URI components:
  - Scheme: HTTPS
  - Host IP: Cluster Master Host
  - Port number: Cluster Master API Port
  - Path: idprovider/v3/auth/idsource/defaultSP
- Command: GET
- Command output format: application/json
curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v3/auth/idsource/defaultSP' --header "Authorization: Bearer $ACCESS_TOKEN"
Update the V3 registration data by adding first_name and last_name under token_attribute_mappings
1. Copy the response that you get by using the curl command in Get the V3 registration data.
2. Remove the uid entry from the response, "uid":"defaultSP".
3. Add the following attributes, first_name and last_name, under token_attribute_mappings.

   "token_attribute_mappings": {
     "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
     "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
     "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
     "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
     "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
     "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
     "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
   }

4. Update the IdP V3 registration by adding the token_attribute_mappings payload as described in Step 3.
Note:
- Replace base64-encoded-idp-xml with the actual base64-encoded idp-metadata that you have received in the GET call.
- Get the cp-console-url by using the command oc get routes.
For example:
- API version: 1.0.0
- API URI components:
  - Scheme: HTTPS
  - Host IP: Cluster Master Host
  - Port number: Cluster Master API Port
  - Path: idprovider/v3/auth/idsource
- Command: PUT
- Command output format: application/json
curl -k -X PUT 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v3/auth/idsource/defaultSP' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-raw '{
    "name": "w3id-sample-saml",
    "description": " this is plain saml testing",
    "protocol": "saml",
    "type": "default",
    "idp_config": {
      "token_attribute_mappings": {
        "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
      },
      "idp_metadata": "<base64-encoded-idp-xml>"
    },
    "jit": true
  }'
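
The copy, remove-uid and add-mappings steps above can be scripted instead of edited by hand. The following is an added example, not part of the original page or of IBM's tooling. It assumes that the GET response has the same shape as the PUT body plus a top-level uid, and it reuses whatever given_name and family_name already map to; build_update_payload and SAMPLE_RESPONSE are hypothetical names.

```python
import copy
import json

# Claim URIs taken from the token_attribute_mappings payload on this page.
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"


def build_update_payload(registration):
    """Turn a GET .../idsource/defaultSP response into the PUT request body."""
    payload = copy.deepcopy(registration)  # leave the caller's copy untouched
    payload.pop("uid", None)               # step 2: the PUT body carries no uid

    idp_config = payload.get("idp_config")
    if not isinstance(idp_config, dict) or not idp_config.get("idp_metadata"):
        # The page's PUT body carries the idp_metadata received in the GET call.
        raise ValueError("registration has no idp_config.idp_metadata")

    mappings = idp_config.setdefault("token_attribute_mappings", {})
    # Step 3: first_name/last_name reuse the claims that given_name/family_name
    # point to (assumption), falling back to the URIs shown on the page.
    mappings["first_name"] = mappings.get("given_name", GIVENNAME)
    mappings["last_name"] = mappings.get("family_name", SURNAME)
    return payload


# Constructed sample of a GET response (assumed shape, not real cluster output).
SAMPLE_RESPONSE = {
    "uid": "defaultSP",
    "name": "w3id-sample-saml",
    "protocol": "saml",
    "type": "default",
    "idp_config": {
        "token_attribute_mappings": {
            "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "given_name": GIVENNAME,
            "family_name": SURNAME,
        },
        "idp_metadata": "<base64-encoded-idp-xml>",
    },
    "jit": True,
}

if __name__ == "__main__":
    # Print the body to pass to curl --data-raw in the PUT call.
    print(json.dumps(build_update_payload(SAMPLE_RESPONSE), indent=2))
```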