Hi Dojo,
I am wondering if the situation below is feasible.
We have recently built a new DMS that uses Azure SSO SAML Just In Time authentication method. Later we have noticed that the username created by DataMiner through JIT is different to what we had in the legacy DMS which does not use SAML JIT.
It turned out that we needed to bring the old style usernames in as they are used in a number of different places in the system. The old style usernames are currently stored as one of the attributes in Azure user data property (the attribute is called On-premises SAM account name).
We made an assumption that it might be feasible to bring the attribute to a DM user field, e.g. pager, and use pager in alarm filters should it have a placeholder like [this username]. We have tried adding the attribute and provided a name (Pager) and namespace (http://schemas.xmlsoap.org/ws/2005/05/identity/claims) in Azure portal -> Enterprise App -> SAML-based Sign-on -> Attributes & Claims as provided by Configuring SAML with Microsoft Entra ID as identity provider | DataMiner Docs
Then we added <Pager> in the DataMiner.xml file as below:
<AutomaticUserCreation enabled="true">
  <EmailClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</EmailClaim>
  <Givenname>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</Givenname>
  <Surname>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</Surname>
  <Groups claims="true">http://schemas.microsoft.com/ws/2008/06/identity/claims/groups</Groups>
  <Pager>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/pager</Pager>
</AutomaticUserCreation>
We tested after restarting DM but unfortunately it didn't bring the attribute into the pager field when a new user was created.
So I have two questions here:
- Is what I am trying to achieve feasible with combined Azure & DM configuration? It doesn't have to be the pager field as long as it's something we can retrieve with a placeholder.
- Is there information about the list of placeholders that we can use within the alarm tab filters? We only have used [this username] to obtain the username of current user but wondering if there are any other placeholders that we can use instead of username e.g. [this pager] or something similar.
Hope this makes sense. Please let me know if anything isn't clear. Thanks.
Regarding your first question: currently DataMiner will only read out the Email, Givenname, Surname & Groups claims; other data, like your pager claim, will be ignored.
Unfortunately, I don't believe it's possible to pass any other data to these users.
For that, I would recommend submitting a new feature suggestion:
DataMiner Feature Suggestions - DataMiner Dojo
Thanks for confirming. I will submit a new feature suggestion for this then.
What about my second question regarding the placeholder? Would you be able to answer?