Question

481 views27th March 2025authentication JIT SAML JIT user account

1

Paul Lee [DevOps Member]595 2nd August 2024 2 Comments

Hi Dojo,

I am wondering if below situation is feasible.

We have recently built a new DMS that uses Azure SSO SAML Just In Time authentication method. Later we have noticed that the username created by DataMiner through JIT is different to what we had in the legacy DMS which does not use SAML JIT.

It turned out that we needed to bring the old style usernames in as they are used in a number of different places in the system. The old style usernames are currently stored as one of the attributes in Azure user data property (the attribute is called On-premises SAM account name).

We made an assumption that it might be feasible to bring the attribute to a DM user field e.g. pager and use pager in alarm filters should it have a placeholder like [this username]. We have tried adding the attribute and provided a name (Pager) and namespace (http://schemas.xmlsoap.org/ws/2005/05/identity/claims) in Azure portal -> Enterprise App -> SAML-based SIgn-on > Attributes & Claim as provided by Configuring SAML with Microsoft Entra ID as identity provider | DataMiner Docs

Then we added <Pager> in the DataMiner.xml file as below

<EmailClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</EmailClaim>

<Givenname>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</Givenname>

<Surname>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</Surname>

<Groups claims=“true”>http://schemas.microsoft.com/ws/2008/06/identity/claims/groups</Groups>

<Pager>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/pager</Pager>

</AutomaticUserCreation>

We tested after restarting DM but unfortunately it didn’t bring the attribute into the pager field when a new user was created.

So I have two questions here:

Is what I am trying to achieve feasible with combined Azure & DM configuration? It doesn’t have to be the pager field as long as it’s something we can retrieve with placeholder
Is there information about the list of placeholders that we can use within the alarm tab filters? We only have used [this username] to obtain the username of current user but wondering if there are any other placeholders that we can use instead of username e.g. [this pager] or something similar.

Hope this makes sense. Please let me know if anything isn’t clear. Thanks.

Marieke Goethals [SLC] [DevOps Catalyst] Posted new comment 27th March 2025

Marieke Goethals [SLC] [DevOps Catalyst] commented 23rd January 2025

Hi Paul,
Could you clarify what you mean with your second question? Where exactly do you intend to use this placeholder?

Marieke Goethals [SLC] [DevOps Catalyst] commented 27th March 2025

Hi Paul,
I see that this question has now been inactive for quite a long time. Do you still need help with this? If yes, could you clarify your second question? Or if not, could you select the answer to indicate that no further reaction is needed?

1 Answer

Hi Paul,
Could you clarify what you mean with your second question? Where exactly do you intend to use this placeholder?
Hi Paul,
I see that this question has now been inactive for quite a long time. Do you still need help with this? If yes, could you clarify your second question? Or if not, could you select the answer to indicate that no further reaction is needed?

score 1 · Answer 1 · 2024-08-02T15:31:45+00:00

Regarding your first question: currently DataMiner will only read out the Email, Givenname, Surname & Groups Claims, other data, like your pager claim, will be ignored.

Unfortunately, I don’t believe its possible to pass any other data to these users.

For that, I would recommend submitting a new feature suggestion:
DataMiner Feature Suggestions – DataMiner Dojo

Thanks for confirming. I will submit a new feature suggestion for this then.

What about my second question regarding the placeholder? Would you be able to answer?

Handling data with Azure SSO SAML JIT

1 Answer