By: Sean Warren named 28 Jun 2018 at 2:22 p.m. CDT

22 Responses
The memberof array fix supplied by Gluu ticket 5458 will prevent the memberof field from being updated after the array has been added. This is a critical issue as it will quickly kill efforts to integrate with Vanguard's SSO, since they are having to use extraordinary means to supply us with a memberof attribute.

> "This is related to Gluu ticket 5458, and contains customization to handle a very large memberOf attribute." <- from: https://clickfox.atlassian.net/wiki/spaces/DEV/pages/427163652/Gluu+3.1.3+SSO+Setup+Using+Inbound+SAML?focusedCommentId=573636660#comment-573636660

This does not allow users' memberof permissions to be updated; attempted updates fail with:

```
[org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Error in update Attribute setCustomAttribute(): 3rd arg can't be coerced to String
```

Chris Hood [2:52 PM] added and commented on this Plain Text snippet: oxauth_script.log on the passport server

```
2018-06-27 16:45:05,156 INFO [qtp1744347043-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Error in update Attribute setCustomAttribute(): 3rd arg can't be coerced to String
```

It looks like updates to the user from the IDP are having issues being propagated to the passport server. It adds me correctly, but if my groups are updated on the IDP, the passport server does not get its values updated.

I think it's an issue with the custom passport script:

```
else:
    foundUserName = foundUser.getUserId()
    print("Passport-saml: User Found " + str(foundUserName))
    userService = CdiUtil.bean(UserService)
    for attributesMappingEntry in self.attributesMapping.entrySet():
        remoteAttribute = attributesMappingEntry.getKey()
        localAttribute = attributesMappingEntry.getValue()
        # For multi-valued attributes (memberOf) this is a Java String array, not a String
        localAttributeValue = self.getUserValueFromAuth(remoteAttribute, requestParameters)
        if ((localAttribute != None) & (localAttributeValue != "undefined") & (localAttribute != "provider")):
            try:
                # Only the first stored value is compared against the whole incoming value
                value = foundUser.getAttributeValues(str(localAttribute))[0]
                if value != localAttributeValue:
                    userService.setCustomAttribute(foundUser, localAttribute, localAttributeValue)
                    userService.updateUser(foundUser)
            except Exception, err:
                print("Error in update Attribute " + str(err))
    userAuthenticated = authenticationService.authenticate(foundUserName)
    print("Passport-saml: Is user authenticated = " + str(userAuthenticated))
    return True
```

Chris Hood [3:10 PM] Hahaha, yeah, dumping `value` and `localAttributeValue` returns the following:

```
2018-06-27 17:09:30,628 INFO [qtp1744347043-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - cn=CLICKFOX-devapi2-jr,ou=Security Groups,dc=clickfox,dc=net
2018-06-27 17:09:30,629 INFO [qtp1744347043-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - array(java.lang.String, [u'cn=CLICKFOX-devapi2-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-qacdh08-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-foxqahdp01-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-qacdh16-jmgr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-foxqahdp02-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh17-jmgr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-fox_uat-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=devops,cn=Users,dc=clickfox,dc=net', u'inum=@!45EA.002D.8B1D.2656!0001!4259.D2DF!0003!60B7,ou=groups,o=@!45EA.002D.8B1D.2656!0001!4259.D2DF,o=gluu', u'cn=CLICKFOX-devcdh11-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=Employees,cn=Users,dc=clickfox,dc=net', u'cn=CLICKFOX-devfox01-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-gray-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-qacdh16-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh03-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh13-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-qacdh06-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-fox_uat-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=Engineers,cn=Users,dc=clickfox,dc=net', u'cn=CLICKFOX-gray-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=Clickfox,ou=TestDev,dc=clickfox,dc=net',u'cn=CLICKFOX-devcdh13-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=SSLVPN Services,cn=Users,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh12-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh17-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=KnowBe4,cn=Users,dc=clickfox,dc=net', u'cn=CLICKFOX-foxqahdp02-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh12-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh02-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=VPN - Dev,cn=Users,dc=clickfox,dc=net', u'cn=VPN - Tech,cn=Users,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh11-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devfox01-ja,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh03-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh18-adm,ou=Security Groups,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh13-jr,ou=Security Groups,dc=clickfox,dc=net', u'cn=Devops Projects,ou=Distribution Lists and Contacts,dc=clickfox,dc=net', u'cn=CLICKFOX-devcdh17-adm,ou=Security Groups,dc=clickfox,dc=net'])
```

so `value` will always be `!=` for groups of more than one, but it appears that `userService.setCustomAttribute(foundUser,localAttribute,localAttributeValue)` will not work with an array value.

By Sean Warren named 28 Jun 2018 at 2:25 p.m. CDT

The attached oxauth_script.log is the log file showing the user getting added successfully on the first login, but failing to update the memberOf attribute on subsequent logins.

By Mohib Zico staff 28 Jun 2018 at 2:39 p.m. CDT

Hi Sean, [5458](https://support.gluu.org/installation/5458/is-the-gluu-313finaltargz-a-supportedinstallable-image/) isn't related to this issue; maybe we are talking about [5354](https://support.gluu.org/single-sign-on/5354/accessing-memberof-in-sso-environment/)?

By Sean Warren named 28 Jun 2018 at 2:47 p.m. CDT

Yes, I believe this is related to 5354. Thanks.

By Aliaksandr Samuseu staff 02 Jul 2018 at 8:11 p.m. CDT

Hi, Sean. **Status update:** Script indeed has a couple of issues, we are trying to resolve them now. Will get back to you soon with a solution, sorry for the delay.

By Aliaksandr Samuseu staff 03 Jul 2018 at 1:51 p.m. CDT

Hi, Sean. Please find the updated script in the attachment. Please test it and let us know what else needs to be adjusted. Three changes were introduced, mainly:

1. The script is now capable of updating multi-valued attributes.
2. It also clears all attributes in the local LDAP db for which a mapping is set, but the IDP hasn't sent any values in this particular response.
3. Optimization: no more separate write per attribute, just one write per user entry.

Please also note that the version of the script you are using here will not be compatible with the current 3.1.3 and newer packages (you are using the 3.1.3 RC6 package you installed per our suggestion back then, I believe) due to some change in how attributes are passed from Passport to the script now. I'll get in touch with the developer in charge and make sure all enhancements we've achieved so far are migrated to the "master" branch. That should allow you to migrate to the proper package in the future without any issues, as supporting this version will constitute a challenge in the future.
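The three behaviours listed above (multi-valued attributes compared as sets instead of by their first element, mapped-but-absent attributes cleared, one write per user entry) as an added plain-Python example. It is not the Gluu script nor the attachment from this ticket: the mapping, the sample user entry, the sample IdP response and the helper names are constructed for illustration, and no oxAuth API (`setCustomAttribute`, `updateUser`) is called.

```python
"""Added example, not Gluu's script or the ticket attachment.

Reconciles the mapped attributes of one local user entry against what the
IdP sent in a single response: multi-valued attributes (e.g. memberOf) are
compared as sets, a mapped attribute the IdP omitted is cleared, and all
changes are applied in one write. ATTRIBUTE_MAPPING, the sample entry and
the helper names are assumptions for illustration, not oxAuth API."""

# Remote (Passport) attribute name -> local LDAP attribute name.
# Constructed for this example; the real mapping comes from the custom
# script properties / passport-saml-config.json.
ATTRIBUTE_MAPPING = {
    "memberOf": "memberOf",
    "displayName": "displayName",
    "mail": "mail",
    "givenName": "givenName",
}

# Local attributes that must never be overwritten from the IdP payload.
PROTECTED_LOCAL = {"provider", "uid"}


def normalize(value):
    """Return an attribute value as a sorted list of unique strings.

    Accepts None, the string "undefined" (what the original script checked
    for), a single string, or any iterable. Passport delivers memberOf as an
    array; handing that array to a String parameter is exactly what produced
    "3rd arg can't be coerced to String" in the log above.
    """
    if value is None or value == "undefined":
        return []
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if isinstance(value, str):
        return [value]
    return sorted({str(v) for v in value})


def compute_changes(entry, response, mapping=ATTRIBUTE_MAPPING):
    """Diff the current local entry against the IdP response.

    Returns {local_attr: new_values}. An empty list means "clear it": the
    attribute is mapped but the IdP sent nothing for it this time.
    """
    changes = {}
    for remote_name, local_name in mapping.items():
        if local_name in PROTECTED_LOCAL:
            continue
        wanted = normalize(response.get(remote_name))
        current = normalize(entry.get(local_name))
        if wanted != current:
            changes[local_name] = wanted
    return changes


def apply_changes(entry, changes):
    """Apply every change to the entry in one pass and return how many
    attributes were touched. In a real script this is the single point where
    the entry would be written back, instead of one write per attribute."""
    for name, values in changes.items():
        if values:
            entry[name] = list(values)
        else:
            entry.pop(name, None)
    return len(changes)


def run_example():
    """Constructed sample: the user's groups grew on the IdP side and the
    IdP dropped displayName from this assertion. Returns (changes, entry)."""
    entry = {
        "uid": ["jdoe"],
        "memberOf": ["cn=devops,cn=Users,dc=example,dc=net"],
        "displayName": ["Jane Doe"],
        "mail": ["jdoe@example.net"],
    }
    response = {
        "memberOf": [
            "cn=devops,cn=Users,dc=example,dc=net",
            "cn=Engineers,cn=Users,dc=example,dc=net",
        ],
        "mail": "jdoe@example.net",
        "givenName": "Jane",
    }
    changes = compute_changes(entry, response)
    apply_changes(entry, changes)
    return changes, entry


if __name__ == "__main__":
    for attr, values in run_example()[0].items():
        print(attr, "->", values or "(cleared)")
```

Comparing normalized lists rather than `getAttributeValues(...)[0]` is what makes a group added on the IdP side show up as a change on the next login; clearing omitted attributes is deliberate and means a mapping should only be configured for attributes the IdP always sends.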

By Mohib Zico staff 11 Jul 2018 at 3:23 a.m. CDT

Hello Sean, Just touching base to know if you had a chance to test our suggestions...

By Sean Warren named 12 Jul 2018 at 11:31 a.m. CDT

Attached are both the original answer file answer_5669_passport-saml_clickfox_custom_memberof.py and the script with the singleton fix answer_5669_passport-saml_plus_fixed_singleton.py. Note that while this fix works specifically for "memberOf", it appears that other aspects like "Display name" are not being updated on the passport side when updated on the IDP side.

By Aliaksandr Samuseu staff 12 Jul 2018 at 11:40 a.m. CDT

Hi, Sean.

> I added the fix from FXPB-1508 READY FOR CODE REVIEW

Do you mean a pull request at Github? Please note that the latest Passport-SAML script in the "master" branch is completely different now (the newest version was submitted by its developer last week); we can't merge your current script and the one from "master" anymore, as it has a totally different structure and its flow was redesigned completely. I've contacted the developer and warned him about the issues you encountered, asking him to account for multi-valued attributes from now on as well. We still need to test the new version properly before we'll be able to suggest you use it in production. Please also note that this new version won't be usable in your current Gluu instance, at least not without a lot of manual patching. I believe you deployed it as a test, or sort of proof of concept, in the past? For production you must use the official 3.1.3 release package, or newer.

By Sean Warren named 12 Jul 2018 at 2:01 p.m. CDT

We are using Gluu 3.1.3; I simply included additional detail from the testing side of it. We are using the script as provided by Gluu; however, the issue currently is: while this fix works specifically for "memberOf", it appears that other aspects like "Display name" are not being updated on the passport side when updated on the IDP side.

By Aliaksandr Samuseu staff 12 Jul 2018 at 2:37 p.m. CDT

> We are using the Gluu 3.1.3

If I'm not mistaken, you are using a pre-release package, 3.1.3 RC6, aren't you? For example, when I tried to use your script in the current release 3.1.3 package, it didn't work.

> while this fix works specifically for "memberOf", it appears that other aspects like "Display name" are not being updated on the passport side when updated on the IDP side.

This probably has something to do with mappings; the script doesn't distinguish attributes by their names. I'll need to retest this in my local setup to answer this. Will get back to you shortly.

By Sean Warren named 16 Jul 2018 at 9:55 a.m. CDT

Here is the specific version that we have installed: gluu-server-3.1.3-1-4.centos7.x86_64

By Aliaksandr Samuseu staff 18 Jul 2018 at 1:09 p.m. CDT

Thanks, Sean. Could you also provide the output of the following command (from within the container)? It will allow us to see the exact version of the components used:

`# cat /opt/jetty-9.4/temp/jetty-localhost-808*/webapp/META-INF/MANIFEST.MF`

Also, here are the steps to map the `displayName` attribute which should work for your setup:

1. Log in to the web UI and review the properties of the "passport_saml" custom script; make sure the `displayName` attribute is correctly mapped there (see attached picture)
2. Move into the container
3. Review your `/etc/gluu/conf/passport-saml-config.json` file; make sure there is a mapping for `displayName` looking like this: `"displayName": "urn:oid:2.16.840.1.113730.3.1.241",`
4. Edit the `/opt/gluu/node/passport/server/auth/saml.js` file; find the section which looks similar to the excerpt below and make sure the line responsible for the `displayName` mapping is present:

   ```
   var userProfile = {
       id: profile[mapping["id"]] || '',
       memberOf: profile[mapping["memberOf"]] || '',
       displayName: profile[mapping["displayName"]] || '',
       name: profile[mapping["name"]] || '',
       username: profile[mapping["username"]] || '',
       email: profile[mapping["email"]],
       givenName: profile[mapping["givenName"]] || '',
       familyName: profile[mapping["familyName"]] || '',
       provider: profile[mapping["provider"]] || '',
       accessToken: "accesstoken"
   };
   ```

5. Prepare a directory tree for oxAuth's custom pages (if you don't already have one): `# mkdir -p /opt/gluu/jetty/oxauth/custom/pages/auth/passport/`
6. Put the attached modified `passportpostlogin.xhtml` page under that directory
7. Set permissions: `# chown -R jetty:jetty /opt/gluu/jetty/oxauth/custom/pages/`
8. Restart passport: `# service passport restart`
9. Restart oxAuth: `# service oxauth restart`

This should be it.
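Steps 1, 3 and 4 above are three places where the same attribute has to line up (the script's remote/local attribute lists, `passport-saml-config.json`, and the `userProfile` object in `saml.js`). The following is an added example, not part of this ticket or of Gluu's code, of checking all three offline before touching the server. The sample lists, config and `saml.js` excerpt are constructed to reproduce what was reported later in this thread (displayName mapped to "User ID", no displayName line in `userProfile`); the expected OID is the one quoted in step 3, and pairing the two attribute lists by position is an assumption about how the script builds its mapping.

```python
"""Added example, not Gluu's code: offline consistency checks for the
displayName mapping steps (script attribute lists, passport-saml-config.json,
saml.js userProfile). Inputs are constructed; positional pairing of the two
attribute lists is an assumption, not documented Gluu behaviour."""
import json
import re

# Expected local attribute -> SAML attribute name for this setup (step 3).
EXPECTED_CONFIG = {"displayName": "urn:oid:2.16.840.1.113730.3.1.241"}

# Matches one `key: profile[mapping["key"]]` line of the userProfile object.
PROFILE_LINE = re.compile(r'^\s*(\w+)\s*:\s*profile\[mapping\["(\w+)"\]\]', re.M)

# Constructed samples reproducing the reported state (not from a real server).
SAMPLE_REMOTE_LIST = "id,memberOf,name,username,email,givenName,familyName,provider"
SAMPLE_LOCAL_LIST = "inum,memberOf,displayName,uid,mail,givenName,sn,provider"
SAMPLE_CONFIG = '{"displayName": "User ID", "memberOf": "memberOf"}'
SAMPLE_SAML_JS = """
var userProfile = {
    id: profile[mapping["id"]] || '',
    memberOf: profile[mapping["memberOf"]] || '',
    name: profile[mapping["name"]] || '',
    email: profile[mapping["email"]],
    provider: profile[mapping["provider"]] || '',
    accessToken: "accesstoken"
};
"""


def pair_attribute_lists(remote_csv, local_csv):
    """Split the script's comma-separated remote and local attribute lists
    and pair them by position (assumed). Returns (local_to_remote, issues)."""
    remote = [a.strip() for a in remote_csv.split(",") if a.strip()]
    local = [a.strip() for a in local_csv.split(",") if a.strip()]
    issues = []
    if len(remote) != len(local):
        issues.append("attribute lists differ in length: %d remote, %d local"
                      % (len(remote), len(local)))
    return dict(zip(local, remote)), issues


def check_config(config_text, expected=EXPECTED_CONFIG):
    """Parse passport-saml-config.json text and compare the mappings we care
    about against the expected SAML attribute names."""
    cfg = json.loads(config_text)
    issues = []
    for local_name, want in expected.items():
        got = cfg.get(local_name)
        if got is None:
            issues.append("%s: no mapping in config" % local_name)
        elif got != want:
            issues.append("%s: mapped to %r, expected %r" % (local_name, got, want))
    return issues


def profile_keys(saml_js_text):
    """Return the set of keys userProfile reads through `mapping`."""
    return {m.group(1) for m in PROFILE_LINE.finditer(saml_js_text)}


def check_saml_js(saml_js_text, required=("displayName",)):
    """Report required keys missing from the userProfile object."""
    keys = profile_keys(saml_js_text)
    return ["userProfile has no %s line" % k for k in required if k not in keys]


def run_checks(remote_csv=SAMPLE_REMOTE_LIST, local_csv=SAMPLE_LOCAL_LIST,
               config_text=SAMPLE_CONFIG, saml_js_text=SAMPLE_SAML_JS):
    """Run all three checks and return the combined list of findings."""
    local_to_remote, issues = pair_attribute_lists(remote_csv, local_csv)
    fed_by = local_to_remote.get("displayName")
    if fed_by != "displayName":
        issues.append("displayName is fed by remote attribute %r, not 'displayName'" % fed_by)
    issues += check_config(config_text)
    issues += check_saml_js(saml_js_text)
    return issues


if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

An empty result from `run_checks()` means the three places agree; on the constructed sample it reports the positional pairing, the "User ID" mapping and the missing `userProfile` line, which are the three findings reported further down in this thread.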

By Sean Warren named 23 Jul 2018 at 11:28 a.m. CDT

+ Ian

By Aliaksandr Samuseu staff 23 Jul 2018 at 12:42 p.m. CDT

Hi, Sean. Did something go wrong and the rest of your post was lost?

By Mohib Zico staff 01 Aug 2018 at 6:52 a.m. CDT

Hello Sean, Closing this ticket due to inactivity. Please feel free to reopen if required.

By Sean Warren named 27 Aug 2018 at 9:23 a.m. CDT

> Log in to web UI and review properties of "passport_saml" custom script; make sure displayName attribute is correctly mapped there (see attached picture)

"displayName" is available in "generic_local_attributes_list", but not "generic_remote_attributes_list".

> Move into container
> Review your /etc/gluu/conf/passport-saml-config.json file; make sure there is a mapping for displayName looking like this: "displayName": "urn:oid:2.16.840.1.113730.3.1.241",

This is mapped as in /etc/gluu/conf/passport-saml-config.json: `"displayName": "User ID",`

> Edit /opt/gluu/node/passport/server/auth/saml.js file; find section which looks similar to excerpt below and make sure line responsible for displayName mapping is present:

"displayName" is not present here.

Pending approval to perform the following on the production environment:

- Prepare a directory tree for oxAuth's custom pages (if you don't already have one): `# mkdir -p /opt/gluu/jetty/oxauth/custom/pages/auth/passport/`
- Put the attached modified passportpostlogin.xhtml page under that directory
- Set permissions: `# chown -R jetty:jetty /opt/gluu/jetty/oxauth/custom/pages/`
- Restart passport: `# service passport restart`
- Restart oxAuth: `# service oxauth restart`

By Aliaksandr Samuseu staff 29 Aug 2018 at 1:04 p.m. CDT

Hi, Sean

> "displayName" is available in "generic_local_attributes_list", but not "generic_remote_attributes_list"

Yes, it's mapped to a different attribute by default. You'll need to change the mappings as shown on the picture.

> This is mapped as in /etc/gluu/conf/passport-saml-config.json: "displayName": "User ID",

Yes, that's the problem. You need to remap it to `"urn:oid:2.16.840.1.113730.3.1.241"`

> "displayName" is not present here

Correct, please update it as the example shows.

> Pending approval to perform the following on the production environment:
> Prepare a directory tree for oxAuth's custom pages (if you don't already have one): # mkdir -p /opt/gluu/jetty/oxauth/custom/pages/auth/passport/
> Put the attached modified passportpostlogin.xhtml page under that directory
> Set permissions: # chown -R jetty:jetty /opt/gluu/jetty/oxauth/custom/pages/
> Restart passport: # service passport restart
> Restart oxAuth: # service oxauth restart

You mean you're waiting for approval from your management for this, is this correct? Please let us know if you need something on our side to proceed.

By Mohib Zico staff 06 Sep 2018 at 1:11 p.m. CDT

Hello Sean, Should we keep this ticket open, or is there anything else we can assist you with regarding this issue?

By Sean Warren named 10 Sep 2018 at 10:14 a.m. CDT

Please keep this ticket open, low priority while we verify.

By Mohib Zico staff 13 Sep 2018 at 2:48 a.m. CDT

Sure. Thanks, Sean.

By Mohib Zico staff 05 Oct 2018 at 1:33 p.m. CDT

Hello Sean, Do you think we can close this issue for now? We will reopen it when we start working on this again.

By Mohib Zico staff 17 Oct 2018 at 8:38 a.m. CDT

Hi Sean, Let's reopen when both of us are ready to move forward.