bduffey
(Blake Duffey)
1
I’m using the API call api/users/update_identity_provider to migrate users from LDAP to SAML
When I issue this command, it works:
http://localhost:9000/api/users/update_identity_provider?login=blake&newExternalProvider=saml&newExternalIdentity=blake.duffey@noblis.org
When I issue this command, it works:
http://localhost:9000/api/users/update_identity_provider?login=blake&newExternalProvider=saml&newExternalIdentity=Blake\.Duffey@noblis.org
When I issue this command, it fails:
http://localhost:9000/api/users/update_identity_provider?login=blake&newExternalProvider=saml&newExternalIdentity=Blake.Duffey@noblis.org
If the first ‘.’ in the email address is followed by a capital letter, I get
Invoke-RestMethod : The remote server returned an error: (400) Bad Request.
I can run the same command with these parameters without issue:
BlakeADuffey
blake.duffey
Blake.duffey
bduffey
(Blake Duffey)
2
This causes a pretty significant problem because the email addresses in our IdP are capitalized.
So when I convert an LDAP user, the identity has to match exactly. Otherwise, the SAML login creates a 2nd account.
bduffey
(Blake Duffey)
3
Since I never got any response - I was able to work around this by doing the following:
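# $headers is assumed to be defined earlier (it is not shown in the post).
$login = "ldap_ID"
$newIdentity = "email.address@domain.com"
# Step 1: switch the provider to SAML without setting the identity.
$foo = "http://localhost:9000/api/users/update_identity_provider?login=$login&newExternalProvider=saml"
Invoke-RestMethod -Uri $foo -Headers $headers -Method POST
# Step 2: repeat the call, this time with the new external identity.
$foo = "http://localhost:9000/api/users/update_identity_provider?login=$login&newExternalProvider=saml&newExternalIdentity=$newIdentity"
Invoke-RestMethod -Uri $foo -Headers $headers -Method POST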
For some reason if you do it as 2 separate steps it works.
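The posts above note that the stored identity must match the IdP value exactly, or the SAML login creates a second account. The following is an added example, not part of the original posts or SonarQube's own code, that checks migrated records for case-only mismatches. The user records and expected identities are constructed, and the field names login, externalProvider and externalIdentity are assumptions about what a user listing contains.

```powershell
# Constructed sample records; field names are assumptions, not taken from the thread.
$sonarUsers = @(
    [pscustomobject]@{ login = 'blake';  externalProvider = 'saml'; externalIdentity = 'blake.duffey@example.org' }
    [pscustomobject]@{ login = 'asmith'; externalProvider = 'saml'; externalIdentity = 'Alice.Smith@example.org' }
    [pscustomobject]@{ login = 'jdoe';   externalProvider = 'ldap'; externalIdentity = 'jdoe' }
)

# Identity each login should carry, exactly as the IdP sends it (constructed).
$expected = @{
    blake  = 'Blake.Duffey@example.org'
    asmith = 'Alice.Smith@example.org'
    jdoe   = 'John.Doe@example.org'
}

function Test-IdentityMigration {
    param(
        [Parameter(Mandatory)] [object[]]  $Users,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    foreach ($u in $Users) {
        if (-not $Expected.ContainsKey($u.login)) { continue }
        $want = $Expected[$u.login]
        # -ceq compares case-sensitively. PowerShell's default -eq ignores case
        # and would report a case-only mismatch as a match.
        if ($u.externalProvider -cne 'saml') { $status = 'NotMigrated' }
        elseif ($u.externalIdentity -ceq $want) { $status = 'Ok' }
        elseif ($u.externalIdentity -ieq $want) { $status = 'CaseMismatch' }
        else { $status = 'WrongIdentity' }

        [pscustomobject]@{
            Login    = $u.login
            Stored   = $u.externalIdentity
            Expected = $want
            Status   = $status
        }
    }
}

# With the sample data: blake is CaseMismatch, asmith is Ok, jdoe is NotMigrated.
Test-IdentityMigration -Users $sonarUsers -Expected $expected | Format-Table -AutoSize
```

Any row reported as CaseMismatch is an account that would not be matched on SAML login and should be corrected before users sign in.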
ganncamp
(G Ann Campbell)
5
Hi,
Thanks for this report and sorry it got overlooked initially.
I’ve flagged this for team attention.
Ann
Hi @bduffey,
Thanks for the detailed report and for the workaround that you found!
We’ll investigate this on our side and we’ll open a ticket if we confirm it.
I’ll post an update as soon as we find time to take a look.
Hi Blake,
Sorry for the very late answer.
Since 10.4, we deprecated POST api/users/update_identity_provider and we recommend using PATCH api/v2/users-management/users/{id}.
Cheers,