I’m testing the SAML authentication on a (docker based) instance of version 10.0.
The authentication basically works, but I ran into some issues I would like to clarify.
- Why is a migration needed for each user individually?
  I have a server with more than 100 users. Do I really need to “curl” all users to /api/users/update_identity_provider manually?
- The login identification seems to be case-sensitive. Is this really necessary and by design?
  I have users in the system which are currently identified with a name like lukas, but in the Azure AD they are named like Lukas.
  Would it be possible to make the identification case-insensitive?
- Why is the email address checked during login?
  I have a local administrator (no SAML!) which I would like to configure with my personal email address.
  The same email address is configured in my personal AD account.
  If I have configured both SQ users with the same email address, I cannot log in with SAML anymore and get the following error message:
  This account is already associated with another authentication method.
  Sign in using the current authentication method,
  or contact your administrator to transfer your account to a different authentication method.
  This is confusing because the configured identity is the domain user name (onpremisessamaccountname).
- I started testing with version 9.9. There I configured the attribute
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  as “SAML group attribute”.
  After migration to version 10.0 this attribute disappeared from the configuration.
  Why?