
I'm using the SAML v2 Reconcile lambda to map roles from an ADFS server:

// FusionAuth SAML v2 Reconcile lambda: copy the ADFS group claim values onto the registration as roles.
function reconcile(user, registration, samlResponse) {
  // The group claim arrives as an array of strings; fall back to no roles if the claim is absent.
  var roles = samlResponse.assertion.attributes['http://schemas.xmlsoap.org/claims/Group'] || [];

  registration.roles = roles;
}

The code seems to work correctly when adding new roles. The user registration is assigned the roles correctly.

However when I remove roles in the AD it is not reflected in the user registration.

In the event log it does seem like the roles have been removed from the registration, but when I view the user in the UI they remain the same.

8/26/2019 02:11:26 PM EEST Invoke configured lambda with Id [f9b358a9-63a2-4a28-b126-e70f9e0445f3]
8/26/2019 02:11:26 PM EEST User to reconcile: 
{
  "encryptionScheme" : null,
  "factor" : null,
  "id" : null,
  "password" : null,
  "passwordChangeRequired" : false,
  "passwordLastUpdateInstant" : null,
  "salt" : null,
  "verified" : false,
  "preferredLanguages" : [ ],
  "memberships" : [ ],
  "registrations" : [ {
    "data" : { },
    "preferredLanguages" : [ ],
    "tokens" : { },
    "applicationId" : "e6bc6d79-98b1-4a3b-8621-2a0a4dc9465c",
    "authenticationToken" : null,
    "cleanSpeakId" : null,
    "id" : null,
    "insertInstant" : null,
    "lastLoginInstant" : null,
    "roles" : [ ], <------------ roles are empty
    "timezone" : null,
    "username" : null,
    "usernameStatus" : null,
    "verified" : false
  } ],
  "active" : false,
  "birthDate" : null,
  "cleanSpeakId" : null,
  "data" : { },
  "email" : "johanad@xx",
  "expiry" : null,
  "firstName" : null,
  "fullName" : null,
  "imageUrl" : null,
  "insertInstant" : null,
  "lastLoginInstant" : null,
  "lastName" : null,
  "middleName" : null,
  "mobilePhone" : null,
  "parentEmail" : null,
  "tenantId" : null,
  "timezone" : null,
  "twoFactorDelivery" : null,
  "twoFactorEnabled" : false,
  "twoFactorSecret" : null,
  "username" : null,
  "usernameStatus" : null
}
8/26/2019 02:11:26 PM EEST The user with the email address [johanad@xx] already exists.
8/26/2019 02:11:26 PM EEST Merge the reconciled user from the Identity Provider into the FusionAuth user.
8/26/2019 02:11:26 PM EEST User is already registered for application with Id [e6bc6d79-98b1-4a3b-8621-2a0a4dc9465c].
8/26/2019 02:11:26 PM EEST User has successfully been reconciled and logged into FusionAuth.
johan

1 Answer


This is the current behavior of the external IdP handling. FusionAuth doesn't know if the external IdP is handling roles or not, so it currently keeps the roles that are in the FusionAuth database and ignores the roles set via the Lambda. This only happens when the user already exists. For new users, the roles can be set in the Lambda.

I think the root cause of this is that some IdPs don't provide roles and they need to be managed completely in FusionAuth. Other IdPs will provide roles and they can be mapped in the Lambda. It looks like when we added Lambdas, we didn't add the ability to specify if an Identity Provider would be providing roles.

The way to solve this is for FusionAuth to have a new flag on the Identity Provider that indicates whether or not the IdP will be resolving and managing the roles or not.

If you want to open a feature request on our GitHub issue tracker, we might be able to get this on the roadmap for you. You can also reach out regarding professional services if you need this feature built for you quickly.

voidmain
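An added example, not part of the question or the answer and not FusionAuth's own code. It shows the two points above in runnable JavaScript: first, a reconcile lambda that maps ADFS group claims to application roles through an explicit allowlist instead of assigning raw group names (so an unexpected AD group cannot silently become an application role, and a single-valued claim that arrives as a string is handled); second, a small model of the merge behaviour the answer describes, where an existing user's database roles win over the lambda's roles. The `GROUP_TO_ROLE` map, the distinguished names in it, the sample claim set and the `idpManagesRoles` flag (the kind of per-IdP flag the answer proposes) are all assumptions made for this example.

```javascript
// Added example; not code from the original question or from FusionAuth.
// Assumptions: the GROUP_TO_ROLE allowlist, the group DNs and the
// idpManagesRoles flag are illustrative only.

var GROUP_CLAIM = 'http://schemas.xmlsoap.org/claims/Group';

// Explicit allowlist: ADFS group name -> application role.
// Groups not listed here grant nothing.
var GROUP_TO_ROLE = {
  'CN=App-Admins,OU=Groups,DC=example,DC=com': 'admin',
  'CN=App-Users,OU=Groups,DC=example,DC=com': 'user'
};

// Translate the group claim into a sorted, de-duplicated list of roles.
function groupsToRoles(attributes) {
  var raw = attributes ? attributes[GROUP_CLAIM] : undefined;
  if (raw === undefined || raw === null) {
    return [];
  }
  // A claim with a single value may be delivered as a plain string.
  var groups = Array.isArray(raw) ? raw : [raw];
  var seen = {};
  for (var i = 0; i < groups.length; i++) {
    var role = GROUP_TO_ROLE[groups[i]];
    if (role) {
      seen[role] = true;
    }
  }
  return Object.keys(seen).sort();
}

// Reconcile lambda in the same shape as the one in the question.
function reconcile(user, registration, samlResponse) {
  registration.roles = groupsToRoles(samlResponse.assertion.attributes);
}

// Model of the merge described in the answer. existingRoles === null means
// the user does not exist yet, so the reconciled roles are applied. For an
// existing user the stored roles are kept unless the (hypothetical)
// idpManagesRoles flag says the IdP owns the roles.
function mergeRegistrationRoles(existingRoles, reconciledRoles, idpManagesRoles) {
  if (existingRoles === null) {
    return reconciledRoles.slice();
  }
  return idpManagesRoles ? reconciledRoles.slice() : existingRoles.slice();
}

// Constructed sample: the user was an admin, and the admin group has since
// been removed in AD, so the new assertion only carries the users group plus
// an unrelated group that maps to nothing.
function demo() {
  var samlResponse = {
    assertion: {
      attributes: {
        'http://schemas.xmlsoap.org/claims/Group': [
          'CN=App-Users,OU=Groups,DC=example,DC=com',
          'CN=Unrelated,OU=Groups,DC=example,DC=com'
        ]
      }
    }
  };
  var registration = { roles: [] };
  reconcile({}, registration, samlResponse);

  var storedRoles = ['admin', 'user'];
  return {
    reconciled: registration.roles,
    currentBehaviour: mergeRegistrationRoles(storedRoles, registration.roles, false),
    withFlag: mergeRegistrationRoles(storedRoles, registration.roles, true),
    newUser: mergeRegistrationRoles(null, registration.roles, false)
  };
}
```

With the current behaviour the stale `admin` role survives the login; only a new user, or an IdP marked as managing roles, ends up with just `user`. Until such a flag exists, removing a role in AD has to be mirrored by removing it on the FusionAuth registration as well.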