Unique Identifier in SAML SSO

  • Dev Null
    Participant
    # 3 weeks, 4 days ago

    Hi,

    We’re using the miniOrange SSO using SAML 2.0 (premium) plugin, and today I noticed some interesting behaviour. We have Username mapped to urn:oid:0.9.2342.19200300.100.1.1 and Email mapped to urn:oid:0.9.2342.19200300.100.1.3 – standard Educause mappings. But today I noticed that my account was manually created – before we installed miniOrange – with the wrong username but the correct email. The value in the Username field in WordPress does _not_ match the value returned for me for urn:oid:0.9.2342.19200300.100.1.1 from the IdP. Yet WordPress and miniOrange are still logging me in via SSO, and recognizing me as the correct account.

    How? Is it using the fact that the Email addresses match to override the fact that the usernames do not? So any user, with any username but my email address, can login to my account?

    We also have a number of users with no email address in WordPress. How are those users identified? Will it match on username only if email is blank? Or also if the emails don’t match?

    prashantkhurana
    Participant
    # 2 weeks, 3 days ago

    Hi there,

    Thanks for being our premium customer.

    Please find my answers below.

    >>Yet WordPress and miniOrange are still logging me in via SSO and recognizing me as the correct account.
    Yes, it will log you in because you are authenticated by your IDP. If the username (after attribute mapping) received in the SAML response is not present in the WordPress then it will check for email, if the email is present then it will log you in.

    >>Is it using the fact that the Email addresses match to override the fact that the usernames do not?
    Users with different usernames have different accounts. The plugin first checks if the username in the SAML response is present in the WordPress or not if the username is present then it will update all field that doesn’t match with the attributes from the SAML response that you have mapped in the plugin. If the username is not present then only it will consider email as an identifier. As both username and email are unique to an account.

    >>So any user, with any username but my email address, can log in to my account?
    At WordPress, both username and email address are unique for a user.
    Similarly, in most user directories or IDPs, both the username and email address are unique for a user.
    As mentioned above, the SAML SSO plugin first checks if the username received from the SAML Response matches with any account present at the WordPress site. If it is present, then the plugin will log you into that user account.
    If not, it will check if the email address received from the IDP is already present and log you in to the account if found.

    >>We also have a number of users with no email address in WordPress. How are those users identified? Will it match on username only if the email is blank? Or also if the emails don’t match?
    Yes, if the username is matched then email checking will not come into the play. After checking the username if the email is not matched then the plugin will update the email based on the response received from the IDP and attribute mapping in the plug-in.

    Do you only want the account mapping to work as per the username? In this case, you can reach out to us at samlsupport@xecurify.com and we can customize the plugin for your use-case.

    Feel free to contact me if you have any other questions.

    Thanks & Regards
    Team miniOrange

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.