Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
494
Views
5
Helpful
4
Replies

Guest Single Click with LDAP

Go to solution
paul
Level 10
Level 10

‎06-21-2019 07:38 AM - edited ‎06-21-2019 08:01 AM

I am doing a guest install where the guest PSNs are not joined to AD and we are using LDAP.  We have an group mapped into to the sponsor role and the users can log into the sponsor portal without an issue using their account name (JDoe4567 as an example).   The user's email address is jdoe@customer.com.  Because they are doing O365 they have changed all their UPNs to jdoe4567@customer.com.  The only LDAP attribute that has the email address in it is the Mail attribute.

 

When the guest enters jdoe@customer.com in as the person they are visiting the sponsor receives an email but has to sign into the portal which means the single click process didn't work.  We set this up in a lab as well and changed the UPN to jdoe@customer.com and single clicked worked perfectly. 

 

Is ISE only looking up the UPN attribute when it does the single click look-up based on the email address?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to Jason Kunst

‎06-24-2019 01:57 PM

Not yet. We did some more debugging on the issue and can't get consistent results. We tried both LDAP group membership and using LDAP attributes to assign sponsor roles.



We will be opening a TAC case this week. The single click approval is a nice to have for the customer. We are working through other issues so we can start a pilot. We can do the pilot without single click working.


View solution in original post

0 Helpful
4 Replies 4

Go to solution
paul
Level 10
Level 10

‎06-21-2019 08:01 AM

An update, we turned on some debugs and we can see in the guest.log that the email lookup is working against LDAP but it says no groups are received.  The same account though works when we sign into the sponsor portal so LDAP groups are working there. 

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎06-24-2019 01:53 PM

I reached out to engineering, did you get a tac case opened?
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Jason Kunst

‎06-24-2019 01:57 PM

Not yet. We did some more debugging on the issue and can't get consistent results. We tried both LDAP group membership and using LDAP attributes to assign sponsor roles.



We will be opening a TAC case this week. The single click approval is a nice to have for the customer. We are working through other issues so we can start a pilot. We can do the pilot without single click working.


0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎06-28-2019 08:33 AM

they said need logs go through tac please
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents