ISE 2.1 SAML Integration problem with Azure

josgarza
Level 1

hi experts,

I'm currently having a problem when enabling SAML authentication with Azure on the Sponsor Portal.

The issue is that, the employee is not able to see his sponsor pending accounts.

After debugging, I found that the attribute that we are using is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name . However, this claim is returning the email in the following format: John.Smith@company.com. If the guest goes to the self-registration portal and types the email in the same format as above (matching the uppercase letters), the sponsor account is able to see the pending account. However, if the guest types the email in lowercase, it doesn't work.

I've tried other claims, but from the logs there's no response from those attributes:

"claims used"

2017-04-24 16:47:16,186 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [SAMLAttributesParser:readDict]: read Dict attribute=<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn>

2017-04-24 16:47:16,186 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [SAMLAttributesParser:readDict]: read Dict attribute=<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name>

2017-04-24 16:47:16,186 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [SAMLAttributesParser:readDict]: read Dict attribute=<http://docs.oasis-open.org/imi/ns/token/saml2/200908/emailaddress>

2017-04-24 16:47:16,186 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [SAMLAttributesParser:readDict]: read Dict attribute=<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>

2017-04-24 16:47:16,186 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [SAMLAttributesParser:readDict]: read Dict attribute=<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/windowsaccountname>

"result"

2017-04-24 16:47:16,187 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] attributeName=<Azure.emailaddress>, not recieved in response, caching with default value=<>

2017-04-24 16:47:16,187 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] attributeName=<Azure.email>, not recieved in response, caching with default value=<>

2017-04-24 16:47:16,187 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] attributeName=<Azure.upn>, not recieved in response, caching with default value=<>

2017-04-24 16:47:16,187 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] attributeName=<Azure.windowsaccountname>, not recieved in response, caching with default value=<>

2017-04-24 16:47:16,187 DEBUG  [http-bio-10.156.92.142-8443-exec-11][] cisco.cpm.saml.framework.SAMLSessionDataCache -::::- [storeAttributesSessionData] idStore=<Azure> userName=John.Smith@company.com>

Any ideas of any other claims I can use? or how to change the email format?
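The behaviour described in the post is a case-sensitive comparison between the SAML claim value (John.Smith@company.com) and the sponsor email the guest typed at self-registration. The following is an added example, not code from the original post and not ISE's own implementation: it parses the AttributeStatement of a constructed SAML assertion using the claim URIs from the debug log, reports which claims were absent (mirroring the "not received in response, caching with default value" lines), and then matches the sponsor against a constructed pending-account list both exactly and with a case-folded comparison. The mapping of ISE dictionary names (Azure.upn, Azure.email, and so on) to claim URIs, the sample assertion, and the pending-account list are all assumptions made for the example.

```python
"""Parse claims from a SAML assertion and match a sponsor to pending guest
accounts case-insensitively. Added example; not ISE code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping of the dictionary attribute names seen in the ISE log to the
# claim URIs that were read from the dictionary (the pairing is a guess).
CLAIMS = {
    "Azure.upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "Azure.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Azure.email": "http://docs.oasis-open.org/imi/ns/token/saml2/200908/emailaddress",
    "Azure.emailaddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Azure.windowsaccountname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/windowsaccountname",
}

# Constructed sample assertion: only the `name` claim is present, as in the log.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>John.Smith@company.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed pending self-registration accounts; the sponsor field holds
# whatever the guest typed, in whatever letter case they used.
PENDING = [
    {"guest": "visitor1@example.org", "sponsor": "john.smith@company.com"},
    {"guest": "visitor2@example.org", "sponsor": "John.Smith@company.com"},
    {"guest": "visitor3@example.org", "sponsor": "jane.doe@company.com"},
]


def parse_claims(assertion_xml, claim_map=CLAIMS):
    """Return ({dict_name: first value or ""}, [dict names absent from the response])."""
    root = ET.fromstring(assertion_xml)
    by_uri = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        by_uri[attr.get("Name")] = values
    received, missing = {}, []
    for dict_name, uri in claim_map.items():
        values = by_uri.get(uri)
        if values:
            received[dict_name] = values[0]
        else:
            received[dict_name] = ""  # same default ISE logged for absent claims
            missing.append(dict_name)
    return received, missing


def canonical_email(addr):
    """Normalise an address for comparison: trim and case-fold the whole string.
    RFC 5321 leaves the local part case-sensitive in principle, but Azure AD and
    practically every mail system treat it case-insensitively, so folding both
    halves is the safe choice as long as it is applied on both sides."""
    return addr.strip().casefold()


def pending_for_sponsor(sponsor_email, pending):
    """Pending accounts whose sponsor matches after canonicalisation."""
    key = canonical_email(sponsor_email)
    return [acct for acct in pending if canonical_email(acct["sponsor"]) == key]


def pending_for_sponsor_exact(sponsor_email, pending):
    """The case-sensitive comparison that reproduces the symptom in the post."""
    return [acct for acct in pending if acct["sponsor"] == sponsor_email]


if __name__ == "__main__":
    claims, missing = parse_claims(SAMPLE_ASSERTION)
    sponsor = claims["Azure.name"]
    print("sponsor from claim:", sponsor, "| claims not received:", missing)
    print("exact match :", [a["guest"] for a in pending_for_sponsor_exact(sponsor, PENDING)])
    print("folded match:", [a["guest"] for a in pending_for_sponsor(sponsor, PENDING)])
```

The exact comparison finds only the guest who happened to type the sponsor address with the same capitalisation; the folded comparison finds both. Whatever canonical form is chosen, it has to be applied at self-registration time and at lookup time, otherwise the two stores drift again.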

Accepted Solution

hslai
Cisco Employee

Is Patch 2 or above applied? This seems same as CSCvb14848.
