SSO with change of PingIDP guest user are disappeared in sponsor portal

sebastian.dietz (Level 1)

Dear all,

 

I've got a small problem with my ISE system regarding a PingIDP change in the sponsor portal.

The sponsor portal is configured via SAML, and in the background the PingIDP authenticates the sponsors based on group membership in the domain.

Unfortunately, more domains have to be connected to the PingIDP, so we wanted to change to another PingIDP that is able to do this.

After this change we saw that no sponsor can see the guest users they created in the portal.

The portal is the same as before. Only the IDP changed, and it has the same config.

 

Now my question:

Is there a way to export the guest users, change to the new IDP and import them again, so that the sponsors can see their guest users after the change?

 

I talked to a colleague who thought that this could be a database problem in ISE.

Sponsors with the same name could get a new ID in the ISE database, and therefore they can't see their old guest users because the IDs no longer match.

 

For example:

The sponsor max.mustermann, authenticated over the old IDP, has created 5 guests. After the change from the old IDP to the new one, the sponsor max.mustermann is authenticated with the same username (nothing changed), but no guest users appear in the sponsor portal.

 

Everything is identical.

 

ISE information:

Version: 2.2.0.470

Patch: 2

PID: ISE-VM-K9

 

Do you know anything about this topic?

 

Many thanks for your response.

Accepted Solution

@Arne Bier thank you. Yes, likely the linkage is broken as it's a different identity source. You could open a TAC case to see if there is a way to remap it in the database.

5 Replies

Arne Bier (VIP)

Hi Sebastian

 

I have not had exactly the same experience as you, but something similar.  Perhaps my solution works for you too, but I am not familiar with how SAML config works for the Sponsor Portal.  If, however, it involves configuring the Sponsor Groups, then I found a bug in ISE 2.4 where, if the User Group name changed whilst being used in the Selected User Groups column, then the Sponsor Portal authentication failed.  I know in your case it doesn't fail, but it seems the SQL index (or whatever) of that user must have changed, and therefore it no longer has any Guest accounts linked to it.  But in my case all I did was toggle the config.  I moved the Selected User Group out of the column, clicked OK, and then moved it back again and clicked OK.  That "re-programmed" something in ISE and got the Sponsor Portal auth working again.  It's a long shot...

 

[Image: ISE sponsor groups.png]

 

Hello Arne,

 

Thank you for your answer.

 

In my case I created two different Identity Source Sequences.

The first one is the old IDP (PingIDP:SPONSOR), while the second (PingIDP_company:SPONSOR) is the new one.

 

 

[Image: IDP_Sponsor.PNG]

 

Could it be that there is no SQL match because of different names?

Could a solution be to delete the old IDP and create the new one with the same name?

 

Thank you for your answer.

Ah ok - so nothing to do with Groups then?  In that case your guess is as good as anyone's ;-)

It's fair to say that deleting and re-adding config often tends to have the desired effect of "fixing" things - it's not ideal, but it might be a solution in your case. And then it can act as a point of discussion with the TAC if you can reproduce it.

 

Hopefully one of the clever Cisco guys can shed more light on how this might work under the covers (SQL etc.) - now imagine if we had access to the Linux CLI and could poke around in the Oracle DB ... heh heh. Wouldn't that be great ...

 

Good luck!


Dear all,

 

I have to reopen the topic :-(

 

After our discussion here in the community I opened a TAC case, which is still open.

The TAC engineer analyzed many things, but in the end the outcome was that I should use "Accounts created by members of this sponsor group" in the sponsor group.

Unfortunately this does not help, because after this change every sponsor can see every guest user.

The cause is that we only have one sponsor group.

 

The TAC engineer found out that for SAML authentication a temporary idStore is built for the sponsors.

Therefore I have an idStore PingIDP and PingIDP_new.

Based on that guess, I just swapped the names.

The result was that neither IDP showed the guests for the sponsors any longer.

 

=> I believe that for every temporary idStore an ID is created which never changes (as I also supposed earlier).

 

Now the question or possibly a workaround:

Is there a way to change the sponsor for the guests via the REST API?

I've tried to export the list of guest users, but I always get a 401 error even though I've configured everything and I authenticate with a sponsor user.

 

Thanks in advance.
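The last post asks two things: how to list guest users over the REST API without the 401, and whether a guest's sponsor can be reassigned. The following is an added example written for this page, not code from the thread, from Cisco or from the TAC case. It assumes the ISE ERS conventions (port 9060, HTTP basic auth, the `/ers/config/guestuser` resource returning a `SearchResult` list and a `GuestUser` detail object with a `sponsorUserName` attribute), a hostname of your own, and an internal ISE sponsor account; the 401 hint reflects the usual cause (ERS does not accept the SAML portal session, it needs an internal sponsor whose sponsor group has the Guest REST API permission enabled) and is a diagnostic hint, not the TAC finding. The thread does not establish that ERS can reassign a guest's sponsor, so the example only lists guests and groups them by sponsor, which is enough to confirm whether the guests still carry the old sponsor name. Paging through `SearchResult.nextPage` is left out for brevity, and the sample response data is constructed.

```python
# Added example (not from the thread): query the ISE ERS guest-user API with an
# internal sponsor account and group the returned guests by sponsor.
import base64
import json
import ssl
import urllib.error
import urllib.request
from collections import defaultdict

ERS_PORT = 9060  # assumption: ISE ERS listens on 9060, not on the portal port 443
GUEST_USER_PATH = "/ers/config/guestuser"


def basic_auth_header(user: str, password: str) -> str:
    """ERS uses HTTP basic auth; a SAML sponsor-portal session does not carry over."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def ers_get(host: str, path: str, user: str, password: str,
            verify_tls: bool = True, timeout: int = 30):
    """GET one ERS resource. Returns (http_status, decoded JSON or None on error)."""
    req = urllib.request.Request(
        f"https://{host}:{ERS_PORT}{path}",
        headers={"Accept": "application/json",
                 "Authorization": basic_auth_header(user, password)},
    )
    # Lab ISE nodes often run a self-signed cert; only disable verification knowingly.
    ctx = None if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def explain_ers_status(status: int) -> str:
    """Plain-language hint for the status codes seen when ERS refuses the call."""
    hints = {
        401: ("credentials rejected: ERS needs an internal ISE sponsor account "
              "(not the SAML login) whose sponsor group has the Guest REST API "
              "permission enabled"),
        403: "authenticated, but the sponsor group lacks permission for this resource",
        404: "ERS not enabled or wrong path (check Administration > Settings > ERS Settings)",
    }
    return hints.get(status, "")


def guests_by_sponsor(guest_details):
    """Group GuestUser detail objects by their sponsorUserName attribute."""
    grouped = defaultdict(list)
    for item in guest_details:
        guest = item["GuestUser"]
        grouped[guest.get("sponsorUserName", "<unknown>")].append(guest["name"])
    return {sponsor: sorted(names) for sponsor, names in grouped.items()}


def fetch_guests_by_sponsor(host, user, password, verify_tls=True):
    """Live variant: list all guest users, fetch each detail, group by sponsor."""
    status, listing = ers_get(host, GUEST_USER_PATH, user, password, verify_tls)
    if status != 200:
        raise RuntimeError(f"ERS list failed: HTTP {status} {explain_ers_status(status)}")
    details = []
    for res in listing["SearchResult"]["resources"]:
        status, detail = ers_get(host, f"{GUEST_USER_PATH}/{res['id']}",
                                 user, password, verify_tls)
        if status == 200:
            details.append(detail)
    return guests_by_sponsor(details)


# Constructed sample of three GuestUser detail responses (assumed field names).
SAMPLE_GUEST_DETAILS = [
    {"GuestUser": {"id": "1", "name": "guest-001", "sponsorUserName": "max.mustermann"}},
    {"GuestUser": {"id": "2", "name": "guest-002", "sponsorUserName": "max.mustermann"}},
    {"GuestUser": {"id": "3", "name": "guest-003", "sponsorUserName": "erika.musterfrau"}},
]

if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with fetch_guests_by_sponsor(
    # "ise.example.com", "ers-sponsor", "secret") against a real node.
    print(json.dumps(guests_by_sponsor(SAMPLE_GUEST_DETAILS), indent=2))
```

If the live call returns 401 even with a correct password, check that the account is an internal ISE user (SAML-authenticated sponsors have no password ISE can verify for basic auth) and that its sponsor group has the Guest REST API permission turned on; if the grouping then shows the guests under the old sponsor name, that confirms the guests are still linked to the previous sponsor identity rather than having been deleted.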
