Make sure default role works
First, make sure your default role assignment is working with a default IriusRisk role (refer to this document if necessary: https://support.iriusrisk.com/hc/en-us/articles/360050136312-SAML-authentication).
Edit your SAMLv2-config.groovy file and make sure you have a default role for testing, like so:
// If there is no information about roles in the SAML Response, IriusRisk will use this property to assign a default role to the User
defaultRole = 'ROLE_PORTFOLIO_VIEW'
Remove yourself from any other groups that may be mapped to a role, and make sure you can log in and get assigned the default role. This confirms that authentication itself is working (as well as the out-of-the-box roles) before you start looking at the group mapping.
Assign the problem role and run a SAML capture
Download your SAML capture tool of choice (we use a Google Chrome extension called SAML Message Decoder) and turn it on.
Try to authenticate to IriusRisk using SSO, then review the SAML capture to confirm that the group attribute is present and that its value is what you expected. Here is a sample SAML capture from an Okta integration:
<saml2:Attribute Name="memberOf"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Everyone</saml2:AttributeValue>
</saml2:Attribute>
In this example the group assigned to my user was "Everyone".
(NOTE: In Azure AD the attribute name will be http://schemas.microsoft.com/ws/2008/06/identity/claims/groups. In Okta it is a custom value; in my case I set it to memberOf.)
Verify Group to Role Mapping
Edit your SAMLv2-config.groovy and make sure you have the right group-to-role mapping. The keys must match the group attribute value from the SAML capture exactly, like so:
// Custom Values, mapping Okta Groups GUIDs (used as keys in the configuration map userGroupToRoleMapping) to Irius RoleGroup names (used as values in the configuration map userGroupToRoleMapping)
userGroupToRoleMapping = [
    'Your_okta_group':'ROLE_TEST_ONLY',
    'Everyone':'ROLE_ADMIN'
]
Verify the Role exists in IriusRisk
Log in to the application (at this point you may need to set the defaultRole from the first step to 'ROLE_ADMIN' so that you can reach the settings pages) and make sure the mapped role exists. In the application, roles are located at Cog/Gear > Users and permissions > Roles.
If the role does exist, make sure its name does not contain any trailing spaces; a role name that differs from the mapped value only by whitespace will not match.
Verify no commas are located in group attribute value
(NOTE: Issue spotted in Ping Federate)
The SAMLv2-config.groovy mapping will never match a key that contains a comma, and it does not recognize anything after a comma in the attribute value. For example, if the attribute value being passed in the SAML capture is:
xsi:type="xs:string">Everyone,test</saml2:AttributeValue>
then the group attribute mapping must still look like this in the SAMLv2-config.groovy file:
'Everyone':'ROLE_ADMIN'
This will not work:
'Everyone,test':'ROLE_ADMIN'
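The three checks above (is the group attribute present in the capture, does some value match a mapping key exactly, and do commas or stray whitespace stop a key or role from ever matching) can be run offline against a saved capture. The script below is an added example for this guide, not IriusRisk code: the matching rules it applies are modelled on the behaviour described in this article (exact key match, text after a comma ignored), not taken from the IriusRisk source, and the sample assertion, mapping and role list are constructed for the example. Paste the AttributeStatement from your own capture in place of SAMPLE_ASSERTION and your own userGroupToRoleMapping entries into the dictionary.

```python
"""Offline check of a captured SAML assertion against a group-to-role mapping.

Added example for this troubleshooting guide; not part of IriusRisk. The
matching rules below are assumed from the article's description, not from
the product source.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names mentioned in the article: the Okta custom attribute and the
# Azure AD groups claim.
GROUP_ATTRIBUTE_NAMES = (
    "memberOf",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
)

# Constructed sample, modelled on the Okta capture in the article but carrying
# the comma-separated value seen with Ping Federate.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">Everyone,test</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Constructed mapping in the shape of userGroupToRoleMapping. Two entries are
# deliberately broken to show what the lint reports.
USER_GROUP_TO_ROLE_MAPPING = {
    "Your_okta_group": "ROLE_TEST_ONLY",  # role not defined in IriusRisk below
    "Everyone": "ROLE_ADMIN",
    "Everyone,test": "ROLE_ADMIN",        # comma in the key: never matches
    "Developers": "ROLE_DEVELOPER ",      # trailing space in the role name
}

# Constructed list of roles as they would appear under
# Cog/Gear > Users and permissions > Roles.
KNOWN_ROLES = {"ROLE_ADMIN", "ROLE_PORTFOLIO_VIEW", "ROLE_DEVELOPER"}

DEFAULT_ROLE = "ROLE_PORTFOLIO_VIEW"


def group_values(assertion_xml):
    """Return the raw text of every AttributeValue under a recognised group attribute."""
    root = ET.fromstring(assertion_xml)
    attr_tag = f"{{{SAML2_NS}}}Attribute"
    value_tag = f"{{{SAML2_NS}}}AttributeValue"
    return [
        (value.text or "")
        for attr in root.iter(attr_tag)
        if attr.get("Name") in GROUP_ATTRIBUTE_NAMES
        for value in attr.iter(value_tag)
    ]


def resolve_roles(values, mapping, default_role):
    """Apply the mapping as the article describes it: only the text before the
    first comma is looked up, and the lookup is an exact string match.
    Falls back to the default role when nothing matches."""
    roles = []
    for raw in values:
        key = raw.split(",", 1)[0]  # anything after a comma is not recognised
        if key in mapping:
            roles.append(mapping[key])
    return roles or [default_role]


def lint_mapping(mapping, known_roles):
    """Report mapping entries that can never take effect."""
    problems = []
    for group, role in mapping.items():
        if "," in group:
            problems.append(f"group key {group!r} contains a comma and will never match")
        if group != group.strip():
            problems.append(f"group key {group!r} has leading/trailing whitespace")
        if role != role.strip():
            problems.append(f"role {role!r} has leading/trailing whitespace")
        elif role not in known_roles:
            problems.append(f"role {role!r} does not exist in IriusRisk")
    return problems


def diagnose(assertion_xml, mapping, known_roles, default_role):
    """Tie the three checks together for one captured assertion."""
    values = group_values(assertion_xml)
    return {
        "group_values": values,
        "assigned_roles": resolve_roles(values, mapping, default_role),
        "mapping_problems": lint_mapping(mapping, known_roles),
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_ASSERTION, USER_GROUP_TO_ROLE_MAPPING,
                         KNOWN_ROLES, DEFAULT_ROLE).items():
        print(f"{k}: {v}")
```

With the constructed inputs the user would land in ROLE_ADMIN via the 'Everyone' key, while the lint flags the comma-containing key, the role name with a trailing space, and the role that is not defined in the application; an empty group_values list means the IdP is not sending the attribute under an expected name, which is the first thing to confirm in the capture.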