Regarding UAA service


Sree Tummidi
 

Hi Dax,
This is happening because your SAML has not been set up properly.
The email, first name and last name need to be mapped to attributes from the incoming SAML assertion.
Please reach out to the Predix team so that they can set the correct attribute mappings.

Thanks,
Sree

Sent from my iPhone

On May 17, 2016, at 7:22 PM, Dax Joshi <dax.joshi(a)tcs.com> wrote:

Hi,

Any update on this ?

Please let me know. I need to solve this issue as soon as possible.


Thanks & Regards,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________




From: Dax Joshi/AHD/TCS
To: Sree Tummidi <stummidi(a)pivotal.io>
Cc: Jonathan Lo <jlo(a)us.ibm.com>, cf-dev(a)lists.cloudfoundry.org
Date: 05/14/2016 10:55 AM
Subject: Re: Regarding UAA service


Hi Sree and Jonathan,

Thank you very much for your consideration and reply.

I am working on Predix. I have bound my UAA service to SAML.

I use GE's common login page to log in, so that with SSO anyone from the same business can use my application.
https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/authorize?client_id=<client-id>&response_type=code


which redirects me to GE's common login page. After a successful login, SAML sends the user information to
https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/saml/SSO/alias/<uaa-url>.cloudfoundry-saml-login

During this redirection I have seen, in the browser's network tab, that SAML is passing the user's correct and full information to UAA as encoded form data, including first name, last name, email, groups, roles, etc.

After that the UAA service redirects the browser to my landing page, which I have set as the redirect_uri, with one cookie named TS0164a009 and a code in the request parameters.

In our application we use that code with the /oauth/token service and get the auth_token. After this we use the auth_token with the /check_token or /userinfo service of UAA to get the user information,

from which we get the following JSON:



{
  "user_id": "d9cf7779-744a-407d-a846-36e0570d70d9",
  "user_name": "sso",
  "email": "sso@unknown.org",
  "client_id": "client_id",
  "exp": 1462921362,
  "scope": [
    "scim.me",
    "openid"
  ],
  "jti": "684643f2-a15a-4fca-b9ca-2f9ba2c22f82",
  "aud": [
    "scim",
    "openid",
    "ppduaa"
  ],
  "sub": "d9cf7779-744a-407d-a846-36e0570d70d9",
  "iss": "https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/token",
  "iat": 1462878162,
  "cid": "client-id",
  "grant_type": "authorization_code",
  "azp": "client_id",
  "auth_time": 1462878076,
  "zid": "489afafd-c6b4-4d81-ae52-e51116af4597",
  "rev_sig": "d8ddc2e6",
  "origin": "gefssstg"
}



Here I have replaced uaa-url, sso and client_id with their actual values.

You can notice that I am not even receiving the correct mail ID; it gives @unknown.org.

In this JSON nothing except sso seems useful to me.

Please guide me on how to get the exact user details from UAA that SAML is passing to it.

Let me know if you need anything else.


Regards,

Dax Joshi





From: Sree Tummidi <stummidi(a)pivotal.io>
To: Jonathan Lo <jlo(a)us.ibm.com>
Cc: Dax Joshi <dax.joshi(a)tcs.com>
Date: 05/14/2016 04:01 AM
Subject: Re: Regarding UAA service



Hi Dax,

Nice to meet you virtually. In the future you can use cf-dev(a)lists.cloudfoundry.org for any UAA & CloudFoundry related questions.
Can you elaborate on what you are trying to achieve with UAA & SAML integration and the use case you have in mind?


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Fri, May 13, 2016 at 10:50 AM, Jonathan Lo <jlo(a)us.ibm.com> wrote:
Hi Dax,

Could you provide a bit more detail so that I can better direct your query? As far as I know, you would be able to decode your access token in order to obtain a user id, with which you could then get more user information.

I've CCed Sree, our UAA PM, on the email.

Regards,

Jonathan

Sent from my iPhone

On May 13, 2016, 4:30:16 AM, dax.joshi(a)tcs.com wrote:

From: dax.joshi(a)tcs.com
To: jlo(a)us.ibm.com
Cc:
Date: May 13, 2016 4:30:16 AM
Subject: Regarding UAA service

Hi Jonathan,

This is Dax Joshi From TCS.

I found your email at https://github.com/GESoftware-CF/uaa.

I have a query regarding getting logged-in user details in the case of the UAA service and SAML integration.

Please let me know if we can talk over the phone at a time convenient for you.

Please include other people in this loop if they can help.


Thanks,

Dax Joshi
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
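The claim set Dax posted above is the usual place to start debugging a SAML login that "works" but yields a placeholder identity. The Python below is an added example, not code from the thread, from Predix or from UAA: it decodes the payload of a UAA access token (without verifying the signature, which is acceptable only for inspecting a token you obtained yourself; any authorization decision must go through signature verification against UAA's /token_key or through /check_token) and flags the symptoms the thread shows, namely the `@unknown.org` placeholder e-mail, a token whose `origin` is the internal `uaa` store rather than the SAML origin key, an expired token, and a token whose `aud` does not include the client that is about to trust it. The sample claims are the ones from the thread with the obfuscated address restored; the `from_userinfo` switch assumes that a /userinfo response carries `given_name` and `family_name` once those attributes are mapped, which /check_token output does not.

```python
"""Inspect the claims UAA returns for a SAML-federated user (added example)."""
import base64
import json
import time

# Constructed sample: the claim set posted in the thread.
SAMPLE_CLAIMS = {
    "user_id": "d9cf7779-744a-407d-a846-36e0570d70d9",
    "user_name": "sso",
    "email": "sso@unknown.org",
    "client_id": "client_id",
    "exp": 1462921362,
    "scope": ["scim.me", "openid"],
    "jti": "684643f2-a15a-4fca-b9ca-2f9ba2c22f82",
    "aud": ["scim", "openid", "ppduaa"],
    "sub": "d9cf7779-744a-407d-a846-36e0570d70d9",
    "iss": "https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/token",
    "iat": 1462878162,
    "cid": "client-id",
    "grant_type": "authorization_code",
    "azp": "client_id",
    "auth_time": 1462878076,
    "zid": "489afafd-c6b4-4d81-ae52-e51116af4597",
    "rev_sig": "d8ddc2e6",
    "origin": "gefssstg",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string (alg=none, empty signature) as test input only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload of a compact-serialization JWT. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialization JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(claims: dict, now=None, expected_client=None, from_userinfo=False) -> list:
    """Return human-readable problems found in a UAA claim set.

    The '@unknown.org' address is the placeholder the thread shows UAA using
    when no email attribute is mapped from the SAML assertion. 'origin' names
    the identity provider the user logged in through; 'uaa' means an internal
    account, to which SAML attribute mappings cannot apply.
    """
    problems = []
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("origin", "uaa") == "uaa":
        problems.append("origin is 'uaa': internal user, not a SAML login")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_client and expected_client not in aud:
        problems.append(f"token not issued for client {expected_client!r}")
    email = claims.get("email", "")
    if not email or email.endswith("@unknown.org"):
        problems.append("email not mapped from the SAML assertion")
    if from_userinfo:  # assumption: /userinfo carries these once mapped
        for field in ("given_name", "family_name"):
            if not claims.get(field):
                problems.append(f"{field} not mapped from the SAML assertion")
    return problems


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    for problem in token_problems(decode_claims(token), now=1462900000):
        print("problem:", problem)
```

Run against the thread's claims the only finding is the unmapped e-mail, which is exactly Sree's diagnosis; once the mapping is fixed the same check passes and the remaining checks (expiry, audience, origin) are the ones a resource server should keep performing in production.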





Siva Balan <mailsiva@...>
 

Hi Dax,
May I request that you log your issue at https://forum.predix.io? There are a
lot more Predix-focused developers on that forum than on this mailing list,
and you are more likely to get a faster answer there.

Thanks
Siva



Sree Tummidi
 

Hi Dax,

Please use the attributes below for mapping:

"phone_number"
"given_name"
"family_name"
"email"


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

On Fri, Jun 3, 2016 at 12:14 AM, Dax Joshi <dax.joshi(a)tcs.com> wrote:

Hello Sree, Jonathan,

Hope you are doing well.

Regarding that issue, it took time, but now it seems that we are on the right
track.

While configuring SAML with UAA, previously we didn't include the following
option:



In the new attempt we tried with these, but it gives 400 Bad Request.

We even tried to map firstname with the following 4 different keys:
"givenName", "givenname",
"name":{"givenName"}, "name":{"givenname"}

But none of them worked. All options gave 400 in response.

When we executed with only "email" from this JSON, it worked well and
now we are getting the correct email ID from the auth_token.

Can you please tell me what keys should be used to map the first name and
last name there?


Thanks & Regards,

Dax Joshi




From: Dax Joshi/AHD/TCS
To: Sree Tummidi <stummidi(a)pivotal.io>
Cc: Jonathan Lo <jlo(a)us.ibm.com>, cf-dev(a)lists.cloudfoundry.org
Date: 05/19/2016 02:24 AM
Subject: Re: Regarding UAA service
------------------------------



Thanks a lot for your response.

We will surely look into it and get back to you.


Thanks & Regards,

Dax Joshi


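Sree's answer gives the four user-attribute keys UAA accepts in a SAML provider's `attributeMappings`, and Dax's message shows what happens with other spellings (400 Bad Request). The Python below is an added example, not code from the thread, from Predix or from UAA. It normalises a mapping the way Dax tried to write it (`givenName`, `givenname`) into the canonical keys, rejects nested shapes such as `"name":{"givenName"}`, and builds the body of a UAA `POST /identity-providers` request of `type: saml` around it. The SAML attribute names on the right-hand side (`FirstName`, `LastName`, `Email`, `Phone`, `Groups`) and the `firstname`/`lastname` aliases are assumptions; use whatever names your IdP actually puts in the assertion. The `external_groups` and `user.attribute.*` keys are UAA's group and custom-attribute mappings and are not discussed in the thread. Whether Predix exposes this UAA API directly or only through its own tooling is also not something the thread settles.

```python
"""Build a UAA SAML identity-provider definition with valid attributeMappings (added example)."""
import json

# Keys UAA accepts for user fields, as listed in the thread.
USER_ATTRIBUTE_KEYS = {"given_name", "family_name", "email", "phone_number"}

# Spellings the thread reports as rejected with 400, plus two assumed ones.
ALIASES = {
    "givenName": "given_name", "givenname": "given_name",
    "familyName": "family_name", "familyname": "family_name",
    "firstname": "given_name", "lastname": "family_name",  # assumed aliases
}


def normalize_attribute_mappings(mappings: dict) -> dict:
    """Return a mapping using only UAA's key names; raise on anything else.

    Values must be the SAML attribute name as a string (a list for
    external_groups). Nested forms like {"name": {"givenName": ...}} are
    not a UAA mapping shape and are rejected.
    """
    out = {}
    for key, saml_attr in mappings.items():
        if key == "external_groups":
            if not isinstance(saml_attr, list) or not all(isinstance(a, str) for a in saml_attr):
                raise ValueError("external_groups must be a list of SAML attribute names")
            out[key] = list(saml_attr)
            continue
        if key in USER_ATTRIBUTE_KEYS or key.startswith("user.attribute."):
            canonical = key
        elif key in ALIASES:
            canonical = ALIASES[key]
        else:
            raise ValueError(f"{key!r} is not a UAA attributeMappings key")
        if not isinstance(saml_attr, str) or not saml_attr:
            raise ValueError(f"{key!r}: value must be the SAML attribute name as a string")
        if canonical in out:
            raise ValueError(f"{canonical!r} mapped twice")
        out[canonical] = saml_attr
    return out


def saml_identity_provider(origin_key: str, name: str, idp_metadata_xml: str, mappings: dict) -> dict:
    """Request body for POST /identity-providers on UAA.

    metadataTrustCheck=True makes UAA verify the signature on the IdP
    metadata instead of trusting whatever XML was pasted in; keep it on
    unless the IdP genuinely publishes unsigned metadata.
    """
    return {
        "type": "saml",
        "originKey": origin_key,  # becomes the 'origin' claim in issued tokens
        "name": name,
        "active": True,
        "config": {
            "metaDataLocation": idp_metadata_xml,
            "nameID": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            "assertionConsumerIndex": 0,
            "metadataTrustCheck": True,
            "showSamlLink": True,
            "linkText": name,
            "attributeMappings": normalize_attribute_mappings(mappings),
        },
    }


if __name__ == "__main__":
    # Constructed input in the shape Dax described, with the keys he tried.
    body = saml_identity_provider(
        origin_key="gefssstg",
        name="GE SSO (staging)",
        idp_metadata_xml="<EntityDescriptor/>",  # placeholder; paste the IdP's real metadata
        mappings={"givenName": "FirstName", "familyname": "LastName",
                  "email": "Email", "phone_number": "Phone",
                  "external_groups": ["Groups"]},
    )
    print(json.dumps(body, indent=2))
```

The request is sent with a client token carrying the `idps.write` scope and, for a zone other than the default (the `zid` in Dax's token identifies his), the `X-Identity-Zone-Id` header. After saving it, log in again and confirm that `email`, `given_name` and `family_name` now come from the assertion; a user record created during the earlier, unmapped logins keeps its placeholder values until UAA updates them on the next successful login with the corrected mapping.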