Bomgar/BeyondTrust relying party?
IAM David Bantz
dabantz at alaska.edu
Mon Oct 17 17:27:18 UTC 2022
I’m surprised an error was based on friendlyNames; does that suggest the
attribute mapping that is configured in the Bomgar interface requires
friendlyName rather than name of the attributes I’m sending? I provided
OID-based names (e.g., urn:oid:0.9.2342.19200300.100.1.1) rather than
friendlyName (e.g., uid).
On 17Oct2022 at 06:10:05, Paul Engle via users <users at shibboleth.net> wrote:
>
> We're also not doing anything special for Bomgar with our standard
> persistent NameID. The only gotcha I ever recall encountering was when we
> were accidentally releasing duplicate attributes with different names but
> the same friendlyName. Bomgar really didn't like that. No one else seemed
> to have a problem with it. Nevertheless, I fixed it so the duplicate
> attributes weren't being released, and it started to work again.
>
> --
> Paul Engle
> IAM Architect
> Identity & Access Management
> pengle at rice.edu 713-348-4702
>
>
> On Fri, Oct 14, 2022 at 8:38 AM Herron, Joel D <herronj at uww.edu> wrote:
>
>> We are allowing their release of the persistent nameID which is just our
>> standard persistent ID (a sha1 hash of a salted UUID). As well I’m
>> releasing:
>> uid, displayName, mail and groupMembership (for authorization in BT)
>>
>> I’m doing nothing special in relying party or in their metadata; it was a
>> really easy setup from what I recall.
>>
>> Hope that helps,
>>
>> --Joel
>>
>> *From: *users <users-bounces at shibboleth.net> on behalf of IAM David
>> Bantz via users <users at shibboleth.net>
>> *Date: *Thursday, October 13, 2022 at 2:40 PM
>> *To: *Shib Users <users at shibboleth.net>
>> *Cc: *IAM David Bantz <dabantz at alaska.edu>
>> *Subject: *Bomgar/BeyondTrust relying party?
>>
>> Have you successfully configured Bomgar (BeyondTrust) for SSO via your
>> Shibb IdP ?
>>
>> Bomgar (BeyondTrust) has a GUI for SAML SSO integration that is mostly
>> clear and straightforward, but seemingly appropriate SAML assertions
>> trigger an “Authentication Failed” message at the service (with no
>> further details).
>>
>> The incoming SAML request specifies a nameid-format:persistent (not
>> mentioned in the GUI), so I configured release of a nameID based on uid
>> (unscoped username) and ePPN (same username, @alaska.edu) with the
>> requested format. Neither alternative produced anything further than
>> “Authentication Failed” at the service.
>>
>> Support has so far been less than useless. Perhaps you know an additional
>> unmentioned requirement or trick?
>>
>> David St Pierre Bantz
>> U Alaska IAM
>> --
>> For Consortium Member technical support, see
>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
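Editor's added example (not code from any poster, Bomgar/BeyondTrust, or the Shibboleth project): a small Python lint for the two things this thread turned on, a NameID whose Format is not the persistent format the SP's request asked for, and several Attribute elements released under different Name values but the same FriendlyName, the duplicate Paul describes Bomgar rejecting. The assertion is built locally from constructed values (the OID for uid is the one David quotes; the displayName and mail OIDs are the standard ones; the subject value, issuer and attribute values are made up), so it runs offline and is not a captured assertion.

```python
"""Lint a SAML 2.0 assertion for a non-persistent NameID and for
FriendlyName collisions across distinct Attribute Names.
Constructed example; nothing here is Bomgar's or Shibboleth's code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed release set: (Name, FriendlyName, NameFormat, [values]).
# The second entry is the accidental duplicate discussed in the thread:
# a different Name, the same FriendlyName.
OID_UID = "urn:oid:0.9.2342.19200300.100.1.1"
RELEASED = [
    (OID_UID, "uid", FMT_URI, ["jdoe"]),
    ("uid", "uid", FMT_BASIC, ["jdoe"]),
    ("urn:oid:2.16.840.1.113730.3.1.241", "displayName", FMT_URI, ["Jane Doe"]),
    ("urn:oid:0.9.2342.19200300.100.1.3", "mail", FMT_URI, ["jdoe@example.edu"]),
]


def build_assertion(nameid_format, nameid_value, attrs):
    """Serialize a minimal, unsigned Assertion (constructed, for linting only)."""
    parts = [
        f'<saml:Assertion xmlns:saml="{SAML2}" ID="_c0ffee" Version="2.0" '
        'IssueInstant="2022-10-17T17:27:18Z">',
        "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>",
        f"<saml:Subject><saml:NameID Format={quoteattr(nameid_format)}>"
        f"{escape(nameid_value)}</saml:NameID></saml:Subject>",
        "<saml:AttributeStatement>",
    ]
    for name, friendly, fmt, values in attrs:
        parts.append(f"<saml:Attribute Name={quoteattr(name)} "
                     f"FriendlyName={quoteattr(friendly)} NameFormat={quoteattr(fmt)}>")
        parts.extend(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        parts.append("</saml:Attribute>")
    parts += ["</saml:AttributeStatement>", "</saml:Assertion>"]
    return "".join(parts)


def parse_assertion(xml_text):
    """Pull the NameID Format and the released attributes out of an Assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    attrs = []
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs.append({
            "name": a.get("Name"),
            "friendly": a.get("FriendlyName"),
            "values": [v.text or "" for v in a.findall("saml:AttributeValue", NS)],
        })
    return {"nameid_format": nameid.get("Format") if nameid is not None else None,
            "attributes": attrs}


def friendlyname_collisions(attrs):
    """Map each FriendlyName to the distinct Names carrying it; keep only collisions."""
    by_friendly = {}
    for a in attrs:
        if not a["friendly"]:
            continue
        names = by_friendly.setdefault(a["friendly"], [])
        if a["name"] not in names:
            names.append(a["name"])
    return {f: names for f, names in by_friendly.items() if len(names) > 1}


def lint_assertion(xml_text, expected_nameid_format=PERSISTENT):
    """Return human-readable findings; an empty list means nothing suspicious."""
    parsed = parse_assertion(xml_text)
    findings = []
    fmt = parsed["nameid_format"]
    if fmt != expected_nameid_format:
        findings.append(f"NameID Format is {fmt!r}, SP requested {expected_nameid_format!r}")
    for friendly, names in friendlyname_collisions(parsed["attributes"]).items():
        findings.append(f"FriendlyName {friendly!r} released under "
                        f"{len(names)} Names: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    # Constructed 40-hex-char subject value standing in for a persistent ID.
    sample = build_assertion(PERSISTENT, "0123456789abcdef0123456789abcdef01234567", RELEASED)
    for finding in lint_assertion(sample):
        print("WARN", finding)
```

Run it against the assertion your IdP actually emits (decode the SAMLResponse from the browser's POST and feed the Assertion element to lint_assertion) rather than against what the attribute-filter policy says it should emit; the duplicate in Paul's case was accidental and would not have shown up in the intended configuration.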