
SAML Attributes don't get updated in the Controller

Kai.Steinwascher
Wanderer

We added the SAML Authentication Provider to our AppDynamics Controller. When a user logs in for the first time the SAML Attributes get mapped to the AppDynamics Attributes Username, Display Name, and Email.

 

Changes to Display Name or Email in the IdP don't get updated in AppDynamics, even if the Attributes in the SAML Response are correct.

 

Is there a way to force an update to the user attributes? Or is it possible to delete a user and recreate it with the next login?


Pratik.Maskey
AppDynamics Team (Retired)

Hi,

 

Once you log in, the user will be created in the system. If you change any of the attributes, it will create a new user. You can delete an existing user with the REST API.

 

Please refer to the following document and the description below:

https://docs.appdynamics.com/display/PRO45/RBAC+API#RBACAPI-DeleteUser

 

curl -X DELETE -u user1@customer1 http(s)://<controller-host>:<controller-port>/controller/api/rbac/v1/users/<user-id>


Replace user1 with your Admin user, customer1 with your account name, <controller-host> with the actual host and <controller-port> with the actual port.
Replace the <user-id> with the ID which you want to delete.

To get the User ID run the following query.

SELECT id, name, email, security_provider_type FROM user WHERE name = '<user-name>' AND account_id = 2 AND security_provider_type = 'SAML';

Replace <user-name> with the name of the user which you want to delete. The above query will return the ID of the user; use that ID and execute the REST API.

 

- Thanks




Hello,

 

Thank you for your answer. The way to delete a SAML user really helped.

But AppDynamics does not create a new user when an attribute is changed. It just ignores it.

The SAML Attribute in the ticket looks like this:

<saml:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">"NAME1"</saml:AttributeValue>

If I change the name from "NAME1" to "NAME2", AppDynamics still shows the old name and no new user is created.

And even if it did, this would lead to a lot of problems - there could be multiple users with the same username and password.

 

Thanks
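
To confirm which side is stale, the attributes in a captured SAML response can be compared with what the Controller has stored for the user. The following is an added example, not part of the original posts and not AppDynamics code; the sample XML, the stored-record field names, and the field-to-attribute mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample shaped like the attribute quoted in the post above.
# Use only responses captured from your own IdP; no signature check is done here.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute FriendlyName="lastname" Name="lastname"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">NAME2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="email" Name="email"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def saml_attributes(xml_text):
    """Return {attribute Name: [values]} for every saml:Attribute element."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def find_drift(xml_text, stored, mapping):
    """Return {field: (stored, asserted)} for mapped fields whose values differ."""
    asserted = saml_attributes(xml_text)
    drift = {}
    for field, saml_name in mapping.items():
        values = asserted.get(saml_name)
        if not values:
            continue  # attribute absent from the assertion: nothing to compare
        if stored.get(field) != values[0]:
            drift[field] = (stored.get(field), values[0])
    return drift

if __name__ == "__main__":
    stored_user = {"display_name": "NAME1", "email": "user@example.com"}  # constructed
    mapping = {"display_name": "lastname", "email": "email"}  # hypothetical mapping
    print(find_drift(SAMPLE_STATEMENT, stored_user, mapping))
```

A non-empty result means the IdP is asserting the new value and the stored record is the stale side.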

Hi Kai,

 

The new user is created in the AppDynamics database once the user is logged in. Did you try to log in after the login? Let me know if we can have a call to discuss the issue.

 

Thanks,

Yogesh




Hello Yogesh,

 

I opened a ticket in the Support Portal. It is easier to send screenshots and SAML responses there.

 

Thanks,

Kai

Thank you




Did AppDynamics ever fix the code?  We are running OnPrem on version 4.3.3.

 

We just implemented the use of SAML on our Dev Controller.  We have three controllers (Dev, QA, Prod).  My first time logging in, using SAML, the attributes were incorrect, so SAML passed through userid to the Name and User fields.  I've since corrected it, and the key field (username) is correct, but the name field (full name) is still my userid.  Does AppD have any plans to fix this and update the fields with what SAML is passing through?

 

What if someone in my org gets married, changes her last name legally, then gets her name changed in our company?  Will she still be known by her maiden last name in AppD?  The way it's coded in AppD, her last name will never change.  And if it does, a new user will not be created.

 

Based on what I read in this thread the issue still exists.

 

I'm aware I can use a curl command to delete the user.  It's not a preferred solution, but I'm sure it works.

 

Ross Flemer

Aetna/CVS

Hello, 

 

I spoke with some people and was told this: "We do sync the SAML attributes on subsequent logins. This was implemented with version 4.5 of the controller."

 

 


Thanks,

Ryan, Cisco AppDynamics Community Manager



