One thing I found when implementing SSO and custom user provisioning was to retrieve the user role from the database using XPath and then assign that association to the user. You might have to retrieve the current user account to assign these if your initial retrieve is not providing an account to assign the role to.
Example:
For the retrieve XPath:
And then assigning:
Hi Branden,
Thank you very much for your detailed answer with the very helpful screenshots. I built it according to your template: first I retrieve the current user from System.User with [id = '[%CurrentUser%]'] and the UserRole I want to assign from System.UserRole with [id = '[%UserRole_Administrator%]'], and then assign this user role to the CurrentUser:
But I get the following error in the SAML log:
Change object 'CurrentUser' should not be null
at SAML20.Azure_Assign_UserRole (Change : 'Change 'CurrentUser' (UserRoles)')
This sounds to me as if the retrieve of the current user does not work properly. Do I really have to retrieve the current user from System.User or Administration.Account?
Also, what is the most elegant way to look in the AssertionAttributeList for the key "userrole" with a specific value (e.g. "user")? Should I use a loop, or can I just use a ListOperation Find? If yes, how do I check whether the ListOperation was successful?
Thanks for your help
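The attribute lookup asked about above, written out as an added example in Python rather than as a Mendix microflow. This is not code from the thread or from the Mendix SAML module; the assertion XML, the attribute names and the role-mapping table are constructed for illustration. It shows the two things a practitioner wants right here: how to check whether the assertion carries "userrole" with a specific value (including the multi-valued case, which a single Find easily misses), and how to fail closed so that a missing or unknown value grants no role and a null target user aborts the assignment instead of silently doing nothing.

```python
"""Added example: map the 'userrole' SAML attribute to an application role.

Not part of the original forum thread or the Mendix SAML module. The assertion,
attribute names and ROLE_MAP below are constructed assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement standing in for what the IdP would send.
# 'userrole' is deliberately multi-valued: a lookup must handle more than one value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userrole">
      <saml:AttributeValue>user</saml:AttributeValue>
      <saml:AttributeValue>reporting</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical allow-list: only attribute values listed here ever grant a role.
# Order is the precedence when several mapped values are present at once.
ROLE_MAP = {
    "admin": "Administrator",
    "user": "User",
}


def parse_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return attribute name -> list of values.

    This is the same key/value data the Mendix AssertionAttributeList holds as a
    list of objects; here it is a plain dict so the lookup is explicit.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(name, []).extend(values)
    return attrs


def has_attribute_value(attrs: Dict[str, List[str]], key: str, value: str) -> bool:
    """'Find key with a specific value': exact, case-sensitive match on any value."""
    return value in attrs.get(key, [])


def resolve_role(attrs: Dict[str, List[str]]) -> Optional[str]:
    """Pick the role to assign, or None. Fails closed: a missing 'userrole'
    or a value that is not in ROLE_MAP grants nothing."""
    for claimed, role in ROLE_MAP.items():
        if has_attribute_value(attrs, "userrole", claimed):
            return role
    return None


class User:
    """Minimal stand-in for the account object the role is attached to."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.roles: List[str] = []


def assign_role(user: Optional[User], role: Optional[str]) -> Optional[User]:
    """Attach the resolved role. A null user is an error, not a no-op: this is
    the situation behind the "Change object ... should not be null" message."""
    if user is None:
        raise ValueError("no user object to assign a role to; retrieve the account first")
    if role is not None and role not in user.roles:
        user.roles.append(role)
    return user


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ASSERTION)
    alice = assign_role(User("alice"), resolve_role(parsed))
    print(parsed, alice.roles)
```

In a microflow the equivalent of has_attribute_value is a Find on the AssertionAttributeList constrained on both key and value, with the result checked for empty before the role is used; the loop form is only needed when one key can appear with several values and each must be inspected, as in the sample above.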
Thank you very much for your detailed help. It works now. Here is my attempt to understand what went wrong:
Since the annotation of the SAML microflow 'CustomUserProvisioning' says that logic should be included "by calling microflows containing said logic from this microflow" I packed my logic into a submicroflow and copied the parameters from 'CustomUserProvisioning'.
In doing so, Mendix (or I?) seems to have inserted the argument $currentUser for the parameter System.User when passing the parameters from the 'CustomUserProvisioning' microflow to my submicroflow, which I hadn't noticed until yesterday. The current user is, as I learned through your comments, not available at this system level at this time, which is why I always got the error Change object 'User' should not be null.
Now I packed the whole logic directly into the microflow 'CustomUserProvisioning' and it works.
Here is my current solution:
Thanks for your help, patience and the screenshots.
Hey Rom, thanks for the quick reply. I deleted the retrieve and now I am only
Nevertheless I get the following error in the SAML log:
Change object 'currentUser' should not be null.
Thanks
Thanks guys,
I have not put a ChangeObject action on the User input parameter and assign the retrieved user role.
Still getting this error in SAML:
Change object 'User' should not be null
@Ronald: What do you mean by "retrieve the user based on the input parameter of the SAML"? How would I do that in the microflow? The User parameter is already there, right?