-
When I look under the "SSO Accounts" for my users, it is not mapped to anything. I am not sure if this occurred after the update or not.
-
Switch to tab "Link Existing User" to link your SSO account with existing OneDev account.
-
Would that work even if my existing account does not have a password?
-
Yes it should work
-
Unfortunately, it does not seem to be working - see below. My user does not have a password since when I first logged in, I used SSO.

-
My mistake. Then you will need to set a password first for your account to link to it.
OneDev prompts this as it cannot link your SSO account with your existing account via email, mostly because the email_verified flag is not set from your SSO provider.
-
Odd, this was all working before the upgrade. What claims are required on the IdP side for this to work without me having to set up a password for each of my users?
For context I had initially set my external authentication as "OpenID" and used Azure AD (before the rename) as my IdP but did not configure any additional claims. During my troubleshooting, I switched to Microsoft Entra ID hoping this might work but it did not. I am hoping that if I add claims to the Entra application it will work :)
I am assuming that this commit is the one that caused this issue on my end. https://code.onedev.io/onedev/server/~commits/f717f5ecd8145be61813a0d825d46aa56b4d5cff
-
It worked previously as the email_verified flag was not checked previously, which is wrong. Please check your IdP to make sure this standard flag is set.
-
Is there any available documentation for how to set up Entra ID SSO in OneDev? In the past I believe I pieced together instructions from the Okta section but I might have something misconfigured on my IdP.
-
This is not specific to OneDev. You may use some OpenID test tool to make sure that the email_verified flag is set in the ID token. This is something that needs to be configured on the IdP side.
-
| Name | Previous Value | Current Value |
| --- | --- | --- |
| Type | Bug | Question |
-
Entra does not have an "email_verified" flag which is why I am asking what claims does OneDev expect from Entra?
-
It looks like this might be similar to what I am seeing - could you potentially add a similar approach for Entra?
Here is Microsoft's official documentation for OIDC mapping - "email_verified" is not mapped.
-
This seems to be a recurring issue across applications that are following the OIDC spec such as OneDev but some enterprise providers not following it such as Microsoft.
-
Thanks for the info. Since this claim is not supported by some OIDC providers, build OD-6701 (13.0.7) is released to just accept email as verified if email_verified claim is not present.
-
Thank you for the quick turnaround Robin, I can confirm it is working.
-
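The three behaviours discussed in this thread, side by side, as an added example that is not part of the original thread and is not OneDev's code. The policy names, function names and sample tokens are assumptions made for illustration: `unchecked` models the earlier behaviour (claim ignored), `strict` models 13.0.6, and `lenient` models 13.0.7 (an absent claim counts as verified).

```python
import base64
import json

def make_unsigned_token(claims):
    """Constructed, unsigned JWT-shaped string; sample input for this demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def decode_claims(id_token):
    """Read the payload of an ID token for inspection. No signature check is done here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def email_trusted(claims, policy):
    """policy (hypothetical names): 'unchecked', 'strict' or 'lenient'."""
    if not claims.get("email"):
        return False
    if policy == "unchecked":                 # claim ignored entirely
        return True
    verified = claims.get("email_verified")
    if verified is None:                      # claim absent, as reported for Entra
        return policy == "lenient"
    # A present claim is honoured; some IdPs serialize it as the string "true".
    return verified is True or str(verified).lower() == "true"

def sso_outcome(id_token, existing_emails, policy):
    """'link' to the existing account, or 'prompt' the user as seen in the thread."""
    claims = decode_claims(id_token)
    email = (claims.get("email") or "").lower()
    known = email in {e.lower() for e in existing_emails}
    return "link" if known and email_trusted(claims, policy) else "prompt"

# Constructed sample tokens (hypothetical user and address).
BASE = {"sub": "u1", "email": "alice@example.com"}
SAMPLES = {
    "claim absent": make_unsigned_token(BASE),
    "claim true": make_unsigned_token({**BASE, "email_verified": True}),
    "claim false": make_unsigned_token({**BASE, "email_verified": False}),
}
ACCOUNTS = ["alice@example.com"]

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        row = {p: sso_outcome(token, ACCOUNTS, p) for p in ("unchecked", "strict", "lenient")}
        print(f"{name:13} {row}")
```

Under the `lenient` policy a token with no `email_verified` claim links by email alone, so the link is only as trustworthy as the email claim the IdP emits.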
| Previous Value | Current Value |
| --- | --- |
| Open | Closed |
| Type | Question |
| Priority | Normal |
| Assignee | |
| Labels | No labels |
When I upgraded from 12.0.8 to 13.0.6, my configured SSO stopped working somehow. Whenever I try to log in as my SSO provider it prompts me to create a new account despite my account already existing (see screenshot below). I have verified that my existing user has all the correct attributes such as login name, email, etc.