User accounts for SAML authentication.


Pedro Rivera

Feb 5, 2024, 10:52:51 PM
to i2b2 Install Help
We are in the process of setting up SAML authentication on a Linux Red Hat box. We followed the steps in this chapter:
Chapter 8. SAML Setup for i2b2 (v1.7.13 release)
We are very close: we have Shibboleth installed/configured and Apache configured for our IdP, and we get a SAML response after an authentication request, but we can't get past a 'Username is empty' webclient error after what appears to be a successful authentication.
The attribute-map for eduPersonPrincipalName seems to be okay, so we are not sure why it is not being passed to the application via Apache.
I suspect we are missing something about the creation/configuration of users for SAML authentication. The instructions say the following:
  1. Create a user for each SAML-authenticating user with the username set to the SAML EPPN.
  2. Create a pm_user_param setting authentication_method to SAML.

So, I created accounts that also contain the domain, such as i2b2...@mydomain.org, then added a pm user parameter named authentication_method with a value of SAML. Am I missing something?

Thank you!
Pedro Rivera

Pedro Rivera

Feb 16, 2024, 7:25:15 PM
to i2b2 Install Help
Resolved:
We were able to resolve this issue last week. The solution for the "Username is empty" error at login was to add a new claim for a Username attribute in Azure.
  • Name: Username
  • Namespace: leave blank
  • Choose name format:
    • Name format: Basic
  • Source: Attribute
    • Source Attribute: user.userprincipalname

We had a username attribute, but it was all lowercase and this is case sensitive. Also, Username was not on the list of Shibboleth variables required by the webclient:
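
A diagnostic sketch for the fix described in the thread above, added as an example and not part of the original posts or of i2b2: it checks a decoded SAML assertion for the claim name with an exact, case-sensitive match and reports a case-only near miss such as `username`. The function name `check_claim`, the sample assertion and the user value in it are constructed for illustration; the expected name and the Basic name format are the settings given in the resolution post.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# "Name format: Basic" from the claim settings in the thread.
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: an assertion whose IdP emits the claim in lowercase.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username" NameFormat="{BASIC}">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_claim(assertion_xml, expected="Username"):
    """Return (status, detail) for `expected`, compared case-sensitively.

    Diagnostic only: no signature validation is done, so use it on a
    response captured from your own IdP, never as an authentication check.
    """
    root = ET.fromstring(assertion_xml)
    near_miss = None
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if name == expected:
            if not any(v.strip() for v in values):
                return ("empty", name)
            if attr.get("NameFormat") != BASIC:
                return ("format-differs", attr.get("NameFormat"))
            return ("ok", values[0])
        if name.lower() == expected.lower():
            near_miss = name  # same letters, different case
    if near_miss:
        return ("case-mismatch", near_miss)
    return ("missing", None)


if __name__ == "__main__":
    print(check_claim(SAMPLE))
```
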