How to migrate from LDAP to SAML?

Description

We’ve been using LDAP as authentication backend for a couple of weeks and now we have a SAML auth setup with Shibboleth. The login page currently allows both authentication mechanisms but we would like to keep only SAML.

The problem is that users who previously used RC with LDAP auth cannot use SAML auth because “Email already exists”.
Then I’ve manually modified the email addresses (and also modified the username) and now these users can login with SAML… but they have lost all their previous messages because they are associated to a distinct RC account.

Is there a way to recover all previous messages?
Or is there a way to allow SAML authentication to “overwrite” any existing account with the same email address?

Server Setup Information

  • Version of Rocket.Chat Server: 3.3.0
  • Operating System: Debian Buster
  • Deployment Method: manual install
  • Number of Running Instances: 1
  • DB Replicaset Oplog: 1
  • NodeJS Version: v12.14.0
  • MongoDB Version: 4.2.5
  • Proxy: apache2

OK by reading the code of saml_server.js I found a trick: before authenticating a user with SAML, I manually inject the appropriate eppn attribute in mongodb and then the user can login with both SAML or LDAP.
Haven’t seen any side-effects for the moment, but I have only tried with 2 test accounts.

db.users.updateOne({"username": "firstname.lastname"}, {$set: {"eppn":"firstname.lastname@domain.net"}})

This is possible because our eppn are predictable.

I hope it will work on the production server too :slight_smile:
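The one-line update above links a single account by hand. As an added example (not the poster's code and not part of Rocket.Chat), the script below plans that same `eppn` injection for a whole user list and, going beyond the single command, refuses to link an account when the derived eppn is already set on another user or already belongs to another account's email (the "Email already exists" situation from the question). It assumes, as the poster's command does, that the SAML identifier is stored in a top-level `eppn` field and is derived as `username@domain`; the user documents and the domain `domain.net` are constructed samples.

```python
import json

# Assumed domain for eppn = username@domain (constructed for this example).
SAML_DOMAIN = "domain.net"


def derive_eppn(username, domain=SAML_DOMAIN):
    """Assumed eppn derivation: predictable, as the poster describes."""
    return f"{username}@{domain}"


def primary_email(user):
    """First address in the Rocket.Chat-style `emails` array, lower-cased."""
    emails = user.get("emails") or []
    return emails[0]["address"].lower() if emails else None


def plan_eppn_updates(users, domain=SAML_DOMAIN):
    """Decide which accounts can safely receive an eppn.

    Returns (updates, conflicts):
      updates   - list of (username, eppn) that are safe to apply
      conflicts - list of (username, reason) needing manual review:
                  * the derived eppn is already set on another account
                    (two accounts would share one SAML identity)
                  * the derived eppn matches another account's email
                    (the "Email already exists" case from the question)
    Accounts that already carry an eppn are left untouched.
    """
    by_eppn, by_email = {}, {}
    for u in users:
        if u.get("eppn"):
            by_eppn.setdefault(u["eppn"].lower(), []).append(u["username"])
        email = primary_email(u)
        if email:
            by_email.setdefault(email, []).append(u["username"])

    updates, conflicts = [], []
    for u in users:
        name = u["username"]
        if u.get("eppn"):
            continue  # already linked to SAML
        eppn = derive_eppn(name, domain)
        owners = by_eppn.get(eppn.lower(), [])
        if owners:
            conflicts.append((name, f"eppn {eppn} already set on {owners}"))
            continue
        email_owners = [o for o in by_email.get(eppn.lower(), []) if o != name]
        if email_owners:
            conflicts.append((name, f"email {eppn} belongs to {email_owners}"))
            continue
        updates.append((name, eppn))
    return updates, conflicts


def to_mongo_shell(updates):
    """Render the planned updates in the same form as the poster's command."""
    return [
        'db.users.updateOne({"username": %s}, {$set: {"eppn": %s}})'
        % (json.dumps(name), json.dumps(eppn))
        for name, eppn in updates
    ]


# Constructed sample of a `users` collection; not real data.
SAMPLE_USERS = [
    {"username": "alice.smith", "emails": [{"address": "alice.smith@domain.net"}]},
    {"username": "bob.jones", "emails": [{"address": "bob.jones@domain.net"}],
     "eppn": "bob.jones@domain.net"},                      # already linked
    {"username": "carol.w", "emails": [{"address": "carol.w@domain.net"}]},
    {"username": "cwilliams", "emails": [{"address": "carol.w@domain.net"}]},  # duplicate account, same email
    {"username": "erin.old", "emails": [{"address": "erin.old@domain.net"}],
     "eppn": "erin@domain.net"},                           # renamed account keeping the eppn
    {"username": "erin", "emails": [{"address": "erin@domain.net"}]},
]

if __name__ == "__main__":
    planned, blocked = plan_eppn_updates(SAMPLE_USERS)
    for line in to_mongo_shell(planned):
        print(line)
    for name, reason in blocked:
        print(f"# SKIP {name}: {reason}")
```

Run it against an export of the `users` collection before touching production: the printed `updateOne` lines are the safe subset, and every `SKIP` line is an account that would otherwise end up with two identities or a silent collision, which is exactly how messages got stranded on a separate account in the question.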

Actually, migrating from LDAP to SAML should work out-of-the-box. But in our case it was not working because there was a typo in our SAML_Custom_user_data_fieldmap parameter and it was silently ignored…