Login with SAML (SSO) without creating Users first

#1

Hello,

I managed to install Rocket.Chat in a Docker environment, but now I can't get further with the SAML authentication. I am trying to log in via SSO without creating users first (except the admin user at the start). Is there any possibility to create the user who wants to log in without LDAP integration?

When I activate LDAP sync it imports all the users I need and I can log in with SSO. But it needs to work without the LDAP sync.
When I try to log in I get an Internal Server Error.

From the logs:
Error in oplog callback TypeError: Cannot read property '_id' of undefined
and
Exception while invoking method 'login' TypeError: text.replace is not a function

Is there any possibility I can create the users automatically while they log in with SSO?

#2

Hello belmin,

First, I am not quite sure whether you want to do the authentication with LDAP or SAML.

The SAML Service Provider (SP) interface of the RC should normally work out of the box with an Identity Provider (IDP). I authenticate my RC as SP against an IDP.

What I don’t understand is why you don’t want the RC to create the new user after logging in to the IDP. This is actually the purpose of an SSO. In fact, the SAML interface of the RC does not take over the “uid” of the IDP and generate an RC user of the same name. So the userid in the RC is not the same as that of the IDP. This is a point which bothers me and why I have adapted the SAML interface of my RC so that the uid of the IDP and the userid in the RC are identical, see “packages/meteor-accounts-saml/saml_server.js”. What “RocketChat.generateUsernameSuggestion(newUser);” does there is, in my opinion, not optimal. The userid does not have to be “suggested” from the email address. The IDP provides the uid, you don’t have to do a “suggestion”. But that’s another matter.

If you now deactivate “create new user” at the SAML interface in the RC, a corresponding user should of course be created in the RC first. Here again the wrong logic of the “generateUsernameSuggestion” comes into play, so that it is difficult to “guess” what the userid might be.

And the RC generates metadata for the IDP without e.g. “RequestedAttribute”, so you either have to create the metadata manually, customize the SAML interface, or tell the IDP admin which attributes to send to you as SP.

In my opinion RC should not generate the metadata automatically. In the configuration for the SAML interface it would be sufficient to simply provide a text field in which the metadata can be stored manually. This way you are completely flexible, you can request attributes from the IDP and make configurations like “RequestedAttribute” etc… But this is also another topic. :wink:

I’ve posted a feature request on that:

Ciao
Marcus
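As an added illustration of the manually written SP metadata Marcus describes (this is not code from the thread or from Rocket.Chat itself): a minimal SAML 2.0 `SPSSODescriptor` that declares an `AttributeConsumingService` with `RequestedAttribute` entries for `uid`, `mail` and `displayName`, so the IDP admin can see exactly which attributes the SP expects. The entityID, the `/_saml/...` endpoint locations, the provider name `example` and the choice of attributes are assumptions for this example; the attribute OIDs are the standard LDAP ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example SP metadata, written by hand. entityID and Location values are placeholders
     for this example and must match the SAML provider configured in Rocket.Chat. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://chat.example.org/_saml/metadata/example">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
                      WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- NameID format the SP accepts; the IDP's uid attribute is what we actually key on -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <!-- Assertion Consumer Service: where the IDP posts the signed SAML response -->
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://chat.example.org/_saml/validate/example"/>
    <!-- Attributes this SP asks the IDP to release. uid and mail are required so that
         the account can be keyed on the IDP uid instead of a name guessed from the email. -->
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Rocket.Chat</md:ServiceName>
      <md:RequestedAttribute isRequired="true"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid"/>
      <md:RequestedAttribute isRequired="true"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
      <md:RequestedAttribute isRequired="false"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Two practical notes: `WantAssertionsSigned="true"` tells the IDP the SP will only accept signed assertions, which is the setting you want when the uid from the assertion is used directly as the account identifier; and many IDPs only honour `RequestedAttribute` if their attribute-release policy is configured to read it, so the IDP admin still has to confirm that `uid` and `mail` are actually released to this SP.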