so is this a bug or just something wrong on my end?
It looks like the issue here is your name claim type is different than what PSU is expecting:
nameidentifier vs name
I’m seeing this info in the claim table. It’s the first row in each screenshot.
Your SAML provider should provide a way to change this. That said, we should also have a way to configure this in PSU. I’ve seen this happen with Okta as well.
Hi, are you saying that Okta could return the user account with “name” instead of “nameidentifier”? I can look into that but clearly the issue is that at the time of executing the code for a role the $User variable is null but once authentication is complete with the code of an App page it is properly populated. To me this seems like a bug on the Puniversal side.
My workaround for now is to simply execute the function to check for role memberships at the beginning of the App pages which is not ideal but it works the same way.
I see the issue. It does look like PSU is attempting to retrieve the username out of nameidentifier if username is null.
if (string.IsNullOrEmpty(username))
{
claimType = ClaimTypes.NameIdentifier;
username = principal.FindFirstValue(claimType);
}
This value is used later on for the session but is not used for the authorization scripts. This could be fixed.
In the meantime, you could retrieve the nameidentifier
claim from the claim list rather than the identity directly.
$UserName = ($User.Identity.Claims | Where-Object Value -eq 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier').Value
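An added example (not from this thread or from PSU itself) that builds a ClaimsPrincipal from constructed claims and shows why filtering the claim list on Value returns nothing while filtering on Type finds the nameidentifier claim, with a fallback between the name and nameidentifier claim types. The sample claim values, the @example.com suffix and the Get-ClaimUserName helper name are assumptions.

```powershell
# Added example (not from the original thread): builds a ClaimsPrincipal in-process
# with constructed claims, then resolves a username the way an authorization
# script needs to, trying 'name' first and falling back to 'nameidentifier'.
using namespace System.Security.Claims

$NameIdUri = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$NameUri   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Constructed sample: an assertion that only carries nameidentifier (no 'name' claim).
$identity = [ClaimsIdentity]::new(
    [Claim[]]@(
        [Claim]::new($NameIdUri, 'jdoe@example.com'),
        [Claim]::new('http://schemas.microsoft.com/ws/2008/06/identity/claims/role', 'Admins')
    ),
    'SAML'
)
$User = [ClaimsPrincipal]::new($identity)

function Get-ClaimUserName {
    param([ClaimsPrincipal]$Principal)
    if ($null -eq $Principal -or $null -eq $Principal.Identity) { return $null }

    # Filter on the claim's Type (the URI). Filtering on Value compares the URI
    # against 'jdoe@example.com', matches nothing and leaves the result $null.
    foreach ($type in @($NameUri, $NameIdUri)) {
        $claim = $Principal.Identity.Claims | Where-Object Type -eq $type | Select-Object -First 1
        if ($claim -and -not [string]::IsNullOrEmpty($claim.Value)) {
            return $claim.Value
        }
    }
    return $null
}

$Usern = Get-ClaimUserName -Principal $User
if ([string]::IsNullOrEmpty($Usern)) {
    Write-Error 'No name or nameidentifier claim found on the principal'
}
else {
    # Strip the domain suffix only once a value is known to be present,
    # so .Replace() is never called on $null.
    $Usern = $Usern -replace '@example\.com$', ''
    Write-Output "Resolved user: $Usern"
}
```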
Thanks Adam. When I try this I’m still getting Usern as NULL.
$Usern = ($User.Identity.Claims | Where-Object Value -EQ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier').Value
I’m also not getting any output in the log for some reason. The write-output and write-error statements never show up in the log. Here’s the full code I’m using. The error I do see in the log is when I run the replace on a NULL variable.
param(
[Security.ClaimsPrincipal]$User
)
if ([string]::IsNullOrEmpty($User)) {
Write-Error "null"
}
else {
Write-Output "not null"
}
$Usern = ($User.Identity.Claims | Where-Object Value -EQ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier').Value
$Usern = $Usern.Replace("@xxxx.com", "")
Sorry. This should have been:
$Usern = ($User.Identity.Claims | Where-Object Type -EQ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier').Value
Can you try that?
tried it but still getting Usern is NULL