SAML Bug

Hello All,

I've just created a new SAML Group login and I'm using the fully distinguished name from AD. I'm only doing this because when I used the CN name it would not let me log in to SolarWinds with the SAML group name. Weirdly, when I use the fully distinguished name it crashes SolarWinds, telling me it cannot use commas, but as you can see below it's created the group but with no editable permissions. So I can log in read-only to SolarWinds.

I think I've found a bug!

Here is the group (below) that is created despite the obvious error above. When I try to edit the permissions it comes up with the above error again.

Any ideas how to fix this?

  • Did you find a solution to this? I have this issue now.
    I was able to modify the SQL DB to give it rights, but don't trust everyone doing that when a new group has to be added.

  • We rebuilt the F5s and re-added the integration again and this resolved it for us. Bit of a long one. We did also upgrade SolarWinds to remediate against issues and I can now add groups properly. So I'm not entirely sure what fixed it.

  • Hello folks!
    This "bug" is still alive... Maybe not a bug, but clearly SolarWinds does not expect the full CN name in groups configured in the web interface.

    Our project is being affected by this. We're using a proprietary SAML application that we cannot change or modify in any aspect. All groups a person belongs to are sent in full CN name and there is no way to add them in the SW interface.

    I opened a case with support. Let's see what they can tell about it. I will post the results here as soon as I have them.

  • Can you share the support case number with me?

  • Update:
    The case is still open. Support has acknowledged the bug but did not provide an ETA for a fix, or a workaround.
    I insisted that I need to manage authorization using SAML groups, and asked again for a workaround.

    Our directory sends the full group DN in the SAML assertion, like "cn=groupname,ou=groups,o=site.com", and SolarWinds can't use this string as a rule for authorization, as the interface won't accept the commas.

    Maybe a simple workaround would be to compare groups in SolarWinds with only part of the group names. So instead of an exact match for the group, an additional option to create a "group containing string <groupName>" would suffice.
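
Added example (not part of the thread and not SolarWinds code): a sketch of the difference between the proposed "group containing string" rule and an exact match on the CN parsed out of the DN, using constructed sample DNs. The function names are hypothetical, and the parser is simplified (multi-valued RDNs are not handled).

```python
import re

# Constructed sample: group DNs as a directory might send them in a SAML assertion.
SAMPLE_GROUPS = [
    "cn=groupname,ou=groups,o=site.com",
    "cn=groupname-contractors,ou=groups,o=site.com",
    r"cn=ops\, emea,ou=groups,o=site.com",   # CN that itself contains a comma
]

def split_rdns(dn):
    """Split a DN on unescaped commas (backslash escapes are kept intact)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts]

def unescape(value):
    """Decode backslash escapes: two hex digits or a single escaped character."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def leading_cn(dn):
    """Return the value of the first RDN if its attribute is CN, else None."""
    attr, sep, value = split_rdns(dn)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return unescape(value.strip())

def exact_cn_match(dn, rule):
    cn = leading_cn(dn)
    return cn is not None and cn.casefold() == rule.casefold()

def contains_match(dn, rule):
    return rule.casefold() in dn.casefold()

def matching(groups, rule, matcher):
    return [g for g in groups if matcher(g, rule)]
```

With the rule `groupname`, the substring matcher also selects `cn=groupname-contractors,...`, while the exact CN matcher selects only the intended group.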



  • Today I had a conference with SolarWinds support.
    The specialist acknowledged the "commas in group names" bug and commented that there is a fix planned for that. He could not tell when exactly it will be released but at least there is a plan.
    He also told me that he would link the support ticket with the bug ticket, which is nice and could speed up the release of a fix. THIS is the page where we can look for new versions and what they fix.

    The workaround is to create the group with commas anyway (like "cn=groupname,ou=groups,o=site.com"), then ignore the bug and change the permissions for that group directly in the database (SolarWindsOrion.Accounts). Some are very intuitive: 
    - AllowAdmin
    - AllowNodeManagement
    - AllowMapManagement
    - AllowCustomize, etc

    I am happy with this workaround, as I can implement this in the server and it will be transparent to users.

  • That's good news! Sounds like we might have a fix at some point then...