```2021-09-22T20:07:53-04:00 00:07:53 [application...
# troubleshootc
careful-artist-3840
09/23/2021, 12:10 AM Copy code
2021-09-22T20:07:53-04:00 00:07:53 [application-akka.actor.default-dispatcher-197] WARN auth.sso.oidc.OidcCallbackLogic - Failed to extract groups: No OIDC claim with name groups foundcareful-artist-3840
09/23/2021, 12:12 AMi am using oidc / ibm appid and have the scope set to
scopes = ["email", "profile"]b
big-carpet-38439
09/23/2021, 12:14 AMplease use the following scopes:
big-carpet-38439
09/23/2021, 12:15 AM Copy code
openid profile emailbig-carpet-38439
09/23/2021, 12:15 AMThat warning is just saying that there were no groups fields found in the response from IBM
big-carpet-38439
09/23/2021, 12:16 AMSo we cannot provision any (we attempt to provision the groups the user is in by default)
c
careful-artist-3840
09/23/2021, 1:48 AMopenid is added by default ( i think )
careful-artist-3840
09/23/2021, 1:48 AMdo i need to add groups?
careful-artist-3840
09/23/2021, 1:48 AMi switched over to okta for test and that went thru okay except for logout
b
big-carpet-38439
09/23/2021, 1:52 AMwhat occurred during logout?
big-carpet-38439
09/23/2021, 1:53 AMand you dont need to add groups, no
big-carpet-38439
09/23/2021, 1:53 AMif you don't nothing will break or anything
big-carpet-38439
09/23/2021, 1:53 AMi've seen a case (iirc) where login was not working because the openid scope was missing
big-carpet-38439
09/23/2021, 1:54 AMif there is something wrong with our ability to integrate with IBM, though, it'd definitely be good to know
c
careful-artist-3840
09/23/2021, 1:56 AMon okta logout (https://{base}/logout) - i get
b
big-carpet-38439
09/23/2021, 2:00 AMOkay thanks - it appears you need to configure the logout redirect URL with Okta
c
careful-artist-3840
09/23/2021, 2:04 AMthat i did
careful-artist-3840
09/23/2021, 1:31 PM@big-carpet-38439, back to ibmcloud-appid , here is my user detail.
Copy code
{
"id": "e826ddff-a3d1-45a6-90a8-7779580caf2d",
"email": "<mailto:amit.varangaonkar@employer.com|amit.varangaonkar@employer.com>",
"given_name": "Amit",
"family_name": "Varangaonkar",
"identities": [
{
"provider": "saml",
"id": "<mailto:amit.varangaonkar@employer.com|amit.varangaonkar@employer.com>",
"idpUserInfo": {
"name_id": "<mailto:amit.varangaonkar@employer.com|amit.varangaonkar@employer.com>",
"attributes": {
"cn": "Amit A Varangaonkar",
"emailAddress": "<mailto:amit.varangaonkar@employer.com|amit.varangaonkar@employer.com>",
"uid": "####",
"firstName": "Amit",
"lastName": "Varangaonkar",
"blueGroups": [
"cn=US Employees,ou=memberlist,ou=groups,o=<http://employer.com|employer.com>",
]
},
"entityID": "https://<base>/saml/sps/saml20ip/saml20"
}
}
],
"attributes": {},
"roles": [
{
"id": "5bb87e02-f10e-4f24-a67c-afde7383f0c5",
"name": "datahub"
}
]
}AUTH_OIDC_GROUPS_CLAIMextraEnvs Copy code
#extraEnvs-7
set {
name = "datahub-frontend.extraEnvs[8].name"
value = "AUTH_OIDC_GROUPS_CLAIM"
}
set {
name = "datahub-frontend.extraEnvs[8].value"
value = "roles"
}WARN auth.sso.oidc.OidcCallbackLogic - Failed to extract groups: No OIDC claim with name roles foundb
big-carpet-38439
09/23/2021, 4:20 PMHey @careful-artist-3840 - So currently the only group claims we support are a flat array of group names. It seems that your roles are complex objects. Is there any way to leave out the id part and just provide a claim with a list of strings?
c
careful-artist-3840
09/23/2021, 5:11 PMnot really , this is a cloud managed service and we dont have ability to tweak.
b
big-carpet-38439
09/23/2021, 8:56 PMTypically you can adjust the claims from these identity providers via their dashboard
big-carpet-38439
09/23/2021, 8:57 PMBut if you cannot, then perhaps just disable the groups extraction...
4 Views