I have a large base of users for K12 where I started with each UserName reflecting the first part of their email address (e.g. firstname.lastname@example.org, where the UserName was just first_grader). Now, to comply with a new SSO requirement, I need to modify each account to include @domain. When I attempt to do this using UserSync (to create a bulk change), it doesn't make the modification.
I am using the correct field name mappings, it just doesn't do it. If I delete the user and then create via UserSync, it does create the new account with the correct UserName.
I hate to have to delete 70,000 accounts and start over.
Your advice is appreciated, Steph.
Is this change required to make sure the soon-to-be-deprecated SHA-1 directories are upgraded to SHA-2? If yes, you don't necessarily need to change the usernames of the users. We can just map the right attributes to make sure that the SAML Subject (NameID) continues to pass the username as just first_grader as opposed to email@example.com.
This is because we do not have any bulk operations to allow change of usernames of all users.
Depending on who you're using as your identity provider, I can suggest the right attribute mappings.
Yes, thanks, this is due to that change.
I'm using identityAutomation (RapidIdentity).
As soon as I invoke my new SAML Provider with SHA-256, it no longer accepts the FIRST_GRADER and requires FIRST_GRADER@SCHOOL.COM.
I made the original setup, so I understand much of what I'm trying to accomplish, but I'm missing something.
What I worked on today was an attempt to wipe all 71,000 users and refresh with the new username. If I don't have to do that, it would be preferred.
I've attempted to use the documentation you have for identityAutomation, but it is outdated.
Please let me know what you suggest to resolve this issue.
Thanks in advance for your help.
Hi Again Steph,
I am sure you have registered a new service provider app for Adobe for the new configuration on the RapidIdentity portal. Here's our documentation for this: https://helpx.adobe.com/enterprise/kb/adobe-single-sign-on-configuration-with-rapid-identity.html
Under the section titled "Configure Rapid Identity" on the above doc, the 6th pointer talks about setting up NameID and shows how you can configure it to use mail. You'll need to make two changes to this:
(a) Change the NameID format to unspecified from whatever it is currently set to.
(b) Change the LDAP attribute it passes to whatever corresponds to the value "first_grader" in your directory.
This would change what is currently being passed in the SAML subject as the value of NameID; it would then match the users' usernames, and the authentication would succeed.
Please let me know how it goes.
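To make the NameID point in the answer above concrete, here is an added example (not from this thread, Adobe, or RapidIdentity) that parses the Subject/NameID of two constructed SAML 2.0 assertions and checks the value against a hypothetical set of provisioned usernames. The assertions are built inline and stripped of signatures and conditions; the directory contents (`first_grader`, `second_grader`) and the helper names are assumptions for illustration only. It shows why the emailAddress-format NameID fails to match an account provisioned as `first_grader`, and why an unspecified-format NameID carrying the bare username matches without renaming any account.

```python
import xml.etree.ElementTree as ET
from typing import Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, minimal assertion (not captured from any real IdP). Signature,
# Conditions and AudienceRestriction are omitted to keep the focus on Subject.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
    "<saml:Subject>"
    '<saml:NameID Format="{fmt}">{value}</saml:NameID>'
    "</saml:Subject>"
    "</saml:Assertion>"
)

# Hypothetical set of usernames as provisioned on the SP side (the "first
# part" of the e-mail address, as described in the question).
PROVISIONED_USERNAMES: Set[str] = {"first_grader", "second_grader"}


def build_assertion(fmt: str, value: str) -> str:
    """Render a constructed assertion with the given NameID Format and value."""
    return ASSERTION_TEMPLATE.format(fmt=fmt, value=value)


def extract_name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of Subject/NameID.

    Per SAML 2.0 core, a missing Format attribute means 'unspecified'.
    Production code parsing IdP input should use defusedxml rather than
    the stdlib parser; the stdlib is used here only to stay dependency-free.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    fmt = name_id.get("Format", FMT_UNSPECIFIED)
    return fmt, name_id.text.strip()


def check_subject(assertion_xml: str, known_usernames: Set[str]) -> Tuple[bool, str]:
    """Decide whether the NameID would match a provisioned username.

    Returns (matched, explanation). When the IdP sends the e-mail form but
    the account exists under the local part, the explanation points at the
    IdP-side fix (map the bare-username attribute, Format=unspecified)
    instead of renaming every account.
    """
    fmt, value = extract_name_id(assertion_xml)
    if value in known_usernames:
        return True, f"NameID {value!r} ({fmt}) matches a provisioned username"
    local_part = value.split("@", 1)[0]
    if "@" in value and local_part in known_usernames:
        return False, (
            f"NameID {value!r} is in e-mail form, but the account is provisioned as "
            f"{local_part!r}; map the IdP attribute holding {local_part!r} and set "
            f"Format to {FMT_UNSPECIFIED} instead of renaming accounts"
        )
    return False, f"NameID {value!r} ({fmt}) does not match any provisioned username"


if __name__ == "__main__":
    old_style = build_assertion(FMT_EMAIL, "first_grader@school.com")
    new_style = build_assertion(FMT_UNSPECIFIED, "first_grader")
    for label, assertion in (("email-format", old_style), ("unspecified", new_style)):
        ok, why = check_subject(assertion, PROVISIONED_USERNAMES)
        print(f"{label}: matched={ok}: {why}")
```

The check deliberately treats `first_grader@school.com` and `first_grader` as different identifiers, which is what the SP does when it compares the NameID to the stored username. Changing only the Format attribute is not enough; the attribute mapped into NameID must carry the bare username as well.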
Yes, any help would be appreciated.