Hi all I have a white labelled domain that I am struggling t GoodData #gd-beginners

Hi all, I have a white labelled domain that I am ...

Paiwand Karem

05/21/2024, 5:24 AM

Hi all, I have a white labelled domain that I am struggling to use with the login gdc API endpoint. The overarching use case is to enable SAML SSO and execute step 2 of configuring the SSO provider in the Service Provider-initiated scenario. I am attempting to get TTs/SSTs so I can use the SSO Providers API endpoints however I am getting 405 not allowed at this endpoint when using the correct JSON body and the only admin user and password of the GoodData instance. Feel like I'm doing something wrong here - any help would be appreciated.

Marek Zelc

05/21/2024, 6:32 AM

Hello Paiwand, the likely reason here seems to be that you are trying to set up authentication for different product. From what I can see, you are using documentation for GoodData Platform product, while your subscription seem to be for newer product - GoodData Cloud. How to set up authentication in GoodData Cloud is described in this part of documentation.

Paiwand Karem

05/21/2024, 9:42 AM

Hi Marek, Thanks for the clarification. Could you assist in troubleshooting the PUT Organization endpoint? /api/v1/entities/admin/organizations/:id I am getting the following output:

Copy code

{
  "detail": "The requested endpoint does not exist or you do not have permission to access it.",
  "status": 404,
  "title": "Not Found",
  "traceId": "90ad8f1c0bf7b1f9230d233ec2ea8e3d"
}

using this body

Copy code

{
  "data": {
    "id": "localis",
    "type": "organization",
    "attributes": {
      "allowedOrigins": [],
      "earlyAccess": "",
      "hostname": "<http://app.localis.co|app.localis.co>",
      "jitEnabled": false,
      "name": "Localis",
      "oauthClientId": "clientId",
      "oauthClientSecret": "ClientSecret",
      "oauthIssuerId": "auth0",
      "oauthIssuerLocation": "<https://localis.au.auth0.com>",
      "oauthSubjectIdClaim": "sub"
    }
  }
}

Paiwand Karem

05/21/2024, 9:42 AM

I'm using the OpenAPI spec provided in the reference too

Marek Zelc

05/21/2024, 9:48 AM

Hi Paiwand, I can’t validate this myself, however are you using correct organization id? Org id. is typically not readable word and do not correspond with your hostname. You can find your organization ID in your GD welcome email.

Paiwand Karem

05/21/2024, 10:06 AM

That was it 🙂 thanks

Paiwand Karem

05/22/2024, 8:40 AM

@Marek Zelc, if possible could you provide some guidance on the JIT User Provisioning using Auth0? I've enabled the organisation on GoodData to have jitEnabled as true, however I'm a bit confused as to where to go on Auth0 to configure what the ID token contains per Step 2 here. I'm creating an Action on Auth0 to handle this though it seems like there is a different way to configure that ID token.

Marek Zelc

05/22/2024, 8:59 AM

Sorry @Paiwand Karem, JIT provisioning is bit beyond my experience but I have notified colleagues who would be better suited to help

Boris

05/22/2024, 9:16 AM

Hi Paiwand, Auth0 is a 3rd party provider, so it's a bit out of our scope, but I was doing some testing, so I can share some findings: You have following claims that we need in the ID token:

Copy code

sub
given_name, family_name
email
urn.gooddata.user_groups

sub - it's always there, it's the unique identifier of the user in your auth0 tennant given_name, familiy_name - I was surprised because it seems that there's no easy way to add these through UI, but they are standard user parameters, that could easily be added through user API email - should be there always as it's a needed parameter when creating the user urn.gooddata.user_groups - this is a custom claim and it was only one that's not straightforward - only way we found is indeed through actions in auth0 and we haven't found a mention of any other way in their documentation/forums

Paiwand Karem

05/22/2024, 9:23 AM

Hey Boris, thanks for that. Yeah I'm a bit stumped as I'm looking for a way to send back that information to GoodData so it can be used for a user signup though I cannot find any place that actually shows how to edit that token. It seems like it is already handled with the SSO side of things when someone uses Google for example on the Auth0 portal sitting on top of the whitelabelled GoodData instance. I would've thought that token is what Auth0's actions handles. though I cannot get past the login screen despite having handled those inputs via Actions in their UI. It seems like there is no intuitive way to edit that token that is supposedly sent back as it is apparently outside the realm of Auth0 actions...

Boris

05/22/2024, 9:49 AM

the OIDC works in a way that (SP) GoodData will request scopes that should be in the ID token and the IdP (auth0) will send the claims that are part of these scopes in the ID token. You basically just need to make sure that the required parameters are part of the users data. You mention that you cannot get past the login screen - what excatly do you mean? Because the JIT still requires the user to be logged in to auth0 tennant, it will just provision the user to gooddata if it already isn't there....

Paiwand Karem

05/22/2024, 11:49 AM

I get an empty page and no provisioned users

Paiwand Karem

05/22/2024, 11:49 AM

The page says this -

Copy code

{
  "title": "Unauthorized",
  "status": 401,
  "detail": "401 UNAUTHORIZED \"Authorization failed. Missing mandatory claims: [given_name, family_name]\"",
  "traceId": "2faab11cbaef332e2f69d10abece7917"
}

Paiwand Karem

05/22/2024, 11:49 AM

essentially saying that no given and family name are in the token that I cannot seem to edit in any way on Auth0

Paiwand Karem

05/22/2024, 11:49 AM

By the way, I appreciate this is beyond your scope and thanks for the help

Boris

05/22/2024, 11:51 AM

okay, that's quite self explaining.... these need to be added through auth0 user API: https://auth0.com/docs/api/management/v2/users/patch-users-by-id

Boris

05/22/2024, 11:53 AM

you can see that the body can contain these properties:

Copy code

{
  "blocked": false,
  "email_verified": false,
  "email": "<mailto:user@example.com|user@example.com>",
  "phone_number": "string",
  "phone_verified": false,
  "user_metadata": {},
  "app_metadata": {},
  "given_name": "string",
  "family_name": "string",
  "name": "string",
  "nickname": "string",
  "picture": "string",
  "verify_email": false,
  "verify_phone_number": false,
  "password": "string",
  "connection": "string",
  "client_id": "string",
  "username": "string"
}

since it's patch call and the endpoint is defined by user ID, it should pass with minimal content (but it's possible that some of these are mandatory):

Copy code

{
  "given_name": "AA",
  "family_name": "BB"
}

Paiwand Karem

05/22/2024, 11:54 AM

I see, thank you

Paiwand Karem

05/22/2024, 11:54 AM

Yet to dive deeper into this - but would this propagate to newly signed up users having those properties set?

Paiwand Karem

05/22/2024, 11:56 AM

Ideally the flow would be to have any users who sign up to our auth0 instance to automatically be provisioned on our whitelabelled instance of GoodData with a demo workspace

Boris

05/22/2024, 11:59 AM

One option is to do some custom registration form using API (or maybe some native functionality of auth0) Second option is to have some automation to fill these parameters (with either dummy values or parsing the name property), which is maybe possible through actions

Boris

05/22/2024, 12:03 PM

but my testing was mostly focused on getting it work for one user, not fully production scenario, so there might be some nuances I didn't get to

Paiwand Karem

05/22/2024, 12:08 PM

Alright, I'll have a play around, appreciate the pointers. While I have your attention as well - the moment I switched from GoodData's auth0 instance to our own, I seemed to lose access (at least via UI and the current auth0 setup) to the account provisioned by the support team that had admin access.

Copy code

{
            "id": "2f3faa2a-1427-43d4-839e-1067961ab83f",
            "type": "user",
            "attributes": {
                "authenticationId": "google-oauth2|114876045742542820210",
                "firstname": "Paiwand",
                "lastname": "Karem",
                "email": "paiwand@localis.co"
            },
            "links": {
                "self": "<https://app.localis.co/api/v1/entities/users/2f3faa2a-1427-43d4-839e-1067961ab83f>"
            }
        },
   {
            "id": "paiwand",
            "type": "user",
            "attributes": {
                "authenticationId": "auth0|66336fecad53dc15b4cce02a",
                "email": "paiwand@localis.co"
            },
            "links": {
                "self": "<https://app.localis.co/api/v1/entities/users/paiwand>"
            }
        }

You can see there are now two accounts with the same email with the latter being the one provisioned by the support team for my original access. It's associated the same email to our new auth0 instance and did not translate across anything else (probably due to the current user provisioning setup being incorrect). I do still have the original accounts API token and am using that to interact with the API. Is there an endpoint to grant this new user admin access?

Boris

05/22/2024, 12:11 PM

Hi Paiwand, the parameter used for matching the user is the authenticationId so the value

auth0|66336fecad53dc15b4cce02a

which points to our auth0 needs to be replaced with id from your own auth0 (be sure to use

?include=userGroups

parameter when updating the user, in order to not lock them out of admin group and losing access for your api token)

👍 1

7 Views

Open in Slack

Previous Next