Problem Description:
Users are unable to access Tulip instances after an Active Directory (AD) password change when logging in through SAML. The errors encountered include "Unexpected Error" or "Internal Error. Please contact support@tulip.co." The issue appears to be that the SAML NameID sent for the user changes after a password update; Tulip's SAML login then fails to match the new NameID to the existing account, disrupting logins across instances. Currently, the workaround is to deactivate the user each time their password is changed.
Proposed Solution:
- Synchronization of Data:
  - After an Active Directory password change, synchronize the updated user data with the previous data stored in Tulip.
  - Use the email and badge ID to locate the existing account and replace its stored NameID with the new one.
  - This allows users to retain their previous accounts using the updated credentials.
- Additional Suggestions:
  - Implementing a Synchronization Button:
    - Provide a synchronization button in Tulip for administrators to align user data from the database.
    - This button should efficiently capture user data, including emails and badge IDs, and update the NameID to maintain the linkage between Tulip and SAML accounts.
  - User Login Flow Adjustment:
    - Modify the login flow in Tulip to check for synchronized user data and ensure proper authentication after an AD password reset using the updated NameID, email, and badge information.
With these changes, users should consistently reach their previous accounts with updated credentials, resolving the login failures caused by NameID changes.
Technical Implementation Steps:
- Data Synchronization:
  - Develop a routine that triggers after an AD password change event.
  - Capture the user's new NameID and attributes.
  - Query the Tulip database to locate user accounts based on email and badge ID.
  - Update the NameID field with the new ID.
- Synchronization Button:
  - In the admin panel, add a feature to manually synchronize user data.
  - When the button is clicked, execute the synchronization routine to update the NameID based on email and badge ID.
- Login Flow Modification:
  - Adjust the authentication logic in the Tulip login process.
  - Include verification steps to check for an updated NameID and validate it against the email and badge ID data.
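A hypothetical illustration of the synchronization routine and the adjusted login check described above, added here and not Tulip's own code: an in-memory store keyed by NameID, and a login resolver that, when the asserted NameID is unknown, falls back to the IdP-asserted email and badge ID (both must match, and exactly one account), re-links that account to the new NameID and keeps the old one for audit. All class and function names and the sample accounts are assumptions.

```python
"""Account re-linking on NameID change: hypothetical illustration, not Tulip code.
Assumed: users are stored in a dict keyed by SAML NameID; the IdP asserts email
and badge ID as attributes, and both must match before an account is re-linked."""
from dataclasses import dataclass, field


@dataclass
class User:
    name_id: str
    email: str
    badge_id: str
    previous_name_ids: list = field(default_factory=list)  # audit trail of old IDs


class UserStore:
    def __init__(self, users):
        self.by_name_id = {u.name_id: u for u in users}

    def find_by_identity(self, email, badge_id):
        """Accounts whose email AND badge ID both match the assertion."""
        return [u for u in self.by_name_id.values()
                if u.email.lower() == email.lower() and u.badge_id == badge_id]

    def relink(self, user, new_name_id):
        """Synchronization routine: move the account to its new NameID."""
        del self.by_name_id[user.name_id]
        user.previous_name_ids.append(user.name_id)
        user.name_id = new_name_id
        self.by_name_id[new_name_id] = user
        return user


def resolve_login(store, assertion):
    """Login flow: match on NameID first, then fall back to email + badge ID."""
    name_id = assertion["name_id"]
    user = store.by_name_id.get(name_id)
    if user is not None:
        return "ok", user                    # NameID unchanged: normal login
    matches = store.find_by_identity(assertion["email"], assertion["badge_id"])
    if len(matches) == 1:                    # exactly one account: re-link it
        return "relinked", store.relink(matches[0], name_id)
    # no match: unknown user; several: ambiguous; refuse rather than guess
    return "rejected", None


def demo_store():
    """Constructed sample accounts (not real data)."""
    return UserStore([User("old-id-alice", "alice@example.com", "B-1001"),
                      User("old-id-bob", "bob@example.com", "B-1002")])
```

A rejected result is where the current "Unexpected Error" would instead become a clear, logged login failure.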
Benefits:
- Maintains user access without the need for deactivation/reactivation steps.
- Enhances user experience by ensuring smooth transitions after password changes.
- Reduces administrative overhead and error incidents related to logins.
Implementing these changes will streamline the login process and ensure users can access their accounts without interruption after an AD password change.