Alias instead of ID

We have SAML authentication in place and because of the dynamic environment we have selected the ObjectID as ID for our users. ex: c6d63137-2490-4fab-8939-1dc1f426e149

This userID is used as the creator ID, making it unreadable or harder to trace back who has implemented a rule, comment… Is it possible to use the alias in the display or any of the other parameters except the ID?

[image]

Looks like your attribute mapping needs adjustment.
As the screenshot is cut off I cannot really determine what you are using.

However (assuming you are on a Microsoft environment), you want to map the UPN of a user to the userID field.

This can be done (application) CMK-side by adjusting the mapping there to a ‘readable’ attribute (as in what your assertion offers, and map that attribute to UserID),
or by adding an attribute to the assertion IDP-side.

Use the addon ‘SAML Tracer’ to see exactly what is sent in the response from your IDP (after authentication), and map the field accordingly.

If the above does not contain a satisfying attribute, go talk to your IDP admin to get it added, and then map it accordingly.

  • Glowsome

You can use whatever you want - not sure why your users would change, you just made a bold statement there for some reason.

Thanks for your replies, but as I mentioned, the environment is rather dynamic, meaning the identifier changes … I know what you are thinking now, how can someone's name change … thing is, the admins sometimes want to normalise the case usage of a name; the problem is, in cmk a user's web dir also changes and people lose their bookmarks, views etc …
This is why we started using this ObjectID, a field that never changes in EntraID.

Can you ask your IDP-admin to take care of casing on attributes?

I mean, on my IDP I can use/create virtual attributes where I can manipulate casing.

(reference from my IDP: Managing a Virtual Attribute - NetIQ Access Manager Appliance 5.0 Administration Guide )

  • Glowsome

Agree, but isn’t it better to pick a unique field like ObjectID so we don’t have to worry anymore and don’t have to discuss with the administrator?

Downside: CheckMK has to use the Alias instead of the UserID to make everything readable (btw, why does the alias actually exist on users in cmk?)

Below comments/suggestions might be considered blunt, so beware!

It is my opinion that the issue you are facing is related to the ‘Quality of Data’ offered over your SAML connection.

the environment is rather dynamic, meaning the identifier changes … I know what you are thinking now, how can someone's name change … thing is the admins sometimes want to normalise the case usage of a name.

This is the best indication of the situation you are in, your admins are changing vital information you are depending on, without (i guess) having any clue as to what it does to the monitoring solution, thus breaking your monitoring whenever they change something.

From where I stand (if I were in your position), you need to get a grip on the attributes you are using, and engage in a conversation with your IDP-admin to solve this.

In essence a SAML connection is a mutual agreement between an IDP and its SP about how and what information is sent (the assertion).

In your case you have avoided the conversation and have created a workaround yourself (which is creative) by using the GUID as unique identifier for data consistency, but now you are running into audit-related issues as mentioned in your topic starter.

so we don’t have to worry anymore and don’t have to discuss with the administrator

This feels as if you are actively avoiding the conversation with the IDP-admins for reasons not given, and again are searching for a workaround on top of your already in-place workaround.
Chances are that - if the IDP-admins are different from the EntraID admins - they are not even aware of your struggles.

This even though the IDP-admins are the ones who could offer you data consistency by just sending attributes that are always lowercase, meaning if admins change a username's casing in EntraID, your monitoring will not be affected, as you are already receiving ‘normalised’ attributes.

Hopefully also these types of discussion will create awareness with the IDP- and EntraID- admins as to the issues you are facing now, and in the future.

  • Glowsome
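To make the two mapping options discussed above concrete (keeping the immutable ObjectID as the stable user ID while deriving a readable alias from the assertion, and normalising case SP-side so directory renames do not create a new identity), here is an added example that is not Checkmk's code and not from anyone in this thread. It assumes a generic SP that receives a SAML assertion; the constructed sample assertion and the Entra ID claim URIs used as attribute names are assumptions, and the ObjectID value is the one quoted in the question.

```python
# Added example (not Checkmk's own mapping code): parse the AttributeStatement of a
# SAML assertion and build a user record with a stable ID plus a readable alias.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as Entra ID sends them (assumption; adjust to what SAML Tracer shows).
OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
DISPLAY_NAME = "http://schemas.microsoft.com/identity/claims/displayname"

# Constructed sample assertion: the UPN deliberately has mixed case, which is the
# kind of admin-side edit that broke the user directory in the question.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="%s"><saml:AttributeValue>c6d63137-2490-4fab-8939-1dc1f426e149</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="%s"><saml:AttributeValue>John.Doe@Example.COM</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="%s"><saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (OBJECT_ID, UPN, DISPLAY_NAME)


def extract_attributes(assertion_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def map_user(attrs, id_attr=OBJECT_ID, alias_attrs=(DISPLAY_NAME, UPN)):
    """Stable ID from the immutable attribute; alias from the first readable one present."""
    user_id = attrs.get(id_attr)
    if not user_id:
        # Refuse to log in rather than silently create a new user from a volatile attribute.
        raise ValueError("assertion lacks the stable ID attribute %s" % id_attr)
    alias = next((attrs[a] for a in alias_attrs if attrs.get(a)), user_id)
    # Case-normalise the UPN SP-side, so a casing change in the directory maps to the
    # same login even if the IDP admins do not normalise it for you.
    upn = attrs.get(UPN, "").lower() or None
    return {"user_id": user_id, "alias": alias, "upn": upn}
```

Run it as `map_user(extract_attributes(SAMPLE_ASSERTION))`; the alias falls back to the UPN when no display name is in the assertion, and the ID is still the ObjectID either way.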

If we can select to display the Alias instead of the UserID things are solved …
Is the user alias used anywhere?