Correct ZivverAccountKey from IdP

How do you know whether the identity provider (IdP) returned the correct ZivverAccountKey value?

Cause

When you create a Zivver account with the Synctool, a user attribute is the basis of the ZivverAccountKey. In most cases, this is the AD attribute ObjectGUID. When you set up a single sign-on (SSO) link, the IdP must fetch the same ZivverAccountKey value, and the SAML response to the service provider (SP) must contain that same value. If the ZivverAccountKey set at creation does not agree with the value in the SAML response, the user cannot log in directly. After entering the SSO credentials, the user sees “please enter your Zivver password once”.

Solution 1

Examine the SAML response.

  • Identify which ZivverAccountKey value the IdP sent to the SP.
  • Identify which authentication the SAML shows.

Solution 2

  1. Open Chrome.
  2. Install the SAML Message Decoder.
  3. Go to https://app.zivver.com
  4. Enter your mail address.
  5. Wait for the WebApp to redirect you to the IdP.
    ADFS authenticates you with Windows Authentication.
    If not, manually enter your SSO credentials.
  6. Wait until you see “Please enter your Zivver password once”.
  7. Click on the SAML Decoder icon.
  8. Go to the latest message.
  9. Search for an XML snippet similar to this snippet.

    <saml:AttributeStatement>
      <saml:Attribute Name="https://zivver.com/SAML/Attributes/ZivverAccountKey" NameFormat="urn:oasis:names:tc:SAML:2:attrname-format:basic">
        <saml:AttributeValue>482548ad-506d-47cc-842d-ea1042d0addf</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    

Remarks

  • The snippet shows which value is set for ZivverAccountKey.
    In this example: 482548ad-506d-47cc-842d-ea1042d0addf.
  • You can check whether the value is correct.
    Use the Synctool > Step 2 > Preview users in Zivver. The password column shows the ZivverAccountKey.
  • Do not compare the value with the value for ObjectGUID in the AD Attribute Editor for this specific user. The Attribute Editor shows a user-friendly ObjectGUID. You must compare it with the Base64 value of ObjectGUID.
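
The comparison from the remarks, as an added example that is not part of the original article or of Zivver's tooling: it reads ZivverAccountKey from a Base64-encoded SAML response and reports whether the IdP sent the Base64 form or the display form of a user's ObjectGUID. It assumes the Base64 value is the Base64 of the raw 16-byte AD attribute; the function names and the sample response are constructed for illustration.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

# Attribute name taken from the snippet above; NS is the SAML 2.0 assertion namespace.
KEY_ATTR = "https://zivver.com/SAML/Attributes/ZivverAccountKey"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def objectguid_to_base64(display_guid):
    """Base64 of the raw 16-byte ObjectGUID (AD stores the first three fields little-endian)."""
    return base64.b64encode(uuid.UUID(display_guid).bytes_le).decode("ascii")

def extract_account_key(saml_response_b64):
    """Return the ZivverAccountKey value from a Base64-encoded SAML response, or None."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("SAML response contains a DTD; refusing to parse it")
    root = ET.fromstring(xml_bytes)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == KEY_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            return (value.text or "").strip() if value is not None else None
    return None

def classify(saml_value, display_guid):
    """Report which form of the user's ObjectGUID the IdP sent, if either."""
    if saml_value == objectguid_to_base64(display_guid):
        return "base64"
    try:
        if uuid.UUID(saml_value) == uuid.UUID(display_guid):
            return "display"
    except (ValueError, AttributeError, TypeError):
        pass  # not a GUID string at all
    return "mismatch"

# Constructed sample: the GUID from the snippet above inside a minimal response.
SAMPLE_GUID = "482548ad-506d-47cc-842d-ea1042d0addf"
def build_sample(value):
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:AttributeStatement><saml:Attribute Name="' + KEY_ATTR + '">'
           '<saml:AttributeValue>' + value + '</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for sent in (objectguid_to_base64(SAMPLE_GUID), SAMPLE_GUID, "not-the-key"):
        key = extract_account_key(build_sample(sent))
        print(key, "->", classify(key, SAMPLE_GUID))
```

A result of "display" or "mismatch" means the value in the response has to be checked against what the Synctool preview shows for that user.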
