> <@bitmap:chatbrainz.org> the flow was slightly different now, kanidm actually asked me for permission to read my email address, though now I end up on a google page that says:
>
> Couldn’t sign you in
>
> Contact your domain admin for help.

that's promising! i'll look at the traces you sent, but my guess is that i need to update the attribute mappings in the proxy since the full principal names for users in kanidm =/= emails -- this would be a non-issue in other idm tools (including the secondary candidate, authentik) where the principal names can end in different domains from the server host (plus authentik supports SAML natively, which sidesteps the whole proxy mess)