Hi,

Currently, if the user doesn't specify the user store domain name with the username, we try to authenticate the user against all the available user stores. I am in the process of implementing a feature to support authentication against a predefined user store list.

*Requirement*

If more than one user store has the same user name with different passwords, then during authentication we must specify the user store domain. If the user stores are LDAP or AD and the user store domain cannot be appended to the username, there can be issues like account locking if AD and LDAP have been configured with wrong-password policies. So with the current implementation, the following requirement can't be fulfilled without specifying the user store domain along with the username.

1. AD and LDAP have been configured with wrong-password policies. AD and LDAP have the same user (let's say the *username is bob*) with different passwords.
2. Only employees can access SP1 (service provider), and employee details are stored in UserStore1 (LDAP).
3. Only customers can access SP2, and customer details are stored in UserStore2 (AD).
4. Employees and customers can access SP3.

*Issues*

1. Now if either an employee or a customer tries to log in to SP1 without specifying the user store domain, the user will be searched in both user store domains.
2. If we have fixed the above issue and allow users to be searched only through UserStore1 for the SP1 application, and only through UserStore2 for SP2, then we will face another issue: if SP1 is already logged in with user *bob* using the LDAP password and we now try to access the application SP2 in the same browser, we will be automatically logged in to SP2 as the LDAP user *bob* since there is already a session. But as mentioned in point 3, only AD users can access the SP2 app.

*How to address the issues*

1. To solve issue 1, we could introduce a callback handler and generate the SP-wise user store list through an extension point of the callback handler. So at the user store level, we will consider the generated user store list and only execute the generated user store list for a specific service provider. For example, we could configure the service provider name against the allowed user stores in the registry.
2. To solve issue 2, when there is already an existing session, in addition to checking the already authenticated authenticator and identity provider, we should include logic to check whether the already logged-in user's user store domain is included in the allowed user store domains (this allowed user store list will be created through the extension point mentioned in point 1). Only if it is included will we allow the user to be logged in; otherwise we prompt the login page.

*Example:-* *bob* is logged in to SP1 using LDAP credentials and in the same browser tries to access SP2; now he will be redirected to the login page since SP2 only allows the users in AD.

Once we address the above two issues we need to find an approach to support requirement 4. Once the user (bob) has logged in to SP1 with LDAP credentials and SP2 with AD credentials in the same browser, if we try to access the application SP3 there will be two logged-in users (LDAP user and AD user), so we could show a drop-down list and ask the user to choose the logged-in user.

Appreciate your suggestions and feedback on this.

Thanks,
Nila.

--
Nilasini Thirunavukkarasu | Senior Software Engineer | WSO2 Inc.
(m) +94775241823 | Email: nilas...@wso2.com <http://wso2.com/signature>
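The decision logic proposed above (SP-wise allowed user stores for the search, the session check for issue 2, and the multi-session choice for requirement 4), as an added example that is not part of the original mail or of WSO2's code base. The registry-style mapping, the `DOMAIN/username` separator, and all function and class names are assumptions for illustration.

```python
# Added illustration of the proposal, not WSO2 code. Data shapes and names are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthenticatedUser:
    """A user already authenticated in the browser session."""
    username: str
    user_store_domain: str


# Constructed stand-in for the "service provider -> allowed user stores"
# configuration the mail proposes keeping in the registry.
SP_ALLOWED_USER_STORES = {
    "SP1": ["UserStore1"],               # employees only (LDAP)
    "SP2": ["UserStore2"],               # customers only (AD)
    "SP3": ["UserStore1", "UserStore2"],  # employees and customers
}


def allowed_user_stores(sp_name, config=SP_ALLOWED_USER_STORES):
    """Callback-handler stand-in: the user store list generated for one SP."""
    return list(config.get(sp_name, []))


def user_stores_to_search(username, sp_name, config=SP_ALLOWED_USER_STORES):
    """Issue 1: without an explicit domain, search only the SP's allowed stores.
    An explicit 'DOMAIN/username' (assumed separator) still wins."""
    if "/" in username:
        domain, _ = username.split("/", 1)
        return [domain]
    return allowed_user_stores(sp_name, config)


def resolve_session(sp_name, session_users, config=SP_ALLOWED_USER_STORES):
    """Issue 2 and requirement 4: decide what an existing session allows.
    Returns ("login", None) to prompt the login page, ("auto", user) to
    log in silently, or ("choose", users) to show the drop-down list."""
    allowed = set(allowed_user_stores(sp_name, config))
    candidates = [u for u in session_users if u.user_store_domain in allowed]
    if not candidates:
        return "login", None          # e.g. LDAP bob accessing SP2
    if len(candidates) == 1:
        return "auto", candidates[0]  # the usual SSO case
    return "choose", candidates       # LDAP bob and AD bob accessing SP3
```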
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture