Hi Maduranga,

I have analyzed the source in IS 5.3.0 and the behavior is a bit different. We are appending the tenant domain and user domain only when the subject identifier is the user name [1]. Otherwise we are not appending them [2]. IMO, as this is an option which can be decided by the user, if the user checked the check boxes we should append the tenant domain and userstore domain to the subject identifier whether it is the user name or not. If the user does not wish to append those domains he can use the default configurations. So shall we change the existing behavior? WDYT?

[1] https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L175
[2] https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L143

Thanks,

Hasanthi Dissanayake
Software Engineer | WSO2
E: [email protected]
M :0718407133| http://wso2.com

On Fri, May 5, 2017 at 11:21 PM, Maduranga Siriwardena <[email protected]> wrote:
> Hi Hasanthi,
>
> When we added this configuration, the expectation was to add the tenant domain to the subject identifier no matter what is used as the subject claim or it is a requested claim (it can be username or telephone number; if this is enabled the tenant domain should be appended). If we deviate from this there can be lots of unexpected inconsistencies.
>
> Thanks,
>
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
>
> On May 5, 2017 2:03 PM, "Isura Karunaratne" <[email protected]> wrote:
>
>> Hi,
>>
>> On Fri, May 5, 2017 at 10:59 AM, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> There are a few jiras [1],[2],[3],[4] reported related to the above attribute and I thought of discussing the expected behavior of this attribute.
>>>
>>> AFAIU if the above attribute is checked in both federated and local scenarios:
>>> - the tenant domain should be appended to the sub claim even when the username is added as a requested claim or the username is set as the subject claim uri.
>>>
>>> If the above attribute is unchecked:
>>> - the tenant domain should not be appended to the sub claim even when the user name is the subject claim uri or a requested claim.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-5013
>>> [2] https://wso2.org/jira/browse/IDENTITY-4931
>>> [3] https://wso2.org/jira/browse/IDENTITY-4956
>>> [4] https://wso2.org/jira/browse/IDENTITY-4470
>>>
>>> Please let me know if the behavior of this attribute is something different.
>>>
>> Yes. That is the behavior of the 'Use tenant domain in local subject identifier' attribute.
>>
>> Thanks
>> Isura.
>>
>>> Thanks,
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: [email protected]
>>> M :0718407133| http://wso2.com
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: [email protected]
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
