
CXF-5987: LdapClaimHandler Support for multipart usernames


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.1
    • Fix Version/s: None
    • Component/s: STS
    • Estimated Complexity: Unknown

    Description

      Currently the LdapClaimHandler is only able to look up attributes for a user with a direct match between the username and the username in the LDAP directory.

      In the case of Kerberos the username looks like this: user@domain.com. If the user is authenticated with a Kerberos token at the STS, the LdapClaimHandler is able to extract the username. But if the username comes from a different token type (e.g. a SAML token in a WS-Federation scenario with initial Kerberos authentication), then the lookup fails.

      My proposal would be to extend the LdapClaimHandler in such a way that it is possible to define a DELIMITER (e.g. '@') which can be used on any token type to extract the username. An even more generic way would be to provide the option for a callback handler to map the username. But for now I would go with the simple solution of a delimiter.
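      An added illustration of the delimiter approach proposed above; this is example code written for this page, not code from CXF or the reporter. The class name, the realm allow-list and the sample principals are assumptions.

```java
import java.util.Set;
/** Hypothetical mapper showing the proposed delimiter option for LdapClaimHandler. */
public final class DelimitedUsernameMapper {
    private final String delimiter;          // e.g. "@" for Kerberos-style principals
    private final Set<String> allowedRealms;  // assumption: realms this STS will resolve; null = any

    public DelimitedUsernameMapper(String delimiter, Set<String> allowedRealms) {
        if (delimiter == null || delimiter.isEmpty()) {
            throw new IllegalArgumentException("delimiter must be non-empty");
        }
        this.delimiter = delimiter;
        this.allowedRealms = allowedRealms;
    }

    /**
     * Returns the part of the principal before the first delimiter, i.e. the value
     * to match against the username attribute in LDAP. This is applied to the
     * principal of any token type, not only Kerberos. Returns null when the name
     * cannot be mapped, so the caller skips the lookup instead of searching LDAP
     * for an empty local part or a user from an unexpected realm.
     */
    public String toLdapUsername(String principal) {
        if (principal == null) {
            return null;
        }
        int idx = principal.indexOf(delimiter);
        if (idx < 0) {
            return principal;            // plain username: direct match as today
        }
        String user = principal.substring(0, idx);
        String realm = principal.substring(idx + delimiter.length());
        if (user.isEmpty()) {
            return null;                 // "@domain.com" has no usable local part
        }
        // Dropping the realm folds "alice@A" and "alice@B" onto one LDAP entry;
        // restricting the accepted realms keeps the mapping unambiguous.
        if (allowedRealms != null && !allowedRealms.contains(realm.toUpperCase())) {
            return null;
        }
        return user;
    }

    public static void main(String[] args) {
        DelimitedUsernameMapper m = new DelimitedUsernameMapper("@", Set.of("DOMAIN.COM"));
        System.out.println(m.toLdapUsername("user@domain.com"));
        System.out.println(m.toLdapUsername("user"));
        System.out.println(m.toLdapUsername("user@other.org"));
    }
}
```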

          People

            Assignee: Unassigned
            Reporter: Jan Bernhardt (jan4talend)