The Authentication Gateway appears to strip off a domain before passing credentials to whatever scheme is configured. In most cases this is fine, but I have an OERealm scheme that relies on getting that domain name to uniquely identify a user in a multi-tenanted environment. Is there a way to configure the gateway to pass along the domain name, so I don’t need to append it twice?
Example: I have a PAS app set up for STS authentication. The user logs in as user@domain. When my Realm receives credentials from the Gateway, it logs out username: "user", domain: "". If the user logs in as user@domain@domain, the realm logs username: "user", domain: "domain".
With OERealm, I never get to the stage where the policy is applied.
When I run stsclientutil with username bennettb@APP, my Realm logs out the correct username, but a blank domain name, and then the CLIENT-AUTHENTICATION-ERROR event fires:
sender: STS event: CLIENT-AUTHENTICATING C-P Token 1150 context: Progress.Json.ObjectModel.JsonObject_1152
Request by sparkRest@OESPA for 'ValidateUser' is valid.
User: bennettb Domain:
sender: STS event: CLIENT-AUTHENTICATION-ERROR C-P Token 1160 context: Progress.Json.ObjectModel.JsonObject_1162
When I run with username bennettb@APP@APP, authentication succeeds, and only the inner domain is registered by the policy (confirmed by setting up a second domain on the same scheme):
sender: STS event: CLIENT-AUTHENTICATING C-P Token 1297 context: Progress.Json.ObjectModel.JsonObject_1299
Request by sparkRest@OESPA for 'ValidateUser' is valid.
User: bennettb Domain: APP
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_ROLES : WatchlistAdminMaster,WatchlistCreate,WatchlistDelete,WatchlistRead,WatchlistUpdate
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_ENABLED : 1
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_LOCKED : 0
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_EXPIRED : 0
Request by sparkRest@OESPA for 'ValidatePassword' is valid.
UserID: 10005 Password: n*******
sender: STS event: POLICY-APPLYING C-P Token 1328 context: Progress.Json.ObjectModel.JsonObject_1330
POLICY User: bennettb@APP, Status: INITIAL
sender: STS event: POLICY-APPLIED C-P Token 1342 context: Progress.Json.ObjectModel.JsonObject_1344
sender: STS event: CLIENT-AUTHENTICATED C-P Token 1349 Progress.Json.ObjectModel.JsonObject_1351
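As an added illustration, not code from this thread and not Progress/OpenEdge code, the following Python models the two-stage split the post above observes: the gateway strips one trailing "@domain" qualifier, and the realm then parses whatever is left on its own. The split rules (splitting on the last "@" at each stage) are an assumption chosen to reproduce the two reported outcomes; the real parsing rules are not shown on the page. It also shows the realm-side check a multi-tenant deployment would want: refusing to resolve a user when the domain arrives blank rather than silently falling back to a default tenant.

```python
"""
Model of the user@domain handling described in the thread.

Assumed behaviour (not taken from the product): the gateway removes the
last '@domain' from the login before handing it to the configured scheme,
and the realm splits what it receives on the last '@' again. Under these
rules "user@domain" reaches the realm with a blank domain, and
"user@domain@domain" reaches it with domain "domain", matching the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    user: str
    domain: str


def gateway_strip_domain(login: str) -> str:
    """Assumed gateway step: drop the trailing '@domain' qualifier."""
    head, sep, _tail = login.rpartition("@")
    return head if sep else login


def realm_parse(name: str) -> Credential:
    """Assumed realm step: split the received name on its last '@'."""
    user, sep, domain = name.rpartition("@")
    if not sep:
        return Credential(user=name, domain="")
    return Credential(user=user, domain=domain)


def gateway_to_realm(login: str) -> Credential:
    """What the realm ends up seeing for a given login string."""
    return realm_parse(gateway_strip_domain(login))


def multitenant_lookup(cred: Credential, tenants: dict) -> int:
    """Realm-side check for a multi-tenant deployment (illustrative).

    A blank domain cannot identify a tenant, so it is rejected outright
    instead of being resolved against some default tenant. `tenants` maps
    domain -> {user -> user id}; the sample data in the test is constructed.
    """
    if not cred.domain:
        raise ValueError("blank domain: cannot select tenant")
    users = tenants.get(cred.domain)
    if users is None or cred.user not in users:
        raise LookupError("unknown user or tenant")
    return users[cred.user]


if __name__ == "__main__":
    # Constructed sample tenant table; the user id mirrors the log above.
    sample_tenants = {"APP": {"bennettb": 10005}}
    for login in ("bennettb@APP", "bennettb@APP@APP"):
        cred = gateway_to_realm(login)
        print(f"{login!r:22} -> user={cred.user!r} domain={cred.domain!r}")
        try:
            print("  tenant lookup:", multitenant_lookup(cred, sample_tenants))
        except (ValueError, LookupError) as exc:
            print("  tenant lookup rejected:", exc)
```

Running it prints the blank-domain case being rejected and the double-qualified case resolving to user id 10005 in tenant APP, which is the asymmetry the post describes.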
We have the exact same problem now, so I am curious if there is a solution.
Using the double @ doesn't work for us either. The STS gives the error "Domain qualified user not allowed."