The Authentication Gateway appears to strip off a domain before passing credentials to whatever scheme is configured. In most cases this is fine, but I have an OERealm scheme that relies on getting that domain name to uniquely identify a user in a multi-tenanted environment. Is there a way to configure the gateway to pass along the domain name, so I don’t need to append it twice?
Example: I have a PAS app set up for STS authentication. The user logs in as user@domain. When my Realm receives credentials from the Gateway, it logs out username: "user", domain: "". If the user logs in as user@domain@domain, the realm logs username: "user", domain: "domain".
With OERealm, I never get to the stage where the policy is applied.
When I run stsclientutil with username bennettb@APP, my Realm logs out the correct username, but a blank domain name, and then the CLIENT-AUTHENTICATION-ERROR event fires:
sender: STS
event: CLIENT-AUTHENTICATING
C-P Token 1150
context: Progress.Json.ObjectModel.JsonObject_1152
Request by sparkRest@OESPA for 'ValidateUser' is valid.
User: bennettb Domain:
sender: STS
event: CLIENT-AUTHENTICATION-ERROR
C-P Token 1160
context: Progress.Json.ObjectModel.JsonObject_1162
When I run with username bennettb@APP@APP, authentication succeeds, and only the inner domain is registered by the policy (confirmed by setting up a second domain on the same scheme):
sender: STS
event: CLIENT-AUTHENTICATING
C-P Token 1297
context: Progress.Json.ObjectModel.JsonObject_1299
Request by sparkRest@OESPA for 'ValidateUser' is valid.
User: bennettb Domain: APP
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_ROLES : WatchlistAdminMaster,WatchlistCreate,WatchlistDelete,WatchlistRead,WatchlistUpdate
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_ENABLED : 1
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_LOCKED : 0
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_EXPIRED : 0
Request by sparkRest@OESPA for 'ValidatePassword' is valid.
UserID: 10005 Password: n*******
sender: STS
event: POLICY-APPLYING
C-P Token 1328
context: Progress.Json.ObjectModel.JsonObject_1330
POLICY User: bennettb@APP, Status: INITIAL
sender: STS
event: POLICY-APPLIED
C-P Token 1342
context: Progress.Json.ObjectModel.JsonObject_1344
sender: STS
event: CLIENT-AUTHENTICATED
C-P Token 1349
Progress.Json.ObjectModel.JsonObject_1351
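A small model of the behaviour described above, added here as an example (it is not code from the original post or from Progress). It assumes the Gateway strips everything after the last '@' before handing the principal to the realm, and that the realm then splits what remains on its own last '@'; under those assumptions it reproduces both log runs and shows why a multi-tenant realm should fail closed when the domain arrives blank.

```python
# Model of the domain-stripping behaviour seen in the STS logs.
# Assumption (not verified against Progress source): the Gateway removes the
# suffix after the LAST '@', and the realm splits what remains on ITS last '@'.
from typing import NamedTuple, Optional


class Credentials(NamedTuple):
    username: str
    domain: str


def gateway_strip_domain(login_id: str) -> str:
    """Model of the Authentication Gateway: drop the trailing '@domain'."""
    head, sep, _tail = login_id.rpartition("@")
    return head if sep else login_id


def realm_parse(user_id: str) -> Credentials:
    """Model of an OERealm splitting the id it receives into user and domain."""
    head, sep, tail = user_id.rpartition("@")
    return Credentials(head, tail) if sep else Credentials(user_id, "")


def realm_validate(creds: Credentials, tenants: dict) -> Optional[int]:
    """Multi-tenant lookup. A blank domain must fail closed instead of
    matching the same username in an arbitrary tenant. Returns user id or None."""
    if not creds.domain:
        return None  # corresponds to the CLIENT-AUTHENTICATION-ERROR in the first log
    return tenants.get(creds.domain, {}).get(creds.username)


def authenticate(login_id: str, tenants: dict) -> Optional[int]:
    """End to end: Gateway strip, then realm parse and tenant-scoped validate."""
    return realm_validate(realm_parse(gateway_strip_domain(login_id)), tenants)


# Constructed sample tenant table; user id 10005 is the one from the log above,
# the OTHER tenant is made up to show that the domain selects the tenant.
TENANTS = {"APP": {"bennettb": 10005}, "OTHER": {"bennettb": 20005}}

if __name__ == "__main__":
    for login in ("bennettb@APP", "bennettb@APP@APP", "bennettb@OTHER@OTHER"):
        creds = realm_parse(gateway_strip_domain(login))
        print(f"{login:22} -> realm sees {creds} -> user id {authenticate(login, TENANTS)}")
```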
We have the exact same problem now, so I am curious if there is a solution.
Using the double @ doesn't work for us either. The STS gives the error "Domain qualified user not allowed."