SAML auth - how to pick right domain?

Posted by ssouthwe on 13-Mar-2020 17:59

We have a PAS app serving as an SSO provider, receiving a SAML token, and providing an OECP in exchange.

The problem is that whenever a SAML token contains a username like "username@randomdomain.com", PAS doesn't know which domain to use from ABLDomainRegistry.keystore.

Use case: a company wants to provide access to its app for individuals outside the company, who can have email addresses from any domain.

We have tried the route of using OEClientPrincipalFilter.domainRoleFilter=OEDomain:(.*) and having the SAML token contain OEDomain:correctdomain.com, which, according to the documentation, *should* make the CP use the correctdomain.com domain set up in ABLDomainRegistry.keystore.

But this is not happening, and I've yet to figure out how to get logging to tell me anything useful.

Is it even possible to have PAS use the domain I tell it to, regardless of what is in the username?
