cancel
Showing results for 
Search instead for 
Did you mean: 

Realm w/ secondary auth: Always fail primary auth if user not defined in Role Mapping anyway?

Occasional Contributor

Realm w/ secondary auth: Always fail primary auth if user not defined in Role Mapping anyway?

When a user does not have a role mapping (i.e. cannot sign in) and the realm is configured with a secondary authentication server, then primary authentication can be successful even though the user will never be able to finally log in.

Is it possible to check the role mapping after first authentication and make it artificially fail (if it was successful) since the user will never be able to log in anyway?

Thanks.

3 REPLIES 3
Moderator

Re: Realm w/ secondary auth: Always fail primary auth if user not defined in Role Mapping anyway?

No
Occasional Contributor

Re: Realm w/ secondary auth: Always fail primary auth if user not defined in Role Mapping anyway?

Why?
Moderator

Re: Realm w/ secondary auth: Always fail primary auth if user not defined in Role Mapping anyway?

I do not think that is a use case or option that has been presented to the product team; I would definitely recommend asking your account team to talk to PLM about adding this as a feature to optionally do an attribute check between authentications.

At this time, the flow is designed to do the following:
- check if the user exists with proper credential on the primary authentication server
- check if the user exists with proper credential on the secondary authentication server
- check attributes (authorization) received from both authentication servers against the values defined for role mapping
- assign roles, or reject login, based on what was determined during the authorization stage