Feature #2047
open
Make SSO filter case-insensitive
0%
Description
When using SSO to log in to IdM, IdM basically compares the login to the value it gets from Kerberos. Since AD is case-insensitive and IdM is case-sensitive, issues can arise because users can use any combination of lower and upper case in AD. IdM will then not find the user since the SSO filter is case-sensitive.
There is also the issue that right now you can have all of these accounts in IdM at the same time: "JNovak", "jnovak", "jNovak", "jnoVak" - this is also probably not ideal and would have to change if we were to make SSO filter case-insensitive.
Updated by Radek Tomiška almost 5 years ago
- Assignee changed from Vít Švanda to Radek Tomiška
All authentication methods implemented in IdM are case-sensitive. We don't have a restriction on usernames, and "JNovak" and "jnovak" are different users for us.
I'm not sure about this requirement, if it's right to simply change just one way of authentication to be case-insensitive.
A possible solution can be to add a new configuration property, something like "idm.sec.core.authentication.casesensitive=false" - where even usernames will be validated to be unique (case-insensitive). And this will work for all authentication methods.
Updated by Tomáš Doischer almost 5 years ago
Yes, this configuration property is precisely what we had in mind, it would be great.
Updated by Vladimír Kotýnek almost 5 years ago
Are you sure this should be just a configuration property? Changing it from case-sensitive to case-insensitive when the IdM has been running in production for some time might cause a serious data inconsistency.
Updated by Radek Tomiška almost 5 years ago
Of course, this property changes behavior at all - so it makes sense to set it at the start of a project or with knowledge of the project data (=> it is project dependent).
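The data-inconsistency risk raised in this thread can be checked before such a property is switched: the sketch below is an added example, not part of the ticket or of IdM's code. It audits an exported username list for accounts that would collide under case-insensitive comparison and shows a lookup that refuses to pick between them. The function names and the NFKC + casefold comparison rule are assumptions.

```python
import unicodedata
from collections import defaultdict


def fold(name: str) -> str:
    """Comparison key: NFKC + casefold (an assumption; AD's own
    collation may differ for some non-ASCII characters)."""
    return unicodedata.normalize("NFKC", name).casefold()


def find_case_collisions(usernames):
    """Return {folded_key: sorted usernames} for keys shared by 2+ accounts."""
    groups = defaultdict(set)
    for name in usernames:
        groups[fold(name)].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


class AmbiguousLogin(Exception):
    """Raised when one SSO principal maps to several stored accounts."""


def resolve_login(principal, usernames):
    """Case-insensitive lookup that never guesses between colliding accounts."""
    key = fold(principal)
    matches = sorted(n for n in set(usernames) if fold(n) == key)
    if len(matches) > 1:
        raise AmbiguousLogin(f"{principal!r} matches {matches}")
    return matches[0] if matches else None


# Constructed sample data: the usernames quoted in the ticket plus two others.
SAMPLE = ["JNovak", "jnovak", "jNovak", "jnoVak", "asmith", "Straße"]

if __name__ == "__main__":
    for key, names in find_case_collisions(SAMPLE).items():
        print(f"collision on {key!r}: {names}")
    # A principal arriving in different case still resolves when unambiguous.
    print(resolve_login("ASMITH", SAMPLE))
```

An empty result from `find_case_collisions` is the precondition for enabling case-insensitive matching on existing data; any non-empty group has to be merged or renamed first.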