Feature #2047
open
Make SSO filter case-insensitive
Added by Tomáš Doischer almost 5 years ago.
Updated almost 5 years ago.
Category:
Authentication / Authorization
Description
When using SSO to log in to IdM, IdM basically compares the login to the value it gets from Kerberos. Since AD is case-insensitive and IdM is case-sensitive, issues can arise because users can use any combination of lower and upper case in AD. IdM will then not find the user since the SSO filter is case-sensitive.
There is also the issue that right now you can have all of these accounts in IdM at the same time: "JNovak", "jnovak", "jNovak", "jnoVak" - this is also probably not ideal and would have to change if we were to make the SSO filter case-insensitive.
- Assignee changed from Vít Švanda to Radek Tomiška
All authentication methods implemented in IdM are case-sensitive. We don't have a restriction on usernames, and "JNovak" and "jnovak" are different users for us.
I'm not sure about this requirement, whether it's right to simply change just one way of authentication to be case-insensitive.
A possible solution could be to add a new configuration property, something like "idm.sec.core.authentication.casesensitive=false" - where even usernames will be validated to be unique (case-insensitive). And this will work for all authentication methods.
Yes, this configuration property is precisely what we had in mind, it would be great.
Are you sure this should be just a configuration property? Changing it from case-sensitive to case-insensitive when the IDM runs in production for some time might cause a serious data inconsistency.
Of course, this property changes the behavior altogether - so it makes sense to set it at the start of a project or with knowledge of the project data (=> it is project dependent).
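An added example, not part of the ticket and not IdM's own code: a pre-flight check that could be run over the existing usernames before enabling a case-insensitive mode, listing the accounts that would collide and showing how an SSO login would resolve. The function names and the comparison key (Unicode NFKC plus casefold) are assumptions; the comparison actually used by AD or by IdM may differ.

```python
import unicodedata
from collections import defaultdict


def normalize(username: str) -> str:
    """Assumed comparison key: NFKC normalization followed by casefold."""
    return unicodedata.normalize("NFKC", username).casefold()


def find_collisions(usernames):
    """Return {key: [usernames]} for every key shared by more than one account."""
    groups = defaultdict(list)
    for name in usernames:
        groups[normalize(name)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def resolve_login(sso_login, usernames):
    """Case-insensitive lookup of the login value supplied by SSO.

    Returns (status, matches) with status "unique", "ambiguous" or "missing".
    An ambiguous result has to be rejected rather than resolved by picking
    one of the matching accounts.
    """
    key = normalize(sso_login)
    matches = sorted(n for n in usernames if normalize(n) == key)
    if not matches:
        return "missing", []
    if len(matches) > 1:
        return "ambiguous", matches
    return "unique", matches


# Constructed sample data: the four usernames from the ticket plus two others.
EXISTING = ["JNovak", "jnovak", "jNovak", "jnoVak", "asvoboda", "Mdvorak"]

if __name__ == "__main__":
    for key, names in find_collisions(EXISTING).items():
        print(f"collision on {key!r}: {names}")
    for login in ("JNOVAK", "MDvorak", "xunknown"):
        print(login, resolve_login(login, EXISTING))
```

An empty result from `find_collisions` is the precondition for switching modes on existing data; any non-empty group has to be merged or renamed first.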