Details
- Feature
- Status: Released
- Minor
- Resolution: Fixed
- 2.4.1
- None
Description
Current Situation
The identity service IS1 is of type LDAP.
The identity service IS2 is of type LDAP-JOC.
User U1 can log in with both LDAP identity services.
User U2 can log in with both LDAP identity services.
U1 does not have any role in LDAP; therefore the group/roles mapping does not assign any role when the login is done with IS1.
U2 does not have any role assignment in IS2.
When IS2 has a lower order than IS1, U2 will log in with IS2 and does not have any roles.
When IS1 has a lower order than IS2, U1 will log in with IS1 and does not have any roles.
Desired Behavior
Only users that are listed in the Accounts sub-view for an LDAP-JOC identity service should be able to log in with an LDAP-JOC identity service. A login of a user who is not assigned any roles results in an empty authorization. Therefore it is preferable to try the next identity service in the list of available identity services.
This allows U1 and U2 to log in with the desired roles by setting the ordering for the identity services to IS2 -> IS1.
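The following model of the login chain is an added example, not code from the product. It compares the current and the desired behavior for U1 and U2. The role names, the `known_users` stand-in for a successful LDAP credential check, and the `skip_unlisted` switch are assumptions made for illustration; only an LDAP-JOC service is skipped when the user is missing from its Accounts sub-view.

```python
from dataclasses import dataclass, field

@dataclass
class IdentityService:
    name: str
    kind: str          # "LDAP" or "LDAP-JOC"
    order: int         # the service with the lower order is tried first
    known_users: set   # constructed: users whose LDAP credentials verify
    ldap_roles: dict = field(default_factory=dict)  # LDAP: result of the group/roles mapping
    accounts: dict = field(default_factory=dict)    # LDAP-JOC: Accounts sub-view, user -> roles

    def roles_for(self, user):
        source = self.accounts if self.kind == "LDAP-JOC" else self.ldap_roles
        return list(source.get(user, []))

def login(user, services, skip_unlisted):
    """Return (service name, roles) of the first identity service that accepts the user."""
    for svc in sorted(services, key=lambda s: s.order):
        if user not in svc.known_users:
            continue  # credentials rejected, try the next identity service
        if skip_unlisted and svc.kind == "LDAP-JOC" and user not in svc.accounts:
            continue  # desired behavior: user is not listed in the Accounts sub-view
        return svc.name, svc.roles_for(user)
    return None, []

def make_services(order_is1, order_is2):
    """Constructed setup matching the description; role names are hypothetical."""
    users = {"U1", "U2"}
    is1 = IdentityService("IS1", "LDAP", order_is1, users,
                          ldap_roles={"U2": ["operator"]})      # U1 has no role in LDAP
    is2 = IdentityService("IS2", "LDAP-JOC", order_is2, users,
                          accounts={"U1": ["administrator"]})   # U2 has no assignment in IS2
    return [is1, is2]

if __name__ == "__main__":
    for label, skip in (("current", False), ("desired", True)):
        for ordering, (o1, o2) in (("IS2 -> IS1", (2, 1)), ("IS1 -> IS2", (1, 2))):
            for user in ("U1", "U2"):
                result = login(user, make_services(o1, o2), skip)
                print(f"{label:8} {ordering}  {user}: {result}")
```

With the ordering IS1 -> IS2, U1 still ends up with an empty authorization from IS1 in this model, which is why the description sets the ordering to IS2 -> IS1.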