sbidy / privacyIDEA-ADFSProvider

A Microsoft Active Directory Federation Service provider for the open source authentication system privacyIDEA.
MIT License

multiple realms in config.xml file #36

Open MikhalMcAlister opened 4 years ago

MikhalMcAlister commented 4 years ago

Good day. Not an issue, but more a question on features that I have not found in the documentation. All is working well with 1 realm defined in the config.xml file, but is there a possibility to add multiple realms to check 2FA? What would be the correct code to add a 2nd, 3rd etc. realm?

sbidy commented 4 years ago

Hey, that is a good point. In the current implementation you can only define one realm per provider. The API endpoints (e.g. /validate/triggerchallenge) don't support multiple realms (documentation). Maybe @cornelinux can help to clarify this 😄

But this or a similar feature will come in one of the next provider versions (~1.4). My plan is to take the user domain information (Domain/User or User@Domain.TLD) and map it to a realm name. This requires that a 1:1 mapping from domain name to realm name exists. This feature will become configurable in the config.xml.

See #24 for more information - it is possible to define multiple LDAP endpoints in one realm.

cornelinux commented 4 years ago

One API request only searches a user in one realm.

Read more about realms here: https://privacyidea.readthedocs.io/en/latest/configuration/realms.html

To differentiate realms, there are different possibilities:

A) Have the application (or the user) choose the realm

The application (the ADFS provider) passes the realm in the request, either by configuration (from config.xml - but then you can only have one realm) or by having the user choose a realm. The user could choose a realm from an additional dropdown box, or the user could log in as "user@realm". Then the request sent would either contain:

or

B) Have privacyIDEA choose the realm

Based on policies and certain conditions, privacyIDEA can overwrite the realm from the request, e.g. using the policy "setrealm".

However, in all cases privacyIDEA will search for the user only in one realm.

(I like the new feature in 1.7 of the ADFS provider!)
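As an added illustration of option A above (example code, not from the provider or from anyone in this thread): the provider derives the one realm it sends either from a fixed config.xml value or from the login the user typed, using a constructed domain-to-realm table of the kind sbidy describes. The request keys `user` and `realm` are the ones /validate/triggerchallenge accepts; the table, the default realm and the sample logins are constructed for this example.

```python
"""Added example, not part of the privacyIDEA-ADFSProvider code base."""
from typing import Dict, Optional, Tuple

# Constructed 1:1 mapping of AD domain (NetBIOS or DNS suffix, lowercased)
# to privacyIDEA realm, as the future configurable mapping would hold it.
DOMAIN_REALM_MAP: Dict[str, str] = {
    "corp": "corp-users",
    "corp.example.com": "corp-users",
    "partners.example.com": "partner-users",
}


def resolve_realm(login: str, domain_map: Dict[str, str],
                  default_realm: Optional[str]) -> Tuple[str, Optional[str]]:
    """Split a typed login into (user, realm).

    DOMAIN\\user and DOMAIN/user are looked up in the domain map; an
    unknown domain falls back to the configured default realm.
    user@suffix uses the map if the suffix is a known domain, otherwise
    the suffix is taken literally as the realm ("user@realm").
    A bare user name gets the default realm (one realm per config.xml).
    """
    login = login.strip()
    for sep in ("\\", "/"):
        if sep in login:
            domain, user = login.split(sep, 1)
            return user, domain_map.get(domain.lower(), default_realm)
    if "@" in login:
        user, suffix = login.rsplit("@", 1)
        return user, domain_map.get(suffix.lower(), suffix)
    return login, default_realm


def triggerchallenge_params(login: str,
                            domain_map: Dict[str, str] = DOMAIN_REALM_MAP,
                            default_realm: Optional[str] = "defrealm"
                            ) -> Dict[str, str]:
    """Form parameters for POST /validate/triggerchallenge.

    privacyIDEA searches exactly one realm per request, so at most one
    'realm' key is ever sent; with no realm at all the server default applies.
    """
    user, realm = resolve_realm(login, domain_map, default_realm)
    params = {"user": user}
    if realm:
        params["realm"] = realm
    return params
```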

jroth-haj commented 3 years ago

@MikhalMcAlister

#49 and #50 will give you the realm from the user.

This should help you. Currently waiting for approval.