Authentication policy mangle

I’ve been trying to solve the following with the policy mangle all day, but somehow I have a knot in my head about it:

Doc: 7.3. Authentication policies — privacyIDEA 3.8 documentation


are supposed to become
Username: TestStudent@students
Username: TestMember@staff


I have already tried:

mangle: user/(.*)@.*\\.university\\.edu/\\1/ 
mangle: user/(.*)\\.university\\.edu/\\1/  
mangle: realm/(.*)\.university\.edu/\\1/ 

I made a separate policy for this with a priority at the top. So far it just doesn’t take effect, and I wonder if the split into username and realm happens before or if I even need two rules, one to extract the username and one to shorten the realm.

Unfortunately I can’t figure it out from the doc or the code. Has anyone done something like this before?

The user resolving is done before the mangling.

I.e. your input “” is split into username=TestStudent and if this realm exists (or not split, according to the splitting rules described in readthedocs.)

I.e. you cannot mangle a non-existing realm or non-existing user.