WebUI behaviour

AAuer · January 8, 2021, 11:27am

Hi,
I’m using PI with multiple realms, Login is normally performed with samaccountname. Now I have the requirement to authenticate users with the UserPrincipleName which contains an @-sign.

The login via RADIUS is no problem, I made a script to add the realm to any username from specific IPs, so login is made as user@domain@realm which is working perfect.

Unfortunately the login in the WebUI is not controllable this way. So I thought, if I add the realm as dropdown in the webui-policy, PI would not split the username at the @ when a realm is selected. But it looks like, the dropdown is just for convenience…

Is this baviour a bug or works-as-designed?

Is it possible, to change the split-character from @ to something other, like § or &?

Kind regards

Andi

cornelinux · January 8, 2021, 1:21pm

I hope we have covered everything here in the docs:
https://privacyidea.readthedocs.io/en/latest/configuration/realms.html#relate-user-to-a-realm

When you login in the UI with a realm dropdown, the following parameters will be sent:

username: user@domain
realm: realm

Now the behaviour depends on all the naming you have.

privacyIDEA would be capable of splitting realm\\user but in your case with the double @ this is not possible.

AAuer · January 11, 2021, 10:02am

Hi,

but if the domain and the realm from the dropdown are the same, just user and realm are sent, the domain is stripped of or the value from the dropdown is not used.

Is there a possibility to set a realm from the dropdown-list as the default?

cornelinux · January 13, 2021, 6:02am

If you send user=user@specificrealm` ` and realm=specificrealm via the API it is indeed the expected behaviour to finduser in thespecificrealm``.

In regards to a dropdown: no.