Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-9601

Scripted Auth Module Not Using Alias Search Attribute Name



    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0
    • Fix Version/s: None
    • Component/s: authentication
    • Labels:


      The Scripted Auth Module does not use the Alias Search Attribute Name parameter in case it can find the identity in the repository using the default search attribute; more precisely in ScriptIdentityRepository.getIdentity (line 105) it simply fails after searching using the default search attribute, while it should use Alias Search Attribute Name like in HOTPService.getIdentity (line 267) with the HOTP Auth Module.

      Scenario that causes issues is when you authenticate using the email instead of UID (by changing the auth attribute) but keep the UID as the default search parameter in the data store configuration (seems the XUI has couple bugs if you don't do so); hence username is set to the email address. When then using, for example the Device Match Scripted Auth Module, it can't find the device profiles of the user. The HOTP Auth Module has no issue with this setup as it uses Alias Search Attribute Name in case of failure. I suspect that the XUI bug, the trusted devices are not showing if you change the default search attribute to mail for example, is related to this issue.

      My suggestion would be to ideally incapsulate this behaviour and separate it from the individual modules; as it seems to return over and over.




            • Assignee:
              chrisadriaensen Chris Adriaensen [X] (Inactive)
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: