
multiple realms in config.xml file

Open MikhalMcAlister opened this issue 5 years ago • 3 comments

Good day, not an issue, but more a question on features; I have not found it in the documentation. All is working well with 1 realm defined in the config.xml file, but is there a possibility to add multiple realms to check 2FA? What would be the correct code to add 2, 3 etc. realms?

MikhalMcAlister avatar Feb 18 '20 07:02 MikhalMcAlister

Hey, that is a good point. In the current implementation you can only define one realm per provider. The API endpoints (e.g. /validate/triggerchallenge) don't support multiple realms (documentation). Maybe @cornelinux can help to clarify this 😄

But this or a similar feature will come in one of the next provider versions (~1.4). My plan is to take the user domain information (Domain/User or [email protected]) and map this to a realm name. This requires that a 1:1 mapping from domain name to realm name exists. This feature will become configurable in the config.xml.

See #24 for more information - it is possible to define multiple LDAP endpoints in one realm.

sbidy avatar Feb 18 '20 08:02 sbidy

One API request only searches a user in one realm.

Read more about realms here: https://privacyidea.readthedocs.io/en/latest/configuration/realms.html

To differentiate realms, there are different possibilities:

A) Have the application (or the user) choose the realm

The application (the ADFS provider) passes the realm in the request. Either by configuration (from config.xml - but then you can only have one realm) or by having the user choose a realm. The user could choose a realm from an additional dropdown box, or the user could log in as "user@realm". Then the request sent would either contain:

  • user=user
  • realm=realm

or

  • user= user@realm

B) Have privacyIDEA choose the realm

Based on policies and certain conditions privacyIDEA can overwrite the realm from the request. e.g. using the policy "setrealm".

However, in all cases privacyIDEA will search for the user only in one realm.

(I like the new feature in 1.7 of the ADFS provider!)

cornelinux avatar Feb 18 '20 13:02 cornelinux
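The two comments above describe the same mechanism from both ends: sbidy's plan to derive the realm from the user's domain (Domain\User or user@domain) via a 1:1 domain-to-realm mapping, and cornelinux's point that every privacyIDEA request still names exactly one realm, either as a separate `realm` parameter or folded into `user=user@realm`. The following Python is an added example written for this thread, not code from the ADFS provider or from privacyIDEA. It assumes a hypothetical domain-to-realm table standing in for the planned config.xml setting, and it only builds the parameters for a /validate/check call (the `user`, `realm` and `pass` parameter names are privacyIDEA's); it does not send anything. An unmapped domain is treated as an error rather than silently falling back to the default realm, so a user from an unexpected domain is never checked against the wrong realm.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical domain -> realm mapping, constructed for this example. It plays
# the role of the configurable 1:1 mapping sbidy describes; the names are invented.
DOMAIN_REALM_MAP: Dict[str, str] = {
    "corp": "corp-users",
    "corp.example.com": "corp-users",
    "lab.example.com": "lab",
}

# The single realm an ADFS provider carries in config.xml today (invented name).
DEFAULT_REALM = "corp-users"


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split an AD-style login into (user, domain).

    Accepts DOMAIN\\user, user@domain.tld, or a bare user name.
    The domain is lower-cased for lookup; None means no domain was given.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return user, domain.lower()
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return user, domain.lower()
    return login, None


def realm_for_login(login: str) -> Optional[str]:
    """Resolve the privacyIDEA realm for a login.

    No domain -> the provider's configured default realm.
    Known domain -> its mapped realm.
    Unknown domain -> None (caller must refuse; we never guess a realm).
    """
    _, domain = split_login(login)
    if domain is None:
        return DEFAULT_REALM
    return DOMAIN_REALM_MAP.get(domain)


def build_validate_check(login: str, otp: str) -> Dict[str, str]:
    """Variant A with an explicit realm: user=<user>, realm=<realm>, pass=<otp>.

    Raises ValueError for a domain that is not in the mapping (fail closed).
    """
    user, _ = split_login(login)
    realm = realm_for_login(login)
    if realm is None:
        raise ValueError(f"no realm mapped for login {login!r}")
    return {"user": user, "realm": realm, "pass": otp}


def build_user_at_realm_check(login: str, otp: str) -> Dict[str, str]:
    """Variant A with the realm folded into the user name: user=<user>@<realm>."""
    params = build_validate_check(login, otp)
    return {"user": f"{params['user']}@{params['realm']}", "pass": params["pass"]}


def encode_body(params: Dict[str, str]) -> str:
    """Form-encode the parameters as the body of a POST to /validate/check."""
    return urlencode(params)


if __name__ == "__main__":
    for login in ("CORP\\alice", "bob@lab.example.com", "carol"):
        print(login, "->", encode_body(build_validate_check(login, "123456")))
```

Whichever of the two forms the provider sends, privacyIDEA still looks the user up in exactly one realm, as cornelinux says; the explicit `realm` parameter just makes that choice visible in the request rather than leaving it to how privacyIDEA splits the "user@realm" string. Variant B from the comment (the `setrealm` policy) needs no client-side code at all, since privacyIDEA overwrites the realm on its own side.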

@MikhalMcAlister #49 and #50 will give you the realm from the user. This should help you. Currently waiting for approval.

jroth-haj avatar May 04 '21 12:05 jroth-haj