
Instructions for the claim configuration for username and user id claim when using AD/LDAP

Open isuruhettiarachchi opened this issue 8 months ago • 0 comments

Is your suggestion related to a missing or misleading document? Please describe.

When using an AD/LDAP userstore manager, it is necessary to map the correct attributes for the username and userid claims for the authentication to work. As an example, if the username attribute is configured to mail at the userstore configuration level, the username claim attribute should also be set to mail.

<Property name="UserNameAttribute">mail</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(mail=?))</Property>

This is because some of the methods will create the username search filter from the attribute mapped in the username claim instead of the username search filter defined in the userstore configs. It is the same for the userid as well.

Describe the improvement

This should be clearly documented in the LDAP/AD userstore config documents, that the username attribute should be mapped in the user claim configurations.

isuruhettiarachchi, Jun 17 '24 09:06
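A consistency check for the mismatch this issue describes, as an added example that is not part of the original issue or of the product's code. It assumes the claim mappings are available as a dictionary of claim URI to LDAP attribute and that the username claim URI is `http://wso2.org/claims/username`; the function names and the sample config are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a userstore config holding the two properties quoted in the issue.
USERSTORE_XML = """<UserStoreManager>
  <Property name="UserNameAttribute">mail</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(mail=?))</Property>
</UserStoreManager>"""

# Assumption: claim URI of the username claim in the deployment's claim config.
USERNAME_CLAIM = "http://wso2.org/claims/username"


def userstore_props(xml_text):
    """Return {property name: value} from a userstore configuration."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip() for p in root.iter("Property")}


def filter_attribute(search_filter):
    """Return the attribute compared against the '?' placeholder, or None."""
    m = re.search(r"\(\s*([A-Za-z0-9.;-]+)\s*=\s*\?\s*\)", search_filter)
    return m.group(1) if m else None


def check_username_mapping(xml_text, claim_map):
    """List mismatches between the userstore username settings and the username claim."""
    props = userstore_props(xml_text)
    attr = props.get("UserNameAttribute", "")
    if not attr:
        return ["UserNameAttribute is not set in the userstore config"]
    problems = []
    mapped = claim_map.get(USERNAME_CLAIM, "")
    # LDAP attribute names are case-insensitive, so compare lowercased.
    if mapped.lower() != attr.lower():
        problems.append(
            f"username claim maps to '{mapped}' but UserNameAttribute is '{attr}'")
    flt_attr = filter_attribute(props.get("UserNameSearchFilter", ""))
    if flt_attr and flt_attr.lower() != attr.lower():
        problems.append(
            f"UserNameSearchFilter matches on '{flt_attr}' but UserNameAttribute is '{attr}'")
    return problems


if __name__ == "__main__":
    # Constructed claim mapping that still points at 'uid' while the userstore uses 'mail'.
    for problem in check_username_mapping(USERSTORE_XML, {USERNAME_CLAIM: "uid"}):
        print("MISMATCH:", problem)
```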