stagefright Contributor.

IDP Login Using Email Instead of Username

Hi everyone. I'm having trouble getting the IDP to authenticate using an email address instead of a username. As of now I'm following this guide but I'm stuck at editing the login_latest.jsp file.

https://www.netiq.com/documentation/access-manager-45/admin/data/bok7icl.html

In the guide it says to replace %Ecom_User_ID% with %EMail_Address%, but in the file the variable has no % sign. I tried replacing what is there but it just failed to authenticate.

Any idea?

0 Likes
5 Replies
Sebastijan Respected Contributor.

Hi!

The easiest way to do it is not by customizing the JSP, but by setting the Query property on the Method, as described here:

https://www.netiq.com/documentation/access-manager-45/admin/data/bok7icl.html#bmy4r46

Basically, with the Query property you can set any LDAP filter to find the user you wish to authenticate.

The example in this document uses the value (&(objectclass=person)(mail=%Ecom_User_ID%)), which will search for users where mail is set to whatever the user enters in the "Username" field.

But you could also set something like (&(objectclass=person)(|(cn=%Ecom_User_ID%)(mail=%Ecom_User_ID%)))

In this case the user could enter either a username or a mail address.

To summarize, you can use the Query property to set an LDAP filter for how to find the user in the directory, but keep in mind that the %Ecom_User_ID% placeholder is then replaced with whatever the user enters in the login form as a username.

Kind regards

Sebastijan

0 Likes
stagefright Contributor.

Will try. Thank you for your input

0 Likes
stagefright Contributor.

Hi Sebastijan.

As per your suggestion I tried to define the said value under Method and set everything to my reverse proxy, but with no success during the login process. I have a few questions in mind; they might sound silly because I'm still new to Access Manager and LDAP.

1. Is "mail" in (&(objectclass=person)(mail=%Ecom_User_ID%)) referring to the user LDAP attribute for email?

2. If yes then by right it should pick up user email address in eDirectory as username?

3. Referring to documentation, is it possible if I just define the query value on Method without going through the rest of the process?

Thank you in advance.

0 Likes
Sebastijan Respected Contributor.

1. Is "mail" in (&(objectclass=person)(mail=%Ecom_User_ID%)) referring to the user LDAP attribute for email?

Yes. This is an LDAP filter, and an LDAP filter must use LDAP attribute names, not eDirectory attribute names.

2. If yes then by right it should pick up user email address in eDirectory as username?

Yes, it should. Sometimes I also use other attributes for authentication; this is one of my old examples with AD as the backend userstore:

(&(&(objectclass=Person)(!(objectclass=computer)))(|(sAMAccountName=%Ecom_User_ID%)(mail=%Ecom_User_ID%)(cn=%Ecom_User_ID%)))

3. Referring to documentation, is it possible if I just define the query value on Method without going through the rest of the process?

Yes, you can use the standard Name/Password method and just add the Query property. No other customization needed.

0 Likes
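Added example, not part of any post in this thread and not Access Manager code: a small Python check of the Query filters discussed in the replies above (the mail-only filter, the cn-or-mail filter and the AD filter), expanding %Ecom_User_ID% and evaluating the result against constructed entries. The function names, the sample directory and the RFC 4515 escaping of the entered value are assumptions of this example; the thread does not say how Access Manager itself treats the entered value.

```python
import re
PLACEHOLDER = "%Ecom_User_ID%"                      # placeholder name from the thread
ITEM = re.compile(r"([A-Za-z][\w-]*)=([^()]*)\)")   # equality items only

def escape_value(value):  # RFC 4515 escaping: entered text is matched as a literal
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def expand(template, user_input):
    return template.replace(PLACEHOLDER, escape_value(user_input))

def parse(text, pos=0):  # returns (node, next_pos); ValueError if malformed
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos:pos + 1] not in ("&", "|", "!"):
        m = ITEM.match(text, pos)
        if not m:
            raise ValueError("expected attr=value) at offset %d" % pos)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
        return ("=", m.group(1).lower(), value.lower()), m.end()
    op, kids, pos = text[pos], [], pos + 1
    while text[pos:pos + 1] == "(":
        kid, pos = parse(text, pos)
        kids.append(kid)
    if not kids or (op == "!" and len(kids) != 1) or text[pos:pos + 1] != ")":
        raise ValueError("malformed '%s' group near offset %d" % (op, pos))
    return (op, kids), pos + 1

def matches(node, entry):  # case-insensitive equality, a simplification
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return not results[0] if node[0] == "!" else (all if node[0] == "&" else any)(results)

def find_users(template, user_input, directory):  # cn of every matching entry
    expanded = expand(template, user_input)
    tree, end = parse(expanded)
    if end != len(expanded):
        raise ValueError("unexpected text after offset %d" % end)
    return [e["cn"][0] for e in directory if matches(tree, e)]

# Constructed sample entries (lower-case attribute names), not real data.
DIRECTORY = [
    {"objectclass": ["person"], "cn": ["jdoe"], "mail": ["jane.doe@example.test"]},
    {"objectclass": ["person", "computer"], "cn": ["ws01"], "samaccountname": ["ws01$"]},
]
MAIL_ONLY = "(&(objectclass=person)(mail=%Ecom_User_ID%))"
CN_OR_MAIL = "(&(objectclass=person)(|(cn=%Ecom_User_ID%)(mail=%Ecom_User_ID%)))"
AD_FILTER = ("(&(&(objectclass=Person)(!(objectclass=computer)))"
             "(|(sAMAccountName=%Ecom_User_ID%)(mail=%Ecom_User_ID%)(cn=%Ecom_User_ID%)))")
```

parse() rejects a template with an unbalanced parenthesis or a group that lacks its &, | or ! operator, which is worth checking before a filter is pasted into the Query property.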
stagefright Contributor.

Yes. This is an LDAP filter, and an LDAP filter must use LDAP attribute names, not eDirectory attribute names.

Weird. I followed the documentation exactly but it refused to authenticate using email. Will test again tomorrow and see how it goes.

Thank you.

0 Likes