Can't retrieve attributes at Authentication phase

Cantor, Scott cantor.2 at
Fri May 1 10:06:27 EDT 2015

On 5/1/15, 8:15 AM, "Ranil De Silva" <ranil.desilva at> wrote:
>I am trying to retrieve the user's mobile number at the authentication phase. We have an Active Directory LDS server. In my previous experience AD servers didn't need any special permissions to read the directory, but AD LDS has three roles: admin, readers and users. Users can't retrieve anything from the LDAP but can authenticate against it, while readers can read the LDAP and attributes, and admins have full access. So once I created a reader user and configured its credentials, I am now getting attributes from the LDAP at the attribute resolution phase but nothing at the authentication phase.

The only circumstance in which you can possibly get attributes during authentication (unless you write something up by hand that does it) is to trigger the lookup using the idp.authn.resolveAttribute property. Assuming that's what you're trying to do, that only works if you also set the idp.authn.flows.initial property.

-- Scott
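For readers arriving at this thread, here is how the two properties Scott names fit together with the LDAP bind settings in a Shibboleth IdP v3 configuration. This is an added example, not configuration posted in the thread; the attribute ID `mobile`, the bind DN and the password are placeholders, and `mobile` is assumed to be an attribute already defined in attribute-resolver.xml.

```properties
# conf/ldap.properties
# Bind as the dedicated AD LDS "reader" account, not an admin: the IdP only
# needs to read the attributes it releases, so keep its rights to that.
idp.authn.LDAP.bindDN            = CN=idp-reader,CN=Users,DC=example,DC=org   # placeholder
idp.authn.LDAP.bindDNCredential  = CHANGE-ME                                  # placeholder

# conf/idp.properties
# Pin the initial authentication flow; idp.authn.resolveAttribute has no effect
# without it.
idp.authn.flows.initial    = Password
# Run the attribute resolver during authentication and make this resolver
# attribute available to the flow (the ID must match attribute-resolver.xml).
idp.authn.resolveAttribute = mobile
```

If the attribute still arrives only at resolution time, confirm the resolver's LDAP DataConnector uses the same reader credentials, since a separate, less-privileged bind there will return nothing.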
