attribute resolver question

Cantor, Scott cantor.2 at osu.edu
Thu Jul 13 12:11:26 EDT 2017


> How could I allow authentication and use the returned employeeNumber for
> attribute resolution?
> Specifically I would like to use the employeeNumber and not
> requestContext.principalName.

You have to be able to map from one to the other regardless. How you want to actually configure it depends on a lot of factors, but in a nutshell it depends on whether you want to change the canonical value the whole system sees as a user identifier for the subject, or just add additional logic to the resolver and leave everything else alone.

For example:

* what you want logged in the audit log
* whether you have MFA systems like Duo involved that depend on particular username values

The resolver can do anything you want after the fact. If you want to remap the canonical principal name (thus changing what ends up in requestContext.principalName), that's subject canonicalization, and there's a plugin to do the remapping via the resolver, and that's documented in the wiki.

-- Scott


