WSO2 4.5.0 XACML entitlement with role in secondary user store


I have been fighting an issue for a while where I cannot get our application to work with a secondary user store (AD) without specifying the domain name. AD user/role enumeration is working fine, and I am able to log in to the WSO2 admin console with an AD account (username only!) granted admin rights via an AD group, so if that works, then I would think the entitlement service would too...

I have determined the reason for this is that while I can log in to the application (and WSO2 admin console) with the AD username only, the role assignment is not being picked up by the application unless I specify the domain with the account (domain/user), as confirmed by using the PEP/search tool. If I use the domain/user in PEP search, I can see the entitlements; if I use the username only, I don't. My XACML is defined to use domain/group for the role. It's worth noting that if I use an internal role with an internal user and an applicable XACML policy, the application works perfectly.

This looks to be the same bug as for 4.2.0 (https://wso2.org/jira/browse/CARBON-14861) but I cannot find anything similar for 4.5.0. Does anyone know of a way around this other than making my LDAP user store primary?

TIA!


There is 1 answer

Asela On

The idea is that, when you are using XACML with the multiple user stores feature of Identity Server, you need to send the username with the domain name. Therefore, when you are searching, you must set the username to domain/user.

I think it is fine, because authorization happens after authentication. When authenticating, the user's domain name (the user store against which the user has been authenticated) can somehow be known.

The issue that has been referred to is a separate issue.
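As an added example (not code from the question, the answer, or WSO2 itself), a small Python builder for the XACML 3.0 request a PEP sends, qualifying the subject-id with the user-store domain as the answer describes. The store domain `AD`, user `jdoe` and resource values are constructed samples; `qualify_username`, `build_request` and `subject_id_of` are helper names assumed here.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def qualify_username(username, store_domain):
    """Return the subject as DOMAIN/user. store_domain is the user store the
    user authenticated against (known at authentication time, as the answer
    notes). A name already prefixed with a different domain is refused rather
    than silently re-prefixed, so two stores cannot be confused."""
    domain, sep, user = username.partition("/")
    if sep and domain.casefold() != store_domain.casefold():
        raise ValueError(f"{username!r} does not belong to store {store_domain!r}")
    return f"{store_domain}/{user if sep else username}"


def _add_attribute(category, attribute_id, value):
    attr = ET.SubElement(category, "Attribute", AttributeId=attribute_id, IncludeInResult="false")
    ET.SubElement(attr, "AttributeValue", DataType=STRING).text = value


def build_request(username, store_domain, action, resource):
    """Serialise a XACML 3.0 Request whose subject-id is domain-qualified,
    so a PDP that resolves the subject's roles from the user store looks
    in the right store (the roles appear as domain/group)."""
    req = ET.Element("Request", xmlns=XACML_NS, CombinedDecision="false", ReturnPolicyIdList="false")
    subject = ET.SubElement(req, "Attributes", Category=SUBJECT_CAT)
    _add_attribute(subject, SUBJECT_ID, qualify_username(username, store_domain))
    action_el = ET.SubElement(req, "Attributes", Category=ACTION_CAT)
    _add_attribute(action_el, ACTION_ID, action)
    resource_el = ET.SubElement(req, "Attributes", Category=RESOURCE_CAT)
    _add_attribute(resource_el, RESOURCE_ID, resource)
    return ET.tostring(req, encoding="unicode")


def subject_id_of(request_xml):
    """Read back the subject-id the PDP would see (handy for checking a request)."""
    root = ET.fromstring(request_xml)
    ns = {"x": XACML_NS}
    for attr in root.findall(f"x:Attributes[@Category='{SUBJECT_CAT}']/x:Attribute", ns):
        if attr.get("AttributeId") == SUBJECT_ID:
            return attr.find("x:AttributeValue", ns).text
    return None


if __name__ == "__main__":
    # Constructed sample: user "jdoe" authenticated against the secondary store "AD".
    print(build_request("jdoe", "AD", "read", "https://app.example/reports"))
```

Sending `jdoe` alone here would reach the PDP without a store domain, which is the unqualified case the PEP search tool showed returning no entitlements.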