User name formats from differing user registries
WebSEAL maps the user name that the Kerberos authentication process provides to the Verify Identity Access user registry. This mapping process depends on the type of user registry.
Kerberos authentication provides Verify Identity Access with a user name in the following form:
user@domain.com
When multiple-domain Active Directory is used as the Verify Identity Access user registry, the user name listed in the Active Directory registry uses the same format as the user name provided by the Kerberos authentication process, so WebSEAL maps the full name without truncation.
If the Verify Identity Access user registry is not Active Directory, WebSEAL, by default, truncates the user name that is provided by Kerberos authentication. WebSEAL maps this truncated user name to the user registry.
For example, the following format is received from Kerberos authentication:
user@domain.com
WebSEAL truncates this name by removing the domain designation and leaving only the short-name:
user
WebSEAL creates a credential for that user based on the short-name.
This mapping from the full user name to the short-name of the user is not always appropriate and can cause conflicts when resolving user names. For example, consider two users with the same short-name in different Active Directory domains. When WebSEAL truncates the user names for each of these users, both users are mapped incorrectly to the same Verify Identity Access user. When truncation does not occur, the users are correctly mapped to unique Verify Identity Access users (for example, user@domainA.com and user@domainB.com).
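The following is an added example, not WebSEAL code, that models the two mapping modes described above (truncating to the short-name versus keeping the full user@domain.com form) and then scans a set of Kerberos user names for the short-name collision described in the previous paragraph. It assumes that truncation strips everything from the first "@" onward; the sample principals are constructed for illustration.

```python
"""Added example (not WebSEAL code): model the two Kerberos-to-registry
mapping modes and check a set of principals for short-name collisions
before relying on the truncating (default) mode.

Assumption: a Kerberos user name has the form user@domain.com and
truncation strips everything from the first '@' onward.
"""

from collections import defaultdict


def map_principal(principal: str, truncate: bool) -> str:
    """Return the registry user name that would be looked up.

    truncate=False models the multiple-domain AD registry, where the
    full user@domain.com form is used unchanged.
    truncate=True models the default behaviour for other registries,
    where only the short-name before '@' is used.
    """
    user, sep, domain = principal.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"not a user@domain name: {principal!r}")
    return user if truncate else principal


def find_collisions(principals, truncate: bool) -> dict:
    """Group principals by the registry name they map to and return only
    the groups where two or more distinct principals collide, i.e. where
    a credential for the same registry user would be built for different
    Kerberos identities."""
    groups = defaultdict(set)
    for p in principals:
        groups[map_principal(p, truncate)].add(p)
    return {name: sorted(ps) for name, ps in groups.items() if len(ps) > 1}


# Constructed sample: the same short-name in two AD domains.
SAMPLE_PRINCIPALS = [
    "alice@domainA.com",
    "alice@domainB.com",
    "bob@domainA.com",
]

if __name__ == "__main__":
    print("truncating:", find_collisions(SAMPLE_PRINCIPALS, truncate=True))
    print("full name: ", find_collisions(SAMPLE_PRINCIPALS, truncate=False))
```

Running the check over an export of the principals in every Active Directory domain that can authenticate to WebSEAL, before accepting the default truncating behaviour, shows whether any short-name is shared across domains; an empty result from the truncating pass means the short-name mapping is unambiguous for that population.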