User name formats from differing user registries
WebSEAL maps the user name provided by the Kerberos authentication process to a user in the ISAM user registry. This mapping process depends on the type of user registry.
Kerberos authentication provides Security Verify Access with a user name in the following form:
user@domain.com
When multiple-domain Active Directory is used as the ISAM user registry, the user name listed in the Active Directory registry uses the same format as the user name provided by the Kerberos authentication process.
If the ISAM user registry is not Active Directory, WebSEAL, by default, truncates the user name provided by Kerberos authentication. WebSEAL maps this truncated user name to the user registry.
For example, the following format is received from Kerberos authentication:
user@domain.com
WebSEAL truncates this name by removing the domain designation and leaving only the short-name:
user
WebSEAL creates a credential for that user based on the short-name.
This mapping from the full Active Directory user name to the short-name of the user is not always appropriate and can cause conflicts when resolving user names. For example, consider the scenario of two users with the same short-name in different Active Directory domains. When WebSEAL truncates the user names for each of these users, the users are mapped incorrectly to the same Security Verify Access user. When truncation does not occur, the users are correctly mapped to unique Security Verify Access users (for example, user@domainA.com and user@domainB.com).
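The following check is an added example, not part of the product documentation or WebSEAL's own code. It models the default truncation described above on a list of Kerberos user names and reports every short-name shared by users in more than one domain. The sample names, the split at the last "@", and the optional case-insensitive comparison are assumptions made for the illustration.

```python
from collections import defaultdict


def truncate(principal):
    """Model of the default truncation: drop the domain designation.

    Assumption: the name is split at the last "@"; a name with no "@"
    is returned unchanged.
    """
    short, sep, _domain = principal.rpartition("@")
    return short if sep else principal


def find_collisions(principals, ignore_case=True):
    """Return {short_name: [principals]} for short-names shared by 2+ users.

    ignore_case=True assumes the target registry matches user names
    case-insensitively, so "Bob" and "bob" would resolve to the same entry.
    """
    by_short = defaultdict(set)
    for raw in principals:
        name = raw.strip()
        if not name:
            continue
        if ignore_case:
            name = name.lower()
        by_short[truncate(name)].add(name)  # set() absorbs duplicate rows
    return {s: sorted(ps) for s, ps in by_short.items() if len(ps) > 1}


# Constructed sample input, e.g. an export of user names from two domains.
SAMPLE = [
    "user@domainA.com",
    "user@domainB.com",
    "alice@domainA.com",
    "Bob@domainA.com",
    "bob@domainB.com",
    "user@domainA.com",   # duplicate row, must not count as a collision
    "svc-web",            # no domain designation
]

if __name__ == "__main__":
    for short, users in sorted(find_collisions(SAMPLE).items()):
        print(f"{short}: {', '.join(users)} would share one credential")
```

Any short-name the check reports identifies users who would receive the same credential if truncation stays enabled with a non-Active Directory registry.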