Hi,
We use an Active Directory user source, which returns all the roles from AD. The problem is that you cannot assign a badge to a user in a pure AD user source.
We then used a soft failover AD Internal Hybrid to assign the user badges, as originally recommended by @jspecht.
This worked really well until 8.1.2: when a user logged in with a badge, the user would be found in the hybrid failover source, matched to a user in the pure AD source, and returned with the AD groups as roles, similar to below:

```json
{
  "tokenEndpointResponse": {
    "access_token": "<accesstoken>",
    "id_token": "<token>",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid"
  },
  "idTokenClaims": {
    "iss": "<idp name>",
    "aud": "ignition",
    "exp": 1612952433,
    "jti": "<jti>",
    "iat": 1612951833,
    "nbf": 1612951713,
    "sub": "<username>",
    "preferred_username": "<username>",
    "roles": [
      "all",
      "the",
      "roles",
      "from",
      "AD"
    ],
    "nonce": "<nonce>",
    "email": "<email>",
    "given_name": "<name>",
    "family_name": "<surname>",
    "amr": [
      "badge"
    ],
    "auth_time": 1612951058,
    "challenged": false
  }
}
```
Now, after upgrading to 8.1.2, it returns an empty list for roles if the user is authenticated against the soft failover.
How can we restore this critical functionality, other than rolling back to 8.1.1?
If we could assign a badge to a user in a pure AD user source, that would be ideal. We could replicate the user role assignments in the AD Hybrid source, but that is not maintainable at scale.
Please assist.
Regards,
Deon
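As an added illustration (not part of the post above, and not Ignition's own code), the following Python snippet shows one way to spot the regression Deon describes from the `idTokenClaims` block: a badge-authenticated login (`"badge"` in `amr`) that comes back with an empty `roles` list. The claim layout follows the JSON in the post; the sample values are constructed placeholders, and the `check_id_token_claims` function name and its `now` parameter are assumptions for this example. The same check also does the basic `aud`/`exp`/`nbf` sanity tests a defender would want before trusting the claims at all.

```python
"""Sanity-check IdP ID-token claims for the badge/empty-roles regression.

Constructed example: claim shapes follow the JSON in the post; values are placeholders.
"""
from typing import Dict, List

# Constructed sample: the 8.1.1 behaviour shown in the post (badge login, AD roles present).
CLAIMS_OK: Dict = {
    "iss": "<idp name>",
    "aud": "ignition",
    "exp": 1612952433,
    "iat": 1612951833,
    "nbf": 1612951713,
    "sub": "<username>",
    "preferred_username": "<username>",
    "roles": ["all", "the", "roles", "from", "AD"],
    "amr": ["badge"],
    "auth_time": 1612951058,
    "challenged": False,
}

# Constructed sample: the 8.1.2 behaviour the post reports (badge login, empty roles).
CLAIMS_REGRESSED: Dict = {**CLAIMS_OK, "roles": []}


def check_id_token_claims(claims: Dict, now: int, expected_aud: str = "ignition") -> List[str]:
    """Return a list of findings; an empty list means the claims look as expected.

    `now` is the current Unix time, passed in explicitly so the check is deterministic.
    """
    findings: List[str] = []

    # Audience must be this gateway, otherwise the token was minted for someone else.
    if claims.get("aud") != expected_aud:
        findings.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")

    # Lifetime checks: reject expired or not-yet-valid tokens, and inconsistent timestamps.
    exp, iat, nbf = claims.get("exp", 0), claims.get("iat", 0), claims.get("nbf", 0)
    if now >= exp:
        findings.append("token expired")
    if now < nbf:
        findings.append("token not yet valid (nbf in the future)")
    if nbf > iat or iat > exp:
        findings.append("inconsistent nbf/iat/exp ordering")

    # The regression from the post: a badge login that carries no roles at all.
    roles = claims.get("roles") or []
    amr = claims.get("amr") or []
    if "badge" in amr and not roles:
        findings.append(
            f"badge login for {claims.get('sub')!r} yielded no roles "
            "(failover source not mapped back to AD groups?)"
        )
    return findings


if __name__ == "__main__":
    # A time between nbf and exp of the constructed samples.
    sample_now = 1612951900
    for label, claims in (("8.1.1-style", CLAIMS_OK), ("8.1.2-style", CLAIMS_REGRESSED)):
        print(label, check_id_token_claims(claims, sample_now) or "OK")
```

Run against the two constructed samples, the first reports no findings and the second reports the empty-roles condition; wiring the same check into whatever consumes the login response gives an immediate signal if a future upgrade changes the failover behaviour again.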