Multiple user store search

This document describes how to configure the execution flow to perform a user store search against multiple user stores.

The reader of this document should have some basic knowledge about PhenixID Authentication Services.

We will make changes to phenix-store.json, so make sure to have a recent  copy/backup of this file.

System requirements

- PhenixID Authentication Services installed.

- User store connections configured.

Overview

In some use cases, users requesting access reside in one of multiple user sources. This solution document presents how to configure a flow where a search is first performed against user store 1. If the user is not found in user store 1, a new search is performed against user store 2. If the user is not found in user store 2, a new search is performed against user store 3. And so forth. No additional searches are performed once the user is found in one of the user stores.

Example

The following example is a use case where:

- There are three different LDAP stores:
1. ad.company1.local

2. ad.company2.local

3. ad.company3.local

- The user authenticates with username, password and OTP-SMS over Radius

 

The configuration is applicable to all protocols (saml, oidc, radius, api) and all authentication methods where a user store search is involved.

Please change values to suite your environment / use case.

User store connections - overview

Execution flow - overview

This is an overview of the username-password Execution flow. A detailed guide for each step will be presented below.

Execution flow - step #1

This valve has no special configuration. Please adjust values to suite your environment.

Execution flow - step #2

This valve must only be executed if the previous search (#1) found the user. Add the statement !flow.isEmpty() to Advanced->Execute if expression. See example below.

Execution flow - step #3

This valve must only be executed if any of the previous searches did not find the user. Add the statement flow.isEmpty() to Advanced->Execute if expression.

Make sure that the attribute distinguishedName is fetched from the user object. (This might be named differently based on the user store type).

See example below.

Execution flow - step #4

This valve must only be executed if the previous search (#3) found the user. Add the statement !flow.isEmpty() && flow.getPropertyValue('distinguishedName').contains('dc=company2') to Advanced->Execute if expression.

If necessary, change distinguishedName and dc=company2 to values that suite your environment.
See example below.

Execution flow - step #5

This valve must only be executed if any of the previous searches did not find the user. Add the statement flow.isEmpty() to Advanced->Execute if expression.

Make sure that the attribute distinguishedName is fetched from the user object. (This might be named differently based on the user store type).

See example below.

Execution flow - step #6

This valve must only be executed if the previous search (#5) found the user. Add the statement !flow.isEmpty() && flow.getPropertyValue('distinguishedName').contains('dc=company3') to Advanced->Execute if expression.

If necessary, change distinguishedName and dc=company3 to values that suite your environment.

See example below.

Execution flow - step #7

This valve must only be executed if no user was found in any of the searches. Add the statement flow.isEmpty() to Advanced->Execute if expression.

See example below.