Hi list,
To my understanding, the Fediz IDP allows for configuring:
- realms and requested claims ("type" of information to be contained in the
ticket)
- credentials (username and password)
- claims (friendly name, email, roles, ...)
Also, to my understanding, the claims are defined globally, so whenever a user
authenticates against the IDP from a specific realm, the same claims are
returned by the STS. Even though the realm definition contains the list of
claims to be returned, the roles defined for a user cannot be specified per
realm.
As an example, if two realms "realm-a" and "realm-b" are defined (both returning
the "role" claim), and one user "test" is defined with the roles "USER,
APP_ROLE_1, APP_ROLE_2", the ticket returned by the STS will always contain all
three roles, independent of which realm the user has provided.
Is my understanding correct?
Is there any way to specify the claims (i.e. role values) per realm?
Thank you & regards,
Christian