I have an existing site A protected with CA SSO Web Agent, with DirA using the username attribute for user disambiguation and DirB for user authorization. DirA is mapped to DirB by UniversalId (cn).
Now I have implemented Google OAuth 2.0 authentication. All social ids are stored in the DirA ssoopenid multivalue attribute. Google sends the customer's email in a claim. The Policy Server cannot disambiguate a user by email against DirA, because DirA uses username to disambiguate, not the ssoopenid attribute. I had to create DirC, equal to DirA but using the ssoopenid attribute for disambiguation. Now, when the browser is redirected from the OAuth client to site A, the session created during OAuth authentication against DirC is not accepted by site A, because CA SSO considers DirA != DirC.
How is this supposed to be resolved? Some OAuth AZ servers do not even return an email, but a random id, e.g. MobileConnect. The whole OAuth user disambiguation should be done over a custom disambiguation parameter, not a generic one from a user directory.