An update on this problem.
Part of the complexity of the problem is that we're dealing with two different bugs.
1) SAML11 to ODBC binding is broken if the bind field contains an "=". Ours does.
2) The UI refuses multiple SAML auth schemes with the same issuer.
We've worked around (2) by creating a perl script using the Policy Management API, so we've shifted gears to bind the SAML 11 auth scheme directly to the end directory.
This works, but requires a workaround for (1) that short-circuits the MCP postDisambiguateUser to always return SUCCESS:
    public int postDisambiguateUser(APIContext apiContext,
                                    UserContext userContext,
                                    String parameters,
                                    String message,
                                    Map props,
                                    String loginID,
                                    final StringBuffer output) throws Exception {
        // If disambiguation did not resolve a user, hand the login ID
        // through unchanged so the scheme does not fail here.
        if (!userContext.isUserContext()) {
            output.append(loginID);
        }
        // Workaround for (1): always report success, even when no user was found.
        return SUCCESS;
    }
The problem with this scheme is that if the user really doesn't exist in the directory, the validate on the target fails.
This is fine, but there's no authreasoncode handling. And I can't find where to handle an "on validate, user not found" event.
Any ideas?