Question

Email address as Username - SAML

asked on November 10, 2020

When attempting to create a user with any username, LFDS will not allow you to create a username in the format of an email address or UPN (john@abc.com).

However, once a user account is created, you can change the username to the email format and it will allow you to save although the account name will have a red border around it.

Is this a bug? What is the expectation here?

0 0

Replies

replied on November 10, 2020

I believe Email address and UPN formatted usernames are reserved for things like LDAP, so you shouldn't be able to manually create an account with email or UPN as the username. You can have accounts where the username is an email or UPN but only with accounts synchronized from other sources.

1 0
replied on November 10, 2020

Hi Karim,

Yes that is a bug, you should not be able to use the "@" character in a user-entered username. We'll look into this.

1 0
replied on November 12, 2020

Hi Chase,

Did you mean to say,

you should be able to use the "@" character in a user-entered username?

If not, and you did mean to say that the @ symbol is not a permitted character in a username, could you please elaborate on the reason for this restriction? 

SAML IdPs often use email/UPN format for default usernames, as ours does. Forcing admins to change the username format in an application like Laserfiche requires workarounds to convert between the two formats and risks duplication in the application, when every user already has a unique account attribute in the form of their email address or UPN.

If this restriction is intentional, it only seems to add complication and doesn't seem to have any benefit. Why would UPN formatted usernames be available only for LDAP users?

0 0
replied on November 13, 2020

Hi Andrew,

That was not a typo, the following characters are banned from user-entered usernames for security reasons: / \ @ " ' ? * : ; = [ ]

The "@" character is perfectly valid for a SAML user's unique attribute when it comes to linking the account in the SAML provider with the account in LFDS, but it is not allowed in the username (which is the username within the Laserfiche system, independent from the SAML implementation).

The above restricted characters are occasionally permitted when being generated by the system (i.e. Windows user "DOMAIN\foo.bar") as security concerns are diminished when user input is taken out of the equation.

0 0
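To make the model described in the replies concrete, here is an added example (not LFDS code, a constructed toy directory) that applies the banned-character rule to user-entered usernames on both create and rename, exempts system-generated names, and keeps the SAML identifier as a separate attribute where "@" is allowed. The class and function names are assumptions for illustration.

```python
# Characters the thread lists as banned from user-entered usernames.
BANNED = set('/\\@"\'?*:;=[]')


class UsernameError(ValueError):
    """Raised when a user-entered username violates the rule."""


def is_valid_user_entered_username(name: str) -> bool:
    """True if the name is non-empty, untrimmed-free and has no banned characters."""
    return bool(name) and name == name.strip() and not (set(name) & BANNED)


def validate_user_entered_username(name: str) -> str:
    if not is_valid_user_entered_username(name):
        bad = " ".join(sorted(set(name) & BANNED)) or "<empty or padded>"
        raise UsernameError(f"username rejected; offending input: {bad}")
    return name


class Directory:
    """Toy directory (constructed): username -> {saml_id, system}."""

    def __init__(self):
        self.users = {}

    def create_user(self, name: str, *, system_generated: bool = False) -> None:
        # System-generated names such as DOMAIN\foo.bar bypass the check,
        # because no user input is involved in forming them.
        if not system_generated:
            validate_user_entered_username(name)
        if name in self.users:
            raise UsernameError("duplicate username")
        self.users[name] = {"saml_id": None, "system": system_generated}

    def rename_user(self, old: str, new: str) -> None:
        # Rename is user input too, so the same rule applies here; the
        # question reports a rename path that let "@" through.
        if old not in self.users:
            raise KeyError(old)
        validate_user_entered_username(new)
        if new in self.users:
            raise UsernameError("duplicate username")
        self.users[new] = self.users.pop(old)

    def link_saml(self, name: str, name_id: str) -> None:
        # The SAML unique attribute is a separate field; "@" is fine here.
        self.users[name]["saml_id"] = name_id
```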