Issue: Duplicate LDAP User Creation in Proficy Authentication Database
This topic describes the LDAP IDP configuration choices that can lead to the issue and offers guidance on how to avoid it.
The issue can occur when multiple LDAP IDP configurations are in use, especially in scenarios involving the 'multi-domain support' introduced in version 2023.
Leveraging Multi-Domain Support
The introduction of 'multi-domain support' aimed to allow the configuration of multiple LDAP IDPs, primarily to support user authentication and authorization across different domains (multiple LDAP servers) through a single instance of the Proficy Authentication service.
Secondary Use Case: The 'multi-domain support' feature can also be used to configure multiple LDAP IDPs for a single domain (single LDAP server). This is often done for large domains in which users are spread across the directory structure.
Problem Scenario: Choosing a single, high-level User or Group Search Base in the IDP configuration gives the searches an overly broad scope. Both the User and Group searches then cover a large part of the directory, which can cause timeout errors during user authentication. To avoid these timeouts, configure the User and Group Search Base values to match the directory structure and the distribution of users within the targeted domain.
Solution: When setting up multiple LDAP IDPs that target a single domain or LDAP server, ensure that the 'User Search Base' values across the IDP configurations are distinct and do not overlap. In other words, a given user from the configured domain must not be found under the User Search Base of more than one LDAP IDP.
Neglecting this precaution can result in the same user being authenticated by more than one LDAP IDP, which creates multiple user records with different 'origin' values in the UAA database. This in turn can cause authorization problems in Operations Hub (or any other client application) when authorization is assigned to individual users rather than to user groups.
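The following script is an added example, not part of the original article or of the Proficy Authentication product; it shows how to check a set of LDAP IDP configurations for the overlap the Solution above warns about. It treats each IDP's User Search Base as a subtree-scoped search and reports (a) pairs of IDPs whose bases overlap, meaning one base is equal to or contained in the other, and (b) which IDPs would match a given user DN. The IDP names, search-base DNs and the user DN are constructed sample values, and the DN parser only handles the simple unescaped RDN form that search bases normally use.

```python
"""Check LDAP IDP User Search Bases for overlap (added example, not from the
original article). All IDP names, DNs and the sample user are constructed."""


def normalize_dn(dn):
    """Split a DN into (attribute, value) RDN tuples, lower-cased and trimmed,
    so 'OU=Plant A, DC=example, DC=com' equals 'ou=plant a,dc=example,dc=com'.
    Only the simple unescaped form (no escaped commas) is handled, which is
    sufficient for typical search-base DNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def is_within(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it (subtree scope)."""
    entry = normalize_dn(entry_dn)
    base = normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def overlapping_bases(idps):
    """Return pairs of IDP names whose User Search Bases overlap. With subtree
    scope, every user under the inner base would be found by both IDPs and
    would end up with one UAA record per IDP origin."""
    names = list(idps)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if is_within(idps[a], idps[b]) or is_within(idps[b], idps[a]):
                clashes.append((a, b))
    return clashes


def idps_matching_user(user_dn, idps):
    """Names of every IDP whose User Search Base contains user_dn. More than
    one name means this user would be authenticated by several IDPs."""
    return sorted(name for name, base in idps.items() if is_within(user_dn, base))


# Constructed sample: three IDPs against one server. The first two use
# disjoint OUs; the third uses the domain root and therefore overlaps both.
SAMPLE_IDPS = {
    "ldap-plant-a": "OU=Plant A,DC=example,DC=com",
    "ldap-plant-b": "OU=Plant B,DC=example,DC=com",
    "ldap-all": "DC=example,DC=com",
}

# Corrected configuration: the root-scoped IDP removed, bases disjoint.
FIXED_IDPS = {
    "ldap-plant-a": "OU=Plant A,DC=example,DC=com",
    "ldap-plant-b": "OU=Plant B,DC=example,DC=com",
}

# Constructed user DN located under Plant A.
SAMPLE_USER = "CN=jdoe,OU=Operators,OU=Plant A,DC=example,DC=com"

if __name__ == "__main__":
    for a, b in overlapping_bases(SAMPLE_IDPS):
        print(f"overlap: {a} ({SAMPLE_IDPS[a]}) and {b} ({SAMPLE_IDPS[b]})")
    print("IDPs matching", SAMPLE_USER, "->", idps_matching_user(SAMPLE_USER, SAMPLE_IDPS))
    print("after fix ->", idps_matching_user(SAMPLE_USER, FIXED_IDPS))
```

Run this against the exported search-base values of each LDAP IDP before enabling them; any pair reported by overlapping_bases is a configuration that can produce duplicate user records. Distinct bases that share an ancestor (two sibling OUs under the same domain root) are fine, because neither contains the other.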