According to the JavaDoc, the event should be published right before authentication, while according to your post just before searching through directories. What is the right approach?
Additionally, in our app, there are cases for which we search via email or other attributes, but not username. Thus, the username is not given before searching through the directories and I cannot publish the event since it relies on the username.
If we should publish the event before user search, how should we handle these cases?
Thanks for your reply. Let me describe our auth process first:
During a SAML authentication, we get all the attributes sent by the identity provider. Then we search for the user based on a so-called user-configurable “look-up attribute”; this can be anything: the username, email address, or any other (also custom-created) Crowd attribute.
Basically, we iterate over all directories and then search for the user depending on the look-up attribute.
Thus, in the best case, we know the username before iterating over all directories (look-up attribute = username), and in the worst case, we will know the username only after we have found the user (or we will never know the username because the user does not exist).
Thus, if I get you right, it depends a bit on when we have to publish the event:
- If the username is known before searching for the user, we can already publish the event before we iterate over the directories.
- In case we don’t know the username yet, we first have to search for the user and publish the event as soon as we know the username.