Multiple user store search
This document describes how to configure the execution flow to perform a user store search against multiple user stores.
Important Note: The below solution will make use of expressions for the respective LDAPSearch and LDAPBind. It's extremely important to verify the flow when configuration is in place. So that wrong username or password is stopped correctly.
The reader of this document should have some basic knowledge about PhenixID Authentication Services.
We will make changes to phenix-store.json, so make sure to have a recent copy/backup of this file.
System requirements
- PhenixID Authentication Services installed.
- User store connections configured.
In some use cases, users requesting access reside in one of multiple user sources. This solution document presents how to configure a flow where a search is first performed against user store 1. If the user is not found in user store 1, a new search is performed against user store 2. If the user is not found in user store 2, a new search is performed against user store 3. And so forth. No additional searches are performed once the user is found in one of the user stores.
The following example is a use case where:
- There are three different LDAP stores:
1. ad.company1.local
2. ad.company2.local
3. ad.company3.local
- The user authenticates with username, password and OTP-SMS over Radius
The configuration is applicable to all protocols (saml, oidc, radius, api) and all authentication methods where a user store search is involved.
Please change values to suite your environment / use case.
User store connections - overview

Execution flow - overview
This is an overview of the username-password Execution flow. A detailed guide for each step will be presented below.
Execution flow - step #1
This valve has no special configuration. Please adjust values to suite your environment.

Execution flow - step #2
This valve must only be executed if the previous search (#1) found the user. Add the statement !flow.isEmpty() to Advanced->Execute if expression. See example below.

Execution flow - step #3
This valve must only be executed if any of the previous searches did not find the user. Add the statement flow.isEmpty() to Advanced->Execute if expression.
Make sure that the attribute distinguishedName is fetched from the user object. (This might be named differently based on the user store type).
See example below.

Execution flow - step #4
This valve must only be executed if the previous search (#3) found the user. Add the statement !flow.isEmpty() && flow.getPropertyValue('distinguishedName').toLowerCase().contains('dc=company2') to Advanced->Execute if expression.
NOTE: The dc=company2 part is case sensitive. In the example above "toLowerCase" is used to make sure that we get a match for the expression. If other expression is used, please make sure to verify upper/lower case.
If necessary, change distinguishedName and dc=company2 to values that suite your environment.
See example below.

Execution flow - step #5
This valve must only be executed if any of the previous searches did not find the user. Add the statement flow.isEmpty() to Advanced->Execute if expression.
Make sure that the attribute distinguishedName is fetched from the user object. (This might be named differently based on the user store type).
See example below.

Execution flow - step #6
This valve must only be executed if the previous search (#5) found the user. Add the statement !flow.isEmpty() && flow.getPropertyValue('distinguishedName').contains('dc=company3') to Advanced->Execute if expression.
If necessary, change distinguishedName and dc=company3 to values that suite your environment.
See example below.