Incorrectly configured user datastore doesn’t impact the health status of an Identity server

  • 3919563
  • 12-Feb-2008
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration
Novell Access Management 3 Support Pack 2 applied

Situation

The Access Manager Admin Console and Identity (IDP) server components are installed on the same machine. Authentication to the IDP server works as expected and the health check shows green.

The administrator changes the user store directory type from the current eDir to Active Directory (or SunOne) and applies the change to the Admin Console. This was a test setup, and the administrator was trying to test different LDAP platforms with minimal change to the Access Manager setup.

After the IDP server was updated with the user store changes, the health check still showed the green light, yet users trying to authenticate to the IDP server would fail. The failure occurred because the LDAP requests generated to the back-end user store assumed that the user store was still eDir and not the Active Directory server we had reconfigured.

The Identity server health check should ideally show a red alert to indicate to the administrator that the user datastore has not been configured correctly.

Resolution

When changing the user store configuration type, the administrator must delete and recreate the user store completely. It is not possible, via a health check, to determine the user store type.