Environment
Situation
Sometimes there is a problem with User Application SSO using an iFrame portlet. When you log in to the UA with a CN, everything works great. If you log in to the UA using a full DN, the SSO fails for my iFrame portlet-based application, as it's expecting a "CN" type value, not a "DN" type value. Logging in via the DN is automatically done when more than one CN of the same name exists in the search base. How do I ensure the CN value is always passed via SSO?
Resolution
If you put the following text in the message portlet:
User ID is: ${User/id}
User Canonical is: ${User/canonical}
User Simple ID is : ${User/simpleid}
Application login-user is: ${Application/login-user}
====================
If you log in with just ablake, you will see:
User ID is: cn=ablake,ou=users,ou=medical-idmsample,o=novell
User Canonical is: ablake.users.medical-idmsample.novell
User Simple ID is : ablake
Application login-user is: ablake
==================
If you log in with ablake's full DN:
User ID is: cn=ablake,ou=users,ou=medical-idmsample,o=novell
User Canonical is: ablake.users.medical-idmsample.novell
User Simple ID is : ablake
Application login-user is: cn=ablake,ou=users,ou=medical-idmsample,o=novell
================
As you can see, Application/login-user passes exactly the value entered at login. If you only want the "cn" value to be passed, replace ${Application/login-user} with ${User/simpleid} in the preferences in your iFrame portlet.
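The two outputs above differ only in whether the login value is a bare CN or a full DN. As an added example (not code from the User Application or from the original article), the Python below reduces either form to the CN, including values that contain escaped commas. The function names are hypothetical, and nothing here claims to be how the product computes User/simpleid.

```python
import string

# Constructed sample: the two login forms shown in the portlet output above.
SAMPLE_LOGINS = [
    "ablake",
    "cn=ablake,ou=users,ou=medical-idmsample,o=novell",
]


def leading_rdn(dn):
    """Return (attribute, unescaped value) of the leftmost RDN, or (None, dn)."""
    attr, sep, rest = dn.partition("=")
    if not sep:
        return None, dn                      # no "=", so not a DN at all
    buf, i = bytearray(), 0
    while i < len(rest) and rest[i] not in ",+":   # stop at an unescaped separator
        if rest[i] == "\\" and i + 1 < len(rest):
            pair = rest[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))    # hex escape such as \2C
                i += 3
            else:
                buf += rest[i + 1].encode()  # character escape such as \,
                i += 2
        else:
            buf += rest[i].encode()
            i += 1
    return attr.strip().lower(), buf.decode("utf-8")


def cn_for_sso(login_value):
    """Return the CN for either login form; reject a DN that does not start with cn=."""
    attr, value = leading_rdn(login_value.strip())
    if attr is None:
        return value                         # already a bare CN, e.g. "ablake"
    if attr != "cn" or not value:
        raise ValueError("DN does not begin with a cn= RDN: %r" % login_value)
    return value


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(login, "->", cn_for_sso(login))
```

Rejecting a DN whose first RDN is not cn= keeps an unexpected value from being handed to the downstream application as a user name.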