User ID and domain resolution

In OneSpan Authentication Server Appliance, user accounts are identified using a user ID and a domain.

1. If entry fields for the user ID and domain are separate, name resolution ends and authentication continues. Otherwise simple name resolution continues with step 2.
2. If logon uses a similar format to UPN: user@domain, simple name resolution continues to step 3. Otherwise, default domain processing proceeds in step 5.
3. The OneSpan Authentication Server Appliance searches for a domain record with the name given after the @ sign. If the domain record is found, name resolution continues to step 4. Otherwise, default domain processing proceeds in step 5.
4. The user ID and domain parts are separated out, name resolution ends and authentication continues.
5. If a default domain has been configured for the policy, name resolution continues in step 6. Otherwise, domain processing continues in step 7.
6. The user ID is used as entered, with the default domain from the policy. Domain resolution ends and authentication continues.
7. The master domain is used, domain resolution ends and authentication continues. For more information about the master domain, see Master domain concepts and practical uses.

Figure: User ID and domain resolution

Additional considerations for user ID and domain resolution

Users who have the domain name in their user ID can experience authentication issues because OneSpan Authentication Server Appliance uses the corresponding part of the user ID as the domain name. To prevent this issue, users with the domain name in their user ID need to also provide the domain when logging on.

User jane.master in the master domain needs to use one of the following formats for a successful logon:

• master\jane.master
• jane.master@master

If user jane.master does not explicitly provide the domain in addition to the user ID, the logon attempt will fail.