APM logon to multiple directories in same flow
I am new to APM and have been tasked to migrate our company away from Novell EDIR. We have both EDIR and AD, and our current APM auth scheme calls EDIR in per-session and checks group membership in per-request.
Most of my users could get by with AD only if we replicated groups and memberships, then changed the per-session policy to auth against AD and the per-request policies to point to AD groups. I have a fair understanding of how to accomplish this, and it will get us 80% of the way.
Our identity tool uses the same user account name for a user and keeps the PW for the two in sync. Most users use that tool, but in some cases they do not and the PWs are not in sync. We have a handful of apps which require users to be authenticated against EDIR, and if I flipped the per-session auth to AD and they don't have their PWs in sync, they would get an app error when they try to access the application.
I am wondering if I could capture their PW as part of the AD auth and then try to auth against EDIR with those same credentials (without user interaction) and silently succeed, or pop a 2nd logon screen if they failed and weren't in sync?
Any suggestions on how to try that theory out?
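Added example (not from the original post or from F5): a runnable model of the flow the question proposes, so the branching can be tried out before building it in the policy. AD is authoritative; for users who need EDIR the same credentials are silently re-bound against EDIR, and only a failure there sends the user to a second logon page that asks for the EDIR password alone. The two directories are constructed in-memory stand-ins (names, users and passwords are made up), and the `needs_edir` set is an assumption standing in for however you decide which users need EDIR (an AD group query, for instance). In a real APM policy the corresponding steps would be the AD Auth and LDAP Auth agents binding to the real servers, with the logon page macro re-run on the failure branch; that mapping is my assumption, not something the post states.

```python
"""Added example (not from the original post): models the logon flow the
question proposes. Authenticate against AD, silently retry the same
credentials against EDIR, and show a second logon page only when the two
passwords are out of sync. Directories are constructed stand-ins; in APM
the equivalent steps are the AD Auth / LDAP Auth agents (assumed mapping)."""
from enum import Enum
import hashlib
import hmac
import os


class Outcome(Enum):
    ALLOW = "allow"                  # every required directory accepted the credentials
    NEED_EDIR_LOGON = "edir_logon"   # AD accepted, EDIR rejected: prompt once more for EDIR
    DENY = "deny"                    # AD logon failed, or the second EDIR attempt failed


class FakeDirectory:
    """Constructed stand-in for an LDAP server that accepts simple binds.

    Passwords are stored as salted PBKDF2 hashes so the sample never keeps
    cleartext in the 'directory'; bind_log records outcomes, never passwords."""

    def __init__(self, name, users):
        self.name = name
        self._creds = {}
        for username, password in users.items():
            salt = os.urandom(16)
            self._creds[username] = (salt, self._derive(password, salt))
        self.bind_log = []  # (username, success) tuples, for audit in the test

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def simple_bind(self, username, password):
        entry = self._creds.get(username)
        ok = False
        if entry is not None:
            salt, digest = entry
            ok = hmac.compare_digest(digest, self._derive(password, salt))
        self.bind_log.append((username, ok))
        return ok


def per_session_logon(ad, edir, username, password, needs_edir):
    """First logon page: AD is authoritative. For users who need EDIR, reuse
    the same credentials for a silent second bind; a failure there is not a
    denial but a signal to collect the EDIR password separately."""
    if not ad.simple_bind(username, password):
        return Outcome.DENY
    if username not in needs_edir:
        return Outcome.ALLOW           # never touch EDIR for AD-only users
    if edir.simple_bind(username, password):
        return Outcome.ALLOW           # passwords in sync, user sees nothing extra
    return Outcome.NEED_EDIR_LOGON     # out of sync: branch to a second logon page


def second_logon(edir, username, edir_password):
    """Second logon page, shown only on the NEED_EDIR_LOGON branch. The
    username carries over from the AD logon; only the EDIR password is asked."""
    return Outcome.ALLOW if edir.simple_bind(username, edir_password) else Outcome.DENY


def build_sample_directories():
    """Constructed sample data: alice is in sync, bob is not, carol is AD-only."""
    ad = FakeDirectory("AD", {"alice": "Correct-Horse-1",
                              "bob": "Sync-Me-2",
                              "carol": "Only-AD-3"})
    edir = FakeDirectory("EDIR", {"alice": "Correct-Horse-1",
                                  "bob": "Old-Pass-9"})
    needs_edir = {"alice", "bob"}  # assumption: in APM this might be an AD group query
    return ad, edir, needs_edir


if __name__ == "__main__":
    ad, edir, needs_edir = build_sample_directories()
    for user, pw in [("alice", "Correct-Horse-1"), ("bob", "Sync-Me-2"), ("carol", "Only-AD-3")]:
        print(user, per_session_logon(ad, edir, user, pw, needs_edir).value)
    print("bob second logon:", second_logon(edir, "bob", "Old-Pass-9").value)
```

Two things worth checking when you move this into the policy: the silent EDIR bind with an out-of-sync password is a real failed login from EDIR's point of view, so users in that state will accumulate one failure per session logon against any intruder-lockout threshold you have configured; and the second logon page should only ever be reached on that specific branch, so AD-only users never see it and never have a second bind attempted on their behalf.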