{"id":41752,"date":"2025-12-06T19:47:00","date_gmt":"2025-12-06T18:47:00","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=41752"},"modified":"2026-02-25T21:16:12","modified_gmt":"2026-02-25T20:16:12","slug":"dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/","title":{"rendered":"Dctm – OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure"},"content":{"rendered":"\n

The OpenText Directory Services (OTDS) is a pretty interesting piece of software, and it works quite well out-of-the-box. If you are starting to use the OTDS from scratch (when you have nothing internally), then there isn’t much problem, you can just use what they provide OOTB and that’s fine. But for big companies or if you already have a lot of specific use-cases and specific configurations that wouldn’t be considered “standard” usually, then it can quickly become (much) more complex.<\/p>\n\n\n\n

Default configuration & behavior<\/h2>\n\n\n\n

In a previous blog, I talked about ways to configure OTDS to allow the login to Documentum with something else than the default “oTExternalID3<\/em><\/strong>” (c.f. this blog<\/a> – mapped to “userPrincipalName<\/em><\/strong>” by default). That blog was on the Resource side of things, to populate the accounts in Documentum as well as perform a simple username\/password login through OTDS. I also mentioned in that publication that the simplest way to achieve that would be to change the “AD\/LDAP attribute<\/em><\/strong>” property of the Partition directly, but that’s only IF (and that’s a big IF) it doesn’t mess with other systems that you might have (e.g. other than Documentum).<\/p>\n\n\n\n

But what about Single Sign-On if you aren’t using the default\u2026? That’s what I will talk about in this new blog. I will use OTDS integrated with Azure OAuth 2 \/ OpenID Connect for that example. For my demo environment, I already setup the following things:<\/p>\n\n\n\n

    \n
  1. A Partition, named “APP1<\/em><\/strong>“, with its “AD\/LDAP attribute<\/em><\/strong>” property set to “sAMAccountName<\/em><\/strong>“. That means that “oTExternalID3<\/em><\/strong>” will have as value “MYUSERID<\/em><\/strong>” instead of the default “MYUSERID@DOMAIN-NAME.COM<\/em><\/strong>” (which it would have had with the default “userPrincipalName<\/em><\/strong>“)<\/li>\n\n\n\n
  2. An Auth Handler, named “SSO<\/em><\/strong>“, configured with OAuth 2.0 \/ OpenID Connect with its client ID, client secret, etc\u2026 So that all needed fields of the “Parameters<\/em><\/strong>” page are properly set for communications \/ exchanges. On the “Configuration<\/em><\/strong>” page, you can reduce the priority value from 10 to 5 (i.e. higher priority) and then there is a single field “Authentication principal attribute<\/em><\/strong>“. Based on the name only, you would probably set that to oTExternalID3, right?<\/li>\n<\/ol>\n\n\n\n

    With the above setup, the following will happen when you login through the SSO (with DEBUG enabled, to see the messages, otherwise you will have no clue why it fails):<\/p>\n\n\n

    \n==> otds.log <==\n2025-07-28 09:05:24.070|DEBUG |[https-jsse-nio-8080-exec-33]|OtdsAuthenticationManager||Authentication attempt with handler SSO result {CLIENT_CONTINUE_NEEDED, null, null, null}\n\n==> access.2025-07-28.log <==\n2025-07-28 09:05:24,074 UTC code:302 thread:https-jsse-nio-8080-exec-33 user:- ip:172.1.1.1 req:'POST \/otdsws\/login HTTP\/1.1' bytes:- session:- time-taken-ms:8\n\n==> otds.log <==\n2025-07-28 09:05:27.740|DEBUG |[https-jsse-nio-8080-exec-35]|OAuth2Handler||fetchURL received response code 200\n2025-07-28 09:05:27.742|DEBUG |[https-jsse-nio-8080-exec-35]|OAuth2Handler||Obtained access token: eyJ0eXAiOiJKV1QiLCJub25jZSI...Kuj4re_gei97mSMsLGXcXZ3Os3g\n2025-07-28 09:05:27.743|DEBUG |[https-jsse-nio-8080-exec-35]|OAuth2Handler||Obtained id_token: eyJ0eXAiOiJKV1QiCJhbGciOiJS...VTd_jsBFlPcxQLCOxKk85wdywQQ\n2025-07-28 09:05:27.842|DEBUG |[https-jsse-nio-8080-exec-35]|OAuth2Handler||fetchURL received response code 200\n2025-07-28 09:05:27.842|DEBUG |[https-jsse-nio-8080-exec-35]|OAuth2Handler||Obtained user object: {"@odata.context":"https:\/\/graph.microsoft.com\/v1.0\/$metadata#users\/$entity","businessPhones":["+41 123456789"],"displayName":"Patou Morgan","givenName":"Morgan","jobTitle":"Technology Leader ECM","mail":"morgan.patou@domain-name.com","mobilePhone":null,"officeLocation":"CH","preferredLanguage":null,"surname":"Patou","userPrincipalName":"MYUSERID@DOMAIN-NAME.COM","id":"77021...54e5c"}\n2025-07-28 09:05:27.909|DEBUG |[https-jsse-nio-8080-exec-35]|ReplayCache||OTDS Replay Cache Cleaner started\n2025-07-28 09:05:27.909|DEBUG |[https-jsse-nio-8080-exec-35]|ReplayCache||uuid added to replay cache: OIDC_https:\/\/login.microsoftonline.com\/9b5...918\/v2.0_bfb...d49\n2025-07-28 09:05:27.909|DEBUG |[https-jsse-nio-8080-exec-35]|OtdsAuthenticationManager||Authentication attempt with handler SSO result {SUCCESS, null, null, MYUSERID@DOMAIN-NAME.COM}\n2025-07-28 09:05:27.921|DEBUG |[https-jsse-nio-8080-exec-35]|OtdsAuthenticationManager||Search for MYUSERID@DOMAIN-NAME.COM using attributes [oTExternalID3] returned: null\n\n==> directory-access.log <==\n2025-07-28 09:05:27.921|WARN  ||0|0|Authentication Service|Failure Access|28,Initial authentication failed|172.1.1.1|""||"MYUSERID@DOMAIN-NAME.COM"|"Authentication failure [ACCOUNT_NOT_EXIST]: MYUSERID@DOMAIN-NAME.COM for resource __OTDS_AS__"\n<\/pre><\/div>\n\n\n
    Azure user details<\/h2>\n\n\n\n
    The SSO isn’t working\u2026 But why exactly? In the logs, we can see that the request is initiated on OTDS side, and a communication is sent to the OAuth 2 \/ OIDC provider. There is a response received by OTDS which includes the “access token<\/em><\/strong>” and “id_token<\/em><\/strong>“. You can check the exact content of these tokens with a JWT Decoder. So, if you have issues with setting up the OTDS-OAuth2 communications, that will probably tell you what is going on. In this case, I do receive the correct information, and my user object is retrieved properly (c.f. the “User Info Endpoint<\/em><\/strong>” field on the Auth Handler Parameters page, which is set to “https:\/\/graph.microsoft.com\/v1.0\/me<\/a>” for Azure). It contains fields such as “businessPhones<\/em><\/strong>“, “displayName<\/em><\/strong>“, “givenName<\/em><\/strong>“, “jobTitle<\/em><\/strong>“, “mail<\/em><\/strong>“, “surname<\/em><\/strong>” or “userPrincipalName<\/em><\/strong>“. Unfortunately, “sAMAccountName<\/em><\/strong>” isn’t part of the user details provided by Azure.<\/p>\n\n\n\n
    Why it’s not working<\/h2>\n\n\n\n
    In above example, the Auth Handler “SSO<\/em><\/strong>” result was actually “SUCCESS<\/em><\/strong>“. The problem comes after that\u2026 As you can see on the logs, once Azure confirmed the user details, it’s now up to OTDS to find that same account in its users list. Therefore, OTDS will look at the Auth Handler “User Identifier Field<\/em><\/strong>” field (Parameters page) and it will use that parameter from the received details. Then OTDS will look at the Auth Handler “Authentication principal attribute<\/em><\/strong>” (Configuration page) and it will try to find some accounts in its database that would match for both values.<\/p>\n\n\n\n
    Most Azure fields might not be very reliable so you will probably end-up using “userPrincipalName<\/em><\/strong>“\u2026 Indeed, multiple people can technically have the same first name or last name (or even both), the same job title and sometimes some of these fields might be empty like the phone number, etc. Therefore, “userPrincipalName<\/em><\/strong>” is most probably the one you will configure for the Auth Handler “User Identifier Field<\/em><\/strong>” field (Parameters page).<\/p>\n\n\n\n
    I don’t know if it’s possible to configure the fields that Microsoft returns but since I have no control over that, I can only impact the second part of the matching\/searching process. With our example, the Auth Handler “Authentication principal attribute<\/em><\/strong>” (Configuration page) uses “oTExternalID3<\/em><\/strong>” as the one and only parameter that OTDS will use for that mapping. Again, in an out-of-the-box OTDS, where you kept the default Partition configuration, then oTExternalID3 would have had the value from the AD’s “userPrincipalName<\/em><\/strong>“. Therefore, by default, it would have worked. But in this example, since we changed the “AD\/LDAP attribute<\/em><\/strong>” property of the Partition, then it doesn’t match anymore and therefore, OTDS isn’t able to find the user “MYUSERID@DOMAIN-NAME.COM<\/em><\/strong>“, as in its user registry, this account has a value of “MYUSERID<\/em><\/strong>“.<\/p>\n\n\n\n
    Updated configuration to fix the issue<\/h2>\n\n\n\n
    The solution in this case is then pretty simple once you understand how OTDS works. The first thing to do is to update the Partition so that OTDS can fill at least one of its properties with the value from the AD’s “userPrincipalName<\/em><\/strong>“. Therefore, on the Partition User Mappings page, you can define that a parameter like “oTExtraAttr0-9<\/em><\/strong>” or “oTUserID1-4<\/em><\/strong>” would take the value as needed. In this example, I will use “oTUserID1<\/em><\/strong>“:<\/p>\n\n\n
    \nOTDS Attribute(s)  ||  Active Directory Attribute(s)  ||  Format\naudio              ||                                 ||  %s\nbirthDate          ||                                 ||  %s\n...                ||  ...                            ||  ...\ncn                 ||  cn                             ||  %s\n...                ||  ...                            ||  ...\noTSAMAccountName   ||  sAMAccountName                 ||  %s\n...                ||  ...                            ||  ...\noTUserID1          ||  userPrincipalName              ||  %s\n...                ||  ...                            ||  ...\n<\/pre><\/div>\n\n\n
    \"OTDS<\/figure>\n\n\n\n
    After a Partition consolidation, all OTDS users will have their parameter “oTUserID1<\/em><\/strong>” set to the value of the AD’s “userPrincipalName<\/em><\/strong>“. The second step is then to configure the Auth Handler to use that same parameter for the user search:<\/p>\n\n\n\n
      \n
    • Select the checkbox of the current value set and remove it<\/li>\n\n\n\n
    • Using the dropdown list, select the new parameter you want to use (“oTUserID1<\/em><\/strong>” in this case) and add it<\/li>\n\n\n\n
    • Note: there can be multiple parameters if you want, just make sure it’s unique enough\u2026<\/li>\n\n\n\n
    • Save the Auth Handler<\/li>\n<\/ul>\n\n\n\n
      \"OTDS\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
      With the updated details, trying to login again through SSO will now generate these logs:<\/p>\n\n\n
      \n==> otds.log <==\n2025-07-28 09:19:53.940|DEBUG |[https-jsse-nio-8080-exec-25]|OAuth2Handler||fetchURL received response code 200\n2025-07-28 09:19:53.941|DEBUG |[https-jsse-nio-8080-exec-25]|OAuth2Handler||Obtained access token: eyJ0eXAiOiJKV1QiLCJub25jZSI...CypMuiNm3njnvRxjWGMF29pzwfx\n2025-07-28 09:19:53.942|DEBUG |[https-jsse-nio-8080-exec-25]|OAuth2Handler||Obtained id_token: eyJ0eXAiOiJKV1QiLCJhbGciOiJ...EqlQtTgGqW3svHBV1fhyxOnTuYQ\n2025-07-28 09:19:54.058|DEBUG |[https-jsse-nio-8080-exec-25]|OAuth2Handler||fetchURL received response code 200\n2025-07-28 09:19:54.058|DEBUG |[https-jsse-nio-8080-exec-25]|OAuth2Handler||Obtained user object: {"@odata.context":"https:\/\/graph.microsoft.com\/v1.0\/$metadata#users\/$entity","businessPhones":["+41 123456789"],"displayName":"Patou Morgan","givenName":"Morgan","jobTitle":"Technology Leader ECM","mail":"morgan.patou@domain-name.com","mobilePhone":null,"officeLocation":"CH","preferredLanguage":null,"surname":"Patou","userPrincipalName":"MYUSERID@DOMAIN-NAME.COM","id":"77021...54e5c"}\n2025-07-28 09:19:54.059|DEBUG |[https-jsse-nio-8080-exec-25]|ReplayCache||uuid added to replay cache: OIDC_https:\/\/login.microsoftonline.com\/9b5...918\/v2.0_f41...e95\n2025-07-28 09:19:54.059|DEBUG |[https-jsse-nio-8080-exec-25]|OtdsAuthenticationManager||Authentication attempt with handler SSO result {SUCCESS, null, null, MYUSERID@DOMAIN-NAME.COM}\n2025-07-28 09:19:54.182|DEBUG |[https-jsse-nio-8080-exec-25]|OtdsAuthenticationManager||Search for MYUSERID@DOMAIN-NAME.COM using attributes [oTUserID1] returned: oTPerson=779...bf4,orgunit=users,partition=APP1,dc=identity,dc=opentext,dc=net\n\n==> directory-access.log <==\n2025-07-28 09:19:54.193|INFO  ||0|0|Authentication Service|Success Access|27,Initial authentication successful|172.1.1.1|""|APP1|"MYUSERID"|"Authentication success: MYUSERID using authentication handler SSO for resource __OTDS_AS__"\n2025-07-28 09:19:54.226|INFO  ||0|0|Authentication Service|Success Access|71,OAuth access token issued|172.1.1.1|""|APP1|"MYUSERID"|"Issued access_token with ID 952...c0e for session 95c...501 issued to client dctm-demo-d2 for grant_type implicit"\n<\/pre><\/div>\n\n\n
      The SSO is now fully working, as OTDS can find a matching user by using the attribute “oTUserID1<\/em><\/strong>“. In some cases, you might be able to use the “mail<\/em><\/strong>” attribute instead, but you need to make sure that it is really unique for the users and partitions that you import into OTDS (right now, and in the future too). It can be a rather common practice for some customers to have multiple users with the same email, because there could be standard vs admin\/high-privilege users (or different AD like lower environments, which might re-use the same email, etc\u2026). So, use and configure OTDS as you need, but with caution!<\/p>\n\n\n\n
      <\/p>\n","protected":false},"excerpt":{"rendered":"
      The OpenText Directory Services (OTDS) is a pretty interesting piece of software, and it works quite well out-of-the-box. If you are starting to use the OTDS from scratch (when you have nothing internally), then there isn’t much problem, you can just use what they provide OOTB and that’s fine. But for big companies or if […]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[525],"tags":[1338,2609,3202,3203,3500,3758,445,3759],"type_dbi":[],"class_list":["post-41752","post","type-post","status-publish","format-standard","hentry","category-enterprise-content-management","tag-azure","tag-documentum-2","tag-oauth2","tag-openid-connect","tag-otds","tag-samaccountname","tag-sso","tag-userprincipalname"],"acf":[],"yoast_head":"\nDctm - OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure - dbi Blog<\/title>\n<meta name=\"description\" content=\"Let's go through a quick and simple way to configure OTDS SSO with sAMAccountName AD\/LDAP attribute when using Azure OAuth2 \/ OpenID Connect.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Dctm - OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure\" \/>\n<meta property=\"og:description\" content=\"Let's go through a quick and simple way to configure OTDS SSO with sAMAccountName AD\/LDAP attribute when using Azure OAuth2 \/ OpenID Connect.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-06T18:47:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-25T20:16:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"908\" \/>\n\t<meta property=\"og:image:height\" content=\"43\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Morgan Patou\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@MorganPatou\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Morgan Patou\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\"},\"author\":{\"name\":\"Morgan Patou\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"headline\":\"Dctm – OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure\",\"datePublished\":\"2025-12-06T18:47:00+00:00\",\"dateModified\":\"2026-02-25T20:16:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\"},\"wordCount\":1152,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png\",\"keywords\":[\"Azure\",\"Documentum\",\"OAUTH2\",\"OpenID Connect\",\"OTDS\",\"sAMAccountName\",\"SSO\",\"userPrincipalName\"],\"articleSection\":[\"Enterprise content management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\",\"name\":\"Dctm - OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png\",\"datePublished\":\"2025-12-06T18:47:00+00:00\",\"dateModified\":\"2026-02-25T20:16:12+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"description\":\"Let's go through a quick and simple way to configure OTDS SSO with sAMAccountName AD\/LDAP attribute when using Azure OAuth2 \/ OpenID Connect.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png\",\"width\":908,\"height\":43},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Dctm – OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\",\"name\":\"Morgan Patou\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"caption\":\"Morgan Patou\"},\"description\":\"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex & critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.\",\"sameAs\":[\"https:\/\/blog.dbi-services.com\/author\/morgan-patou\/\",\"https:\/\/x.com\/MorganPatou\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Dctm - OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure - dbi Blog","description":"Let's go through a quick and simple way to configure OTDS SSO with sAMAccountName AD\/LDAP attribute when using Azure OAuth2 \/ OpenID Connect.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/","og_locale":"en_US","og_type":"article","og_title":"Dctm - OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure","og_description":"Let's go through a quick and simple way to configure OTDS SSO with sAMAccountName AD\/LDAP attribute when using Azure OAuth2 \/ OpenID Connect.","og_url":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/","og_site_name":"dbi Blog","article_published_time":"2025-12-06T18:47:00+00:00","article_modified_time":"2026-02-25T20:16:12+00:00","og_image":[{"width":908,"height":43,"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png","type":"image\/png"}],"author":"Morgan Patou","twitter_card":"summary_large_image","twitter_creator":"@MorganPatou","twitter_misc":{"Written by":"Morgan Patou","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/"},"author":{"name":"Morgan Patou","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"headline":"Dctm – OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure","datePublished":"2025-12-06T18:47:00+00:00","dateModified":"2026-02-25T20:16:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/"},"wordCount":1152,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png","keywords":["Azure","Documentum","OAUTH2","OpenID Connect","OTDS","sAMAccountName","SSO","userPrincipalName"],"articleSection":["Enterprise content management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/","url":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/","name":"Dctm - OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png","datePublished":"2025-12-06T18:47:00+00:00","dateModified":"2026-02-25T20:16:12+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"description":"Let's go through a quick and simple way to configure OTDS SSO with sAMAccountName AD\/LDAP attribute when using Azure OAuth2 \/ OpenID Connect.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/12\/OTDS_SSO_1.png","width":908,"height":43},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-otds-sso-with-samaccountname-ad-ldap-attribute-and-azure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Dctm – OTDS SSO with sAMAccountName AD\/LDAP attribute and Azure"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8","name":"Morgan Patou","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","caption":"Morgan Patou"},"description":"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex & critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.","sameAs":["https:\/\/blog.dbi-services.com\/author\/morgan-patou\/","https:\/\/x.com\/MorganPatou"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/41752","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=41752"}],"version-history":[{"count":3,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/41752\/revisions"}],"predecessor-version":[{"id":43171,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/41752\/revisions\/43171"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=41752"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=41752"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=41752"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=41752"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}