/** User's computed permissions. */
        protected String[] permissions;

        /** Azure AD authentication result. */
        protected IAuthenticationResult authResult;

        /**
         * Constructs an Azure AD user with the authentication result.
         * @param authResult The authentication result from Azure AD.
         */
        public AzureAdUser(final IAuthenticationResult authResult) {

- User provides their AD/LDAP username and password to the STS API.
- MinIO looks up the user's information (specifically the user's Distinguished Name) in the LDAP server.
- On finding the user's info, MinIO verifies the login credentials with the AD/LDAP server.
- MinIO optionally queries the AD/LDAP server for a list of groups that the user is a member of.

    protected static final String AZUREAD_CLIENT_SECRET = "aad.client.secret";

    /** Configuration key for Azure AD client ID. */
    protected static final String AZUREAD_CLIENT_ID = "aad.client.id";

    /** Configuration key for Azure AD reply URL. */
    protected static final String AZUREAD_REPLY_URL = "aad.reply.url";

    /** Session attribute key for storing Azure AD states. */

| [**AD/LDAP**](https://github.com/minio/minio/blob/master/docs/sts/ldap.md)             | Let AD/LDAP users request temporary credentials using AD/LDAP username and password.                                                          |

- `aws:groups` - This is an array containing the group names, this value would point to group mappings for the user, use `jwt:groups` in case of OpenID connect and `ldap:groups` in case of AD/LDAP.

## Explore Further

		{"Test", "", "", "", "", 0, ListMultipartsInfo{}, BucketNameInvalid{Bucket: "Test"}, false},
		{"---", "", "", "", "", 0, ListMultipartsInfo{}, BucketNameInvalid{Bucket: "---"}, false},
		{"ad", "", "", "", "", 0, ListMultipartsInfo{}, BucketNameInvalid{Bucket: "ad"}, false},
		// Valid bucket names, but they do not exist (Test number 5-7).
		{"volatile-bucket-1", "", "", "", "", 0, ListMultipartsInfo{}, BucketNotFound{Bucket: "volatile-bucket-1"}, false},

     *
     * Examples:
     * - "div.content" matches div elements with class "content"
     * - "span#header" matches span elements with ID "header"
     * - "p[data-type=ad]" matches p elements with data-type attribute equal to "ad"
     *
     * @param value the comma-separated string of pruned tag configurations
     * @return an array of PrunedTag objects parsed from the input string

MinIO provides a custom STS API that allows authentication with client X.509 / TLS certificates.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.

### 4. Test with MinIO STS API

Once etcd is configured, **any STS configuration** will work including Client Grants, Web Identity or AD/LDAP.

        // Use an auth type that doesn't require complex parsing (e.g., 999 - unknown type)
        authElementVector.add(new DERTaggedObject(0, new ASN1Integer(999))); // ad-type
        authElementVector.add(new DERTaggedObject(1, new DEROctetString(new byte[] { 1, 2, 3, 4 })));
        authDataVector.add(new DERSequence(authElementVector));