COmanage Developers List

[Benn Oshrin <>]

Hey Ioannis,

I'm not sure I'm following the flow exactly, but a couple of thoughts...

- If the user has already passed through the new IdP, then SSO could 
prevent the "extra" login from being visible to the user.

- If you already know the appropriate state for the old and new 
identities, you could just link them in your plugin rather than use the 
enrollment flow.

As for our next call, I suspect we will end up canceling 30 Oct as I 
will be traveling that day. Unfortunately, we will probably also cancel 
13 Nov as I will be at a conference. On top of that, 27 Nov is the day 
before a US holiday. I'll be available that day, but I'm not sure if 
everyone else will be.

Ordinarily I would propose we just switch the weeks at this point, and 
meet starting Nov 6 instead... but I also have a conflict that day. 
Maybe Wed @ 10am ET wasn't such a good choice...

Maybe Nov 7 @ 10am ET/5pm EET?

Thanks,

-Benn-

On 10/25/19 8:11 AM, Ioannis Igoumenos wrote:
> Hi Benn and Arlen,
>
> i need some advice/assistance regarding an Enrollee plugin i am writing. 
> It is the plugin that will redirect to OrgIdentityLinking instead of 
> signup if a user with the same email exists in the registry. Benn this 
> is the one we discussed during the Hackathon.
>
> I created the functionality we wanted but there is a tricky part for 
> which i need some advice. Currently during the start step of the 
> petition i fetch the existing CO People that match my criteria and i let 
> the user pick one to proceed or abort and continue signing up. As soon 
> as the user makes a choice,  i force him to log out and re-login with 
> the old account. In order to manage this we will redirect to a specific 
> IdP, IdP hinting. Also i save the state of the new idp in a new table in 
> the model and track the entry with a token.
>
> So far so good. The problem is that i want to bypass the log out and 
> re-login step during an enrollment flow that performs an OID linking. I 
> do have the session data that i want to use for the linking but i do not 
> know how to 'fool' the registry. The reason for this is twofold:
>
>   * It is not user friendly to force the user re-login to an idp he
>     logged in 30 seconds ago. *The user should authenticate twice. Once
>     in the new idp and the second time in the old idp*. If we do not
>     'fool' the registry then there must be a third authentication to the
>     new idp, again, during the OId linking petition.
>       o This is the flow requested by the *EGI foundation*
>   * this will speed up the enrollment process
>
> I saw that there is dev call scheduled for next Wednesday. Is this going 
> to happen? Could we discuss this during this call? In case the call is 
> canceled, could we have a quick call in a day and time that suits either 
> of you so that i can move forward?
>
> Thank you both in advance.
>
> Best Regards,
>
> Ioannis
>
>
> P.S. The pull request for the Enrollment flow filtering has been updated.
>
> --
> Ioannis Igoumenos
> Research Engineer
> National Infrastructures for Research and Technology (GRNET)
> 7, Kifisias Av., 115 23, Athens, Greece
> t: +30 210 7471130 ext: 442
> f: +30 210 7474490
>
> Follow us:www.grnet.gr
> Twitter: @grnet_gr | Facebook: @grnet.gr
> LinkedIn: grnet | YouTube: GRNET EDET