
Re: [comanage-users] login IDs


  • From: Benn Oshrin <>
  • To: Paul Caskey <>
  • Cc: "" <>
  • Subject: Re: [comanage-users] login IDs
  • Date: Sat, 22 Apr 2017 15:18:47 -0400

I think what you're implicitly asking for is the ability to "copy back"
an identifier from a CO Person record to an Org Identity record. This
gets a bit tricky because it's not obvious which Org Identity to copy
the identifier back to.

It might be easier just to let COmanage look at CO Person identifiers
for login purposes... I think we didn't just do that in the first place
for philosophical reasons ("COmanage is just consuming external
identities") rather than anything technical.

A third option would be to consider the proxy identity to be "external"
and have an Org Identity to represent it, but that might be more
complicated than it's worth.

I'll have a better answer for you on Monday...

On 4/22/17 12:29 PM, Paul Caskey wrote:
> In a situation where COmanage is behind a collaborative proxy (one that
> is adding/modifying attributes), a user’s ePPN, as seen by SAML
> assertions to COmanage, will change once the user is enrolled (at least
> in our setup currently).
>
> That’s because a CO Identifier is generated and written to LDAP as the
> user’s eppn.
>
> Now, as I understand it, COmanage should be OK with this as long as the
> “Login” property on the identifier assignment is checked (and it is).
> But, it’s not working. After enrolling, subsequent login attempts by an
> enrolled user are met with the error:
>
> The identifier "<your CO-assigned ID>" is not registered. If your
> request for enrollment is still being processed, you will not be able to
> login until it is approved. Please contact an administrator for assistance.
>
> But, the referenced ID is most definitely registered to the right CO Person.
>
> When I double-checked the COmanage doc, I found this:
>
> “Login: In general, CO Person identifiers are not used to log in to
> COmanage services (Organizational Identities are), so this should
> generally be left unchecked.”
>
> So, what’s the right way to do this? Obviously, I could send the right
> thing from the proxy and then give it a priority mapping to REMOTE_USER
> in the COmanage Shibb SP, but that doesn’t feel like the right way…
>
> Are there other ways of doing this?
>
> Thanks!
>


