
RE: [comanage-users] login IDs


  • From: Paul Caskey <>
  • To: Benn Oshrin <>
  • Subject: RE: [comanage-users] login IDs
  • Date: Sat, 22 Apr 2017 19:23:18 +0000
  • Accept-language: en-US


It's the second answer I'm after - 'let COmanage look at CO Person
identifiers for login purposes'.

I thought that could be enabled with that 'Login' property on the Identifier
Assignment page.

Thanks!


> -----Original Message-----
> From: Benn Oshrin
> Sent: Saturday, April 22, 2017 2:19 PM
> To: Paul Caskey
> Cc:
> Subject: Re: [comanage-users] login IDs
>
> I think what you're implicitly asking for is the ability to "copy back"
> an identifier from a CO Person record to an Org Identity record. This gets
> a bit tricky because it's not obvious which Org Identity to copy the
> identifier back to.
>
> It might be easier just to let COmanage look at CO Person identifiers for
> login purposes... I think we didn't just do that in the first place for
> philosophical reasons ("COmanage is just consuming external identities")
> rather than anything technical.
>
> A third option would be to consider the proxy identity to be "external"
> and have an Org Identity to represent it, but that might be more
> complicated than it's worth.
>
> I'll have a better answer for you on Monday...
>
> On 4/22/17 12:29 PM, Paul Caskey wrote:
> > In a situation where COmanage is behind a collaborative proxy (one
> > that is adding/modifying attributes), a user's ePPN, as seen by SAML
> > assertions to COmanage, will change once the user is enrolled (at
> > least in our setup currently).
> >
> > That's because a CO Identifier is generated and written to LDAP as the
> > user's eppn.
> >
> > Now, as I understand it, COmanage should be OK with this as long as
> > the "Login" property on the identifier assignment is checked (and it is).
> > But, it's not working. After enrolling, subsequent login attempts by
> > an enrolled user are met with the error:
> >
> > "The identifier "<your CO-assigned ID>" is not registered. If your
> > request for enrollment is still being processed, you will not be able
> > to login until it is approved. Please contact an administrator for
> > assistance."
> >
> > But, the referenced ID is most definitely registered to the right CO
> > Person.
> >
> > When I double-checked the COmanage doc, I found this:
> >
> > "Login: In general, CO Person identifiers are not used to log in to
> > COmanage services (Organizational Identities are), so this should
> > generally be left unchecked."
> >
> > So, what's the right way to do this? Obviously, I could send the
> > right thing from the proxy and then give it a priority mapping to
> > REMOTE_USER in the COmanage Shibb SP, but that doesn't feel like the
> > right way...
> >
> > Are there other ways of doing this?
> >
> > Thanks!

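The failure mode in this thread (a proxy rewrites the user's ePPN to a CO-assigned identifier after enrollment, and the registry then rejects the login because it only matches login identifiers against Org Identities) is easier to reason about with a small model. The following Python is an added illustration written for this archive page; it is not COmanage code and does not use COmanage's API. It assumes a registry where login identifiers are matched against Org Identity identifiers first, with an optional switch to also consult CO Person identifiers that carry the Login flag (the "second answer" in the reply), and it also models why "copy back" is ambiguous when a CO Person is linked to more than one Org Identity. All records, identifier values and domain names are constructed.

```python
"""Toy model of login-identifier resolution in an identity registry.

Added example, not COmanage's implementation. Assumptions: each Org Identity
and each CO Person holds a list of identifiers; an identifier has a Login
flag; the SAML SP hands the login value (e.g. eppn) to the registry as
REMOTE_USER. Sample data below is constructed for illustration.
"""
from dataclasses import dataclass

NOT_REGISTERED = (
    'The identifier "{ident}" is not registered. If your request for '
    'enrollment is still being processed, you will not be able to login '
    'until it is approved. Please contact an administrator for assistance.'
)


@dataclass
class Identifier:
    value: str
    type: str            # e.g. "eppn"
    login: bool = False  # the "Login" property on the identifier


@dataclass
class OrgIdentity:
    id: int
    identifiers: list


@dataclass
class CoPerson:
    id: int
    identifiers: list
    org_identities: list  # ids of linked Org Identities


class LoginError(Exception):
    """Raised when no registered login identifier matches REMOTE_USER."""


def resolve_login(ident, org_identities, co_people, co_person_login=False):
    """Return the CO Person id that owns the login identifier `ident`.

    Org Identity identifiers with the Login flag are always consulted (the
    behaviour the thread describes). CO Person identifiers are consulted only
    when co_person_login is True and the identifier has the Login flag.
    """
    for org in org_identities:
        if any(i.value == ident and i.login for i in org.identifiers):
            for person in co_people:
                if org.id in person.org_identities:
                    return person.id
    if co_person_login:
        for person in co_people:
            if any(i.value == ident and i.login for i in person.identifiers):
                return person.id
    raise LoginError(NOT_REGISTERED.format(ident=ident))


def copy_back(co_person, org_identities, ident):
    """Model of the "copy back" option: attach a CO Person identifier to the
    linked Org Identity so the Org-Identity-only lookup succeeds.

    This is only unambiguous when exactly one Org Identity is linked; with
    several, the caller has to choose, which is the difficulty the reply notes.
    """
    linked = [o for o in org_identities if o.id in co_person.org_identities]
    if len(linked) != 1:
        raise ValueError(
            f"{len(linked)} Org Identities linked; cannot choose a copy-back target"
        )
    linked[0].identifiers.append(Identifier(ident.value, ident.type, login=True))
    return linked[0].id


def build_sample(extra_org=False):
    """Constructed records for the scenario in the thread (not real data).

    Before enrollment the IdP asserts alice@idp.example; after enrollment the
    proxy asserts the CO-assigned value co-00042@proxy.example instead.
    """
    orgs = [OrgIdentity(1, [Identifier("alice@idp.example", "eppn", login=True)])]
    if extra_org:
        orgs.append(OrgIdentity(2, [Identifier("alice@other.example", "eppn", login=True)]))
    person = CoPerson(
        id=1,
        identifiers=[Identifier("co-00042@proxy.example", "eppn", login=True)],
        org_identities=[o.id for o in orgs],
    )
    return orgs, [person]


if __name__ == "__main__":
    orgs, people = build_sample()
    print(resolve_login("alice@idp.example", orgs, people))  # pre-enrollment: 1
    try:
        resolve_login("co-00042@proxy.example", orgs, people)  # post-enrollment
    except LoginError as e:
        print("Org-Identity-only lookup:", e)
    print(resolve_login("co-00042@proxy.example", orgs, people, co_person_login=True))
```

The run shows the three states discussed: the pre-enrollment ePPN resolves, the proxy-rewritten value is rejected with the "not registered" message even though it is attached to the right CO Person, and enabling the CO Person lookup makes the same value resolve. Calling `copy_back` with the two-Org-Identity sample raises, which is the ambiguity the reply raises about that option.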

