Subject: COmanage Users List
- From: Paul Caskey <>
- To: Benn Oshrin <>
- Cc: "" <>
- Subject: RE: [comanage-users] login IDs
- Date: Sat, 22 Apr 2017 19:23:18 +0000
- Accept-language: en-US
- Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
- Spamdiagnosticoutput: 1:0
It's the second answer I'm after - 'let COmanage look at CO Person
identifiers for login purposes'.
I thought that could be enabled with that 'Login' property on the Identifier
> -----Original Message-----
> From: Benn Oshrin
> Sent: Saturday, April 22, 2017 2:19 PM
> To: Paul Caskey
> Subject: Re: [comanage-users] login IDs
> I think what you're implicitly asking for is the ability to "copy back"
> an identifier from a CO Person record to an Org Identity record. This gets
> a bit tricky because it's not obvious which Org Identity to copy the identifier
> It might be easier just to let COmanage look at CO Person identifiers for
> login purposes... I think we didn't just do that in the first place for
> reasons ("COmanage is just consuming external
> identities") rather than anything technical.
> A third option would be to consider the proxy identity to be "external"
> and have an Org Identity to represent it, but that might be more complicated
> than it's worth.
> I'll have a better answer for you on Monday...
> On 4/22/17 12:29 PM, Paul Caskey wrote:
> > In a situation where COmanage is behind a collaborative proxy (one
> > that is adding/modifying attributes), a user's ePPN, as seen by SAML
> > assertions to COmanage, will change once the user is enrolled (at
> > least in our setup currently).
> > That's because a CO Identifier is generated and written to LDAP as the
> > user's eppn.
> > Now, as I understand it, COmanage should be OK with this as long as
> > the "Login" property on the identifier assignment is checked (and it is).
> > But, it's not working. After enrolling, subsequent login attempts by
> > an enrolled user are met with the error:
> > "The identifier "<your CO-assigned ID>" is not registered. If your
> > request for enrollment is still being processed, you will not be able
> > to login until it is approved. Please contact an administrator for
> > assistance."
> > But, the referenced ID is most definitely registered to the right CO
> > Person.
> > When I double-checked the COmanage doc, I found this:
> > "Login: In general, CO Person identifiers are not used to log in to
> > COmanage services (Organizational Identities are), so this should
> > generally be left unchecked."
> > So, what's the right way to do this? Obviously, I could send the
> > right thing from the proxy and then give it a priority mapping to
> > REMOTE_USER in the COmanage Shibb SP, but that doesn't feel like the
> > right way...
> > Are there other ways of doing this?
> > Thanks!
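The login lookup the thread is debating, modelled as an added example in Python. This is not COmanage's own code: the data model, the function names and the sample identifiers are constructed assumptions. It replays the sequence Paul describes (the proxy starts sending the CO-assigned identifier as ePPN after enrollment), shows the "not registered" outcome when only Org Identity identifiers are consulted, and then the two options Benn names: consulting CO Person identifiers that carry the Login flag, and copying the identifier back onto an Org Identity.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Identifier:
    value: str
    type: str            # e.g. "eppn", or the CO-assigned identifier type
    login: bool = False  # the "Login" checkbox on an identifier (assignment)


@dataclass
class OrgIdentity:
    id: int
    identifiers: List[Identifier] = field(default_factory=list)


@dataclass
class CoPerson:
    id: int
    org_identities: List[OrgIdentity] = field(default_factory=list)
    identifiers: List[Identifier] = field(default_factory=list)


class NotRegistered(Exception):
    """Raised when no login-flagged identifier matches REMOTE_USER."""


def resolve_login(remote_user: str, co_people: List[CoPerson],
                  consult_co_person: bool = False) -> int:
    """Map the value presented at login (REMOTE_USER) to a CO Person id.

    Default behaviour, as the thread describes it: only Org Identity
    identifiers are consulted. With consult_co_person=True, CO Person
    identifiers whose Login flag is set are accepted as well (the second
    option in Benn's reply).
    """
    for person in co_people:
        for org in person.org_identities:
            if any(i.login and i.value == remote_user for i in org.identifiers):
                return person.id
        if consult_co_person and any(
                i.login and i.value == remote_user for i in person.identifiers):
            return person.id
    raise NotRegistered(f'The identifier "{remote_user}" is not registered.')


def copy_back(person: CoPerson, ident: Identifier, org_id: int) -> None:
    """First option in Benn's reply: copy a CO Person identifier onto one
    chosen Org Identity. The caller must pick which Org Identity, which is
    the part the thread calls tricky when a person has several."""
    target = next(o for o in person.org_identities if o.id == org_id)
    target.identifiers.append(Identifier(ident.value, ident.type, login=True))


def build_sample() -> List[CoPerson]:
    # Constructed sample data (assumption, not from the thread): Alice's
    # home-org ePPN, and the CO-assigned identifier that the proxy starts
    # sending as ePPN once she is enrolled.
    home = OrgIdentity(id=1, identifiers=[
        Identifier("alice@home.example", "eppn", login=True)])
    alice = CoPerson(id=42, org_identities=[home], identifiers=[
        Identifier("alice42@collab.example", "eppn", login=True)])
    return [alice]


def enrollment_scenario() -> dict:
    """Replay the thread's sequence and report what each lookup does."""
    people = build_sample()
    alice = people[0]
    out = {}
    # Before enrollment the proxy passes the home ePPN through unchanged.
    out["before"] = resolve_login("alice@home.example", people)
    # After enrollment the proxy rewrites ePPN to the CO-assigned value;
    # an Org-Identity-only lookup produces the error Paul quotes.
    try:
        resolve_login("alice42@collab.example", people)
        out["after_org_only"] = "ok"
    except NotRegistered as e:
        out["after_org_only"] = str(e)
    # Option 2: let the lookup also see CO Person identifiers flagged Login.
    out["after_co_person"] = resolve_login("alice42@collab.example", people,
                                           consult_co_person=True)
    # Option 1: copy the identifier back onto the (single) Org Identity.
    copy_back(alice, alice.identifiers[0], org_id=1)
    out["after_copy_back"] = resolve_login("alice42@collab.example", people)
    return out


if __name__ == "__main__":
    for key, value in enrollment_scenario().items():
        print(f"{key}: {value}")
```

Running the block prints one line per step; the point to notice is that the Login flag on the CO Person identifier does nothing on its own as long as the lookup never consults CO Person identifiers, which matches the doc sentence Paul quotes.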