comanage-users - RE: [comanage-users] login IDs
Subject: COmanage Users List
List archive
- From: Paul Caskey <>
- To: Benn Oshrin <>
- Cc: "" <>
- Subject: RE: [comanage-users] login IDs
- Date: Sat, 22 Apr 2017 19:23:18 +0000
- Accept-language: en-US
- Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
- Ironport-phdr: 9a23:OfR/QBZn62uAOjrTWTUFyzj/LSx+4OfEezUN459isYplN5qZrsy8bnLW6fgltlLVR4KTs6sC0LuI9fu+EjVbv96oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCzbL52LRi6twvcu8gZjYd/JKs8ywbCr2dVdehR2W5mP0+YkQzm5se38p5j8iBQtOwk+sVdT6j0fLk2QKJBAjg+PG87+MPktR/YTQuS/XQcSXkZkgBJAwfe8h73WIr6vzbguep83CmaOtD2TawxVD+/4apnVAPkhSEaPDMi7mrZltJ/g75aoBK5phxw3YjUYJ2ONPFjeq/RZM4WSXZdUspUUSFKH4GyYJYVD+cZPehWsZTzp0cAoxW9CwmjBuLvxSNHiHD5xqA6z/0hHR3a0AA8A94CrnLZp8j1OqcIVuC1ybHFwy/ZYPNL3Tf29ZbFfQo6ofGPQ71xcdfaxE43FwzZlFqQso/lMC2V1+kWsmib6fZgWvy1i24htQ5xviajyt0yhYbUm4IY01bJ/jh6zoYtPdC0VlR0bcK5HJZVqi2WKpZ6T8YsQ2xnpCo21rgLtJylcyUF1JgqwhvSZ+Kbf4WM+h7uUOScLS16iX9nYr6zmhK//Eq6xuHhS8W531BHpTdfnNbWrHACzRnT59CHSvRj+keh3i6C2RjP5+9DPUw4iLPXJYM5zLItj5YTtl/METHslEXxka+Wal4r+u+16+Thf7rqvIecN5VzigHiLKshhtC/AeU/MggIRWSb/vm81KHn/U3+R7VKjec6nbXesJDfPcgbp6i5DBFJ0os79RqwFSuq3MkdkHUaMV5JZReKj4bmNl3SPPz1CPWyjEqjnTt3wv3LO6PtDonJI3TblbfuZ7d960pSyAopytBf4opZCqkdL/3pQU/xt8LXDx8iPgy1xebnFMty1pkYWW2RHq+VLrnevkGV6eIyO+WMfpMauC7hK/g54P7jlWM2mVgYfaaz25sYcn+4Eep/L0WEenrjnM0BEXwRswo6Tezqk0GCUSVNa3qoXqI84C07B5y8DYfFWI+tnKKN0D2lEZJLe2AVQmyLRF3lcYPMfOwMciOUaptrnzoCUpCgTZMszxejqFW8xrZ6eLn64Cod4Krqydw9zOTIlhwjvWhsBM2G0GycZ2Bygm4SQTIqhuZyrVErmQTL6rRxn/ENTY8b3PhOSApvcMeEl+E=
- Spamdiagnosticoutput: 1:0
It's the second answer I'm after - 'let COmanage look at CO Person
identifiers for login purposes'.
I thought that could be enabled with that 'Login' property on the Identifier
Assignment page.
Thanks!
> -----Original Message-----
> From: Benn Oshrin
> [mailto:]
> Sent: Saturday, April 22, 2017 2:19 PM
> To: Paul Caskey
> <>
> Cc:
>
> Subject: Re: [comanage-users] login IDs
>
> I think what you're implicitly asking for is the ability to "copy back"
> an identifier from a CO Person record to an Org Identity record. This gets
> a bit
> tricky because it's not obvious which Org Identity to copy the identifier
> back
> to.
>
> It might be easier just to let COmanage look at CO Person identifiers for
> login
> purposes... I think we didn't just do that in the first place for
> philosophical
> reasons ("COmanage is just consuming external
> identities") rather than anything technical.
>
> A third option would be to consider the proxy identity to be "external"
> and have an Org Identity to represent it, but that might be more complicated
> than it's worth.
>
> I'll have a better answer for you on Monday...
>
> On 4/22/17 12:29 PM, Paul Caskey wrote:
> > In a situation where COmanage is behind a collaborative proxy (one
> > that is adding/modifying attributes), a user's ePPN, as seen by SAML
> > assertions to COmanage, will change once the user is enrolled (at
> > least in our setup currently).
> >
> >
> >
> > That's because a CO Identifier is generated and written to LDAP as the
> > user's eppn.
> >
> >
> >
> > Now, as I understand it, COmanage should be OK with this as long as
> > the "Login" property on the identifier assignment is checked (and it is).
> > But, it's not working. After enrolling, subsequent login attempts by
> > an enrolled user are met with the error:
> >
> >
> >
> > *The identifier "*<your*CO-assigned ID>" is not registered. If your
> > request for enrollment is still being processed, you will not be able
> > to login until it is approved. Please contact an administrator for
> > assistance.*
> >
> >
> >
> > But, the referenced ID is most definitely registered to the right CO
> > Person.
> >
> >
> >
> > When I double-checked the COmanage doc, I found this:
> >
> > *"Login*: In general, CO Person identifiers are not used to log in to
> > COmanage services (Organizational Identities are), so this should
> > generally be left unchecked."
> >
> > So, what's the right way to do this? Obviously, I could send the
> > right thing from the proxy and then give it a priority mapping to
> > REMOTE_USER in the COmanage Shibb SP, but that doesn't feel like the
> > right way...
> >
> >
> >
> > Are there other ways of doing this?
> >
> >
> >
> > Thanks!
> >
- [comanage-users] login IDs, Paul Caskey, 04/22/2017
- Re: [comanage-users] login IDs, Benn Oshrin, 04/22/2017
- RE: [comanage-users] login IDs, Paul Caskey, 04/22/2017
- Re: [comanage-users] login IDs, Scott Koranda, 04/25/2017
- Re: [comanage-users] login IDs, Benn Oshrin, 04/22/2017
Archive powered by MHonArc 2.6.19.