comanage-users - Re: [comanage-users] login IDs
Re: [comanage-users] login IDs

  • From: Scott Koranda <>
  • To: Paul Caskey <>
  • Subject: Re: [comanage-users] login IDs
  • Date: Tue, 25 Apr 2017 10:34:09 -0500
I spoke with Paul directly about this, but for the benefit of the
email archive...

My recommendation when putting COmanage and other SPs behind an IdP/SP
proxy is that the proxy NOT filter the attributes from the eduGAIN IdPs
sent to COmanage, but instead just pass them through.

For the other SPs you usually want the proxy to take the attributes
from an eduGAIN IdP, use ePPN or ePUID or whatever as an index to
look up the user in an attribute store (usually populated by COmanage),
and find the VO attributes to send to the SP.

But for COmanage you usually want to not do that and just have the proxy
pass through the attributes from the eduGAIN IdP so that COmanage
can consume them directly.


Scott K

> In a situation where COmanage is behind a collaborative proxy (one that is
> adding/modifying attributes), a user’s ePPN, as seen by SAML assertions to
> COmanage, will change once the user is enrolled (at least in our setup
> currently). That’s because a CO Identifier is generated and written to LDAP
> as the user’s eppn.
>
> Now, as I understand it, COmanage should be OK with this as long as the
> “Login” property on the identifier assignment is checked (and it is). But,
> it’s not working. After enrolling, subsequent login attempts by an enrolled
> user are met with the error:
>
> The identifier "<your CO-assigned ID>" is not registered. If your request
> for enrollment is still being processed, you will not be able to login until
> it is approved. Please contact an administrator for assistance.
>
> But, the referenced ID is most definitely registered to the right CO Person.
> When I double-checked the COmanage doc, I found this:
>
> “Login: In general, CO Person identifiers are not used to log in to COmanage
> services (Organizational Identities are), so this should generally be left
> unchecked.”
>
> So, what’s the right way to do this? Obviously, I could send the right thing
> from the proxy and then give it a priority mapping to REMOTE_USER in the
> COmanage Shibb SP, but that doesn’t feel like the right way...
>
> Are there other ways of doing this?
>
> Thanks!
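The per-SP attribute policy Scott describes, as an added illustration that is not part of the original thread and not code from COmanage or any particular proxy product: the proxy passes the eduGAIN IdP's attributes through untouched when the target SP is COmanage, and for every other SP uses ePUID (or ePPN as a fallback) as the index into a COmanage-populated attribute store and releases the VO attributes found there. The entity IDs, the attribute store contents and the sample assertion are all constructed placeholders.

```python
"""Per-SP attribute handling for an IdP/SP proxy in front of COmanage.

Added example, not code from COmanage or from a real proxy. Entity IDs,
store contents and the sample IdP assertion are constructed placeholders.
Attribute values are lists, as SAML attributes are multi-valued.
"""
from typing import Dict, List, Optional

Attributes = Dict[str, List[str]]

# entityID of the COmanage Registry SP behind the proxy (assumed placeholder).
COMANAGE_ENTITY_ID = "https://registry.example.org/shibboleth"

# Identifiers accepted as the lookup key, most preferred first.
INDEX_ATTRIBUTES = ("eduPersonUniqueId", "eduPersonPrincipalName")

# Attribute store populated by COmanage (constructed sample). Keyed by the
# identifier the home IdP asserts; values are the VO attributes to release,
# including the CO-assigned eppn that other SPs should see.
ATTRIBUTE_STORE: Dict[str, Attributes] = {
    "jdoe@univ-a.example.edu": {
        "eppn": ["jdoe@vo.example.org"],
        "isMemberOf": ["CO:COU:Compute:members"],
        "mail": ["jdoe@univ-a.example.edu"],
    },
}

# Constructed assertion as it might arrive from an eduGAIN IdP. It carries no
# eduPersonUniqueId, so the lookup falls back to eduPersonPrincipalName.
SAMPLE_IDP_ASSERTION: Attributes = {
    "eduPersonPrincipalName": ["jdoe@univ-a.example.edu"],
    "mail": ["jdoe@univ-a.example.edu"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
}


def lookup_key(idp_attrs: Attributes) -> Optional[str]:
    """Return the first usable index identifier from the IdP's attributes."""
    for name in INDEX_ATTRIBUTES:
        values = idp_attrs.get(name)
        if values:
            return values[0]
    return None


def attributes_for_sp(sp_entity_id: str, idp_attrs: Attributes) -> Optional[Attributes]:
    """Decide what the proxy asserts to a given SP.

    COmanage gets the home IdP's attributes unchanged, so the login matches the
    user's Organizational Identity rather than a CO Person identifier. Any other
    SP gets the VO attributes from the store. None means the user is not in the
    store (not enrolled, or no index identifier): the proxy should then deny
    release or send the user to enrollment rather than fabricate attributes.
    """
    if sp_entity_id == COMANAGE_ENTITY_ID:
        return dict(idp_attrs)

    key = lookup_key(idp_attrs)
    if key is None:
        return None
    vo_attrs = ATTRIBUTE_STORE.get(key)
    if vo_attrs is None:
        return None
    return {name: list(values) for name, values in vo_attrs.items()}


if __name__ == "__main__":
    for sp in (COMANAGE_ENTITY_ID, "https://wiki.example.org/shibboleth"):
        print(sp, "->", attributes_for_sp(sp, SAMPLE_IDP_ASSERTION))
```

Note that the CO-assigned eppn stored for other SPs is deliberately never substituted into the COmanage-bound assertion: that substitution is exactly what causes the "identifier is not registered" failure described in the quoted message, because COmanage would then be asked to log in a CO Person identifier instead of an Organizational Identity.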
