
List:       shibboleth-users
Subject:    Re: MCB Use Case Question
From:       Paul Hethmon <paul.hethmon () clareitysecurity ! com>
Date:       2014-05-21 15:22:46
Message-ID: 63DB0395-C3BC-4803-822F-E5442B484830 () clareitysecurity ! com

On May 21, 2014, at 11:01 AM, Mike Wiseman <mike.wiseman@utoronto.ca> wrote:

The relying party requires username/password for all applications and OTP for a subset. The username is different from the institutional username so a separate idp that works with the RP environment will be deployed. The OTP service uses the institutional username only. So the idp/MCB needs to handle the RP-related username, look up the institutional username and then offer an OTP login to the user. Will MCB keep track of the RP-related username? Can the LDAP lookup be done before the OTP login?


You'll pretty much have to do what David L mentioned, have the OTP submodule handle the principal translation. The MCB/Shib principal will be what the RP wants, so you'll have to do a look up to find the other principal name for the OTP validation or have (and educate) the users to use their standard principal name during the OTP step, but not set a new principal name when you do.

Paul


Paul Hethmon
Chief Software Architect
paul.hethmon@clareitysecurity.com
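The flow Paul describes, as an added example that is not part of this thread or of the MCB code: the session principal stays the RP-facing username, the directory lookup (modelled with constructed entries in place of LDAP) yields the institutional username, and only that name is used to validate the OTP (RFC 6238 TOTP with constructed seeds; the RFC's own test seed is included). All function and field names here are assumptions, not MCB's API.

```python
import hashlib
import hmac
import struct

# Constructed directory entries standing in for the LDAP lookup result:
# rpUid is the RP-facing username, uid the institutional one (assumed names).
DIRECTORY = [
    {"uid": "jdoe", "rpUid": "jdoe-rp"},
    {"uid": "asmith", "rpUid": "asmith-rp"},
    {"uid": "dup1", "rpUid": "dup-rp"},
    {"uid": "dup2", "rpUid": "dup-rp"},  # deliberately ambiguous mapping
]

# Constructed OTP seeds, keyed by institutional username because the OTP
# service only knows that name. The first is the RFC 6238 test seed.
OTP_SEEDS = {"jdoe": b"12345678901234567890", "asmith": b"another-seed-value"}


def lookup_institutional(rp_username, directory=DIRECTORY):
    """Translate the RP-facing principal to the institutional one. Proceed
    only when exactly one entry matches, so a missing or ambiguous mapping
    cannot bind the OTP check to the wrong account."""
    matches = [e["uid"] for e in directory if e["rpUid"] == rp_username]
    if len(matches) != 1:
        return None
    return matches[0]


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_step(session, code, unix_time):
    """OTP submodule step: validate against the institutional name, record the
    stronger context, and leave the RP-facing principal untouched."""
    inst_username = lookup_institutional(session["principal"])
    if inst_username is None or inst_username not in OTP_SEEDS:
        return False
    if not hmac.compare_digest(totp(OTP_SEEDS[inst_username], unix_time), code):
        return False
    session["contexts"].append("otp")  # principal is deliberately not renamed
    return True
```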






