Various "Usernames" for a user

Cantor, Scott cantor.2 at osu.edu
Tue Jul 16 10:29:34 EDT 2013


> So the lunchtime question was could we get Shibboleth to work with all of
> these "username" types. From my first paragraph the answer was yes, but I
> wasn't entirely happy with it.

Having done this, I strongly advise you to avoid it and push back. It leads to a lot of complexity in your systems, and confusion for users.
 
> While this all functions, I spent quite some time searching for a way to do it all
> in the login.config - I thought I would be able to specify what is populated as
> the PrincipalName. Maybe someone has tackled this before, or maybe it's
> not possible.

The principal name is simply what the user enters, for the most part. There is no support in V2 for dealing with name canonicalization. It is a high priority in V3 to address that. This is what leads to the problems today with identity switching, because the IdP just assumes that any names are referring to one subject by different means.

> Also I don't think there is anything significantly bad with doing this, but was
> wondering if anyone had an alternate view before I get an official request to
> actually do it.

I find it significantly bad, if that helps. We've been doing it for a long time, on and off, and it's never been a positive thing.

-- Scott
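
The reply above says the V2 principal name is simply what the user typed and that nothing canonicalizes it, so several "username" forms for one person silently become several principals. The following is an added example, not code from this thread or from the Shibboleth IdP: it contrasts that literal behaviour with a hypothetical canonicalization step that maps every accepted form onto one uid and refuses, rather than guesses, when a name is unknown or matches more than one subject. The directory, the `example.edu` names and all helper functions are made up for the illustration.

```python
"""Hypothetical name-canonicalization check, added as an illustration of the
identity-switching problem described in the reply above. It is not code from
the thread or from the Shibboleth IdP; the directory, names and helper
functions are all made up for the example."""

from dataclasses import dataclass, field


@dataclass
class Subject:
    uid: str                                   # the one canonical principal name
    aliases: set = field(default_factory=set)  # other strings users type at login


# Constructed sample directory (not real accounts). "jsmith" is a legacy short
# name that two people have shared over time, which is the kind of collision a
# canonicalizer must refuse to guess about.
DIRECTORY = [
    Subject("jdoe.7",   {"jdoe.7@example.edu", "jane.doe@example.edu", "100234"}),
    Subject("jsmith.3", {"jsmith.3@example.edu", "jsmith", "100235"}),
    Subject("jsmith.4", {"jsmith.4@example.edu", "john.smith@example.edu", "jsmith"}),
]


class UnknownName(ValueError):
    pass


class AmbiguousName(ValueError):
    pass


def naive_principal(entered: str) -> str:
    """The behaviour the reply describes for IdP V2: the principal name is
    simply whatever the user typed, so 'jdoe.7' and 'jdoe.7@example.edu' are
    two different principals to everything keyed on that name."""
    return entered


def canonicalize(entered: str, directory=DIRECTORY) -> str:
    """Map any accepted username form onto exactly one canonical uid.
    Unknown or ambiguous input is an error, never a silent best guess."""
    key = entered.strip().lower()
    matches = [s for s in directory if key == s.uid or key in s.aliases]
    if not matches:
        raise UnknownName(entered)
    if len(matches) > 1:
        raise AmbiguousName(entered)
    return matches[0].uid


def outcome(entered: str) -> tuple:
    """Convenience wrapper returning ('ok', uid), ('unknown', None) or
    ('ambiguous', None) instead of raising."""
    try:
        return ("ok", canonicalize(entered))
    except UnknownName:
        return ("unknown", None)
    except AmbiguousName:
        return ("ambiguous", None)


def distinct_principals(logins, resolver) -> set:
    """The set of principal names a series of logins produces. Sessions,
    persistent IDs and consent records are keyed on this name, so each
    distinct value here is a separate identity as far as SPs can tell."""
    return {resolver(entry) for entry in logins}


if __name__ == "__main__":
    logins = ["jdoe.7", "jdoe.7@example.edu", "JANE.DOE@example.edu", "100234"]
    print("V2-style:", distinct_principals(logins, naive_principal))  # 4 identities
    print("canonical:", distinct_principals(logins, canonicalize))   # {'jdoe.7'}
    print("legacy short name:", outcome("jsmith"))                    # ('ambiguous', None)
```

The point of the `AmbiguousName` branch is the one the reply makes about identity switching: if the resolver picks a subject whenever a string matches anything, a shared legacy name lets one person land in another person's sessions and persistent identifiers. Failing closed on ambiguity pushes that problem back to the directory, where it belongs, instead of into the IdP.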

More information about the users mailing list