MCB Use Case Question

Paul Hethmon paul.hethmon at
Wed May 21 11:22:46 EDT 2014

On May 21, 2014, at 11:01 AM, Mike Wiseman <mike.wiseman at<mailto:mike.wiseman at>> wrote:

The relying party requires username/password for all applications and OTP for a subset. The username is different from the institutional username so a separate idp that works with the RP environment will be deployed. The OTP service uses the institutional username only. So the idp/MCB needs to handle the RP-related username, look up the institutional username and then offer an OTP login to the user. Will MCB keep track of the RP-related username? Can the LDAP lookup be done before the OTP login?

You'll pretty much have to do what David L mentioned, have the OTP submodule handle the principal translation. The MCB/Shib principal will be what the RP wants, so you'll have to do a look up to find the other principal name for the OTP validation or have (and educate) the users to use their standard principal name during the OTP step, but not set a new principal name when you do.


Paul Hethmon
Chief Software Architect
paul.hethmon at<mailto:paul.hethmon at>

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list