MCB Use Case Question
Paul Hethmon
paul.hethmon at clareitysecurity.com
Wed May 21 11:22:46 EDT 2014
On May 21, 2014, at 11:01 AM, Mike Wiseman <mike.wiseman at utoronto.ca> wrote:
The relying party requires username/password for all applications and OTP for a subset. The username is different from the institutional username, so a separate IdP that works with the RP environment will be deployed. The OTP service uses the institutional username only. So the IdP/MCB needs to handle the RP-related username, look up the institutional username and then offer an OTP login to the user. Will MCB keep track of the RP-related username? Can the LDAP lookup be done before the OTP login?
You'll pretty much have to do what David L mentioned: have the OTP submodule handle the principal translation. The MCB/Shib principal will be what the RP wants, so you'll have to do a lookup to find the other principal name for the OTP validation, or have (and educate) the users to use their standard principal name during the OTP step, but not set a new principal name when you do.
Paul
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
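The flow Paul describes, as an added illustration that is not MCB or Shibboleth code: the session principal stays the RP-facing username, the institutional username is only looked up to validate the second factor, and the OTP step hands the original principal back unchanged. The username mapping is a constructed stand-in for the LDAP lookup, and the RFC 6238 TOTP check stands in for the institutional OTP service.

```python
import hashlib
import hmac
import struct

# Constructed sample data (stands in for the LDAP lookup and the OTP service's seed store).
RP_TO_INSTITUTIONAL = {"rp-jsmith": "jsmith"}       # RP-facing principal -> institutional username
OTP_SECRETS = {"jsmith": b"12345678901234567890"}   # institutional username -> TOTP seed
STEP = 30                                            # TOTP time step in seconds


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time counter floor(t / STEP)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def lookup_institutional(rp_principal: str):
    """Translate the RP-facing principal to the institutional username (LDAP stand-in)."""
    return RP_TO_INSTITUTIONAL.get(rp_principal)


def verify_otp(institutional_user: str, code: str, now: int) -> bool:
    """Validate the code against the institutional user's seed, allowing one step of clock drift."""
    secret = OTP_SECRETS.get(institutional_user)
    if secret is None:
        return False
    # Constant-time comparison for each accepted window.
    return any(hmac.compare_digest(totp(secret, now + drift), code)
               for drift in (-STEP, 0, STEP))


def otp_step(session_principal: str, code: str, now: int):
    """Second-factor step. Returns the principal the IdP should assert, or None on failure.

    The institutional username is used only for validation; the RP-facing principal
    already established in the session is returned unchanged, never replaced.
    """
    institutional_user = lookup_institutional(session_principal)
    if institutional_user is None or not verify_otp(institutional_user, code, now):
        return None
    return session_principal
```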