ECP Practical issue

lalith jayaweera j_lalith at hotmail.com
Wed Nov 4 06:54:06 EST 2015


Hi Mathew,
 
Thanks for your reply.
 
The issue is below; I will probably try to elaborate more.
 
For Office 365, our UPN is firstname.lastname@test.x.y.z, which is the same as our email attribute.
 
For non-web clients (say smartphones), when they try to authenticate via UPN (using ECP), it fails because, as per my understanding of how ECP works with Office 365, from the above UPN the username for the IdP Apache server (the auth block below) will be firstname.lastname (the local part of the UPN) and not the full UPN, which is firstname.lastname@test.x.y.z.
 
Unfortunately we don't have any LDAP attribute to authenticate firstname.lastname against, only the email attribute, which holds the full UPN.
 
So my question is how to overcome this practical issue of Apache authentication for ECP.
 
As I said, it may not be a direct Shib question, but I am curious how others achieved this where the local part of the UPN is not a direct LDAP attribute value.
 
Hope this is clear.
 

 
> From: M.Slowe at kent.ac.uk
> To: users at shibboleth.net
> Subject: Re: ECP Practical issue
> Date: Wed, 4 Nov 2015 09:35:58 +0000
> 
> On 04/11/2015, 05:07, "users on behalf of lalith jayaweera" <users-bounces at shibboleth.net on behalf of j_lalith at hotmail.com> wrote:
> 
> 
> > Hi,
> > 
> > As we know, in Apache for the standard basic ECP configuration we have the below block to authenticate against LDAP.
> > 
> > However, my question is: when ECP works with Office 365, only the local part of the UPN becomes the username for ECP, that is, if my UPN is
> > mysamplename@test.x.y.z, only
> > mysamplename becomes the username for the below block, which is not the full email.
> > 
> > Given that the password is the same as for the UPN, and considering test.x.y.z is a constant for all the students, is there any way to still use the below email to authenticate?
> > 
> > Even though it is not a direct Shib question, I thought some may have encountered the same issue in Shib-Office 365 integration.
> > 
> >    <Location /idp/profile/SAML2/SOAP/ECP>
> >        AuthType Basic
> >        AuthName "ECP profile"
> >        AuthzLDAPAuthoritative Off
> >        AuthBasicProvider ldap
> >        # "?mail" makes mod_authnz_ldap match the presented username against the mail attribute
> >        AuthLDAPURL "ldap://sampleldap.ext1/dc=x,dc=y,dc=z?mail"
> >        AuthLDAPBindDN "cn=testadmin,cn=testadmin,cn=config"
> >        AuthLDAPBindPassword "samplepassword1"
> >        Require valid-user
> >    </Location>
> 
> Hi,
> 
> Your config is pretty much exactly what we have in place in production and it’s working fine.
> 
> Was there something not working or did you think it wouldn’t for some reason?
> 
> Matthew
> 
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
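The crux of the thread is that the `AuthLDAPURL ... ?mail` block above can only AND its fixed filter with `mail=<username exactly as presented>`, so when the client sends only the local part there is no place in mod_authnz_ldap to append the constant domain. The mapping therefore has to happen before the directory lookup. The following is an added example written for this page (it is not code from either poster, from Shibboleth or from Apache) of what that front-end step should do: parse the ECP Basic credentials, accept either the bare local part or the full UPN, append the assumed constant domain test.x.y.z, reject foreign domains and LDAP filter metacharacters, and emit the `(mail=...)` search filter the bind step would use. The domain constant, the local-part character set and the sample header are all assumptions for illustration.

```python
"""Map an ECP Basic-auth username onto a `mail` lookup.

Added example for this thread (not code from the poster, from Shibboleth or
from Apache). Assumptions: the UPN domain test.x.y.z is constant for every
account, and `mail` holds the full UPN. A client may present either the bare
local part or the full UPN; both are normalised to one search filter.
"""
import base64
import re

UPN_DOMAIN = "test.x.y.z"  # assumption: constant for all users

# Characters that must be escaped inside an LDAP search filter (RFC 4515),
# so a username such as "*" or "a)(objectClass=*" cannot widen the search.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}

# Conservative local-part syntax (assumed); anything else is rejected before
# any directory access happens.
_LOCAL_PART = re.compile(r"[A-Za-z0-9._%+-]+")


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def canonical_upn(username):
    """Return the full UPN for the username a client presented.

    Accepts 'firstname.lastname' or 'firstname.lastname@test.x.y.z'.
    Rejects any other domain (a foreign realm's user must never be bound
    against this directory) and any local part outside the allowed set.
    """
    name = username.strip()
    if "@" in name:
        local, _, domain = name.rpartition("@")
        if domain.lower() != UPN_DOMAIN:
            raise ValueError("UPN domain %r is not %s" % (domain, UPN_DOMAIN))
    else:
        local = name
    if not _LOCAL_PART.fullmatch(local):
        raise ValueError("malformed local part")
    return "%s@%s" % (local, UPN_DOMAIN)


def mail_search_filter(username):
    """Build the filter used to locate the entry to bind as."""
    # The regex already excludes filter metacharacters; escaping is kept as
    # defence in depth in case the local-part rule is later relaxed.
    return "(mail=%s)" % ldap_filter_escape(canonical_upn(username))


def parse_basic_authorization(header_value):
    """Split an 'Authorization: Basic <b64>' value into (username, password).

    A password may itself contain ':', so only the first one separates.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not HTTP Basic credentials")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise ValueError("malformed Basic credentials")
    return user, password


def ecp_lookup_filter(header_value):
    """Authorization header -> (search filter, password) for the bind step."""
    user, password = parse_basic_authorization(header_value)
    return mail_search_filter(user), password


if __name__ == "__main__":
    # Constructed sample header; the credentials are not real.
    sample = "Basic " + base64.b64encode(b"firstname.lastname:Pa:ss").decode()
    print(ecp_lookup_filter(sample))
    # The same user presented with the full UPN maps to the identical filter.
    print(mail_search_filter("firstname.lastname@TEST.X.Y.Z"))
```

Whatever performs this mapping (a small proxy in front of the `/idp/profile/SAML2/SOAP/ECP` location, or the IdP itself if the endpoint is left to its own Password login flow rather than Apache) should then do a search-then-bind with the returned filter, never a direct bind on a DN assembled from the raw username. If the IdP's own LDAP authenticator is used instead of Apache, the equivalent of `mail_search_filter` is the IdP's `idp.authn.LDAP.userFilter` property, which substitutes the presented name for `{user}` and so can carry the constant domain in the filter itself.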