Cherwell application (on-prem)

Mon Apr 29 13:53:28 EDT 2019

On 4/29/19, 1:43 PM, "IAM David Bantz" <db at alaska.edu> wrote:

> 1. Both thick (Windows) clients and web browser interface is supported. To support both as seamlessly as possible, our
> AD team asked that we identify users of the web client with an identifier including the Windows domain, like
> ua\username. This required  ginning up that identifier in attribute-resolver.xml

We support SSO for both thick client and browser, and both use email address IDs just fine (not that I'm advocating it, but in practice email vs. domain naming is functionally the same, it's likely name based on just as good/bad as the other). It's SAML either way. If there's a domain login feature for the thick client (SPNEGO), we didn't use it, but that would be a probable reason for pushing the domain naming. It's also probably a bad choice, since it's a giant pain to support compared to browser-based login, and you lose MFA, etc.

-- Scott