[External] Re: Cornerstone On Demand + SSO + custom attribute for user matching

Shweta Kautia skautia at northcarolina.edu
Mon Jun 15 21:06:27 UTC 2020 

Scott,

We're being informed now, that NameID is the only way supported to send in a user matching value.
Is it possible for you to confirm if that integration was in fact with an attribute (or a custom attribute) or just setting the NameID to an email or user id to match in their data?

I don't know if the product versions on their end have anything to do with their SSO model.

Their documentation shared with us says this for SAML 2.0 integration:

Element: NameID

Definition: This element contains the User's identifier information to log-in to CSOD. This could be any of the following
User fields:

  *   User ID
  *   Username
  *   Email Address

This is described in http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf(page 14).

CSOD validation steps:
Verify the User information in the Client's CSOD database. The User must be an existing, Active User in the Client's CSOD portal. Otherwise, access is denied to the User


[cid:7fc64695-971f-4aa2-9a64-f80daf61434d]

Thanks,
Shweta
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Monday, June 15, 2020 8:57 AM
To: Shib Users <users at shibboleth.net>
Subject: [External] Re: Cornerstone On Demand + SSO + custom attribute for user matching

[CAUTION: External email. Do not click links or open attachments unless verified. Send all suspicious email as an attachment to spam at northcarolina.edu<mailto:spam at northcarolina.edu>]


On 6/12/20, 6:16 PM, "users on behalf of Shweta Kautia" <users-bounces at shibboleth.net on behalf of skautia at northcarolina.edu> wrote:

> Has anyone set up SSO with CSOD, using EduPersonPrincipalName from assertion,  matching on a custom attribute in
> the system?

They mapped in a custom Attribute when I integrated it, we had nothing we could use at the time that fit the use case for various reasons, but if EPPN had been appropriate for us, that could have been the one that we mapped in.

There are a whole lot of problems with Cornerstone, but that wasn't one of them.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200615/89e3ab4f/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 40880 bytes
Desc: image.png
URL: <http://shibboleth.net/pipermail/users/attachments/20200615/89e3ab4f/attachment.png>

More information about the users mailing list