TimeClock Plus

[Cantor, Scott]

On 5/15/20, 9:10 AM, "users on behalf of Lohr, Donald" <users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:

> Any of you have this application/SP configured.

No.

> Per the vendor, they only support "IdP Initiated" and do not have any 
> configuration documentation to provide.

I have a couple dozen like that.

> They do configuration as a conference call.

Also common. I waste my time on the call while they realize nobody there knows what to do and finally go find the single engineer I have to talk to, usually after weeks of silence.

Meanwhile you have to do the real part....what's the access management model? How are users identified? If by email are yours stable? What if they're not and you have to get the customer to understand the implications for name changes?

That's what integrations are about, not the SAML part.

And then at the end, you've got a system on which you have no means to revoke your key because the vendor has to do it. Getting the business to accept and document that risk is something I still haven't managed.

> I need more detailed information about what a configuration looks like.

Metadata. Worst case metadata plus an attribute release rule most of the time, but I use metadata to drive most of those now.

I also handle IdP-initiated systems by installing redirect scripts in a cgi-bin directory on the web server and I give those to customers to insulate our web pages from the proprietary signaling to the IdP in case it changes.

-- Scott