RE: [Bodington-developers] Bodington with SP and IdP

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

>>Just one of the issues that came up when we were doing the WebAuth=20
>>integration here at oxford was that having two URLs depending on which =

>>authentication method was going to be used would cause problems for =
users.

>It means you can't give out a definite URL in your lectures because it=20
>depends on who your audience are.

The definite URL is the same as it always was. Only those students =
coming in
via Shibboleth, to a restricted set of URLs will need the alternative =
URL.
Presumably, they know who they are. In most cases, they won't need to =
know
about the dual URLs, as they will simply click on a link in their 'home'
Bodington, which then takes them via Shib to the resources revealed in =
the
'target' Bodington. If these students try the /shibsite URL, they will =
get
in. If they try the /site URL, they will be challenged for a username =
and
password at the target.  =20

>> If the visitor's IdP doesn't release the eduPersonPrincipalName
attribute,
>> the visitor doesn't get in.  Yes - the users get put into the =
pass_phrase
>> table with a null or dummy passphrase. If necessary, we could prevent
them
>> from logging in except via Shib.

>Would having a shibb_user table be a simpler/cleaner way to get this to =

>work?

The problem there is that the pass_phrase table is a very important one. =
It
is used for much more than just password authentication. If we move to a
shib_user table, there's a lot of code that will get duplicated and/or
changed. I'm inclined to put the shib users in with the other users and =
live
with the schema change.

Aggie