From: D B. <ba...@aw...> - 2020-04-17 16:49:11
Hi, from the manual I gather that unity supports quite complex scenarios for combining remote and local authentication - but I wasn't able to piece together from it how to configure what I need. I've got local users with username identities who authenticate with passwords. Now I'd like to add a remote SAML IDP with the following behaviour:

1. If a user tries remote authentication for a locally existing username for the first time, they are asked to associate those identities. This should prevent malicious users from hijacking existing local users' accounts by registering the same username at the remote IDP.
2. If a user tries remote authentication after association with a local account, they can just log in normally.
3. If a user tries remote authentication and the username doesn't exist locally, they are shown a pre-filled registration form (with the values obtained from the remote IDP) where they have to accept the terms and conditions. Admins are notified and can accept registrations. After acceptance, the local account is associated with the remote identity.
4. Local login with passwords for existing local users is still possible. Ideally, newly created remote users are able to set a password and thus have a 'local' account as well.

I can't quite figure out how to do 1 and 3 yet.

Re 1: How can I force association and not just let remote users in as soon as the usernames match? I suspect it has to do with the identity mapping in the input translation profile, described in http://www.unity-idm.eu/documentation/unity-3.2.1/manual.html#input-translation but I'm unclear if CREATE_OR_MATCH, MATCH, REQUIRE_MATCH, or UPDATE_OR_MATCH would be the correct value to choose. And what else is required to make it work.

Re 3: In my remote saml authentication facility, I've set the registration form to an existing, public form that collects username and email 'From remote IdP and shown RO'. However, when testing I'm never presented with this registration form after remotely authenticating - seems I'm missing some option?

As a side note: it seems account association can produce entities with multiple usernames. Both of those usernames will be sent to my SAML SPs - what's best practice here to avoid weird effects? Can I somehow tell unity to only send along the username that was created first? Or to import a new (remote) username only if the entity doesn't already have one?

Cheers,
D