Hi Sander,
On 23.08.2023 at 14:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> in our new setup we have the requirement that users have only one
> account, even if they log in via different upstream IdPs. Since LDAP is
> also one of the identity providers, I do not have a persistent
> identifier from the home organisation but can only use the email
> address for this. Of course the email address is a bad choice because it is
> reused after a retention period if the user leaves the home
> organisation.
>
> To have the email unique across users we would need to store it as
> an identity of the account. Please correct me if I am wrong on this
> point.
You are correct.
> If a user logs in and there is already an account with the used email
> address, we want to start the account linking procedure instead of
> automatically linking the accounts or just giving access because of the
> same email address. With this step we want to avoid providing access to
> an old account where the user does not exist anymore and is not yet
> removed.
>
> By reading the manual and testing I was only able to automatically
> bind the user to one entity. The second identity from the upstream IdP
> was not taken into account. So I have two questions at the moment.
>
> 1. Is there a way to configure Unity to log the user in only if both
> identities exist at the entity? E.g. username+email for LDAP or
> id+email for others.
Yes, there is: in the input profile you need to set up REQUIRE_MATCH for
both identity types required for a given IdP.
Then the login will be successful only if both match.
> 2. Is there a way to trigger the account linking if the login provides
> only one of the stored identities but not the second one?
Unfortunately not. When using REQUIRE_MATCH the failure is critical,
i.e. it does not allow associating the remote identity with some local one.
We would need a new feature for that.
> I hope you can understand the scenario.
I think more or less yes.
HTH,
Krzysztof
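For reference, here is an input translation profile that implements the REQUIRE_MATCH answer above for the LDAP case (username + email). It is an illustration added to this page, not code from the thread or from Unity's own documentation. It assumes Unity's JSON profile layout (`ver`, `type` = `INPUT`, `rules` with `condition`/`action`, and positional `mapIdentity` parameters: Unity identity type, MVEL expression, credential requirement, effect), that the LDAP authenticator exposes the login name as `id` and the mail attribute as `attr['mail']`, and that a credential requirement named `sys:all` exists; check each of these against your Unity version before using it.

```json
{
  "ver": "2",
  "name": "ldap-require-username-and-email",
  "description": "Assumed layout. Both mapIdentity rules use REQUIRE_MATCH, so the LDAP login succeeds only if the username AND the email already belong to one existing entity.",
  "type": "INPUT",
  "rules": [
    {
      "condition": { "conditionValue": "true" },
      "action": {
        "name": "mapIdentity",
        "parameters": [ "userName", "id", "sys:all", "REQUIRE_MATCH" ]
      }
    },
    {
      "condition": { "conditionValue": "true" },
      "action": {
        "name": "mapIdentity",
        "parameters": [ "email", "attr['mail']", "sys:all", "REQUIRE_MATCH" ]
      }
    }
  ]
}
```

Bind this profile to the LDAP authenticator only; each other upstream IdP gets its own profile with the analogous pair (for example `identifier` from the IdP's persistent ID plus `email`). Note the caveat from the reply above: if either rule fails to match, the authentication ends with an error and does not fall through to account linking, so a reassigned email address arriving with an unknown username is rejected outright, which is the safe outcome for the retention problem described at the top of the thread.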