PTFS-Europe / rebus-list-2

rebus:list 2+ issue tracker repository

Manage Hierarchy: 'Edit user roles' - Search Via LDAP #195

Open mrenvoize opened 8 years ago

mrenvoize commented 8 years ago

Currently when adding users to a list we are limited to pre-existing local users.

We should open this up to remote sources (for example LDAP) if enabled to allow for inline addition of a user via their LDAP record at this point. This would lead to a much more streamlined workflow.

mrenvoize commented 8 years ago

This enhancement has been accepted

richughes commented 8 years ago

Hi Martin

This would be very useful. I take it this would work for Shibboleth as well?

Thanks

Richard

mrenvoize commented 8 years ago

Hi Richard,

Unfortunately, due to the inherent workflow involved in Shibboleth (i.e., it's entirely browser driven using redirects), I don't currently know of a way to query the directory via any back channels.

My current thoughts about a workaround would be to enable both Shibboleth and LDAP integrations in complementary roles: using LDAP for back-channel communications, enabling us to query the active directory for user data (but not passwords), and leaving actual user authentication to Shibboleth, thus keeping confidential user data (passwords) completely out of the application's reach and enabling proper SSO (Single Sign On).

That probably doesn't explain it very well; it's unfortunately a real black hole of complexity :( Just shout though if there's anything you'd like clarifying; I'd certainly be more than happy to chat with some IT people inside universities to understand their thoughts on the problem areas.
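One way the split described in the comment above could look in code, as an added illustration rather than anything from rebus:list itself: Shibboleth releases an identifier, the application resolves it over an LDAP back channel with a properly escaped filter, and only an allow-list of attributes is ever copied into the application (userPassword is never requested or stored). The attribute names (eduPersonPrincipalName, uid, cn, mail), the fake directory and the sample identity are all constructed assumptions.

```python
# Added example (not rebus:list code): resolve a Shibboleth-authenticated
# identity to an application user via an LDAP back channel. The directory
# round-trip is replaced by a constructed in-memory stub so it runs offline;
# the LDAP attribute names used here are assumptions, not the project's.
from typing import Callable, Dict, List, Optional

# RFC 4515 escaping for values embedded in a search filter, so an
# identifier supplied by the IdP can never alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(eppn: str, id_attr: str = "eduPersonPrincipalName") -> str:
    """Filter locating the person entry for the identifier Shibboleth released."""
    return f"(&(objectClass=person)({id_attr}={escape_filter_value(eppn)}))"


# Allow-list: only these directory attributes are projected into the
# application. userPassword is neither requested nor copied.
ATTRIBUTE_MAP = {"uid": "username", "cn": "name", "mail": "email"}


def entry_to_user(entry: Dict[str, List[str]]) -> Dict[str, str]:
    """Project an LDAP entry onto application user fields via the allow-list."""
    return {app_field: entry[ldap_attr][0]
            for ldap_attr, app_field in ATTRIBUTE_MAP.items()
            if entry.get(ldap_attr)}


# Constructed stand-in for the directory server: filter string -> entries.
FAKE_DIRECTORY: Dict[str, List[Dict[str, List[str]]]] = {
    build_user_filter("jbloggs@example.ac.uk"): [{
        "uid": ["jbloggs"], "cn": ["Joe Bloggs"],
        "mail": ["jbloggs@example.ac.uk"], "userPassword": ["{SSHA}constructed"],
    }],
}


def lookup_user(eppn: str,
                search: Callable[[str], Optional[list]] = FAKE_DIRECTORY.get
                ) -> Optional[Dict[str, str]]:
    """Return the application user for a Shibboleth identity, or None."""
    results = search(build_user_filter(eppn)) or []
    if len(results) != 1:  # missing or ambiguous match: refuse rather than guess
        return None
    return entry_to_user(results[0])
```

Swapping `search` for a real client's search call (for example ldap3's `Connection.search`) keeps the escaping and the attribute allow-list unchanged.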