Open jdpurdyvi opened 1 year ago
Well, I was able to remap the Username attribute to something from our Identity Provider and all is well enough.
I'm so sorry @jdpurdyvi! In looking at the code, I was assuming that username was a required mapping. How were you getting around it before? Oh! Do you rely completely on the shibboleth_override_username hook?
I suppose so? I would be happy to share specific env details if that's helpful:
- Allow Automatic Account Merging (Bypass Username Management) was also enabled
- colostateEduPersonEID which provides the matching unique-name without the @colostate.edu
- Automatic login continued to work if I had a valid Shib session from a same-domain site that was still on v2.4.2
Ah, I see! It looks like you were using the email-matching to have it map to the correct user. Now that you have the Username mapping set to your unique-name which does match the account in WordPress, you can probably switch from Allow Automatic Account Merging (Bypass Username Management) to Allow Automatic Account Merging (it's a slightly more efficient WordPress lookup).
I'll see what I can do to add a fallback check that mirrors the truly required fields instead of only the username.
d64dd2baeb61f4e7422e6aaca242f6324cba5f14 breaks configs that don't provide [username][name]. Could the code fall back to using Shib-Session-ID?