When combining Shibboleth Authentication with the invitation feature, it is easily possible to invite a user by an email address that actually belongs to the domain namespace of the organisation that authenticates with Shibboleth.
Inviting a user in this case is not only unnecessary but also possibly dangerous since it can “shadow” the official account and render it unusable with the Shibboleth authentication.

We would very much prefer having the possibility to configure a regular expression that works as a white- or blacklist for identifying users that belong to the Shibboleth authenticated domains.
This setting can then be used to prevent sending invites to such email addresses and additionally prevent such users from accidentally using the default login page instead of the Shibboleth one.

We hacked a quick and dirty solution for this via custom templates and JavaScript but would very much prefer to have that handled by the server itself (since client-side JavaScript is only good for usability but not for security).
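
A server-side version of the check requested in this post, as an added example that is not part of the original posts or of the product's own code. The setting name `SHIB_EMAIL_PATTERNS`, the placeholder domain `example.edu` and all function names are assumptions.

```python
import re

# Hypothetical setting: regexes for addresses owned by the Shibboleth IdP.
# example.edu is a constructed placeholder domain.
SHIB_EMAIL_PATTERNS = [r"[^@\s]+@(?:[a-z0-9-]+\.)*example\.edu"]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in SHIB_EMAIL_PATTERNS]


def normalize(email: str) -> str:
    """Trim, lowercase the domain, drop a trailing root dot; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"malformed address: {email!r}")
    return f"{local}@{domain}"


def is_sso_managed(email: str) -> bool:
    # fullmatch, not search: an unanchored search would also accept
    # look-alikes such as user@example.edu.other.test.
    addr = normalize(email)
    return any(p.fullmatch(addr) for p in _COMPILED)


def invite_decision(email: str) -> str:
    """Server-side gate for the invitation endpoint."""
    try:
        managed = is_sso_managed(email)
    except ValueError:
        return "reject:malformed"
    return "reject:sso-managed" if managed else "allow"


def local_login_decision(email: str) -> str:
    """Server-side gate for the password login form."""
    try:
        managed = is_sso_managed(email)
    except ValueError:
        return "deny"
    return "redirect-to-shibboleth" if managed else "password-login"


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ["alice@example.edu", "Bob@Dept.EXAMPLE.edu.",
                 "carol@example.edu.partner.test", "dave@notexample.edu"]:
        print(addr, invite_decision(addr), local_login_decision(addr))
```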

We are in the same situation. Adding the Shibboleth login button next to the Password field in the form could prevent users from using a local password. Useful when eppn = email. And we could also edit the email notifications.

But I don’t really understand the shadow account. Does it occur when eppn <> email?