I’m going to upgrade my Indico from 2.x to 3.x. With 2.x I never used Shibboleth or any SSO, mostly because when I installed Indico I chose nginx.
Now, because I will start from a fresh install, I’m thinking of bringing in Shibboleth, and I would like to know what happens with old accounts: will Indico automatically merge accounts according to the email attribute?
What happens if the Shibboleth server is down? Is it going to use LDAP (I still need that)?
That depends on how you configure it. You can add multiple AUTH_PROVIDERS like Shibboleth/SAML (I suggest using SAML directly to avoid the need for Apache and all the Shibboleth bloat) and LDAP - in the login form the user can then either enter credentials directly or use the SSO option.
For existing accounts: If there’s a matching email, Indico will offer the user to link the SSO login to their existing account; no duplicate accounts are created so no merging is necessary.
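
Added example (not part of the thread, and not the Indico project's own configuration): a sketch of an `indico.conf` fragment with a SAML SSO provider next to an LDAP provider, as described in the reply above. The provider names `sso` and `ldap`, all hostnames, DNs, and the attribute names in the mappings are placeholder assumptions to be replaced with the values of your own IdP and directory.

```python
# indico.conf fragment (Python syntax). Hosts, DNs and attribute names are placeholders.
_saml_config = {
    'sp': {'entityId': 'indico-saml-example', 'x509cert': '', 'privateKey': ''},
    'idp': {
        'entityId': 'https://idp.example.com',
        'x509cert': '<IdP signing certificate>',
        'singleSignOnService': {
            'url': 'https://idp.example.com/saml',
            'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        },
    },
    'security': {'wantAssertionsSigned': True},  # reject unsigned assertions
}
_ldap_config = {
    'uri': 'ldaps://ldap.example.com:636',       # TLS, not plain ldap://
    'bind_dn': 'uid=indico,ou=services,dc=example,dc=com',
    'bind_password': '<from your secret store>',
    'timeout': 30,
    'verify_cert': True,                         # keep certificate checks on
    'page_size': 1500,
    'uid': 'uid',
    'user_base': 'ou=people,dc=example,dc=com',
    'user_filter': '(objectClass=person)',
}
# Both providers appear on the login page: an SSO option plus a credentials form.
AUTH_PROVIDERS = {
    'sso': {'type': 'saml', 'title': 'SSO', 'saml_config': _saml_config},
    'ldap': {'type': 'ldap', 'title': 'LDAP', 'ldap': _ldap_config, 'default': True},
}
# trusted_email: True lets Indico match existing accounts on the address without a
# verification mail; set it only if the source guarantees the address is the user's.
IDENTITY_PROVIDERS = {
    'sso': {
        'type': 'saml', 'title': 'SSO',
        'identifier_field': 'username',          # assumed IdP attribute name
        'mapping': {'email': 'email', 'first_name': 'firstName', 'last_name': 'lastName'},
        'trusted_email': True,
    },
    'ldap': {
        'type': 'ldap', 'title': 'LDAP', 'ldap': _ldap_config,
        'mapping': {'email': 'mail', 'first_name': 'givenName', 'last_name': 'sn'},
        'trusted_email': True,
    },
}
# Keep Indico's internal username/password accounts enabled as well.
LOCAL_IDENTITIES = True
```
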
OK, thanks. Nice, I can keep my Puppet module (which uses nginx).
OK, but if the user chooses to link the SSO login to their existing account, can the user still authenticate against LDAP (or the Indico internal database)?