On 09-04-2018 10:24 PM, dvandermaas wrote:
> First of the 2 major issues is solved, (Thx to Niel Cashell !!)
> It turns out that Session Assurance on the ESP was on where it fails,
> and it appears to be with the request to /nidp/app/soap. We saw a couple
> of hijack suspected messages, so I guess those were logged when it went
> wrong.
> I disabled Session Assurance in total and we didn't get any error
> stating "Resource not Available".
> Next step is to enable it again and add (ESP options) /nidp/app/soap to
> the SA exclude URL.
> Some of the other issues were due to the fact that users were using
> deeplinks. It turned out that those deeplinked pages were not reading
> the header authentication resulting in 401 errors or Windows
> authentication popups depending on the browser and configuration.
> And for the last issues, we're gonna do a test as Edward suggests,
> pointing towards 1 IDP, hope it survives ;-)
> @Edward, yes, we're gonna remove the AD's as an IDStore, makes no sense
> using them anymore ...

Using eDirectory when enabling Kerberos auth also allows you to authenticate from multiple forests and map users to a single identity in the user
store, as the received UPN value can be stored in a multi-valued attribute.