Using AutoCreateSSO FALSE, TransferCertToSSO FALSE, UseCertGroupsForSSO TRUE #79

Open
lauramengel opened this issue Jun 15, 2018 · 2 comments

@lauramengel
Collaborator

[I propose we table this to the next release and we'll either keep
AutoCreateSSO TRUE or keep UseCertGroupsForSSO FALSE
if AutoCreateSSO FALSE until then.]

The SSO account appears to inherit more than the groups from the cert.

  • Looking at the account via SelectEmailPrefs also shows the notifications of the cert.
    (The cert still retains the notifications.)
  • Using SSO and looking at a doc that has been signed by the cert,
    shows the "remove signature" button to the SSO user.
    (The "remove signature" button also shows for the Cert user.)

So it hasn't been transferred, but the SSO account seems to think it is the cert account,
instead of being the SSO account and inheriting only the groups.
Will include a couple screen grabs that show cert ID being used.
(And one that shows that if we turn UseCertGroupsForSSO off, then it
finds but decides not to use the cert ID.)

If we set:
AutoCreateSSO FALSE, TransferCertToSSO FALSE, UseCertGroupsForSSO FALSE
we get these messages instead where it finds but does not use the cert and everything
works as expected (https://esh-docdbdev.fnal.gov/cgi-bin/sso/ShowDocument?docid=3490)

Getting all security groups
From Database DocID: 3490
From Database DRI: 18359 DI: 3490 V: 1
Finding EmailUserID by FNAL SSO name [email protected]
Determined user ID from cert to be 1000
Could not find SSO information for [email protected], Certificate ID 1000 found but not used.
Could not find any user information for [email protected]
Determined user ID to be 
User explicity has groups 
After SSO groups, DocDB groups for user: 1, 35, 6, 26, 24
Final unique DocDB groups for user: 6, 35, 1, 24, 26

If we set:
AutoCreateSSO FALSE, TransferCertToSSO FALSE, UseCertGroupsForSSO TRUE

docdb_nossoentry_usescertid1

docdb_nossoentry_usescertid2

@ericvaandering
Owner

Ok. As long as you are OK deferring this, I won't bother to try to figure out what's going wrong. Sounds like a logic issue somewhere.

@lauramengel
Collaborator Author

Deferring this.

@lauramengel lauramengel added this to the 8.8.10 milestone Jun 19, 2018
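
The behaviour the report expects from AutoCreateSSO FALSE, TransferCertToSSO FALSE, UseCertGroupsForSSO TRUE, written as a small Python model with a regression check (an added example, not DocDB's code, which is Perl). Only the three setting names and the cert user ID 1000 come from the issue; the account data, group numbers and function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass(frozen=True)
class Settings:                      # the three settings named in the issue
    auto_create_sso: bool
    transfer_cert_to_sso: bool
    use_cert_groups_for_sso: bool

@dataclass
class Session:
    user_id: Optional[int]           # identity: signatures, notification prefs
    groups: Set[int] = field(default_factory=set)   # document access only

# Constructed sample data: a certificate account exists, no SSO account does.
NAME = "user@example.org"
CERT_ACCOUNTS = {NAME: {"id": 1000, "groups": {30}}}
SSO_ACCOUNTS = {}
SSO_GROUPS = {NAME: {10, 20}}        # groups supplied by the SSO login

def resolve(sso_name: str, s: Settings) -> Session:
    if s.auto_create_sso or s.transfer_cert_to_sso:
        raise ValueError("model covers only AutoCreateSSO/TransferCertToSSO FALSE")
    sso = SSO_ACCOUNTS.get(sso_name)
    session = Session(sso["id"] if sso else None, set(SSO_GROUPS.get(sso_name, ())))
    cert = CERT_ACCOUNTS.get(sso_name)
    if cert and s.use_cert_groups_for_sso:
        session.groups |= cert["groups"]     # groups only; cert["id"] is never adopted
    return session

def can_remove_signature(session: Session, signer_id: int) -> bool:
    return session.user_id is not None and session.user_id == signer_id

def identity_leaks(sso_name: str, s: Settings) -> bool:
    """True if the SSO session can act as the certificate account."""
    cert = CERT_ACCOUNTS[sso_name]
    session = resolve(sso_name, s)
    return session.user_id == cert["id"] or can_remove_signature(session, cert["id"])

if __name__ == "__main__":
    for flag in (False, True):
        s = Settings(False, False, flag)
        print(flag, resolve(NAME, s), "leak:", identity_leaks(NAME, s))
```
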