My understanding is that the GSA isn't really intended to use one
credential group with multiple authentication mechanisms, unless one
of those "authentication" mechanisms is really only being used for
group lookups. That's the point of having multiple credential groups.
How would late-binding authorization work if you could have multiple
authentication mechanisms within a single credential group, for
example? Would it only use the authentication mechanism that succeeded
for authorization checks?

If you want to provide multiple authorization paths, even if the
corresponding authentication mechanisms all point to the same user
repository under the covers, you're going to need to provide multiple
credential groups. And if you want to have multiple authentication
mechanisms that point to different user repositories, you definitely
want to use multiple credential groups.

Dave Watts, CTO, Fig Leaf Software