IAM, 2FA, and "plus addresses"

tl;dr: will IAM make the connection between the plus address and base account?

Some systems, like gmail, allow users to use “plus addresses”. Heroku will require 2FA verification – for users verified with mozillians via a “base” address, can they use a “plus address” to for services such as Heroku?

Example:

• I’m hwine@m.c in mozillians
• I create a hwine+heroku@m.c on heroku
• will IAM understand that “hwine+heroku@m.c” is equivalent to “hwine@m.c” for purposes of logging in with 2FA?

If IAM does not recognize the plus address, is there a way the user can configure their Mozillian’s account to allow the plus address to be recognized as a 2FA account?

@jlorenzo - I believe this is what you were asking. Please correct what I got wrong

That’s exactly it! Thank you for voicing my concern

For the purposes of login, hwine@mozilla.com is different from hwine+heroku@mozilla.com. In other words, you have a one single LDAP account login (the + accounts will fail to login with LDAP).

For the purpose of setting email aliases and informing services of various emails, both work fine - however, most third party services (relying parties/RPs) do NOT actually read these values.

Note: for non-LDAP accounts, if you were to use hwine@gmail.com and hwine+heroku@gmail.com as your GitHub personal account emails, this would simply use GitHub rules and thus work as long as GitHub let you login with your alternate emails (otherwise, it also wont)

I’m sorry, I’m not too sure to follow. So, if my LDAP account is jlorenzo@m.c and my Heroku account is jlorenzo+heroku@m.c, then I don’t have anything to do, do I? The migration from Heroku logins to LDAP will likely be okay, right?

The TLDR is: please change your Heroku email to be jlorenzo@mozilla.com

Okay, I have some good and some bad news.

Bad news is: I wanted to change my email address to jlorenzo@m.c, but Heroku tells me this address already exists. That’s true. I used to have this account, before I lost the 2FA token several years ago (thank you Firefox OS!). The solution I was told back then was to create a new account. The old account was removed the mozillacorporation group in favor of the new one.

Good news is: if I understand correctly, I can get the access to my old account back! Loosing the new account is not a big deal. I used to be admin of a sign app, but I just deleted it. Therefore, I don’t own/manage/collaborate to any Heroku app anymore. I don’t mind switching accounts.

@kang, should I delete jlorenzo+heroku@m.c before the migration? Can my old account be added to mozillacorporation after the migration?

I’m not 100% sure how Heroku works (I’m not Heroku admin) but this may be true as long as Heroku does not check an additional 2FA after SSO. @hwine might know - else, we should definitely ask Heroku support (@hwine do you have credentials to do that with them?)

Otherwise, we’d definitely have an issue that we’ll have to work out with Heroku or otherwise - thanks for bringing that up as we did not flag it

The SSO migration page asks me to connect with the credentials of my lost Heroku account (jlorenzo@m.c). Because I don’t have the 2FA tokens anymore, I’m locked out and I can’t perform the migration. @hwine, would you know how I should proceed? Can an admin erase my 2FA config temporarily?

You should be good once your mozillian’s account is in the group ‘heroku-members’, as you’ll be using your LDAP credentials at that time. Just use the initial URL of:
https://sso.heroku.com/saml/mozillacorporation/init
from now on to login to the dashboard.

Ping me on slack if that doesn’t work

This issue is now fixed. Here’s what happened:

1. jlorenzo@m.c has been deleted
2. I changed the email address of my functioning account from jlorenzo+heroku@m.c to jlorenzo@m.c
3. I activated SSO on my functioning account because the email addresses now match.

Thanks a lot Hal for your help!

Let’s close this thread then