
In COmanage you administer the attribute and identifier values of each Identity. Attribute values are associated with Attribute Types. Identifiers are a specific kind of Attribute and are used to uniquely identify an identity. As a CO-Admin you can define which identifiers may be used for authentication. There are standard predefined Identifiers, and you can define your own custom identifiers as well.

Below we explain the standard attribute types and how you can define your own custom attribute type. The standard Identifiers are explained as well, together with how to make your own custom identifier.

After that we explain how Attributes and Identifiers get their values for a given Identity.

Attribute: Standard Attribute Types

COmanage holds various predefined attributes. You can learn about these predefined attributes via Configuration / Enrollment Flows / Flow (pick one) / Add Enrollment Attribute.

Example:

 

Attribute: Define your own 'Attribute Type'

If you need an attribute that is not listed in the Standard Attribute Types above, you can create an attribute definition yourself. This is called an 'Extended Attribute'.

Go to Configuration / Extended Attributes / Add Extended Attribute.

You now have the option to define your own Attribute:

 

Identifier: Standard Identifier

COmanage holds a set of standard identifiers. You can list them, for example, via Configuration / Identifier Assignments / Add New Identifier Assignment.

Identifier: Custom Identifier

When you need an Identifier that does not exist yet, you can create your own custom Identifier. Go to Configuration / Extended Types.

Attribute + Identifier: Values Assignment

The different ways in which an Attribute Value is provisioned are explained in more detail below.

Attribute values are typically assigned during the following events:

  • Obtained from the identity provider during the authentication flow

  • User input during the enrollment flow

  • Automatically assigned (unique) value by a COmanage rule

  • Manually assigned value by the CO-Admin

Next we explain these events and what is needed in the CO configuration for each.

Attributes + Identifier values obtained from identity provider

Typically these values originate from the Identity Provider. For example, the Identity Provider 'knows' the given name of the authenticated user. This attribute value is passed on to COmanage.

Some COs want to use the attributes supplied by the IdP. How to do so?

  • In COmanage 3.0 it was possible to configure the platform so that, for all COs in COmanage, SAML attributes received from the IdP could be used during enrollment. But that configuration wrecked all 'invitation' enrollment flows.
  • In COmanage 3.1 a new feature was introduced: 'Organizational Identity Source' (OIS). This should enable per-CO and per-flow configuration of the usage of IdP-supplied attributes during enrollment. In practice that turned out to be harder than the theory predicted. We haven't been able to have the IdP attributes pre-populate COmanage fields. An option is, while defining the Enrollment Flow Attributes, to specify which environment variables they are based on/mapped to. This is hard, as you need to figure out the names of those variables. The names start with 'MELLON_' followed by a SAML OID URN. For example: MELLON_urn:oid:0.9.2342.19200300.100.1.3 for an email address, or MELLON_urn:oid:2.16.840.1.113730.3.1.241 for displayName. For a complete mapping, see Attributes in SURFconext.

    The problem is that you don't know for sure in advance which SAML attributes are released by the IdP. Some attributes are mandatory (according to R&S), but outside of those it depends on what you'll receive. Another problem is that some attributes are allowed to have different names, while in the Enrollment Flow attributes you can only specify one name.

    We're investigating whether a CO-connected OrgIdentity (for example an OrgIdentity created as the result of an OIS plugin) can be used as the basis for these attributes. For now, we don't know whether that is possible via an Enrollment Flow plugin or whether it needs COmanage hacking.
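To make the variable-naming problem concrete, here is an added example (not code from the COmanage page or project) that resolves a logical attribute from mod_auth_mellon style MELLON_ variables, trying both the OID URN form named above and the SAML FriendlyName, and reports which R&S attributes the IdP did not release. The multi-value convention (MELLON_<name>_0, _1, ...) and the OIDs other than the two on the page are assumed standard values; the sample environment is constructed.

```python
"""Resolve IdP attributes from MELLON_* environment variables.

Added example, not code from the COmanage page or project. Assumes the
mod_auth_mellon convention that each SAML attribute becomes a variable
MELLON_<name>, plus MELLON_<name>_0, _1, ... when multi-valued. The OIDs for
mail and displayName are from the page; the rest are the standard LDAP and
eduPerson OIDs. SAMPLE_ENV is constructed; pass os.environ for real use.
"""
# Logical name -> candidate variable names: IdPs may release an attribute
# under its OID URN or its FriendlyName, so both are tried.
CANDIDATES = {
    "mail": ["MELLON_urn:oid:0.9.2342.19200300.100.1.3", "MELLON_mail"],
    "displayName": ["MELLON_urn:oid:2.16.840.1.113730.3.1.241",
                    "MELLON_displayName"],
    "givenName": ["MELLON_urn:oid:2.5.4.42", "MELLON_givenName"],
    "sn": ["MELLON_urn:oid:2.5.4.4", "MELLON_sn"],
    "eduPersonPrincipalName": ["MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
                               "MELLON_eduPersonPrincipalName"],
}

def resolve(logical, env):
    """Return every value released for a logical attribute ([] if none)."""
    for var in CANDIDATES[logical]:
        if var in env:
            values = []
            while f"{var}_{len(values)}" in env:  # indexed copies, if any
                values.append(env[f"{var}_{len(values)}"])
            return values or [env[var]]
    return []

def missing_rs(env):
    """R&S attributes the IdP did not release; an enrollment flow mapped to a
    single variable name would start with these fields empty."""
    missing = []
    for attr in ("eduPersonPrincipalName", "mail"):
        if not resolve(attr, env):
            missing.append(attr)
    if not (resolve("displayName", env)
            or (resolve("givenName", env) and resolve("sn", env))):
        missing.append("displayName or givenName+sn")
    return missing

# Constructed sample: mail released twice under its OID URN, the display
# name only under its FriendlyName, and no ePPN at all.
SAMPLE_ENV = {
    "MELLON_urn:oid:0.9.2342.19200300.100.1.3": "alice@example.org",
    "MELLON_urn:oid:0.9.2342.19200300.100.1.3_0": "alice@example.org",
    "MELLON_urn:oid:0.9.2342.19200300.100.1.3_1": "a.example@example.org",
    "MELLON_displayName": "Alice Example",
}
```

Running missing_rs against the real environment of an authenticated request shows which enrollment fields would stay empty before the flow is configured.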

Moreover, sometimes you don't just want to populate fields, you also want to prevent users from editing the attributes the IdP vouched for. Enrollment Flow Attributes have a 'Modifiable' and a 'Hidden' option, so you can either hide those fields or prevent people from changing them.

Attribute + Identifier: User input during enrollment flow

Another method is to ask the new CO member to provide a value for a specific attribute. For example, I want the person to provide a value for the Attribute 'Shoe Size'.

Identifier only: Automatically Assigned (unique) value

COmanage automatically calculates and assigns a value, for example during enrollment, based on the configuration specified in Configuration / Identifier Assignments.

Attribute + Identifier: Manually assigned value by CO-Admin

Both Attribute and Identifier values can be updated by the CO-Admin.

(TO BE COMPLETED)
