In COmanage you administer the attribute and identifier values of each Identity. Attribute values are associated with Attribute Types. Identifiers are specific Attributes that are used to uniquely identify an identity. As a CO-Admin you can define which identifiers are allowed to be used for authentication. There are standard predefined Identifiers, and you can define your own custom identifiers as well.
Below we explain the 'standard attribute types' and how you can define your own custom attribute type. The standard Identifiers are also explained, as well as how you can make your own custom identifier.
After that we explain how Attributes and Identifiers get specific values for a certain Identity.
Attribute: Standard Attribute Types
COmanage holds various predefined attributes. You can see these predefined attributes via Configuration / Enrollment Flows / Flow (pick one) / Add Enrollment Attribute.
Attribute: Define your own 'Attribute Type'
If you need an attribute that is not listed in the Standard Attribute Types above, you can make an attribute definition yourself. This is called an 'Extended Attribute'.
Go to Configuration / Extended Attributes / Add Extended Attribute.
You now have the option to define your own Attribute:
Identifier: Standard Identifier
COmanage holds a set of standard identifiers. You can list them, for example, via Configuration / Identifier Assignments / Add New Identifier Assignment.
Identifier: Custom Identifier
When you need an Identifier that does not exist yet, you can make your own custom Identifier. Go to Configuration / Extended Types.
Attribute + Identifier: Values Assignment
The different methods by which an Attribute Value is provisioned are explained in more detail below.
Attribute values are typically assigned during the following events:
- Obtained from the identity provider, during the authentication flow
- User input during the enrollment flow
- Automatically assigned (unique) value by a COmanage rule
- Manually assigned value by the CO-Admin
Next we explain the different events and what is needed in the CO configuration for each of them.
Attributes + Identifier values obtained from identity provider
Typically these values originate from the Identity Provider. For example, the Identity Provider 'knows' the given name of the authenticated user. This attribute value is passed on to COmanage.
Some COs want to use the attributes supplied by the IdP. How to do so?
- In COmanage 3.0 it was possible to configure the platform so that, for all COs in COmanage, SAML attributes received from the IdP could be used during enrollment. But that configuration wrecked all 'invitation' enrollment flows.
- In COmanage 3.1 a new feature was introduced: 'Organizational Identity Source' (OIS). This should enable per-CO and per-flow configuration of the use of IdP-supplied attributes during enrollment. In practice that turned out to be harder than the theory predicted: we have not been able to have the IdP attributes pre-populate COmanage fields. An option is, while defining the Enrollment Flow Attributes, to specify which environment variables they are based on / mapped to. This is hard, as you need to figure out the names of those variables. The names start with 'MELLON_' followed by a SAML OID URN. For example: MELLON_urn:oid:0.9.2342.19200300.100.1.3 for an email address, or MELLON_urn:oid:2.16.840.1.1137126.96.36.199 for displayName. For a complete mapping, see Attributes in SURFconext.
The problem is that you do not know in advance for sure which SAML attributes are released by the IdP. Some attributes are mandatory (according to R&S), but beyond those it depends on what you receive. Another problem is that some attributes are allowed to have different names, while in the Enrollment Flow attributes you can only specify one name.
We are investigating whether a CO-connected OrgIdentity (for example an OrgIdentity created as a result of an OIS plugin) can be used as the basis for these attributes. For now, we do not know whether that is possible via an Enrollment Flow plugin or whether it needs COmanage hacking.
Moreover, sometimes you do not just want to populate fields, you also want to prevent users from editing those IdP-vouched attributes. Enrollment Flow Attributes have a 'Modifiable' and a 'Hidden' option, so you can either hide those fields or prevent people from changing them.
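As an added illustration of the MELLON_ variable naming described above (this script is not part of this page nor of COmanage), the following maps whatever the IdP released back to attribute names, accepts alternative names for the same attribute, reports mandatory attributes that are absent, and lists released variables it does not recognise. The mail OID is the one on this page; the other OIDs, the urn:mace:dir:attribute-def aliases and the list of mandatory attributes are assumptions, and the environment is a constructed sample.

```python
import re
from typing import Dict, List, Mapping
MELLON_PREFIX = "MELLON_"
# Candidate mod_auth_mellon variable names per COmanage attribute. The mail OID is
# the one on this page; the other OIDs and the urn:mace:dir:attribute-def aliases
# are assumed from the standard LDAP/eduPerson schemas.
ATTRIBUTE_ALIASES: Dict[str, List[str]] = {
    "mail": ["urn:oid:0.9.2342.19200300.100.1.3", "urn:mace:dir:attribute-def:mail"],
    "givenName": ["urn:oid:2.5.4.42", "urn:mace:dir:attribute-def:givenName"],
    "sn": ["urn:oid:2.5.4.4", "urn:mace:dir:attribute-def:sn"],
    "eduPersonPrincipalName": ["urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
                               "urn:mace:dir:attribute-def:eduPersonPrincipalName"],
}
# Attributes the enrollment flow cannot start without (assumed for this example).
MANDATORY = ("mail", "eduPersonPrincipalName")

def _matches(var: str, alias: str) -> bool:
    # First value is exposed as MELLON_<name>, every value as MELLON_<name>_<n>; accept both.
    return re.fullmatch(re.escape(MELLON_PREFIX + alias) + r"(_\d+)?", var) is not None

def released_attributes(env: Mapping[str, str]) -> Dict[str, List[str]]:
    """Map MELLON_* variables back to attribute names, merging the alternative
    names an IdP may use and collecting all values without duplicates."""
    found: Dict[str, List[str]] = {}
    for attr, aliases in ATTRIBUTE_ALIASES.items():
        values = [v for var, v in env.items() if v and any(_matches(var, a) for a in aliases)]
        if values:
            found[attr] = list(dict.fromkeys(values))  # dedupe, keep order
    return found

def missing_mandatory(env: Mapping[str, str]) -> List[str]:
    """Mandatory attributes the IdP did not release in this session."""
    return [a for a in MANDATORY if a not in released_attributes(env)]

def unmapped_variables(env: Mapping[str, str]) -> List[str]:
    """MELLON_* variables matching no known alias: what else the IdP released."""
    aliases = [a for names in ATTRIBUTE_ALIASES.values() for a in names]
    return sorted(v for v in env if v.startswith(MELLON_PREFIX)
                  and not any(_matches(v, a) for a in aliases))

# Constructed sample of the CGI environment after a SAML login (not a real session).
SAMPLE_ENV = {
    "MELLON_urn:oid:0.9.2342.19200300.100.1.3": "j.doe@example.org",
    "MELLON_urn:oid:0.9.2342.19200300.100.1.3_0": "j.doe@example.org",
    "MELLON_urn:mace:dir:attribute-def:givenName": "Jane",
    "MELLON_urn:oid:2.5.4.4_0": "Doe",
    "MELLON_urn:oid:2.5.4.4_1": "Doe-Smith",
    "MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "student@example.org",
    "HTTP_HOST": "comanage.example.org",
}
```

Running the three functions over SAMPLE_ENV shows the merged values per attribute, that eduPersonPrincipalName is missing, and that an unrecognised scoped-affiliation variable was released.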
Attribute + Identifier: User input during enrollment flow
Another method is to ask the new CO member to provide a value for a specific attribute. For example, I want the person to provide a value for the Attribute 'Shoe Size'.
Identifier only: Automatically Assigned (unique) value
COmanage automatically calculates and assigns a value, for example during enrollment, based on the configuration specified in Configuration / Identifier Assignments.
Attribute + Identifier: Manually assigned value by CO-Admin
Both Attribute and Identifier values can be updated by the CO-Admin.
(TO BE COMPLETED)