
comanage-users - Re: [comanage-users] Enrolling no implemented?

Subject: COmanage Users List

  • From: Niels van Dijk <>
  • To: Benn Oshrin <>,
  • Subject: Re: [comanage-users] Enrolling no implemented?
  • Date: Thu, 27 Mar 2014 18:24:38 +0100

On 03/15/2014 05:55 PM, Niels van Dijk wrote:
> On 03/14/2014 02:29 AM, Benn Oshrin wrote:
>> On 3/13/14 9:58 PM, Niels van Dijk wrote:
>>
>>> Whenever I try to use a previously created enrolment I get "No
>>> Implemented" after pressing submit. (see screenshot).
>>> Is enrolling in general not implemented or is this caused by a specific
>>> field I request during enrolment?
>>
>> You need to have at least the set of attributes defined here:
>>
>>
>> https://spaces.internet2.edu/display/COmanage/Registry+Enrollment+Flow+Configuration#RegistryEnrollmentFlowConfiguration-DefiningEnrollmentFlows
>>

Ok, so in my scenario I'd like to enroll people coming via SAML, map a
few attributes if available and let the user fill out the rest. I think
this pattern is called "Invitation" in the table over at
https://spaces.internet2.edu/display/COmanage/Registry+Enrollment+Flow+Configuration

Requirements for an enrollment:
The following fields must be defined:
(a) COU, if COUs are enabled
(b) Org Identity Name (see note below)
(c) Org Identity Email Address
(d) CO Person Name (see note below)
(e) CO Person Role Affiliation
(f) See also the note below about automatically populating ePPN (no
need to explicitly define an attribute for this)
(g) See also Configuring Registry Identifier Assignment (no need to
explicitly define an attribute for this)
(h) See also Registry Platform Configuration


To achieve this I think I need to:

1) Configure CMP Enrollment Configuration to "Enable Environment
Attribute Retrieval" and make sure that Shib attribute mapping is set to
deliver the required attributes
(from the shib log:
INFO Shibboleth-TRANSACTION [6]: CMP_EF_SN (1 values)
INFO Shibboleth-TRANSACTION [6]: CMP_EF_GIVENNAME (1 values)
INFO Shibboleth-TRANSACTION [6]: CMP_EF_MAIL (1 values)
INFO Shibboleth-TRANSACTION [6]: shib-eppn (1 values)
I have put shib-eppn in the CMP Enrollment Configuration Environment
Variable Name form to make sure EPPN can be matched. The others default
to the COmanage default config.
The above user authenticates against Shib and the registry successfully.
I think this fulfils requirements (h)

2) I have configured an "Identifier Assignments" to use EPPN, allowing
login and matching the pattern (#) as described by (f)

3) I've configured the enrollment flow with Require Confirmation of
Email and Require Authentication turned on.

I am assuming the combination of (1,2,3) should allow me to match the
following attributes from the SAML attributes: (b) Org Identity Name and
(c) Org Identity Email Address and make use of (f,g)


4) I have defined "CO Enrollment Attributes"
  Name          Name (Official, CO Person)      2   (requirement d)
  Affiliation   Affiliation (CO Person Role)    3   (requirement e)
  Your group    COU (CO Person Role)            1   (requirement a)
I am assuming Org Identity Name and Org Identity Email Address will be
set when the user authenticates. And I am assuming I do not need to
configure these in the enrollment flow as attributes explicitly, as
suggested by "Email Verification and Authentication"

When I now start an enrollment, I am again greeted by "Not implemented",
so I am still missing something, or have configured something
incorrectly. Any tips?

thanks!
Niels



