comanage-users - Re: [comanage-users] ePPN in COPerson

Subject: COmanage Users List

Re: [comanage-users] ePPN in COPerson


  • From: Benn Oshrin <>
  • To: Paul Caskey <>
  • Cc: "" <>
  • Subject: Re: [comanage-users] ePPN in COPerson
  • Date: Fri, 14 Apr 2017 11:12:43 -0500

We probably need better documentation on this (possible admin manual
document?) but typically this is the procedure most deployments use:

(1) Configure shib SP to populate $REMOTE_USER with desired attribute.
(2) Configure enrollment flow to require email verification/confirmation
and require authentication (set mode to probably Review or maybe
Automatic depending on your preference).
(3) Do NOT define an Enrollment attribute for ePPN. It will be
automatically populated into the Org Identity during enrollment.
(4) This places the ePPN into the Org Identity, not the CO Person record
(which is appropriate since it's not a CO/VO attribute), so to populate
it into LDAP you need to tick the 'Copy value from Org Identity'
configuration for the attribute you want to populate into. This probably
isn't eduPersonPrincipalName, since that's single valued, and in a VO
context this is a multivalued attribute. See discussions in MACE-dir,
but for now the workaround is to pick a different attribute (like uid).

See also


https://spaces.internet2.edu/display/COmanage/Registry+Enrollment+Flow+Configuration#RegistryEnrollmentFlowConfiguration-EmailVerification(Confirmation)andAuthentication

There are other, more complicated ways to do this as well, but this is
usually the starting point.

Thanks,

-Benn-

On 4/14/17 9:51 AM, Paul Caskey wrote:
> Howdy!
>
> I’m trying to get ePPN from an authenticated enrollment flow into the
> COPerson.
>
> It’s making it into the Org Person (along with validated email addr),
> but not the COPerson.
>
> I see that I can probably define ePPN as an enrollment attribute, then
> force it to be copied to the CO Person object, but I don’t want to
> display a box on the enrollment form asking the user for their ePPN.
>
> So, what am I missing on populating ePPN in CO Person objects? :)
>
> Thanks!
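
Added example, not part of the thread and not COmanage or Shibboleth project code: a small check for step (1) of the procedure above, confirming that the SP's REMOTE_USER setting resolves to ePPN and only ePPN. The two embedded files are constructed samples, the entityID is a placeholder, and check_remote_user is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (assumptions, not from the thread).
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://registry.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id"/>
</SPConfig>"""

ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
</Attributes>"""

EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName


def _local(tag):
    """Strip the XML namespace so the check works across SP schema versions."""
    return tag.rsplit("}", 1)[-1]


def check_remote_user(sp_xml, map_xml, wanted_oid=EPPN_OID):
    """Return a list of findings; an empty list means REMOTE_USER is ePPN only."""
    mapped = {el.get("name"): el.get("id")
              for el in ET.fromstring(map_xml).iter()
              if _local(el.tag) == "Attribute"}
    wanted_id = mapped.get(wanted_oid)
    if wanted_id is None:
        return [f"{wanted_oid} is not mapped in attribute-map.xml"]

    defaults = [el for el in ET.fromstring(sp_xml).iter()
                if _local(el.tag) == "ApplicationDefaults"]
    if not defaults:
        return ["no ApplicationDefaults element found"]

    # REMOTE_USER is a space-separated list; the SP uses the first id that has a value.
    ids = (defaults[0].get("REMOTE_USER") or "").split()
    findings = []
    if not ids or ids[0] != wanted_id:
        findings.append(f"REMOTE_USER does not start with '{wanted_id}'")
    fallbacks = [i for i in ids if i != wanted_id]
    if fallbacks:
        findings.append("REMOTE_USER falls back to: " + ", ".join(fallbacks))
    return findings


if __name__ == "__main__":
    for finding in check_remote_user(SHIBBOLETH2_XML, ATTRIBUTE_MAP_XML):
        print("FINDING:", finding)
```

With a fallback list, a login from an IdP that does not release ePPN still sets REMOTE_USER, so the identifier recorded in the Org Identity during enrollment would be one of the fallback attributes instead.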


