Skip to Content.
Sympa Menu

comanage-users - [comanage-users] Reading authorative SAML attributes from environment at enrollment

Subject: COmanage Users List

List archive

[comanage-users] Reading authorative SAML attributes from environment at enrollment

Chronological Thread 
  • From: Michiel Uitdehaag <>
  • To: <>
  • Subject: [comanage-users] Reading authorative SAML attributes from environment at enrollment
  • Date: Wed, 22 Nov 2017 11:32:12 +0100
  • Ironport-phdr: 9a23:VkFIdh/pDCTdSP9uRHKM819IXTAuvvDOBiVQ1KB42u8cTK2v8tzYMVDF4r011RmSDNWds6oMotGVmpioYXYH75eFvSJKW713fDhBt/8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFRXjLwp1Ifn+FpLPg8it2e2//57ebx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyhzHontJf+RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKWE169b1uhTFUACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMMvrRr42RDui9b9mRgHohikaNDA3/m/YhcNsg6xUux+hux5yzpTIbI2JOvdzfKXQds4aS2pbWcZRUjRMDIS9b4QTD+oBPPhXr43grFQArBu+GRSjC/3vyjBSnHD20rAx3uMkEQHHwAMgH9MOv2rQrNnvKacSUPy1w7TWwjXDdfxZwzj95ZPTchA8u/GMU7RwftTNyUU1EQPFikydpIr4ND2WzuQAq3WX4uVgWO61l2IrsRx9riKxyssxkoXEhY0YxkrH+Ch72oo5O9K1RU9hbdK6FJZdsTyROZFsTcM4WW5ovT43yr0Ytp6/eygH0JMnxwPDa/CZboSE+wjsVOOKITtigXJldqizhw2v8Ui6xO3wTM+030hWriZdk9nMsG4C1wDL58SaRfZw/l2t1SqV2wzO8O1IP104mbLeK5E7w74wkpQTsV7EHi/zgEj2ia6WeVkk+uip9evnZq/qpoKdN49olw7xLKQuldalDuQ3KQUORHWb+f6y1L3l40L5XK9GjvsykqXBqpDVOdwbprKlAw9Syoss9xG/DzK839Qeh3YHI0xKdAuaj4jyJV7OOuv4AOy7g1Stizdr2+vGMqP7DpXMKHjDjKnufax760FC1Ao/08pT6IxJBbEcc7rPXRqlv9vdBxkwPAHx3v3qEs5V14UCVHiJD7PDdq7erAnbyPgoJrypZYQVuTv5Y8Uk+/LjjXYwlhdJeKii3ZoabDalH+hqLkWQaHXEmcobH2EHokw4SLq52xW5TTdPaiPqDOoH7TYhBdf+AA==


I am currently investigating how I can use the authorative SAML
attributes that auth_mod_mellon passes through configurable environment
variables to the PHP application.
The intended goal is to have these environment variables override any
information in the associated COOrgIdentity records whenever the
application finds a difference. A second best would be to populate the
new OrgIdentity record with these values after completing an enrollment
flow. In either case, the user should not be able to override these
values. However, I fail to find the correct combinations of
configurations to achieve this behaviour.

I am using the 3.0.0-rc2 release. I understand that new behaviour is
introduced in the 3.1.0 release to accomodate a more flexible way of
incorporating these values, but that the 'old' way would remain
functional until the 4.0.0 release.

What I am currently doing is configuring CMP Enrollment Configuration
and defining a set of variables as passed by mod_auth_mellon to the
application. This contains the option:
'Enable Organizational Attributes Via CO Enrollment Flow'

The help text for this option seems to indicate I should enable it,
although the text is confusingly talking about features not being supported.

If I enable this and try to send out an Invitation petition, the
relevant fields are already filled (and not editable) when I create the
petition. But that means these values are derived from the current
(administrator) user and not from the invited person. In fact, I cannot
even change the e-mail address, which prevents me from sending out the
invitation to the new user. This seems a silly feature and I am unsure
of its use case.

If I disable this option, I can set 'Optional', 'Required' or 'Not
Permitted' flags for each of the variables. I am not sure what these do
exactly, but I assume it will enforce something in the enrollment flow.
Unfortunately, I get a database error on a missing co_person_id field
while creating the Invitation petition. No e-mail is sent, but the
petition is created. I did not yet check what specific SQL statement is
failing here, because I am not sure this is the correct way to go either.

Does someone have a suggestion where I should look in this respect? Do I
perhaps need to create a new Organizational Identity Source plugin to
accomodate this?

Thanks in advance,

Michiel Uitdehaag

Archive powered by MHonArc 2.6.19.

Top of Page