
Re: [comanage-users] Collect enrollment attributes during the identity linking


  • From: Michiel Uitdehaag <>
  • To: <>
  • Subject: Re: [comanage-users] Collect enrollment attributes during the identity linking
  • Date: Wed, 22 Aug 2018 11:12:34 +0200

Hi Nick,

I am not completely clear on the actual use case for your specific enrollment flow, so I'm responding in a general way. Also, my information stems from reading bits of the source code and working with specific combinations, so it is far from complete.

Basically, the enrollment procedure creates a COPerson record and you can populate the values of this record using the enrollment attributes. For each attribute you add in the enrollment flow, you can specify if it needs to be copied to COPerson, to OrgIdentity or to both. The default value for the attribute can be based on an environment variable, allowing you to copy Shibboleth injected SAML data, if you happen to know the exact environment prefixes, etc.

If you enable an OIS plugin like envSource, the plugin will create a new OrgIdentity, which exists beside the OrgIdentity created based on the enrollment attributes. You can specify the environment variables as injected by, for example, Shibboleth, to populate the fields of this OrgIdentity during enrollment.
As far as I can see, there is no way to copy information from this additional OrgIdentity to the COPerson record: it is a separate identity and it can be used to 'authenticate' a person (usable in self-enrollment) or to further 'identify' a person (usable in invitation flows). Authenticate and Identify are the only meaningful settings for the 'Enrollment Source' based on the envSource plugin. Mismatching the enrollment source mode may lead to the situation where the flow does not continue properly.

Also, 'givenName' is a required field for both COPerson and OrgIdentity. If your flow does not supply at least this information to the OrgIdentity and COPerson, a database error may occur that can lead to your flow being stuck.

At SURFnet, we added additional code to COmanage core to support copying data from the OIS-created OrgIdentity to the COPerson record. The code is contained in two different PRs:
https://github.com/Internet2/comanage-registry/pull/56
https://github.com/Internet2/comanage-registry/pull/57

This code allows you to set defaults for all attributes and specify that that default needs to be taken from any 'linked OrgIdentity'. Apply at your own risk, etc. etc.

Please note that the above code will allow you to match enrollment attributes based on OIS data at enrollment only. If upstream information changes (new email address, new postal address), the OIS record gets synchronised at login (if so enabled), but the COPerson information is not overwritten: all the various OrgIdentity and COPerson records are separate data containers.

If you want to use enrollment flows in situations where the enrollee already has a COPerson and OrgIdentity record (e.g.: account linking, COU enrollment), then no new records are created, let alone that you can copy information from one container to another.

You can always write a simple enrollment plugin that copies data from one object to another at a specific stage during enrollment. In this way, you can decide yourself when and what to copy or synchronise.

Hope this helps,

Michiel Uitdehaag


On 21-08-18 09:48, Nick Evangelou wrote:
Hello Raoul,

After reading the guide you sent me yesterday I tried to set up the envSource plugin following these instructions: https://spaces.at.internet2.edu/display/COmanage/Consuming+External+Attributes+via+Web+Server+Environment+Variables#ConsumingExternalAttributesviaWebServerEnvironmentVariables-AccountLinking . After running the enrollment, I get logged out and the petition is stuck in “Collect Petitioner Attributes”. Also, I tried to set “Email Confirmation Mode” to “Review”, so the flow is similar to this https://spaces.at.internet2.edu/display/COmanage/Understanding+Registry+Enrollment+and+Linking#UnderstandingRegistryEnrollmentandLinking-SelfMatching but I don’t receive a confirmation email.
Is something wrong with these steps? If not, is there any other way to solve my issue?

Best regards,
Nick


On 20 Aug 2018, at 13:43, Raoul Teeuwen <> wrote:

Hi Nick.

Does the text under “Attributes + Identifier values obtained from identity provider” on https://wiki.surfnet.nl/pages/viewpage.action?pageId=65798157 help a little? I’m not a technical member of our team, so please let me know if this does not help (enough).

Kindest regards,

Raoul Teeuwen
On 20/08/2018, 11:45, Nick Evangelou <> wrote:

Hello everyone,

I’m using the identity linking flow described in the documentation (https://spaces.at.internet2.edu/display/COmanage/Understanding+Registry+Enrollment+and+Linking). We have defined name and email as the enrollment attributes. After the enrollment's completion a new organizational identity is created containing the defined enrollment attributes (e.g. Email) with the values of the currently logged in user. So, my question is, would it be possible to collect the attributes of the new linked identity?

Best regards,
Nick
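As an added illustration of the "simple enrollment plugin" Michiel suggests (example code, not COmanage Registry, SURFnet or the list authors' code): a hypothetical plugin named LinkedAttrCopier that, at the petitioner-attributes-collected step, copies email addresses from every OrgIdentity linked to the petition's CO Person onto the CO Person itself. The execute_plugin_<step>($id, $onFinish) hook, the redirect convention and the CoPetition, CoOrgIdentityLink and EmailAddress model and column names are assumed from Registry's enrollment plugin conventions and should be checked against your version.

```php
<?php
// Hypothetical enrollment-flow plugin "LinkedAttrCopier" (added example, not COmanage
// or SURFnet code). Hook name, $onFinish redirect and the model/column names are
// assumed from COmanage Registry conventions; verify them against your installation.
App::uses('CoPetitionsController', 'Controller');

class LinkedAttrCopierCoPetitionsController extends CoPetitionsController {
  public $name = "LinkedAttrCopierCoPetitions";
  public $uses = array('CoPetition', 'CoOrgIdentityLink', 'EmailAddress');

  // Step hook: runs once the petitioner's attributes are collected, before confirmation.
  protected function execute_plugin_petitionerAttributesCollected($id, $onFinish) {
    $coPersonId = $this->CoPetition->field('enrollee_co_person_id',
                                           array('CoPetition.id' => $id));

    if($coPersonId) {
      // Every OrgIdentity linked to the CO Person, including the one an OIS plugin
      // such as envSource created from web server environment variables.
      $links = $this->CoOrgIdentityLink->find('all', array(
        'conditions' => array('CoOrgIdentityLink.co_person_id' => $coPersonId),
        'contain'    => array('OrgIdentity' => array('EmailAddress'))
      ));

      // Addresses already attached to the CO Person, compared case-insensitively.
      $existing = array_map('strtolower', $this->EmailAddress->find('list', array(
        'conditions' => array('EmailAddress.co_person_id' => $coPersonId),
        'fields'     => array('EmailAddress.id', 'EmailAddress.mail')
      )));

      foreach($links as $l) {
        foreach($l['OrgIdentity']['EmailAddress'] as $ea) {
          if(in_array(strtolower($ea['mail']), $existing)) {
            continue;
          }
          // The verified flag is carried over only when the source record was
          // verified, so copying never turns an unverified address into a verified one.
          $this->EmailAddress->create();
          $this->EmailAddress->save(array(
            'co_person_id' => $coPersonId,
            'mail'         => $ea['mail'],
            'type'         => $ea['type'],
            'verified'     => !empty($ea['verified'])
          ));
          $existing[] = strtolower($ea['mail']);
        }
      }
    }

    // Hand control back to the core enrollment flow.
    $this->redirect($onFinish);
  }
}
```

Because the copy runs only during enrollment, later changes to the OIS-synchronised OrgIdentity are still not propagated, exactly as Michiel describes; a separate synchronisation step would be needed for that.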




