
...

Attribute Requirements

From the SAML message, simpleSAMLphp (http://rnd.feide.no/simplesamlphp) returns the attributes in an associative array. Because the various federations implement some attributes slightly differently, and not all attributes are mandatory, Confusa cannot rely on one fixed attribute name for each piece of information it needs. To address this, the NREN administrator can map the attributes the IdP provides onto the attributes Confusa requires. The required attributes are listed below, each with a short description of its intended use and the consequence when it is unavailable.

...

The organization is used to find the proper maps, administrators etc. It is also added to the DN of the certificate. The most sensible attributes to use here are eduPersonOrgDN (ePODN) or schacHomeOrganization (http://rnd.feide.no/content/schachomeorganization). Which attribute is used can be configured at the NREN level, and only at the NREN level: if it could also be configured at the subscriber level, Confusa could not infer which NREN a subscriber administrator belongs to. If no attribute is set, Confusa cannot sign certificates.

...

The CP/CPS requires us to notify the user about a newly issued certificate through a channel other than the currently active one (the web interface). We therefore need an e-mail address to send a receipt to. The attribute used for this can be configured at NREN and subscriber level by the respective administrators. A reasonable attribute is mail (http://rnd.feide.no/attribute/mail). If no attribute is set, Confusa cannot sign certificates for the user.

...

The entitlement is the IdP's way of telling Confusa that a given user is entitled to certain actions. It is not required for users other than administrators. Since the IdP controls the attribute, it can easily remove an administrator by no longer releasing it; however, we do not want IdPs to add new administrators at will, so this attribute is a necessary but not sufficient condition for administrator privileges.
If it is not set, the user cannot be an administrator. The attribute is freely configurable at the NREN level; we have disabled it at the subscriber level so that subscriber administrators cannot lock themselves and their whole institution out of the portal. We recommend using the eduPersonEntitlement attribute.

TCS-[eScience|Personal]-Portal

The central TCS eScience portal currently uses the following entitlement attributes:

  • urn:mace:terena.org:tcs:escience-user (may request eScience certificates)
  • urn:mace:terena.org:tcs:escience-admin (eScience institution administrator)
  • urn:mace:terena.org:tcs:personal-user (may request personal certificates)
  • urn:mace:terena.org:tcs:personal-admin (personal portal institution administrator)

...

|| Action || ePPN || ePODN || mail || Full Name || entitlement || enforced ||
| Log in | required | optional | optional | optional | optional | yes |
| Admin | required | required | optional | optional | required | yes |
| Create certificate | required | required | required | required | required | yes |
| Revoke certificate (user) | required | optional | optional | optional | optional | yes |
| E-Mail certificate | required | optional | required | optional | optional | yes |
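The following is an added example, not Confusa's own code, showing how the NREN-level attribute mapping described above and the per-action requirement table fit together: the IdP attributes arrive from simpleSAMLphp as an associative array, the mapping renames them to an internal attribute set, and every enforced action is checked against the table before it proceeds, with the admin check treating the entitlement as necessary but not sufficient. The internal attribute keys (eppn, organization, mail, fullname, entitlement), the action names, the use of cn for "Full Name", the function names and the administrator registry array are assumptions made for the example; the sample attribute values are constructed.

```php
<?php
// Added example (not Confusa code): apply an NREN-level attribute mapping to
// the attributes simpleSAMLphp returns and enforce the per-action requirements.
declare(strict_types=1);

// Per-action requirements, transcribed from the table above.
// true = required, false = optional. All of these actions are enforced.
// Internal key names are an assumption of this example.
const ACTION_REQUIREMENTS = [
    'login'              => ['eppn' => true, 'organization' => false, 'mail' => false, 'fullname' => false, 'entitlement' => false],
    'admin'              => ['eppn' => true, 'organization' => true,  'mail' => false, 'fullname' => false, 'entitlement' => true],
    'create_certificate' => ['eppn' => true, 'organization' => true,  'mail' => true,  'fullname' => true,  'entitlement' => true],
    'revoke_certificate' => ['eppn' => true, 'organization' => false, 'mail' => false, 'fullname' => false, 'entitlement' => false],
    'email_certificate'  => ['eppn' => true, 'organization' => false, 'mail' => true,  'fullname' => false, 'entitlement' => false],
];

// Entitlement values the TCS eScience portal uses for administrators (from the list above).
const ADMIN_ENTITLEMENTS = [
    'urn:mace:terena.org:tcs:escience-admin',
    'urn:mace:terena.org:tcs:personal-admin',
];

/**
 * Apply the NREN-level mapping (internal name => IdP attribute name) to the
 * associative array simpleSAMLphp returns (e.g. from $as->getAttributes()).
 * Each SAML attribute is a list of values; entitlement stays multi-valued,
 * everything else keeps its first value. Unmapped or empty attributes are
 * simply absent from the result, so the caller can fail closed.
 */
function mapAttributes(array $samlAttributes, array $mapping): array
{
    $mapped = [];
    foreach ($mapping as $internalName => $idpName) {
        if (!isset($samlAttributes[$idpName]) || $samlAttributes[$idpName] === []) {
            continue;
        }
        $values = array_values($samlAttributes[$idpName]);
        $mapped[$internalName] = $internalName === 'entitlement'
            ? $values
            : trim((string) $values[0]);
    }
    return $mapped;
}

/** Names of required attributes that are missing or empty for the given action. */
function missingAttributes(array $mapped, string $action): array
{
    if (!isset(ACTION_REQUIREMENTS[$action])) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    $missing = [];
    foreach (ACTION_REQUIREMENTS[$action] as $name => $required) {
        if ($required && (!isset($mapped[$name]) || $mapped[$name] === '' || $mapped[$name] === [])) {
            $missing[] = $name;
        }
    }
    return $missing;
}

/**
 * Decide whether the user may perform an action. $configuredAdmins is an
 * assumed registry (organization => list of ePPNs) standing in for the
 * administrators Confusa itself knows about; an admin entitlement from the
 * IdP alone is not enough.
 */
function mayPerform(array $mapped, string $action, array $configuredAdmins): bool
{
    if (missingAttributes($mapped, $action) !== []) {
        return false; // enforced action: every required attribute must be present
    }
    if ($action === 'admin') {
        $hasAdminEntitlement = array_intersect($mapped['entitlement'], ADMIN_ENTITLEMENTS) !== [];
        $registered = in_array($mapped['eppn'], $configuredAdmins[$mapped['organization']] ?? [], true);
        return $hasAdminEntitlement && $registered;
    }
    return true;
}

// Constructed sample: what an IdP might release for one user (no mail attribute).
$samlAttributes = [
    'eduPersonPrincipalName' => ['alice@example.org'],
    'schacHomeOrganization'  => ['example.org'],
    'cn'                     => ['Alice Example'],
    'eduPersonEntitlement'   => ['urn:mace:terena.org:tcs:escience-user'],
];
// NREN-level mapping: internal name => attribute name released by the IdP.
$nrenMapping = [
    'eppn'         => 'eduPersonPrincipalName',
    'organization' => 'schacHomeOrganization',
    'mail'         => 'mail',
    'fullname'     => 'cn',
    'entitlement'  => 'eduPersonEntitlement',
];
$mapped = mapAttributes($samlAttributes, $nrenMapping);
foreach (array_keys(ACTION_REQUIREMENTS) as $action) {
    $missing = missingAttributes($mapped, $action);
    $verdict = $missing !== []
        ? 'denied, missing: ' . implode(', ', $missing)
        : (mayPerform($mapped, $action, ['example.org' => []]) ? 'allowed' : 'denied');
    printf("%-20s %s\n", $action, $verdict);
}
```

With the sample above, login and revoke_certificate are allowed, create_certificate and email_certificate are denied because no mail attribute was released, and admin is denied even though all required attributes are present, since the user carries neither an admin entitlement nor an entry in the administrator registry.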

The 3 different Attribute Mapping cases

...

The attribute mapping process (NREN)


System Requirements

We try to write distribution-independent code. However, subtle differences between GNU/Linux distributions may lead to the occasional bug. Confusa is tested on, and should work flawlessly on, the following distributions:

...