Supported Attributes
- We do not provide attributes that are only single valued: especially displayName
- All additional names get put into CN
- In the future offer proxy to do aggregation on behalf of SP
Incoming attributes will be collected and passed on untouched:
2.2.13. eduPersonUniqueId -> Only incoming
2.2.8. eduPersonPrincipalName -> Only incoming
Other outgoing attributes:
2.2.1. eduPersonAffiliation
2.2.2. eduPersonEntitlement
2.2.10. eduPersonScopedAffiliation
2.2.12. eduPersonAssurance
2.2.14. eduPersonOrcid
3.2. cn (commonName)
3.3. description
3.4. displayName -> Via IdP (R&S)
3.6. givenName
3.13. mail
3.15. mobile -> future use?
3.24. sn (surname)
3.27. telephoneNumber -> future use?
3.31. userCertificate
x.y IsMemberOf
Support of ssh pubkey?
Attribute Scoping
IsMemberOf and eduPersonEntitlement are both scoped to the VO using an at sign
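As an added illustration of the scoping rule above (example code, not from the original notes or from eduTEAMS): a filter that lets a scoped value through only when the part after the at sign is a scope the proxy is allowed to release for that VO, so a group or entitlement asserted for some other VO is dropped rather than forwarded. The VO names and attribute values are constructed; eduPersonScopedAffiliation is included in the scoped set because the eduPerson schema defines it as scoped, not because the notes list it.

```python
# Added example, not part of the original notes. Checks the VO scope of
# attributes that the notes describe as "scoped to the VO using an at sign".
from typing import Dict, Iterable, List, Tuple

# isMemberOf and eduPersonEntitlement come from the notes above;
# eduPersonScopedAffiliation is scoped by definition in the eduPerson schema.
SCOPED_ATTRIBUTES = {"isMemberOf", "eduPersonEntitlement", "eduPersonScopedAffiliation"}


def split_scoped(value: str) -> Tuple[str, str]:
    """Split 'local@scope' at the last '@'; the scope is lower-cased.

    Raises ValueError when the value has no scope part at all.
    """
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        raise ValueError(f"value is not scoped: {value!r}")
    return local, scope.lower()


def filter_scoped(attributes: Dict[str, List[str]],
                  allowed_scopes: Iterable[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (accepted attributes, list of rejection reasons).

    Unscoped attributes (mail, cn, ...) pass through untouched; scoped
    attributes keep only the values whose scope is in allowed_scopes.
    """
    allowed = {s.lower() for s in allowed_scopes}
    accepted: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        kept = []
        for value in values:
            try:
                _, scope = split_scoped(value)
            except ValueError:
                rejected.append(f"{name}={value!r}: no scope")
                continue
            if scope in allowed:
                kept.append(value)
            else:
                rejected.append(f"{name}={value!r}: scope {scope!r} not permitted")
        if kept:
            accepted[name] = kept
    return accepted, rejected


# Constructed sample: one VO's attributes as the proxy might receive them.
SAMPLE = {
    "isMemberOf": ["researchers@vo.example.org",
                   "admins@other.example.org",   # another VO's group
                   "orphan"],                    # no scope at all
    "eduPersonEntitlement": ["urn:geant:example.org:res:storage@VO.example.org"],
    "mail": ["alice@example.org"],               # not a scoped attribute
}

if __name__ == "__main__":
    ok, bad = filter_scoped(SAMPLE, ["vo.example.org"])
    print("released:", ok)
    print("dropped:", bad)
```

The scope comparison is case-insensitive and the split is on the last at sign, so an entitlement URN that itself contains other punctuation is still scoped correctly; values with no scope are treated as a rejection rather than silently released.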
Changes needed for eduTEAMS Identity Hub
- Publish IdP proxy metadata for a single proxy endpoint
- Check incoming attributes on Backend to see if we are getting enough info to be R&S compliant
- incorporate/use discovery service
GAPS identified for Membership Management
- VOOT ansible scripts
- COmanage Ansible needs changing - Basic provisioning
- Ansible for export script - Ansibelize script deployment
- Ansible for MySQL database for Master -> Slave replication
- Load balancers Ansible
- GUI for connecting SP to CO
- GUI for onboarding new VO/VO admin
- Out of band via email initially
- We send out an invite to the invite form
- Validate if the user is in GEANT by calling external service.
- If false, present a good error message.
- Fill in form, which needs custom fields
- Define the fields
- Include SPs
- Define the fields
- Email to validate the entry
- We ok the entry
- Use provisioning plugin to provision into specific DB or LDAP OR better via API directly into Comanage.
- For initial Pilot use wiki page for "form" questions + email.