
The Env Organizational Identity Source Plugin is designed to pull attributes from environment variables, generally populated by web server authentication modules.


Org Identity Source Mode | Support
Manual Search and Linking | Not supported
Enrollment, Authenticated | Supported
Enrollment, Claim | Not supported
Enrollment, Search | Not supported
Enrollment, Select | Not supported

Org Identity Sync Mode | Support
Full | Not supported
Query | Not supported
Update | Not supported
Manual | Not supported


Each environment variable must be mapped to the data element that its value should populate.

  • An environment variable must be mapped to Identifier (System of Record ID), which will serve as the unique key for the record.
  • In order for an identifier to be used for login to Registry, the Login box must be ticked for that identifier in the configuration.
    • Warning: The System of Record ID is not intended to be a login identifier, since it is a unique, persistent key. To use an identifier as both a System of Record ID and a login identifier, populate it into both the Identifier (System of Record ID) field and another Identifier field, such as Network or ePPN.
  • A valid Organizational Identity requires a Primary Name, so the environment variables should collect a name from the external identity provider in order for an Organizational Identity to be created. If the environment variable mapped to Given Name (Official) is empty, the value of the environment variable mapped to Identifier (System of Record ID) will be used. If the environment variable mapped to Family Name (Official) is empty, the value from the localization text is used (the localization texts for the plugin are found in the Lib/lang.php file under Plugin/EnvSource).
  • Warning: Be sure to click Save when presented with the initial configuration page, even if accepting the default environment variable names presented.

Deployers using mod_auth_openidc for authentication must adjust the names of expected environment variables.

Duplicate Handling

Registry v4.1.0 adds duplicate handling capabilities when EnvSource is used as an Enrollment Source. There are three available modes:

  • SOR Identifier Match: If the System of Record ID of the new Organizational Identity Source Record matches a System of Record Identifier on an existing Org Identity, the record is considered a duplicate. This is the default behavior, and is basically the behavior prior to Registry v4.1.0.
  • Any Identifier Match: If any Identifier for the new Organizational Identity Source Record matches an Active Identifier of the same type, attached to either an Org Identity or a CO Person, the record is considered a duplicate.
  • Login Identifier Match: As for Any Identifier Match, but only Identifiers flagged for login are considered.

When duplicate conditions are detected, the Petition is automatically flagged as duplicate and the enrollment terminates. The Petition is not linked to a CO Person.
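The three modes can be compared side by side with a small model. This is an added example, not Registry's own code and not part of the original page; the mode names, type labels, sample records, and the reading that the login flag is checked on the incoming identifier are assumptions made for illustration.

```python
from dataclasses import dataclass

SORID = "sorid"  # hypothetical type label for Identifier (System of Record ID)

@dataclass(frozen=True)
class Identifier:
    value: str
    type: str                    # hypothetical labels: "sorid", "eppn", "network"
    login: bool = False          # assumption: Login box ticked for this identifier
    active: bool = True
    owner: str = "org_identity"  # or "co_person"

def is_duplicate(mode, new_ids, existing):
    """True if the new source record counts as a duplicate under the given mode."""
    if mode == "sor":
        # Only the SOR ID is compared, and only against Org Identities.
        new_sor = {i.value for i in new_ids if i.type == SORID}
        return any(e.type == SORID and e.owner == "org_identity"
                   and e.value in new_sor for e in existing)
    if mode not in ("any", "login"):
        raise ValueError(f"unknown mode: {mode}")
    # Same type and value, existing identifier Active, either kind of owner.
    active = {(e.type, e.value) for e in existing if e.active}
    considered = [i for i in new_ids if mode == "any" or i.login]
    return any((i.type, i.value) in active for i in considered)

def classify(new_ids, existing):
    """Evaluate one incoming record under all three modes."""
    return {m: is_duplicate(m, new_ids, existing) for m in ("sor", "any", "login")}

# Constructed sample data: identifiers already stored in the registry.
EXISTING = [
    Identifier("A1", SORID),
    Identifier("alice@example.edu", "eppn", login=True),
    Identifier("alice", "network", owner="co_person"),
    Identifier("old@example.edu", "eppn", login=True, active=False),
]
# Constructed incoming records, as they might be built from environment variables.
SAME_SOR = [Identifier("A1", SORID)]
NEW_SOR_SAME_EPPN = [Identifier("B2", SORID),
                     Identifier("alice@example.edu", "eppn", login=True)]
NEW_SOR_SAME_NETWORK = [Identifier("C3", SORID), Identifier("alice", "network")]
ONLY_INACTIVE_MATCH = [Identifier("D4", SORID),
                       Identifier("old@example.edu", "eppn", login=True)]

if __name__ == "__main__":
    for name in ("SAME_SOR", "NEW_SOR_SAME_EPPN",
                 "NEW_SOR_SAME_NETWORK", "ONLY_INACTIVE_MATCH"):
        print(name, classify(globals()[name], EXISTING))
```

In this model the default mode does not flag a record that arrives with a different System of Record ID but an already registered ePPN, while the two identifier-based modes do.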

Redirect on Duplicate URL may be specified to send the Petitioner to a page or destination with more information.

You may need to adjust the configuration of your web server authentication module, e.g. the Shibboleth SP, to ensure that the attributes for the authenticated user are put into the environment so that they can be consumed by Env Source. You may want to review the section "Integrate Web Server Authentication" at Registry Installation - Source.

See Also