
Sourcing Organizational Identities

COmanage Registry can source Organizational Identities from multiple sources. When these sources are the official records of an organization (usually via LDAP or SAML), they are considered authoritative.

Not all COs will be able to source Organizational Identities from authoritative sources. As such, the platform may be configured to allow Organizational Identities to be added as part of a CO Enrollment Flow.

To enable collection of Organizational Identities attributes during CO Enrollment Flows, log in to COmanage Registry as a platform administrator. Select "CMP Enrollment Configuration", check the box for "Enable Organizational Attributes Via CO Enrollment Flow", and click "Save".

(warning) As of COmanage Registry v0.9.3, this setting is enabled by default for all new installations.

Pooling Organizational Identities

(warning) As of COmanage Registry v1.0.0, this setting can no longer be changed after setup. For more information, see Organizational Identity Pooling.

Populating Organizational Identity Attributes From Authoritative Sources

COmanage Registry supports obtaining identity attributes from authoritative sources (such as via SAML assertions or LDAP directories) and loading them into Organizational Identity records as part of an Enrollment Flow.

Attributes that can be populated from an Authoritative Source are:

  • Name (type official)
  • Address (type office)
  • Email (type official)
  • Phone (type office)
  • Organizational Identity attributes: affiliation, o, ou, title

Automatic Updating of Organizational Identities

If Organizational Identity Attributes are obtained from any of the sources described below, automatic updating of organizational identities will also be enabled. Specifically, when a user logs in to COmanage Registry, any organizational identity that matches their login identifier will have the attributes listed above updated, if obtained from the external source. (If there is more than one of a given attribute, say more than one office address, all matching attributes will be updated.)

Note this only applies to the Organizational Identity. If a CO Person was created from an Enrollment Flow where attributes were copied from the Organizational Identity to the CO Person record, those CO Person attributes will not be updated.
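The update rule described above, modelled as an added Python example (this is illustrative code, not COmanage Registry's own implementation). It assumes Organizational Identities are plain dictionaries, that the login identifier is compared exactly, and that a CO Person created by enrollment holds a copy of the Organizational Identity; the sample records and the sourced attributes are constructed.

```python
"""Model of automatic updating of Organizational Identities from an
authoritative source. Added example, not COmanage Registry code."""
from copy import deepcopy

# Typed attributes the page says are refreshed from the source, with the
# type that is refreshed (official name/email, office address/phone).
SOURCED_TYPES = {
    "name": "official",
    "address": "office",
    "email": "official",
    "phone": "office",
}
# Scalar Organizational Identity attributes refreshed from the source.
SCALAR_ATTRS = ("affiliation", "o", "ou", "title")


def update_org_identities(org_identities, login_identifier, sourced):
    """Apply attributes obtained from LDAP/SAML (`sourced`) to every
    Organizational Identity whose identifier matches the login identifier.

    Returns the number of identities touched. Only the Organizational
    Identities are passed in; CO Person records created from them during
    enrollment are not refreshed, matching the note in the text.
    """
    touched = 0
    for oi in org_identities:
        if oi.get("identifier") != login_identifier:
            continue
        touched += 1
        for attr in SCALAR_ATTRS:
            if attr in sourced:
                oi[attr] = sourced[attr]
        for attr, wanted_type in SOURCED_TYPES.items():
            if attr not in sourced:
                continue
            # Every entry of the matching type is updated, so two office
            # addresses both receive the sourced value; other types are left.
            for entry in oi.get(attr, []):
                if entry.get("type") == wanted_type:
                    entry.update(sourced[attr])
    return touched


def enroll_co_person(org_identity):
    """Enrollment flow copying attributes into a new CO Person (assumption:
    the copy is independent of the Organizational Identity afterwards)."""
    co_person = deepcopy(org_identity)
    co_person["source_identifier"] = org_identity["identifier"]
    return co_person


def demo():
    """Constructed sample data: one user with two office addresses and one
    home address, plus an unrelated identity; returns the results."""
    org_identities = [
        {"identifier": "alex@example.edu", "o": "Example University",
         "title": "Engineer",
         "address": [{"type": "office", "street": "1 Campus Way"},
                     {"type": "office", "street": "2 Lab Road"},
                     {"type": "home", "street": "9 Private Lane"}]},
        {"identifier": "sam@example.edu", "o": "Other University",
         "title": "Analyst", "address": []},
    ]
    co_person = enroll_co_person(org_identities[0])
    # Attributes as they might arrive from the directory at the next login.
    sourced = {"title": "Senior Engineer",
               "address": {"street": "10 New Building"}}
    touched = update_org_identities(org_identities, "alex@example.edu", sourced)
    return touched, org_identities, co_person


if __name__ == "__main__":
    touched, identities, co_person = demo()
    print(touched, identities[0], co_person["title"])
```

Running `demo()` updates only the first identity: both office addresses change, the home address and the second identity are untouched, and the CO Person copy still carries the title it was enrolled with.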

Web Server Environment Variables

Web Server Environment Variables can be set by authentication (or other types of) modules, which Registry can then reference. For example, if you are using the Shibboleth SP, you can configure the export of attributes received by the SP into environment variables. Configuring your authentication engine is beyond the scope of this document.

Once these attributes are exposed, check Enable Environment Attribute Retrieval (Platform >> CMP Enrollment Configurations). This will display a mapping table that allows you to define which environment variable corresponds to which Organizational Identity attribute. Default names are prepopulated; you can replace or delete any of them. How these variables are used depends on your configuration.

If you have checked Enable Organizational Attributes Via CO Enrollment Flow, then when a petition is created the corresponding attributes will be populated if

  1. The setting Ignore Authoritative Values is not checked for the Enrollment Flow
  2. For each attribute, the setting Ignore Authoritative Values is not checked for the Enrollment Attribute
  3. If there is a default value defined for the attribute, it is flagged Modifiable
  4. The environment variable is not empty
    1. This generally requires authentication so that your appropriate authentication engine can be triggered and set the variables, so the Enrollment Flow will most likely require Petitioner Enrollment Authorization to be set to anything other than None.
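The four conditions above, worked through as an added Python example (illustrative code, not COmanage Registry's own logic). The environment variable names, the attribute keys and the mapping table are constructed for the example; Registry prepopulates its own default names. The sample environment stands in for what an authentication module such as the Shibboleth SP would export after a successful login, which is why condition 4 depends on the flow requiring authentication.

```python
"""Model of how a petition's attributes are populated from web server
environment variables. Added example, not COmanage Registry code."""
import os

# Constructed mapping table: environment variable -> Org Identity attribute.
ENV_MAP = {
    "givenName": "name.given",
    "sn": "name.family",
    "mail": "email.official",
    "eduPersonAffiliation": "affiliation",
    "o": "o",
    "ou": "ou",
    "title": "title",
}


def populate_petition(env, env_map, flow, enrollment_attrs):
    """Return {attribute: {"value": ..., "modifiable": bool}} for a new petition.

    env: mapping of variable name -> value (os.environ in practice). It is
         only meaningful once the authentication module has run, so a flow
         with Petitioner Enrollment Authorization set to None will usually
         see empty variables and fall through to defaults.
    flow: {"ignore_authoritative": bool}   (Enrollment Flow setting)
    enrollment_attrs: list of {"attr": str, "ignore_authoritative": bool,
                               "default": str or None, "modifiable": bool}
    """
    var_for_attr = {attr: var for var, attr in env_map.items()}
    result = {}
    for ea in enrollment_attrs:
        attr = ea["attr"]
        default = ea.get("default")
        modifiable = ea.get("modifiable", True)
        var = var_for_attr.get(attr)
        env_value = env.get(var, "") if var else ""

        use_env = (
            not flow.get("ignore_authoritative", False)    # 1: flow setting
            and not ea.get("ignore_authoritative", False)  # 2: attribute setting
            and (default is None or modifiable)            # 3: default must be Modifiable
            and env_value != ""                            # 4: variable not empty
        )
        if use_env:
            # Populated from the environment: locked within the petition.
            result[attr] = {"value": env_value, "modifiable": False}
        else:
            result[attr] = {"value": default, "modifiable": modifiable}
    return result


# Constructed sample environment, as exported after authentication.
SAMPLE_ENV = {
    "givenName": "Alex",
    "sn": "Example",
    "mail": "alex@example.edu",
    "eduPersonAffiliation": "member",
    "o": "Example University",
    "ou": "",                      # empty: condition 4 fails
    "title": "Research Engineer",
}
SAMPLE_FLOW = {"ignore_authoritative": False}
SAMPLE_ATTRS = [
    {"attr": "name.given", "ignore_authoritative": False,
     "default": None, "modifiable": True},                 # all conditions hold
    {"attr": "name.family", "ignore_authoritative": True,
     "default": None, "modifiable": True},                 # condition 2 fails
    {"attr": "o", "ignore_authoritative": False,
     "default": "Other University", "modifiable": False},  # condition 3 fails
    {"attr": "ou", "ignore_authoritative": False,
     "default": "Unassigned", "modifiable": True},         # condition 4 fails
    {"attr": "title", "ignore_authoritative": False,
     "default": "Staff", "modifiable": True},              # env overrides default
]


def demo(env=None):
    """Run the sample; pass env=os.environ to use the real web server variables."""
    return populate_petition(SAMPLE_ENV if env is None else env,
                             ENV_MAP, SAMPLE_FLOW, SAMPLE_ATTRS)


if __name__ == "__main__":
    for attr, outcome in demo().items():
        print(attr, outcome)
```

With the sample data only `name.given` and `title` are taken from the environment and become Not Modifiable; `name.family`, `o` and `ou` each fail one condition and keep their defaults. Setting the flow's Ignore Authoritative Values makes every attribute fall back to its default, which is condition 1 in isolation.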

If the attribute is populated from the environment, that attribute will become 'Not Modifiable' within the petition.

If you have not enabled organizational attributes via CO Enrollment Flow, the values will directly populate the Organizational Identity record as part of an enrollment. However, this is not currently implemented. (CO-673)
