See also: Special Characteristics of the COmanage CO
Sourcing Organizational Identities
COmanage Registry can source Organizational Identities from multiple sources. When these sources are the official records of an organization (usually via LDAP or SAML), they are considered authoritative.
Not all COs will be able to source Organizational Identities from authoritative sources. As such, the platform may be configured to allow Organizational Identities to be added as part of a CO Enrollment Flow.
To enable collection of Organizational Identities attributes during CO Enrollment Flows, log in to COmanage Registry as a platform administrator. Select "CMP Enrollment Configuration", check the box for "Enable Organizational Attributes Via CO Enrollment Flow", and click "Save".
As of COmanage Registry v0.9.3, this setting is enabled by default for all new installations.
Pooling Organizational Identities
As of COmanage Registry v1.0.0, this setting can no longer be changed after setup. For more information, see Organizational Identity Pooling.
Populating Organizational Identity Attributes From Authoritative Sources
COmanage Registry supports obtaining identity attributes from authoritative sources (such as via SAML assertions or LDAP directories) and loading them into Organizational Identity records as part of an Enrollment Flow.
Attributes that can be populated from an Authoritative Source are:
- Name (type
official
) - Address (type
office
) - Email (type
official
) - Phone (type
office
) - Organizational Identity attributes:
affiliation
,o
,ou
,title
Automatic Updating of Organizational Identities
If Organizational Identity Attributes are obtained from any of the sources described below, automatic updating of organizational identities will also be enabled. Specifically, when a user logs in to COmanage Registry, any organizational identity that matches their login identifier will have the attributes listed above updated, if obtained from the external source. (If there is more than one of a given attribute, say more than one office address, all matching attributes will be updated.)
Note this only applies to the Organizational Identity. If a CO Person was created from an Enrollment Flow where attributes were copied from the Organizational Identity to the CO Person record, those CO Person attributes will not be updated.
Web Server Environment Variables
As of Registry v3.1.0, this section has largely been superseded by Consuming External Attributes via Web Server Environment Variables.
Web Server Environment Variables can be set by authentication (or other type of) modules, which Registry can then reference. For example, if you are using the Shibboleth SP, you can configure the export of attributes received by the SP into environment variables. Configuring your authentication engine is beyond the scope of this document.
Once these attributes are exposed, check Enable Environment Attribute Retrieval (Platform >> CMP Enrollment Configurations). This will display a mapping table that allows you to define which environment variable corresponds to which Organizational Identity attributes. Default names are prepopulated, however you can replace or delete any of them. How these variables are used depends on your configuration.
If you have checked Enable Organizational Attributes Via CO Enrollment Flow, then when a petition is created the corresponding attributes will be populated if
- The setting Ignore Authoritative Values is not checked for the Enrollment Flow
- For each attribute, the setting Ignore Authoritative Values is not checked for the Enrollment Attribute
- If there is a default value defined for the attribute, it is flagged Modifiable
- The environment variable is not empty
- This generally requires authentication so that your appropriate authentication engine can be triggered and set the variables, so the Enrollment Flow will most likely require Petitioner Enrollment Authorization to be set to anything other than None.
If the attribute is populated from the environment, that attribute will become 'Not Modifiable' within the petition.
If you have not enabled organizational attributes via CO Enrollment Flow, the values will directly populate the Organizational Identity record as part of an enrollment. However, this is not currently implemented. (CO-673)