See also: Special Characteristics of the COmanage CO
COmanage Registry can source Organizational Identities from multiple sources. When these sources are the official records of an organization (usually via LDAP or SAML), they are considered authoritative.
Not all COs will be able to source Organizational Identities from authoritative sources. As such, the platform may be configured to allow Organizational Identities to be added as part of a CO Enrollment Flow.
To enable collection of Organizational Identities attributes during CO Enrollment Flows, log in to COmanage Registry as a platform administrator. Select "CMP Enrollment Configuration", check the box for "Enable Organizational Attributes Via CO Enrollment Flow", and click "Save".
As of COmanage Registry v0.9.3, this setting is enabled by default for all new installations.
As of COmanage Registry v1.0.0, this setting can no longer be changed after setup. For more information, see Organizational Identity Pooling.
COmanage Registry supports obtaining identity attributes from authoritative sources (such as via SAML assertions or LDAP directories) and loading them into Organizational Identity records as part of an Enrollment Flow.
Attributes that can be populated from an Authoritative Source are:
official
)office
)official
)office
)affiliation, o, ou, title
Automatic Updating of Organizational Identities
If Organizational Identity Attributes are obtained from any of the sources described below, automatic updating of organizational identities will also be enabled. Specifically, when a user logs in to COmanage Registry, any organizational identity that matches their login identifier will have the attributes listed above updated, if obtained from the external source. (If there is more than one of a given attribute, say more than one office address, all matching attributes will be updated.)
Note this only applies to the Organizational Identity. If a CO Person was created from an Enrollment Flow where attributes were copied from the Organizational Identity to the CO Person record, those CO Person attributes will not be updated.
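The update behaviour described above, as a simplified in-memory model added here for illustration (it is not COmanage Registry code; the record layout, function names and sample data are hypothetical and constructed). It also shows a check for CO Person attributes that no longer match their Organizational Identity after a login refresh, which matters if those copies feed authorization decisions.

```python
# Added illustration: simplified model, not COmanage Registry code.
# Record layout, names and sample values are hypothetical / constructed.
REFRESHABLE = {"affiliation", "o", "ou", "title", "office_address"}

def update_on_login(org_identities, login_identifier, source_attrs):
    """Refresh every Organizational Identity matching the login identifier.

    Only attributes actually obtained from the external source are touched.
    Returns the ids of the records that were refreshed."""
    refreshed = []
    for oi in org_identities:
        if oi["identifier"] != login_identifier:
            continue
        for name, value in source_attrs.items():
            if name not in REFRESHABLE:
                continue
            current = oi["attrs"].get(name)
            if isinstance(current, list):
                # More than one value of this attribute: all are updated.
                oi["attrs"][name] = [value] * len(current)
            else:
                oi["attrs"][name] = value
        refreshed.append(oi["id"])
    return refreshed

def stale_co_person_attrs(co_person, org_identity):
    """Names of CO Person attributes (copied at enrollment) that no longer
    match the refreshed Organizational Identity."""
    oi_attrs = org_identity["attrs"]
    return sorted(name for name, value in co_person["attrs"].items()
                  if name in oi_attrs and oi_attrs[name] != value)

def demo():
    org_ids = [
        {"id": 1, "identifier": "alice@example.edu",
         "attrs": {"title": "Postdoc", "affiliation": "staff",
                   "office_address": ["Room 1", "Room 2"]}},
        {"id": 2, "identifier": "bob@example.edu",
         "attrs": {"title": "Student", "affiliation": "student"}},
    ]
    # CO Person created at enrollment with values copied from Org Identity 1.
    co_person = {"attrs": {"title": "Postdoc", "affiliation": "staff"}}
    # Values supplied by the external source at the next login
    # (no affiliation supplied, so that attribute is left alone).
    refreshed = update_on_login(org_ids, "alice@example.edu",
                                {"title": "Professor", "office_address": "Room 9"})
    return refreshed, org_ids, stale_co_person_attrs(co_person, org_ids[0])
```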
As of Registry v3.1.0, this section has largely been superseded by Consuming External Attributes via Web Server Environment Variables.
Web Server Environment Variables can be set by authentication (or other types of) modules, which Registry can then reference. For example, if you are using the Shibboleth SP, you can configure the export of attributes received by the SP into environment variables. Configuring your authentication engine is beyond the scope of this document.
Once these attributes are exposed, check Enable Environment Attribute Retrieval (Platform >> CMP Enrollment Configurations). This will display a mapping table that allows you to define which environment variable corresponds to which Organizational Identity attributes. Default names are prepopulated; however, you can replace or delete any of them. How these variables are used depends on your configuration.
If you have checked Enable Organizational Attributes Via CO Enrollment Flow, then when a petition is created the corresponding attributes will be populated if
If the attribute is populated from the environment, that attribute will become 'Not Modifiable' within the petition.
If you have not enabled organizational attributes via CO Enrollment Flow, the values will directly populate the Organizational Identity record as part of an enrollment. However, this is not currently implemented. (CO-673)