This action requires a user to be a Site Administrator.
To designate a Delegated Administrator (DA) and to assign access, sign into the Federation Manager and select "Delegated Administrators" from the top navigation menu to enter the Delegated Administrators management page.
Add or remove a Delegated Administrator
Select "Add a Delegated Administrator" from the "Delegated Administrators" drop down menu.
On the Add a Delegated Administrator page, enter the person's ePPN, first and last name, email address, phone number, and job title.
From the "Delegated Administrators" page, enter the name and email address of the person you wish to designate as a DA and click "Add".
If the DA has already completed the Internet2 (I2) Identity Services registration, and the email you entered matches their email address recorded in I2 Identity Services, Federation Manager will link the records. When the link is in place, the DA's record only displays a "Remove" option (see record 2 in image above).
Related: Prepare for Delegated Administration assignment
If the DA entered has not completed the I2 Identity Services registration process, Federation Manager will send an email invitation to the supplied email address (copying all other site administrators as well). The prospective DA clicks the link in the email to continue with the process.
A DA always logs into Federation Manager using a federated single sign-on identity provider. There is no local account or password for a DA.
About ePPN
ePPN (eduPersonPrincipalName) is a standard attribute in the InCommon Federation. ePPN is typically a human-readable user identifier. Federation Manager uses ePPN to connect that person's access to Federation Manager with your IdP. By supplying the ePPN for the prospective Delegated Administrator, you are asserting that your IdP always asserts that ePPN for the same individual. Further, you are asserting that the ePPN always belongs to the intended individual. Changing a user's ePPN can cause the user to lose access or inadvertently reassign access to the wrong person.
What if my organization does not have an Identity Provider published in InCommon?
Federation Manager supports Delegated Administrator sign in using Google accounts via the Google Gateway. Because a Google account address does not always end in “@gmail.com”, enter the user's ePPN in the following format:
username+domain@google.incommon.org
For example, if the user has a Google account address of
foo@gmail.com
enter the user's ePPN in the following form:
foo+gmail.com@google.incommon.org
See the Google Gateway wiki page for more information.
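An added example (not part of the original page or of Federation Manager) that builds the Gateway-form ePPN from a Google account address and rejects entries that would map ambiguously, since a wrong ePPN can hand access to the wrong person. The function names and the refusal of addresses containing "+" are assumptions; the page only gives the format and the foo@gmail.com example.

```python
GATEWAY_SCOPE = "google.incommon.org"  # scope shown in the page's ePPN format


class EppnError(ValueError):
    """Raised when an address cannot be mapped unambiguously."""


def google_to_eppn(address: str) -> str:
    """Map a Google account address to username+domain@google.incommon.org."""
    address = address.strip()
    if any(ch.isspace() for ch in address):
        raise EppnError(f"whitespace inside address: {address!r}")
    if address.count("@") != 1:
        raise EppnError(f"expected exactly one '@': {address!r}")
    username, domain = address.split("@")
    if not username or "." not in domain.strip("."):
        raise EppnError(f"missing username or domain: {address!r}")
    if domain.lower() == GATEWAY_SCOPE:
        raise EppnError(f"already in Gateway form: {address!r}")
    if "+" in address:
        # Assumption: the page does not say how '+' in a Google address is
        # treated, so refuse instead of producing an ambiguous ePPN.
        raise EppnError(f"'+' makes the mapping ambiguous: {address!r}")
    return f"{username}+{domain}@{GATEWAY_SCOPE}"


def eppn_to_google(eppn: str) -> str:
    """Recover the Google account address from a Gateway-form ePPN."""
    local, _, scope = eppn.strip().rpartition("@")
    username, plus, domain = local.partition("+")
    if scope != GATEWAY_SCOPE or not (username and plus and domain):
        raise EppnError(f"not a Google Gateway ePPN: {eppn!r}")
    return f"{username}@{domain}"


def check_batch(addresses):
    """Return (accepted {address: ePPN}, rejected {address: reason})."""
    accepted, rejected = {}, {}
    for addr in addresses:
        try:
            accepted[addr] = google_to_eppn(addr)
        except EppnError as exc:
            rejected[addr] = str(exc)
    return accepted, rejected


# Constructed sample input; the first entry is the page's own example.
SAMPLE = ["foo@gmail.com", "alice@example.edu",
          "foo+gmail.com@google.incommon.org", "bob@@gmail.com"]
```

Running `check_batch` over a list of prospective DAs before entering them flags double-converted or malformed addresses, and `eppn_to_google` lets you read an existing entry back to the account it refers to.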
View and update a Delegated Administrator's profile
Select "Manage Delegated Administrators" from the "Delegated Administrators" drop down menu.
Click a Delegated Administrator's name to see his/her profile. The profile includes a list of Service Providers s/he can manage.
Click the "Edit" link to the right for quick access to edit the DA's profile (name, email, phone, title) information.
The invitation contains a one-time link to invite the prospective DA to sign in and complete the one-time identity registration process. As long as the registration is not complete, a "Resend Enrollment Email" button remains visible next to that DA's record.
For more information about the registration process, see Internet2 Identity Services Registration Guide.
Resend Enrollment Email
The invitation to complete an I2 Identity Services registration has a 7-day expiration window. In the event a DA is unable to complete registration in that period, you can resend the invitation to the DA by clicking the "Resend Enrollment Email" button.
IMPORTANT: if the DA will be signing in via your
Remove a Delegated Administrator
To remove a DA, click "Remove" next to their entry.
Assign SP management
Assigning management of an existing SP to a Delegated Administrator
Select the "Assign SP Metadata" tab from the "Delegated Administrators" drop down menu.
To allow a DA to manage an existing SP, you need to explicitly grant the DA the ability to manage that SP. If you don't assign a delegated administrator to an SP, that delegated administrator will only be able to create new SP metadata.
A note about managing those ancient Delegated Administrator assignments
If you provisioned one or more delegated administrators prior to November 19, 2012 (when an upgrade to delegated administration occurred), please do the following:
- Log into the Federation Manager and click the link “Delegated Administrators”
- On the delegated administration page, click the link "Assign Metadata to Delegated Administrators"
- Next to the entityID of some SP, select the desired delegated administrator from the drop-down menu and press the “Add” button
- Repeat the previous step for every delegated administrator that needs to edit SP metadata
For each SP you wish to delegate, select the DA you wish to assign from the drop down and click "Add".
A DA can create new SP metadata records. They automatically have access to manage any SP metadata they create.