Versions Compared

Comment: Published by Scroll Versions from space federationedit and version 4.0.1


This action requires a user to be a Site Administrator.

To assign a Delegated Administrator (DA), a site administrator signs into the Federation Manager and selects the "Delegated Administrators" menu item (along the left-hand side of the page in the earlier version of the interface).

Add a new Delegated Administrator

On the Delegated Administrators page, click the "ADD NEW" link below the section title:

Image Removed

On the Add a Delegated Administrator page, enter the person's ePPN, first and last name, email address, phone number, and job title.

Image Removed

Federation Manager will send an email invitation to the supplied email address (copying all other site administrators as well). The prospective delegated administrator clicks the link in the email to continue with the process.

Once the delegated administrator has successfully logged into the Federation Manager via SAML Web Browser SSO, a local account is provisioned. No local credentials are issued; the delegated administrator always logs in with a federated credential.

About ePPN

By supplying the ePPN for the prospective DA, you are asserting that your IdP always asserts that ePPN for the same individual. Further, you are asserting that the ePPN always belongs to the intended individual. If you don't trust the IdP to guarantee an ePPN's uniqueness, don't provision a Delegated Administrator with that ePPN.

What if my organization does not have an Identity Provider published in InCommon?

Federation Manager can support Delegated Administrator sign in using Google accounts via the Google Gateway. Because a Google account address does not always end in “@gmail.com”, enter the user's ePPN in the following format:

    username+domain@google.incommon.org

For example, if the user has a Google account address of

    foo@gmail.com

enter the user's ePPN in the following form:

    foo+gmail.com@google.incommon.org

See the Google Gateway wiki page for more information.
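The two rules above (provision only ePPNs whose IdP you trust to keep them unique, and encode Google Gateway accounts as username+domain@google.incommon.org) can be turned into a check that runs before a DA is provisioned. The following Python is an added example, not code from Federation Manager or the InCommon project; the trusted-scope list, the sample addresses and the refusal of plus-addressed usernames are constructed assumptions.

```python
"""Added example (not part of the Federation Manager documentation): build the
Google Gateway ePPN form and sanity-check an ePPN's scope against an allow-list
of identity providers you trust before provisioning a Delegated Administrator."""
import re

GOOGLE_GATEWAY_SCOPE = "google.incommon.org"   # scope given on the page

# Constructed example: scopes of IdPs whose ePPN uniqueness guarantee you accept.
TRUSTED_SCOPES = {"example.edu", GOOGLE_GATEWAY_SCOPE}

# Broad shape check only: one local part, one "@", one domain containing a dot.
_ADDRESS_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def google_gateway_eppn(google_address: str) -> str:
    """Rewrite a Google account address into username+domain@google.incommon.org."""
    m = _ADDRESS_RE.match(google_address.strip())
    if not m:
        raise ValueError(f"not a well-formed account address: {google_address!r}")
    username, domain = m.groups()
    if "+" in username:
        # A plus-addressed Google account would make the "+" separator ambiguous;
        # this example refuses rather than guessing how the gateway would read it
        # (an assumption, not documented behaviour of the gateway).
        raise ValueError("username containing '+' cannot be encoded unambiguously")
    return f"{username}+{domain}@{GOOGLE_GATEWAY_SCOPE}"


def eppn_scope(eppn: str) -> str:
    """Return the scope (the part after '@') of an ePPN."""
    m = _ADDRESS_RE.match(eppn.strip())
    if not m:
        raise ValueError(f"not a well-formed ePPN: {eppn!r}")
    return m.group(2)


def check_eppn_for_provisioning(eppn: str, trusted_scopes=TRUSTED_SCOPES):
    """Return (ok, reason); ok is True only when the ePPN's scope belongs to an
    IdP you trust and, for the Google Gateway, the local part is username+domain."""
    try:
        scope = eppn_scope(eppn)
    except ValueError as exc:
        return False, str(exc)
    trusted = {s.lower() for s in trusted_scopes}
    if scope.lower() not in trusted:
        return False, f"scope {scope!r} is not an IdP you trust to keep ePPNs unique"
    if scope.lower() == GOOGLE_GATEWAY_SCOPE:
        local = eppn.strip().split("@", 1)[0]
        if "+" not in local or local.startswith("+") or local.endswith("+"):
            return False, "Google Gateway ePPN must use username+domain before the '@'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs
    for addr in ("foo@gmail.com", "jane@example.org"):
        print(addr, "->", google_gateway_eppn(addr))
    for candidate in ("alice@example.edu", "foo+gmail.com@google.incommon.org",
                      "foo@google.incommon.org", "bob@untrusted.example"):
        print(candidate, check_eppn_for_provisioning(candidate))
```

The scope allow-list is the operational form of the "About ePPN" rule: a site administrator decides once which IdPs are trusted to keep ePPNs unique and stable, and the check refuses any ePPN outside that set rather than relying on whoever fills in the form to remember the rule.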

View and update a Delegated Administrator's profile

On the Delegated Administrators page, click a Delegated Administrator's name to see their profile, including a list of the Service Providers they can manage. Click the "Edit" link to the right for quick access to edit the DA's profile information (name, email, phone, title).

Image Removed

Assigning privileges to a Delegated Administrator

To allow a DA to manage an existing SP, you need to explicitly grant the DA the ability to manage that SP. If you don't assign a delegated administrator to an SP, that delegated administrator will only be able to create new SP metadata.

To grant a DA the ability to manage an SP, on the Delegated Administrator page, click the "ASSIGN SP METADATA" link:

Image Removed

Be aware of update contention in the Delegated Administration module

The Delegated Administrator module in Federation Manager does not perform record locking when a user edits metadata. If you assign multiple DAs the ability to manage the same SP, be aware that they may simultaneously edit and submit metadata without being aware that another DA has already submitted an update request for the same entity descriptor. For this reason, we recommend assigning at most one Delegated Administrator per SP.

A note about managing those ancient Delegated Administrator assignments

If you provisioned one or more delegated administrators prior to November 19, 2012 (when an upgrade to delegated administration occurred), please do the following:

  1. Log into the Federation Manager and click the link “Delegated Administrators”
  2. On the delegated administration page, click the link "Assign Metadata to Delegated Administrators"
  3. Next to the entityID of some SP, select the desired delegated administrator from the drop-down menu and press the “Add” button
  4. Repeat the previous step for every delegated administrator that needs to edit SP metadata

Each delegated administrator assigned as described above should now be able to edit SP metadata.

In the current version of the interface, select the "Delegated Administrators" item from the top navigation menu to enter the Delegated Administrators management page:

Image Added

Add or remove a Delegated Administrator

Image Added

Add a Delegated Administrator

From the "Delegated Administrators" page, enter the name and email address of the person you wish to designate as a DA and click "Add".

If the DA has already completed the Internet2 (I2) Identity Services registration, and the email you entered matches their email address recorded in I2 Identity Services, Federation Manager will link the records. When the link is in place, the DA's record only displays a "Remove" option (see record 2 in image above). 

Related: Prepare for Delegated Administration assignment

If the DA you entered has not completed the I2 Identity Services registration process, Federation Manager will send an email invitation to the email address you enter here. The invitation contains a one-time link inviting the prospective DA to sign in and complete the one-time identity registration process. As long as the registration is not complete, a "Resend Enrollment Email" button remains visible next to that DA's record.

For more information about the registration process, see Internet2 Identity Services Registration Guide.

Resend Enrollment Email

The invitation to complete an I2 Identity Services registration has a 7-day expiration window. If a DA is unable to complete registration in that period, you can resend the invitation to the DA by clicking the "Resend Enrollment Email" button.

IMPORTANT: if the DA will be signing in via your 

Remove a Delegated Administrator

To remove a DA, click "Remove" next to their entry.

Assign SP management to a Delegated Administrator

Select the "Assign SP Metadata" tab from the Delegated Administrators page.

Image Added

For each SP you wish to delegate, select the DA you wish to assign from the drop-down and click "Add".

A DA can create new SP metadata records. They automatically have access to manage any SP metadata they create.

Sign into Federation Manager: https://service1.internet2.edu/
