NET+ Amazon Web Services by DLT InCommon Identity Requirements for new or transfer account provisioning.

To grant access to the DLT Solutions customer portal and assign the correct permissions to each user, DLT requires the following attributes and expects the behavior described below, which generally follows the attribute specifications.


eduPersonPrincipalName: eduPersonPrincipalName is used as the username value (example: bob@example.org)

eduPersonScopedAffiliation: Multiple values of the form value@domain, where domain matches the domain(s) for which your IdP is authoritative according to InCommon metadata. One of the values “faculty”, “staff” or “employee” must be sent for any requestor. (example: staff@example.edu)

eduPersonEntitlement: eduPersonEntitlement allows the IdP to map authenticated users to roles within the DLT portal based on attributes. There are two primary roles; the default mappings take the following form and are generally based on your entityID. Users presenting one of the following values will be granted access.


format: [namespace][:|/path/][entitlementValue]

edu-sa examples:

    urn:mace:incommon:uiowa.edu:edu-sa

    https://idp.mtholyoke.edu/attributes/entitlements/edu-sa

edu-req examples:

    urn:mace:incommon:uiowa.edu:edu-req

    https://idp.mtholyoke.edu/attributes/entitlements/edu-req

Note: DO NOT include trailing forward slashes in the URL format.


The following two roles are defined in DLT’s portal with the corresponding permissions:

edu-req = Users with this role are able to see invoices and make requests.

edu-sa = Users with this role are considered administrators and are granted elevated permissions not afforded to requestors.



mail: An email address for the authenticated user (example: bob@example.edu)

sn: One or more string values containing components of the user's surname(s) or family name(s).

givenName: One or more string values containing the part of the user's name that is not their surname or middle name.
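The checks implied by the attribute requirements above (required attributes present, scoped affiliation domains matching the IdP's authoritative domains, at least one faculty/staff/employee affiliation, entitlement values in the documented format without a trailing slash, and the edu-sa / edu-req suffixes mapped to portal roles) can be expressed as a small validation routine on the service-provider side. The following is an added example written for this page, not DLT's portal code; the attribute names and the edu-sa / edu-req suffixes come from the page, while the function names, the per-IdP "trusted namespace" configuration and the sample assertion are assumptions made for the example.

```python
"""SP-side validation of the InCommon attributes this page requires.

Example code only (not DLT's). Attribute names and the edu-sa / edu-req
suffixes are from the page; the function names, the per-IdP configuration
shape (authoritative domains, trusted entitlement namespace) and the sample
assertion below are assumptions made for this illustration.
"""
from typing import Dict, List, Set, Tuple

# Portal roles defined on the page, keyed by entitlement suffix.
ROLE_BY_SUFFIX = {"edu-sa": "administrator", "edu-req": "requestor"}
# Affiliation values the page says must be sent for any requestor.
REQUIRED_AFFILIATIONS = {"faculty", "staff", "employee"}
# Every attribute the page lists as required.
REQUIRED_ATTRIBUTES = (
    "eduPersonPrincipalName", "eduPersonScopedAffiliation",
    "eduPersonEntitlement", "mail", "sn", "givenName",
)


def parse_entitlement(value: str) -> Tuple[str, str]:
    """Split '[namespace][:|/path/][entitlementValue]' into (namespace/path, value).

    URL-form values are split on the last '/', URN-form values on the last ':'.
    A trailing slash is rejected because the page says not to send one.
    """
    if value.endswith("/"):
        raise ValueError(f"trailing slash not allowed: {value!r}")
    sep = "/" if value.lower().startswith(("http://", "https://")) else ":"
    prefix, found, suffix = value.rpartition(sep)
    if not found or not prefix or not suffix:
        raise ValueError(f"malformed entitlement: {value!r}")
    return prefix, suffix


def check_affiliations(values: List[str], authoritative_domains: Set[str]) -> None:
    """Every value must be affiliation@domain with a domain the IdP is authoritative
    for (per InCommon metadata), and at least one must be faculty, staff or employee."""
    seen = set()
    for v in values:
        affiliation, at, domain = v.partition("@")
        if not at or not affiliation or not domain:
            raise ValueError(f"malformed scoped affiliation: {v!r}")
        if domain.lower() not in authoritative_domains:
            raise ValueError(f"scope {domain!r} is not authoritative for this IdP")
        seen.add(affiliation.lower())
    if not seen & REQUIRED_AFFILIATIONS:
        raise ValueError("no faculty/staff/employee affiliation asserted")


def map_roles(attrs: Dict[str, List[str]], authoritative_domains: Set[str],
              trusted_namespace: str) -> Set[str]:
    """Return the portal roles an assertion grants, or raise if a check fails."""
    missing = [a for a in REQUIRED_ATTRIBUTES if not attrs.get(a)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    check_affiliations(attrs["eduPersonScopedAffiliation"], authoritative_domains)
    roles: Set[str] = set()
    for ent in attrs["eduPersonEntitlement"]:
        prefix, suffix = parse_entitlement(ent)
        # Assumption: only entitlements under the namespace configured for this
        # IdP's entityID are honoured, so one IdP cannot assert another's values.
        if prefix != trusted_namespace:
            continue
        if suffix in ROLE_BY_SUFFIX:
            roles.add(ROLE_BY_SUFFIX[suffix])
    if not roles:
        raise ValueError("no edu-sa or edu-req entitlement under the trusted namespace")
    return roles


# Constructed sample assertion (not real data); the second entitlement sits
# under a different institution's namespace and must be ignored.
SAMPLE_ASSERTION = {
    "eduPersonPrincipalName": ["bob@example.edu"],
    "eduPersonScopedAffiliation": ["member@example.edu", "staff@example.edu"],
    "eduPersonEntitlement": ["urn:mace:incommon:example.edu:edu-req",
                             "urn:mace:incommon:other.edu:edu-sa"],
    "mail": ["bob@example.edu"],
    "sn": ["Smith"],
    "givenName": ["Bob"],
}


if __name__ == "__main__":
    print(map_roles(SAMPLE_ASSERTION, {"example.edu"},
                    "urn:mace:incommon:example.edu"))  # {'requestor'}
```

The trusted namespace is configured per IdP (for example, per entityID, as the page's default mappings are), so an edu-sa value under some other institution's namespace does not grant administrator rights; a missing affiliation, an unexpected scope domain, or a URL-form entitlement with a trailing slash each fails closed with a ValueError rather than silently mapping to no role.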


The URL for the NET+ AWS account request portal is https://i2portal.zendesk.com/hc/en-us.


If any of these attributes is not in use or not defined in your system, use core:AttributeAdd (the SimpleSAMLphp authentication processing filter) together with the descriptions in this document to ensure the proper access control rules are applied for each user.
