About Organizational Identity Sources

Organizational Identity Sources allow for the creation of Organizational Identities linked to an external source or "system of record". These sources can include LDAP servers, REST APIs, SQL databases, flat files, and so on. Custom plugins can be written for arbitrary sources.

Organizational Identity Sources can only be defined on a per-CO basis. If org identities are pooled, Organizational Identity Sources are not supported. Once configured, Organizational Identities can be created from these sources in several ways:

Manually, via People >> Organizational Identities >> Add New Org Identity From Source or by using the Search button from the list of Organizational Identity Sources.
Using an Enrollment Flow, via Enrollment Sources.
Via a batch process. (Not yet implemented; CO-76)

Organizational Identity Sources can be linked to Registry Pipelines in order to automatically create CO Person records.

When an Organizational Identity is created from a source, it is linked to that source and cannot be manually edited, not even by an administrator. However, it can be manually resynced to pull changes from the source.

If the corresponding record is removed from the Organizational Identity Source, on the next sync the Org Identity will be set to status Removed, but the Org Identity itself will remain available – it is not deleted.

If Attribute Enumerations are enabled for any attributes, permitted values for those attributes are constrained to the enumerated options. Source records containing a non-enumerated value will fail to process correctly.

Terminology

The terminology used by Registry can be a little confusing when looking at person records related to Organizational Identity Sources.

View Organizational Identity: Retrieves the current Org Identity operational record used by Registry in normal operations.
View Organizational Identity Source: Performs a live query against the Org Identity Source backend and retrieves the current data as known to the backend. ie: This is the source's current data.
View Organizational Identity Source Record: Retrieves the last data retrieved from the backend and used to create or update an Org Identity. ie: This is Registry's copy of the source data.
Add New Org Identity From Source: Create a new Org Identity based on the Org Identity Source's data. In addition, this will create an Organizational Identity Source Record.
Resync Org Identity From Source: Update the Org Identity and Organizational Identity Source Record using the latest (current) data available from the Org Identity Source.
Configuration >> Organizational Identity Sources: Manage the plugins used to define and query one or more Org Identity Sources.

Sync Modes

When called from Registry Job Shell, Organizational Identity Sources can be configured in the following sync modes:

Full: Create new Org Identities for any record in the Organizational Identity Source that does not yet have one, and update (or delete, if appropriate) existing records.
Query: Similar to Enrollment Sources Search mode, query the Organizational Identity Source for any records matching verified email addresses of all Org Identities, looking for new matching records to link. Also update (or delete, if appropriate) existing records.
- Query mode should only be used for Organizational Identity Sources attached to a Registry Pipelines configured for email address-based matching. Otherwise, linking to existing CO People may not happen correctly.
Update: Update and delete (if appropriate) records that are already synced to Org Identities.
Manual: Do not automatically sync records. Currently, manual syncing is only available on an individual record basis. (CO-1309)

Not all Organizational Identity Source plugins support all sync modes. Check the documentation for any limitations.

Syncing via Job Shell can be disabled on a per-CO basis via CO Settings >> Disable Org Identity Source Sync.

Creating ePPNs

When syncing records from an Org Identity Source, Registry can automatically create an identifier of type ePPN to be injected into the Org Identity created from the Source. This can be useful for (eg) automatically calculating the ePPN of an IdP associated with the Source. There are two settings:

EPPN Identifier Type: The Identifier of this type as found in the Org Identity created from the Source will be used as the left-hand site of the newly created ePPN.
EPPN Suffix: The specified string will be used as the right-hand side of the newly created ePPN. Do not include the @.