View Source

The Env Organizational Identity Source Plugin is designed to pull attributes from environment variables, generally populated by web server authentication modules.

Modes

Org Identity Source Mode	Support
Manual Search and Linking	Not supported
Enrollment, Authenticated	Supported
Enrollment, Claim	Not supported
Enrollment, Search	Not supported
Enrollment, Select	Not supported

Org Identity Sync Mode	Support
Full	Not supported
Query	Not supported
Update	Not supported
Manual	Not supported

Configuration

Each environment variable must be mapped to the appropriate data element to populate using the value made available in that variable.

An environment variable must be mapped to Identifier (System of Record ID), which will serve as the unique key for the record.
In order for an identifier to be used for login to Registry, the Login box must be ticked for that identifier in the configuration.
- The System of Record ID is not intended to be a login identifier, since it is a unique, persistent key. To use an identifier as both a System of Record ID and a login identifier, populate it into both the Identifier (System of Record ID) field as well as another Identifier field, such as Network or ePPN.
As a valid Organizational Identity requires a Primary Name, the environment variables should collect a name from the external identity provider in order for an Organizational Identity to be created. If the environment variable mapped to Given Name (Official) is empty the value of the environment variable mapped to Identifier (System of Record ID) will be used. If the environment variable mapped to Family Name (Official) is empty the value from the localization text pl.envsource.name.unknown is used (the localization texts for the plugin are found in the Lib/lang.php file under Plugin/EnvSource).
Be sure to click Save when presented the initial configuration page, even if accepting the default environment variable names presented.

Deployers using mod_auth_openidc for authentication must adjust the names of expected environment variables.

Duplicate Handling

Registry v4.1.0 adds duplicate handling capabilities when EnvSource is used as an Enrollment Source. There are three available modes:

SOR Identifier Match: If the System of Record ID of the new Organizational Identity Source Record matches a System of Record Identifier on an existing Org Identity, the record is considered a duplicate. This is the default behavior, and is basically the behavior prior to Registry v4.1.0.
Any Identifier Match: If any Identifier for the new Organizational Identity Source Record matches an Active Identifier of the same type, attached to either an Org Identity or a CO Person, the record is considered a duplicate.
Login Identifier Match: As for Any Identifier Match, but only Identifiers flagged for login are considered.

When duplicate conditions are detected, the Petition is automatically flagged as duplicate and the enrollment terminates. The Petition is not linked to a CO Person.

A Redirect on Duplicate URL may be specified to send the Petitioner to a page or destination with more information.

You may need to adjust the configuration of your web server authentication module, e.g. the Shibboleth SP, to ensure that the attributes for the authenticated user are put into the environment so that they can be consumed by Env Source. You may want to review the section "Integrate Web Server Authentication" at Registry Installation - Source.

Multi Value SAML Attributes Handling

Registry v4.3.0 adds multi-value SAML attributes parsing capabilities when EnvSource is used as an Enrollment Source. There are three available modes:

Shibboleth SP: The semicolon (;) delimiter will be used to break down the multi-value list
SimpleSamlPHP SP: The comma (,) delimiter will be used to break down the multi-value list
Other: This is the default behavior. When selected no multi-value processing will happen.

Currently only multi-value email attributes are supported

Modes

Configuration

Duplicate Handling

Multi Value SAML Attributes Handling

See Also