Hi,

Is it possible to expand IPA's schema to do this?



===================

Your Identity Management System (IdMS) will very likely have most of the 
attributes asked for by the federation - or will have enough information to 
synthesize the specific attribute values on the fly inside the IdP. But for 
some attributes, the IdMS might not have enough information. The following 
information should be considered for adding into your IdMS:

  *   eduPersonEntitlement: The eduPersonEntitlement attribute is a storage 
container for values representing privileges to access resources within the 
federation. It is a multi-valued string attribute. The values will have the 
form of a URI - with specific values that are yet to be defined. The attribute 
definition details are (source: Attribute Recommendation 2.1 (PDF) 
<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, 
page 14):

Origin/ObjectClass:   eduPerson [eduPerson]
OID:                  1.3.6.1.4.1.5923.1.1.1.7
SAML attribute name:  urn:mace:dir:attribute-def:eduPersonEntitlement
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     Multiple
Example values:       eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
                      eduPersonEntitlement: http://publisher.example.com/contract/GL123

  *   auEduPersonSharedToken: The auEduPersonSharedToken uniquely identifies 
users when accessing certain resources - particularly within the computational 
grid and data grid. The values should be opaque, non-reassignable and 
persistent - and transferable when a user moves between institutions. Even 
though the values are typically created as hash-values on first use, they MUST 
be stored and each institution must be ready to accept values users already 
have when coming from another institution. The attribute can be stored in 
either the IdMS directly (preferred) or in a database. The attribute definition 
details are (source: Attribute Recommendation 2.1 (PDF) 
<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, 
pages 9-10, with OID updated to correct value):

Origin/ObjectClass:   auEduPerson
OID:                  1.3.6.1.4.1.27856.1.2.5
SAML attribute name:  urn:mace:federation.org.au:attribute:auEduPersonSharedToken
LDAP syntax:          directoryString [1.3.6.1.4.1.27856.1.2.5]
Number of values:     Single
Example values:       ZsiAvfxa0BXULgcz7QXknbGtfxk

      *   See also the auEduPerson LDAP Schema Definition 
<https://wiki.caudit.edu.au/confluence/display/aafaueduperson/LDAP+Schema+Definitions> 
for exact LDAP definition snippets.

  *   eduPersonAssurance: This attribute represents the Levels of Assurance 
<https://tuakiri.ac.nz/confluence/display/Tuakiri/Levels+of+Assurance>. 
Either add the attribute into the IdMS directly, or start collecting enough 
information to synthesize the values later in a scripted attribute definition 
(like done for Affiliation below). The attribute definition details are 
(source: Attribute Recommendation 2.1 (PDF) 
<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, 
page 13):

Origin/ObjectClass:   eduPerson
OID:                  1.3.6.1.4.1.5923.1.1.1.11
SAML attribute name:  urn:oid:1.3.6.1.4.1.5923.1.1.1.11
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     multiple
Example values:       See AAF IdentityLoA Vocabulary

=====================



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
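As an added example (not part of the thread, and not FreeIPA's or CAUDIT's own schema file), the LDIF below shows how the three quoted attributes can be added to the 389 Directory Server schema behind FreeIPA by modifying cn=schema. The attribute OIDs are the ones quoted above; the auEduPerson objectClass OID is a labelled placeholder, the user DN is a constructed entry in the default FreeIPA tree, and the "eduPerson" objectClass is assumed to be provided by the eduPerson schema rather than defined here.

```ldif
# Added example: schema extension for FreeIPA (389-ds) via ldapmodify.
# Check cn=schema first: some 389-ds builds already ship an eduPerson
# schema file, and adding an attribute name that already exists fails.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.27856.1.2.5 NAME 'auEduPersonSharedToken'
  DESC 'Opaque, persistent, non-reassignable federation identifier'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'auEduPerson' )
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.7 NAME 'eduPersonEntitlement'
  DESC 'URI naming a privilege to access a federation resource'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'eduPerson' )
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.11 NAME 'eduPersonAssurance'
  DESC 'Level of Assurance value from the AAF IdentityLoA vocabulary'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'eduPerson' )
-
add: objectClasses
# PLACEHOLDER OID (2.25.999999): replace with the real objectClass OID from
# the auEduPerson LDAP Schema Definitions page linked in the message.
objectClasses: ( 2.25.999999 NAME 'auEduPerson'
  DESC 'Auxiliary class carrying auEduPerson attributes'
  SUP top AUXILIARY
  MAY ( auEduPersonSharedToken )
  X-ORIGIN 'auEduPerson' )

# Constructed user entry (default FreeIPA DIT, example realm dc=example,dc=com).
# The token value is the example value quoted above. SINGLE-VALUE in the
# schema makes the server reject a second token on the same entry.
# eduPersonEntitlement / eduPersonAssurance likewise need the eduPerson
# objectClass on the entry before they can be set.
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: auEduPerson
-
add: auEduPersonSharedToken
auEduPersonSharedToken: ZsiAvfxa0BXULgcz7QXknbGtfxk
```

Apply with `ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost -f` against one IPA master; schema changes replicate to the other masters, and the X-ORIGIN tags keep the custom definitions distinguishable from FreeIPA's own when reviewing cn=schema later.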