From: Krzysztof B. <kb...@un...> - 2017-09-10 18:08:39
Hi Sander,

On 30.08.2017 at 12:37, Sander Apweiler wrote:
> Hi Krzysztof,
>
> sorry for the late reply. I'll try to explain it with a bigger
> example.
>
> We have the following services:
> - A: external IdP
> - B: unity as proxy IdP
> - C: additional attribute service
> - D: some other service
>
> We have the following users:
> - 1: admin of C
> - 2: normal user, wants to use D
>
> Workflow:
> - Any user logged in to C or D is authenticated by B
> - C uses only attributes provided from B or A (through B)
> - 1 can create additional attributes or roles for 2 in C
> - B consumes and stores the additional attributes about 2 from C
> - If 2 uses D, D uses attributes provided by B and C (through B)
>
> Or with a more concrete example.
> Within C, user 1 creates a quota for user 2. This quota is a storage
> limitation for Nextcloud (D). Unity gets this additional attribute from
> C. If 2 signs in to Nextcloud, unity provides the following attributes:
> - unity persistent identifier
> - email (provided from home IdP to unity)
> - CN (provided from home IdP to unity or entered during the
> registration)
> - quota (provided from additional attribute source to unity)
>
> Hopefully it is more understandable. If not, let me know and I'll try to
> find another explanation after my holidays.

OK, now I can follow the scenario :-)

So in this case Unity doesn't have any special means to import attributes from C that come to my mind. You can implement this in one of two ways:

A) (suggested, easiest, natural direction) use Unity's REST API and push your quota attribute from C.

B) (questionable, slower, more complex maintenance) write a custom import module for Unity (we have LDAP and Host OS so far) which will fetch this information from C in JiT style (== when the user logs in).

Best,
Krzysztof
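Option A above (service C pushing the quota into Unity over its REST API), as an added example that is not part of the thread and not code from the Unity project. It assumes the Unity REST Admin API is mounted at `.../restadm/v1`, that an attribute is created or updated with `PUT /entity/{entityId}/attribute` carrying a JSON attribute document (`name`, `groupPath`, `values`), and that the endpoint is protected by HTTP Basic auth for a dedicated admin account; all of that must be checked against the Unity REST API manual for the deployed version. The quota format (`50GB`) and the hostname are constructed for the example. Two practitioner details are built in: the pusher refuses to send the admin credential over plain HTTP, since that credential can modify any entity in Unity, and it refuses quota values that do not match the expected shape, so an operator typo or a compromised C cannot inject arbitrary strings into the IdP's attribute store.

```python
"""Push a per-user quota attribute from service C into Unity (B) via
Unity's REST Admin API.  Added example; not code from the thread or from
the Unity project.  Endpoint path, body shape and auth scheme are
assumptions to verify against the Unity REST API manual."""
import base64
import json
import re
import urllib.request
from urllib.parse import quote

# Assumed quota format for this example: whole number plus unit, e.g. "50GB".
# C must not forward arbitrary strings into the IdP's attribute store.
QUOTA_RE = re.compile(r"^[1-9][0-9]*(MB|GB|TB)$")


def is_valid_quota(value):
    """True only for values matching the expected quota shape."""
    return bool(QUOTA_RE.fullmatch(value))


def build_attribute(name, values, group_path="/"):
    """Unity attribute document (assumed shape): name, group path, value list."""
    return {"name": name, "groupPath": group_path, "values": list(values)}


def build_request(base_url, entity_id, attribute, username, password):
    """Build the PUT without sending it, so it can be inspected or logged."""
    if not base_url.startswith("https://"):
        # The Basic-auth header carries an admin credential that can modify
        # any entity in Unity; never let it travel in clear text.
        raise ValueError("Unity REST Admin API must be reached over HTTPS")
    url = "{}/entity/{}/attribute".format(
        base_url.rstrip("/"), quote(str(entity_id), safe=""))
    token = base64.b64encode("{}:{}".format(username, password).encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(attribute).encode("utf-8"), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + token)
    return req


def push_quota(base_url, entity_id, quota, username, password, send=True):
    """Validate the quota, build the PUT and, unless send=False, execute it.
    Returns the HTTP status when sent, or the prepared request otherwise."""
    if not is_valid_quota(quota):
        raise ValueError("rejecting quota value {!r}".format(quota))
    req = build_request(base_url, entity_id,
                        build_attribute("quota", [quota]), username, password)
    if not send:
        return req
    # urlopen raises HTTPError on 4xx/5xx, so a rejected push is not silent.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run against constructed values; set send=True against a real Unity.
    r = push_quota("https://unity.example.org/restadm/v1", 42, "50GB",
                   "c-attribute-pusher", "change-me", send=False)
    print(r.get_method(), r.full_url)
    print(r.data.decode())
```

Run it as-is to see the exact request C would issue; only the account named here needs rights to set this one attribute, so give it a dedicated Unity admin identity rather than reusing a personal one, and rotate its password like any other service credential.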