From: Sander A. <sa....@fz...> - 2022-12-14 15:18:23
Sorry, I forgot to mention: eduPersonEntitlement-external is mapped in input translation profile and eduPersonEntitlement-internal is created via two attribute statements with conflict resolution merge.

Best regards,
Sander

On Wed, 2022-12-14 at 16:16 +0100, Sander Apweiler wrote:
> Dear Krzysztof,
> being more precise. We have some entitlements coming from the upstream
> IdPs as eduPersonEntitlement and stored as eduPersonEntitlement-external.
> Then we have some other information like group membership
> information, expressed according to AARC guideline, stored in
> eduPersonEntitlement-internal. In output translation profiles for SAML
> and OAuth we are merging those two values. And we would need to do the
> same for SCIM to release there the entitlements as well. During my
> tests I was not able to combine here the two attributes.
>
> Best regards,
> Sander
>
> On Wed, 2022-12-14 at 15:49 +0100, Krzysztof Benedyczak wrote:
> > On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> > > Dear Sander,
> > >
> > > On 13.12.2022 at 09:35, Sander Apweiler wrote:
> > > > Dear Krzysztof,
> > > > we are using attribute statements to create some attributes. One
> > > > of them is the internal entitlements, where we express group
> > > > membership information in a specific format. When we started to
> > > > configure the SCIM API, we encountered that we can release here
> > > > only single attributes but cannot merge two attributes like we
> > > > did in SAML/OAuth output translation profiles. For this reason we
> > > > created another attribute statement, which merges external and
> > > > internal entitlements. Sadly this only works for the external
> > > > entitlements, but not for the internals (created by attribute
> > > > statements). So my question is, can I use attributes which were
> > > > created by an attribute statement within another attribute
> > > > statement?
> > >
> > > To answer the specific question: yes, an attribute statement
> > > generating a dynamic attribute can use a dynamic attribute
> > > generated by another attribute statement, however only in another
> > > group (i.e. such other dynamic attribute can be only accessed
> > > using the eattr variable).
> > >
> > > Regarding your specific problem, let me ensure that I understand
> > > it completely.
> > >
> > > So you have internalEntitlements dynamic attribute and a regular
> > > attribute with externalEntitlements. Now you want to output over
> > > SCIM API an attribute which will have a union of values of
> > > internalEntitlements and externalEntitlements?
> >
> > Maybe an additional explanation: I'm asking, as I think that the
> > above case is supported in SCIM configuration, and so I guess your
> > scenario is more complex.

-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------