|
From: Sander A. <sa....@fz...> - 2022-12-13 08:35:27
Attachments:
smime.p7s
|
Dear Krzysztof,

we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internals (created by attribute statements). So my question is: can I use attributes which were created by an attribute statement within another attribute statement?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the local court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
|
From: Krzysztof B. <kb...@un...> - 2022-12-14 14:47:37
|
Dear Sander,

On 13.12.2022 at 09:35, Sander Apweiler wrote:
> Dear Krzysztof,
> we are using attribute statements to create some attributes. One of
> them is the internal entitlements, where we express group
> membership information in a specific format. When we started to
> configure the SCIM API, we encountered that we can release here only
> single attributes but cannot merge two attributes like we did in
> SAML/OAuth output translation profiles. For this reason we created
> another attribute statement, which merges external and internal
> entitlements. Sadly this only works for the external entitlements, but
> not for the internals (created by attribute statements). So my
> question is: can I use attributes which were created by an attribute
> statement within another attribute statement?

To answer the specific question: yes, an attribute statement generating a dynamic can use a dynamic attribute generated by another attribute statement, however only in another group (i.e. such other dynamic attribute can only be accessed using the eattr variable).

Regarding your specific problem, let me make sure I understand it completely.

So you have an internalEntitlements dynamic attribute and a regular attribute with externalEntitlements. Now you want to output over the SCIM API an attribute which will have a union of the values of internalEntitlements and externalEntitlements?

Best,
Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2022-12-14 14:49:49
|
On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> To answer the specific question: yes, an attribute statement
> generating a dynamic can use a dynamic attribute generated by another
> attribute statement, however only in another group (i.e. such other
> dynamic attribute can only be accessed using the eattr variable).
>
> Regarding your specific problem, let me make sure I understand it
> completely.
>
> So you have an internalEntitlements dynamic attribute and a regular
> attribute with externalEntitlements. Now you want to output over the SCIM
> API an attribute which will have a union of the values of
> internalEntitlements and externalEntitlements?

Maybe an additional explanation: I'm asking, as I think that the above case is supported in SCIM configuration, and so I guess your scenario is more complex.
|
From: Sander A. <sa....@fz...> - 2022-12-14 15:16:44
Attachments:
smime.p7s
|
Dear Krzysztof,

being more precise. We have some entitlements coming from the upstream IdPs as eduPersonEntitlement and stored as eduPersonEntitlement-external. Then we have some other information like group membership information, expressed according to the AARC guideline, stored on eduPersonEntitlement-internal. In output translation profiles for SAML and OAuth we are merging those two values. And we would need to do the same on SCIM to release the entitlements there as well. During my tests I was not able to combine the two attributes here.

Best regards,
Sander

On Wed, 2022-12-14 at 15:49 +0100, Krzysztof Benedyczak wrote:
> Maybe an additional explanation: I'm asking, as I think that the
> above case is supported in SCIM configuration, and so I guess your
> scenario is more complex.
|
From: Sander A. <sa....@fz...> - 2022-12-14 15:18:23
Attachments:
smime.p7s
|
Sorry, I forgot to mention: eduPersonEntitlement-external is mapped in the input translation profile and eduPersonEntitlement-internal is created via two attribute statements with conflict resolution merge.

Best regards,
Sander

On Wed, 2022-12-14 at 16:16 +0100, Sander Apweiler wrote:
> Dear Krzysztof,
> being more precise. We have some entitlements coming from the
> upstream IdPs as eduPersonEntitlement and stored as
> eduPersonEntitlement-external. Then we have some other information
> like group membership information, expressed according to the AARC
> guideline, stored on eduPersonEntitlement-internal. In output
> translation profiles for SAML and OAuth we are merging those two
> values. And we would need to do the same on SCIM to release the
> entitlements there as well. During my tests I was not able to
> combine the two attributes here.
>
> Best regards,
> Sander
|
From: Krzysztof B. <kb...@un...> - 2022-12-15 12:25:41
|
On 14.12.2022 at 16:18, Sander Apweiler wrote:
> Sorry, I forgot to mention: eduPersonEntitlement-external is mapped in
> the input translation profile and eduPersonEntitlement-internal is created
> via two attribute statements with conflict resolution merge.

OK. So wouldn't that work:

create a 3rd dynamic attribute eduPersonEntitlement-all, which would be set by 3 attribute statements: the 2 are the same as the ones used for the -internal, plus a 3rd which will add -external (should work as this is a regular attribute), of course all with conflict resolution 'merge'.

?

Cheers,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2022-12-15 12:27:53
Attachments:
smime.p7s
|
Hi Krzysztof,

that's what I'm trying to do. But I did not use the external attributes. I'll try to do this ASAP.

Thanks for your answers.
Sander

On Thu, 2022-12-15 at 13:25 +0100, Krzysztof Benedyczak wrote:
> OK. So wouldn't that work:
>
> create a 3rd dynamic attribute eduPersonEntitlement-all, which would
> be set by 3 attribute statements: the 2 are the same as the ones used
> for the -internal, plus a 3rd which will add -external (should work as
> this is a regular attribute), of course all with conflict resolution
> 'merge'.
>
> ?
>
> Cheers,
> Krzysztof
|
From: Sander A. <sa....@fz...> - 2022-12-15 14:26:46
Attachments:
smime.p7s
|
Hi Krzysztof,

eattrs did not work because the information is in the same group where I need the new one. So I made it like you described in the last mail. Now I have all in one attribute and can release them in SCIM.

Best regards,
Sander

On Thu, 2022-12-15 at 13:27 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> that's what I'm trying to do. But I did not use the external
> attributes. I'll try to do this ASAP.
>
> Thanks for your answers.
> Sander
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
From: Krzysztof B. <kb...@un...> - 2022-12-15 18:44:26
|
On 15.12.2022 at 15:26, Sander Apweiler wrote:
> Hi Krzysztof,
> eattrs did not work because the information is in the same group where
> I need the new one. So I made it like you described in the last mail.
> Now I have all in one attribute and can release them in SCIM.

Wow, great :-)

Krzysztof