
Attribute Manipulations

Remold edited this page Jul 3, 2015 · 12 revisions

Introduction

Attribute Manipulations allow you to manipulate, per Service Provider, the attributes and their values that are sent to that SP. The following picture explains the typical setup and usage:

In the above example a user wants to log in to Google Apps and therefore clicks on the Google Apps login; Google Apps creates a SAML2 Authentication Request and sends the user off with it to OpenConext Engine. Engine then does whatever it needs to do to get this user to his/her Identity Provider (IdP), probably showing a WAYF of some sort, and finally sends the user off with a new SAML2 Authentication Request to the IdP, in this example SURFguest.

The IdP receives the Authentication Request and does whatever it needs to do to get the user logged in (probably showing a login screen); the user logs in and the IdP creates a SAML2 Response containing an assertion. This assertion carries attributes about the user, for example:

  • Name: uid, Value 0: John
  • Name: schacHomeOrganization, Value 0: surfguest.nl
  • Name: groups, Value 0: students, Value 1: members

The IdP then sends the user off back to Engine with this response. Engine processes the response, including:

  • Checking if the response is valid;
  • Provisioning the user in an LDAP, if needed;
  • Obtaining consent from the user to pass these attributes to the SP;
  • Setting the NameID.

And finally, when Engine is done with the response and sends it to the SP, it calls the Attribute Manipulations component for last minute modifications. After these modifications are done, Engine is finished and sends the user with the (changed) response to Google Apps.

Attribute Manipulations have been developed for several Service Providers, the most notable being Google Apps, for which the subjectId is manipulated.

See the Create an Attribute Manipulation page for more information on creating attribute manipulations.

General working of Attribute Manipulations

Engine can manipulate attributes in both the IdP-OpenConext and the OpenConext-SP flow. It is not common to perform Attribute Manipulations, but in rare cases (e.g., Google Apps) it is required.

IdP-OpenConext

The Attribute Manipulation is performed by Engine just after a successful authentication and before the ACL and the validation of the IdP's response. The steps run in the following order:

  1. Removal of the OID attributes (rename to named attributes)
  2. AttributeManipulations
  3. ValidateRequiredAttributes

The order is important and gives the following restrictions and possibilities:

  • It is not possible to manipulate the OID variants of the attributes (they have already been converted to their named variants)
  • It is possible to create, rename or modify the attributes provided by the IdP so that they meet the OpenConext attribute requirements (uid + schacHomeOrganization)
  • All attributes can be manipulated

This makes it possible, for instance, to add static attributes such as schacHomeOrganization. It is also possible to adjust or remove attributes, for example removing extra e-mail addresses or stripping diacritics.
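The manipulations described above (adding a static schacHomeOrganization, dropping extra e-mail addresses, stripping diacritics), written out as an added example. This is not code from the OpenConext EngineBlock project; it assumes EngineBlock's convention that a manipulation body is plain PHP operating on an `$attributes` array (attribute name => list of values) which it edits in place. The opening `<?php` tag is only there so the file runs on its own; the sample input is constructed.

```php
<?php
// Constructed sample of what an IdP might have sent. Only the named variants
// are present: the OID variants have already been renamed away (step 1 of
// the IdP-OpenConext order), so they cannot be manipulated here.
$attributes = [
    'uid'    => ['jöhn.døe'],
    'mail'   => ['john@example.org', 'j.doe@example.org', 'john@example.org'],
    'groups' => ['students', 'members'],
];

// 1. Add a static attribute when the IdP did not provide it, so that the
//    ValidateRequiredAttributes step (uid + schacHomeOrganization) passes.
//    The organization value is an assumed placeholder for this example.
if (empty($attributes['schacHomeOrganization'])) {
    $attributes['schacHomeOrganization'] = ['example.org'];
}

// 2. Keep only the first e-mail address, after removing duplicates.
if (!empty($attributes['mail'])) {
    $unique = array_values(array_unique($attributes['mail']));
    $attributes['mail'] = [$unique[0]];
}

// 3. Strip diacritics from uid so the value is plain ASCII. The intl
//    transliterator is used when the extension is loaded, iconv otherwise.
$stripDiacritics = function (string $value): string {
    if (class_exists('Transliterator')) {
        $t = Transliterator::create('Any-Latin; Latin-ASCII');
        if ($t !== null) {
            return $t->transliterate($value);
        }
    }
    $ascii = iconv('UTF-8', 'ASCII//TRANSLIT', $value);
    return $ascii === false ? $value : $ascii;
};
$attributes['uid'] = array_map($stripDiacritics, $attributes['uid']);

// 4. Sanity check: log when a required attribute is still missing. Engine's
//    own ValidateRequiredAttributes step rejects the response in that case;
//    the log line gives the operator the context for why.
foreach (['uid', 'schacHomeOrganization'] as $required) {
    if (empty($attributes[$required])) {
        error_log("Attribute manipulation: required attribute $required is missing");
    }
}

print_r($attributes);
```

With the constructed input, uid becomes `john.doe`, mail is reduced to `john@example.org`, and schacHomeOrganization is added; groups is passed through untouched. Because this runs before ValidateRequiredAttributes, the check in step 4 only reports, it does not enforce: Engine still performs the real validation afterwards.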

Although it is possible to manipulate the NameID here, it is highly recommended NOT to do so (if needed, perform this manipulation on the OpenConext-SP side).

Attribute Manipulations for IdPs can only be created via ServiceRegistry (JANUS).

OpenConext-SP

The Attribute Manipulation is performed just after applying the Attribute Release Policy (ARP) and before creating a new NameID (if needed) and/or adding the OID variants of the attributes. The steps run in the following order:

  1. ValidateLicense;
  2. Add CO attributes (if any);
  3. AttributeReleasePolicy;
  4. AttributeManipulations;
  5. SetNameId (if transient or persistent);
  6. Add OID variants of attribute names.

The order is important and gives the following restrictions and possibilities:

  • License information is available.
  • The CO attributes are available.
  • The ARP must be set to allow the attributes needed for the manipulation.

(At the end of the manipulation, attributes that were needed as input but may not be passed on to the SP can be removed.)

  • When manipulating the NameID ($subjectId), set NameIDFormat to Unspecified (in the Metadata tab).
  • It is not possible to manipulate the attributes with the OID variant (the OID variants are added after the manipulation).
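An SP-side manipulation that changes the NameID and then removes attributes the SP may not receive, as an added example. This is not code from the OpenConext EngineBlock project. It assumes the manipulation body can read and assign `$attributes` (attribute name => list of values) and `$subjectId` (the NameID value, named as on this page). How a particular SP such as Google Apps wants its subjectId formed is not stated on this page, so the `uid@organization` form below is an illustrative choice, not Google Apps' actual requirement; the sample input is constructed.

```php
<?php
// Constructed sample of the state after the Attribute Release Policy has been
// applied. The ARP must already allow every attribute the manipulation reads
// (here: uid and schacHomeOrganization), otherwise they are not present.
$attributes = [
    'uid'                   => ['jdoe'],
    'schacHomeOrganization' => ['example.org'],
    'mail'                  => ['jdoe@example.org'],
];
$subjectId = 'urn:collab:person:example.org:jdoe'; // constructed placeholder

// Derive the NameID from the released attributes. For the changed value to
// reach the SP as-is, the SP's NameIDFormat must be set to Unspecified in the
// Metadata tab; SetNameId runs after this manipulation.
if (!empty($attributes['uid'][0]) && !empty($attributes['schacHomeOrganization'][0])) {
    $subjectId = $attributes['uid'][0] . '@' . $attributes['schacHomeOrganization'][0];
}

// Attributes that were only needed as input to the manipulation are removed
// at the end so they are not sent to the SP. OID variants are added by Engine
// after this step, so only the named variants need handling here. The list of
// attributes this SP should still receive is an assumed example.
$keepForSp = ['mail'];
foreach (array_keys($attributes) as $name) {
    if (!in_array($name, $keepForSp, true)) {
        unset($attributes[$name]);
    }
}

echo $subjectId, PHP_EOL;
print_r($attributes);
```

With the constructed input, `$subjectId` becomes `jdoe@example.org` and only `mail` is left in `$attributes`. The guard around the assignment matters: if the ARP does not release one of the inputs, the NameID is left unchanged rather than set to a half-formed value.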