[Freeipa-users] Extending IPA schema for Federation services.

Steven Jones Steven.Jones at vuw.ac.nz
Mon Mar 19 00:55:34 UTC 2012


Hi,


Is it possible to expand IPA's schema to do this?



===================

Your Identity Management System (IdMS) will very likely have most of the attributes asked for by the federation - or will have enough information to synthesize the specific attribute values on the fly inside the IdP. But for some attributes, the IdMS might not have enough information. The following information should be considered for adding into your IdMS:

  *   eduPersonEntitlement: The eduPersonEntitlement attribute is a storage container for values representing privileges to access resources within the federation. It is a multi-valued string attribute. The values will have the form of a URI - with specific values that are yet to be defined. The attribute definition details are (source: Attribute Recommendation 2.1 (PDF)<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, page 14):

Origin/ObjectClass:   eduPerson [eduPerson]
OID:                  1.3.6.1.4.1.5923.1.1.1.7
SAML attribute name:  urn:mace:dir:attribute-def:eduPersonEntitlement
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     Multiple
Example values:       eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
                      eduPersonEntitlement: http://publisher.example.com/contract/GL123

  *   auEduPersonSharedToken: The auEduPersonSharedToken uniquely identifies users when accessing certain resources - particularly within the computational grid and data grid. The values should be opaque, non-reassignable and persistent - and transferrable when a user moves between institutions. Even though the values are typically created as hash-values on first use, they MUST be stored and each institution must be ready to accept values users already have when coming from another institution. The attribute can be stored in either the IdMS directly (preferred) or in a database. The attribute definition details are (source: Attribute Recommendation 2.1 (PDF)<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, pages 9-10, with OID updated to correct value):

Origin/ObjectClass:   auEduPerson
OID:                  1.3.6.1.4.1.27856.1.2.5
SAML attribute name:  urn:mace:federation.org.au:attribute:auEduPersonSharedToken
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     Single
Example values:       ZsiAvfxa0BXULgcz7QXknbGtfxk

     *   See also the auEduPerson LDAP Schema Definition<https://wiki.caudit.edu.au/confluence/display/aafaueduperson/LDAP+Schema+Definitions> for exact LDAP definition snippets.

  *   eduPersonAssurance: This attribute represents the Levels of Assurance<https://tuakiri.ac.nz/confluence/display/Tuakiri/Levels+of+Assurance>. Either add the attribute into the IdMS directly, or start collecting enough information to synthesize the values later in a scripted attribute definition (like done for Affiliation below).  The attribute definition details are (source: Attribute Recommendation 2.1 (PDF)<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, page 13):

Origin/ObjectClass:   eduPerson
OID:                  1.3.6.1.4.1.5923.1.1.1.11
SAML attribute name:  urn:oid:1.3.6.1.4.1.5923.1.1.1.11
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     Multiple
Example values:       See AAF IdentityLoA Vocabulary

=====================



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
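The question is whether the three attributes quoted above can be added to IPA's schema. FreeIPA's backend is 389-ds, whose schema is held in cn=schema and accepts RFC 4512 attributeTypes and objectClasses definitions through an ordinary LDAP modify. The script below is an added example, not part of the mail and not FreeIPA code: it parses the three attribute tables as quoted into attribute type descriptions, validates the OIDs (a bracketed syntax OID that does not match the quoted syntax name, such as the attribute's own OID pasted into the bracket, is detected and replaced with the directoryString OID from RFC 4517), wraps the attributes in auxiliary object classes, and emits an LDIF for cn=schema. Assumptions: the eduPerson objectClass OID 1.3.6.1.4.1.5923.1.1.2 is the published one; the auEduPerson objectClass OID is left as a placeholder to be taken from the auEduPerson schema page linked above; caseExactMatch for the shared token is my choice because the value is opaque; the functions parse_recommendation, attribute_type, object_class, schema_ldif and build are names introduced here.

```python
"""Turn the attribute tables quoted in the mail into RFC 4512 schema
definitions and an LDIF that adds them to cn=schema of a 389-ds based
directory such as FreeIPA.  Added example, not FreeIPA's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Syntax OIDs from RFC 4517.  The recommendation names directoryString for
# every attribute, so the syntax *name* is treated as authoritative and the
# bracketed OID is only checked against it.
SYNTAX_OIDS = {"directorystring": "1.3.6.1.4.1.1466.115.121.1.15"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# "Key:   value" rows; the key may lack its colon (as one row in the mail does)
FIELD_RE = re.compile(r"^\s*([A-Za-z/ ]+?):?\s{2,}(\S.*?)\s*$")


@dataclass
class AttrDef:
    name: str
    oid: str
    syntax: str
    single_value: bool
    origin: str
    equality: str = "caseIgnoreMatch"
    warnings: List[str] = field(default_factory=list)


def parse_recommendation(name: str, block: str,
                         equality: str = "caseIgnoreMatch") -> AttrDef:
    """Parse one 'Origin/ObjectClass ... Number of values' table."""
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    oid = fields["OID"].strip()
    if not OID_RE.match(oid):
        raise ValueError(f"{name}: bad attribute OID {oid!r}")
    syntax_name, _, bracket = fields["LDAP syntax"].partition("[")
    syntax = SYNTAX_OIDS[syntax_name.strip().lower()]
    warnings: List[str] = []
    quoted = bracket.rstrip("]").strip()
    if quoted and quoted != syntax:
        warnings.append(f"{name}: syntax OID {quoted} replaced by {syntax}")
    single = fields["Number of values"].strip().lower().startswith("single")
    origin = fields["Origin/ObjectClass"].split()[0]
    return AttrDef(name, oid, syntax, single, origin, equality, warnings)


def attribute_type(a: AttrDef) -> str:
    """RFC 4512 AttributeTypeDescription; X-ORIGIN is a 389-ds extension."""
    parts = [a.oid, f"NAME '{a.name}'", f"EQUALITY {a.equality}",
             f"SYNTAX {a.syntax}"]
    if a.single_value:
        parts.append("SINGLE-VALUE")
    parts.append(f"X-ORIGIN '{a.origin}'")
    return "( " + " ".join(parts) + " )"


def object_class(name: str, oid: str, may: List[str]) -> str:
    """Auxiliary class, so it can be added to existing user entries
    without touching their structural objectClass."""
    return f"( {oid} NAME '{name}' AUXILIARY MAY ( {' $ '.join(may)} ) )"


def schema_ldif(attrs: List[str], classes: List[str]) -> str:
    """LDIF modify for cn=schema, to be applied as Directory Manager."""
    lines = ["dn: cn=schema", "changetype: modify", "add: attributeTypes"]
    lines += [f"attributeTypes: {a}" for a in attrs]
    lines += ["-", "add: objectClasses"]
    lines += [f"objectClasses: {c}" for c in classes] + ["-", ""]
    return "\n".join(lines)


# Attribute tables as pasted in the mail.  The shared-token block carries a
# wrong bracketed syntax OID (the attribute OID pasted into the bracket, an
# easy transcription slip) so that the check above is exercised.
ENTITLEMENT = """
Origin/ObjectClass:   eduPerson [eduPerson]
OID:                  1.3.6.1.4.1.5923.1.1.1.7
SAML attribute name:  urn:mace:dir:attribute-def:eduPersonEntitlement
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     Multiple
"""
SHARED_TOKEN = """
Origin/ObjectClass:   auEduPerson
OID:                  1.3.6.1.4.1.27856.1.2.5
SAML attribute name   urn:mace:federation.org.au:attribute:auEduPersonSharedToken
LDAP syntax:          directoryString [1.3.6.1.4.1.27856.1.2.5]
Number of values:     Single
"""
ASSURANCE = """
Origin/ObjectClass:   eduPerson
OID:                  1.3.6.1.4.1.5923.1.1.1.11
SAML attribute name:  urn:oid:1.3.6.1.4.1.5923.1.1.1.11
LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values:     multiple
"""


def build() -> Dict[str, object]:
    ent = parse_recommendation("eduPersonEntitlement", ENTITLEMENT)
    # Opaque, case-sensitive token: match exactly (my choice, not from the spec).
    tok = parse_recommendation("auEduPersonSharedToken", SHARED_TOKEN,
                               equality="caseExactMatch")
    loa = parse_recommendation("eduPersonAssurance", ASSURANCE)
    attrs = {a.name: attribute_type(a) for a in (ent, tok, loa)}
    edu = object_class("eduPerson", "1.3.6.1.4.1.5923.1.1.2", [ent.name, loa.name])
    # Placeholder: take the real OID from the auEduPerson LDAP schema page.
    au = object_class("auEduPerson", "OID-FROM-AUEDUPERSON-SCHEMA", [tok.name])
    return {"attributeTypes": attrs,
            "warnings": ent.warnings + tok.warnings + loa.warnings,
            "ldif": schema_ldif(list(attrs.values()), [edu, au])}


if __name__ == "__main__":
    result = build()
    print("\n".join(result["warnings"]))
    print(result["ldif"])
```

Before loading the LDIF, replace the placeholder objectClass OID, then run ldapsearch against cn=schema on the IPA master to check whether an eduPerson definition is already present (389-ds ships an eduPerson schema file in some versions; adding an attributeTypes value whose OID already exists is rejected). Load it with ldapmodify as Directory Manager (ldapmodify -x -D "cn=Directory Manager" -W -f schema.ldif); cn=schema changes on 389-ds are replicated, so verify on the other masters as well. A quick functional check afterwards is ipa user-mod with --addattr objectclass=eduPerson and --addattr eduPersonEntitlement=... on a test user.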




