Hi Andy, (and list)
Bit tied up at the moment, will reply properly tomorrow to your questions. Need to think a bit as well before I answer!
Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc
T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
> On 28 Jun 2017, at 15:26, Andy Swiffin (Staff) <[log in to unmask]> wrote:
>
> I’m currently on the Liberate webinar. I was hoping there might be a bit more technical content, as we need to know how and whether Liberate could consume what we have in order to do what we need.
>
> I’m ccing this to the Shib discussion list as I suspect there may be some here who would also like to know and a public discussion may be useful.
>
> Liberate needs to generate the 3 main attributes ePSA, ePTID and ePe (obviously)
>
> ePSA: We currently use scripts in resolver to generate the Staff/Student/Member based on an ldap attribute.
> For example, to generate the student value we do:
>
> // dUNUNIaccountTypeValue and status hold the string values of the two LDAP
> // attributes, extracted earlier in the same resolver script.
> // Account types that count as a student...
> if ((dUNUNIaccountTypeValue == "UG") || (dUNUNIaccountTypeValue == "PG-Taught") || (dUNUNIaccountTypeValue == "PG-Research"))
> {
>     // ...combined with a status code that means the account is currently active
>     if ((status == "C") || (status == "P1") || (status == "XB") || (status == "PE") || (status == "CO") || (status == "X") || (status == "CT"))
>     {
>         // every student is also a member
>         eduPersonAffiliation.getValues().add("student");
>         eduPersonAffiliation.getValues().add("member");
>     }
> }
>
> How will Liberate do it?
>
> ePTID: Will Liberate be able to retain our existing values so that users don’t lose their customisation?
>
> ePe: This is the complicated one. Mostly it’s just a single value, so easy enough. But what about Talis reading lists? This is a multi-valued ePe: one single-line string for the students and multiple values, one for each staff reading list. Currently we store both in separate string attributes. For the staff one, we have a string attribute which is semicolon-separated values. The IdP then tokenises that in a resolver script and pushes the values into ePe, viz:
>
> // Only release the Talis reading-list entitlements to the Talis SP
> if (requestContext.getPeerEntityId() == "https://login.talisaspire.com/entity")
> {
>     // Staff: a single LDAP string attribute holding ';'-separated entitlements,
>     // released as one ePe value per token
>     if ((typeof dUNUNItalisePeStaff != "undefined") && (dUNUNItalisePeStaff.getValues().size() > 0))
>     {
>         var stafftalisepe = dUNUNItalisePeStaff.getValues().get(0);
>         var talisentitlement = stafftalisepe.split(";");
>         for (var i = 0; i < talisentitlement.length; i++)
>         {
>             eduPersonEntitlement.getValues().add(talisentitlement[i]);
>         }
>     }
>     // Student: a single entitlement string, released as-is
>     if ((typeof dUNUNItalisePeStudent != "undefined") && (dUNUNItalisePeStudent.getValues().size() > 0))
>     {
>         var studenttalisepe = dUNUNItalisePeStudent.getValues().get(0);
>         eduPersonEntitlement.getValues().add(studenttalisepe);
>     }
> }
>
> Can Liberate do this? Or what else would we have to do to be able to do this?
>
> We authenticate users who enter either cn or upn in the login box; can Liberate do this? (We found many users entering upn, as they do for O365, after we migrated to Azure.) If only one of them, we would want to use only upn for authentication now.
>
> BTW, we aren’t authenticating or providing attributes from AD (which we keep very clean of unnecessary data) but from an AD LDS instance (actually a pair) which has userProxyFull objects (not user, so it can do proxy authentication to AD). Can Liberate do this?
>
> I think I heard it said in the webinar that you can also take any other LDAP attribute (givenName, sn, employeeID) and punt those out in an assertion. We’re probably going to move the things that need this kind of thing somewhere else, but just in case, can you confirm this?
>
> Andy Swiffin
> Dundee
>
>
>
> The University of Dundee is a registered Scottish Charity, No: SC015096
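The two resolver scripts quoted in the message above (the ePSA mapping from account type and status, and the Talis ePe tokenisation) are the release logic any replacement would have to reproduce. The block below is an added example and is not code from this thread, from Jisc, from Dundee or from the Liberate product: it re-expresses both pieces of logic as plain JavaScript functions that run under Node.js, so the rules can be unit-tested outside the IdP before and after a migration. It goes a little beyond the original scripts (an assumption, not what they do): it trims whitespace around each token, drops the empty value a trailing or doubled ';' would otherwise release, and de-duplicates. The function names, that edge-case handling and the sample records are assumptions; the account types, status codes and Talis entityID are taken from the quoted scripts.

```javascript
// Added example, not from the original thread. Plain-JavaScript model of the
// Shibboleth IdP v2 resolver logic quoted above, so it can be unit-tested
// outside the IdP. Function names, edge-case handling and the sample records
// are assumptions; the account types, status codes and entityID come from
// the original scripts.

// Account types and status codes the original script treats as an active student.
const STUDENT_ACCOUNT_TYPES = new Set(["UG", "PG-Taught", "PG-Research"]);
const ACTIVE_STUDENT_STATUSES = new Set(["C", "P1", "XB", "PE", "CO", "X", "CT"]);

// SP entityID the Talis reading-list entitlements are restricted to (from the original script).
const TALIS_ENTITY_ID = "https://login.talisaspire.com/entity";

// Derive the eduPersonAffiliation values for one directory record.
// Mirrors the quoted script: a student is also a member; any other record
// yields nothing here (the staff branch is in a part of the script not quoted).
function deriveAffiliations(record) {
  const affiliations = [];
  if (STUDENT_ACCOUNT_TYPES.has(record.dUNUNIaccountTypeValue) &&
      ACTIVE_STUDENT_STATUSES.has(record.status)) {
    affiliations.push("student", "member");
  }
  return affiliations;
}

// Split a ';'-separated entitlement string into individual values.
// Goes beyond the original script (assumption): trims whitespace, drops the
// empty token a trailing or doubled ';' would produce, and de-duplicates.
function tokeniseEntitlements(raw) {
  if (typeof raw !== "string") {
    return []; // attribute absent in the directory, like the typeof guard in the script
  }
  const seen = new Set();
  for (const token of raw.split(";")) {
    const value = token.trim();
    if (value !== "") {
      seen.add(value);
    }
  }
  return Array.from(seen);
}

// Build the eduPersonEntitlement values to release to the SP identified by
// peerEntityId. Only the Talis SP gets the reading-list entitlements; every
// other peer gets an empty list from this function.
function deriveEntitlements(peerEntityId, record) {
  if (peerEntityId !== TALIS_ENTITY_ID) {
    return [];
  }
  const values = [];
  // Staff: one string attribute holding several ';'-separated entitlements.
  for (const v of tokeniseEntitlements(record.dUNUNItalisePeStaff)) {
    values.push(v);
  }
  // Student: a single entitlement string.
  for (const v of tokeniseEntitlements(record.dUNUNItalisePeStudent)) {
    if (!values.includes(v)) {
      values.push(v);
    }
  }
  return values;
}

// Constructed sample records (not real directory data).
const SAMPLE_RECORDS = {
  ugStudent: {
    dUNUNIaccountTypeValue: "UG",
    status: "C",
    dUNUNItalisePeStudent: "urn:example:talis:student",
  },
  leaverStudent: {
    dUNUNIaccountTypeValue: "PG-Taught",
    status: "L", // not in the active-status list, so no student affiliation
  },
  staffWithLists: {
    dUNUNIaccountTypeValue: "Staff",
    status: "C",
    // trailing ';' and a stray space, as a hand-maintained directory value might have
    dUNUNItalisePeStaff: "urn:example:talis:list:1; urn:example:talis:list:2;",
  },
};

// Stand-alone run: show what each sample record would release to the Talis SP.
for (const [name, record] of Object.entries(SAMPLE_RECORDS)) {
  console.log(name, {
    affiliations: deriveAffiliations(record),
    talisEntitlements: deriveEntitlements(TALIS_ENTITY_ID, record),
  });
}
```

Keeping the rules in pure functions like these means the same test cases can be run against the old IdP's script and against whatever a replacement service produces, which is the practical way to check that a migration preserves the release behaviour rather than only that it "works" for one test user.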