Management UI Attribute Mappings - SSO
Attribute Mapping enables the transformation of attribute names and values from authentication methods. It is possible to change the case of existing attributes and also create arbitrary attributes based on logical queries about the presence or absence of method attributes and method attribute values.
Using Attribute Mappings it is also possible to perform conversion of the Finnish electronic client identifier (sähköinen asiointitunnus, SATU) to a personal identity number (henkilötunnus, HETU) via the Finnish Population Register using the vtjkysely system.
An example use of attribute mapping is for the harmonization of attribute names and data formats across different authentication methods. For example, the TUPAS authentication method sends a customer's personal identity number in a field called CUSTID when the value of CUSTTYPE is 01. If the value of CUSTTYPE is 03, the CUSTID contains a company number (y-tunnus). Using Attribute Mapping, it is possible to configure a set of rules so that customer numbers are passed to applications in a field called "hetu", and company numbers are in a field called "y-tunnus".
It is also possible to get a person's Finnish electronic client identifier (sähköinen asiointitunnus, SATU) from a Finnish Identity Card (HST-kortti) using the Ubisecure Certificate Authentication provider. This number can then be converted to a personal identity number (henkilötunnus, HETU) via the Finnish Population Register using the vtjkysely system.
Figure 1 shows an example of how attributes from different authentication providers can be mapped and transformed using Method Attribute Mapping. In the case shown, citizens' personal identity numbers are presented to an application in a consistent variable called 'hetu', regardless of whether they have authenticated using a Finnish Identity Card or using their bank. Similarly, company numbers are detected and presented in a field called "y-tunnus".
Figure 1: Method Attribute Mapping example
Another common use for method attribute mapping is the mapping of federated identity data.
For simple Authentication Method attribute renaming, an Authorization Policy can be used. Authorization Policies determine which user attributes are passed to Web Applications. It is also possible to rename method attributes using the method tag, as described in Management UI site methods - SSO.
The attribute mappings screen (Home, Attribute Mappings) presents a list of method attribute mapping tables.
Figure 2: Attribute Mappings list
- New Mapping: Create a new method attribute mapping table
- Delete Mapping: Delete selected method attribute mapping tables
- Method attribute mapping table: The method attribute mapping table configuration view may be opened by clicking the name of a method attribute mapping table in the list.
Main View
Figure 3: Attribute Mappings main view
- Name: Name of the method attribute mapping table
- Description: Description of the method attribute mapping table
- Update: Update the modified description
- New: Create a new method attribute mapping table
- Delete: Delete the method attribute mapping table
- Rename: Rename the method attribute mapping table
Attributes View
Figure 4: Attribute Mappings Attributes view
Attributes view shows the contents of a method attribute mapping table. Each entry of the attribute mapping table consists of a name, a value, and an optional precondition.
- Attribute Mapping Entry: Click a method attribute mapping entry to edit its values.
- Name: Name defines the name of the attribute to be set.
- Value: Value may be a constant string, a method attribute enclosed in curly braces, or a combination of the two. Method attribute names enclosed in curly braces are replaced with the corresponding method attribute values. The final attribute value is the concatenation of the constant strings and the replaced method attribute values. Curly braces may also contain an operation defined by a prefix. The syntax and supported prefixes are described below.
- Prefix-syntax: Entries may contain strings of the following form: {prefix:value}. The prefix defines the operation to be performed on the value, which in turn may be a string, a method attribute, or another operation. If the prefix is omitted, method is assumed as the default.
- Supported prefixes:
  - method: Value refers to a method attribute. The entry is replaced with the value of the named method attribute. If no prefix is defined, the default is method. For example, {method:CUSTID} and {CUSTID} both refer to the value of the method attribute CUSTID.
  - uppercase: Value is transformed to upper case. For example, {uppercase:{CUSTNAME}} is replaced with the value of the method attribute CUSTNAME transformed to upper case.
  - lowercase: Value is transformed to lower case. For example, {lowercase:{CUSTNAME}} is replaced with the value of the method attribute CUSTNAME transformed to lower case.
  - vtj: Used only for Finnish identity number conversion. Value must be satuhetu. The entry is replaced with the result of a satu-hetu query. The authentication method used must be assigned a satu-hetu configuration and must have resolved the user's certificate. Please refer to the Ubisecure Certificate or ETSI MSSP Authentication method documentation for more information about configuring it. For example, {vtj:satuhetu} is replaced with the result of the satu-hetu query.
- Precondition (optional): A precondition may be defined for setting an attribute. The precondition syntax follows the LDAP search filter syntax. Please refer to RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt) for a specification of the LDAP search filter syntax.
  Supported logical connectors are AND (&), OR (|), and NOT (!). The equality (=) symbol is the only supported matching operator. The value may be a constant string or an asterisk (*) symbol. The asterisk represents all non-empty values. Attribute names and values are case-sensitive and must not contain any of the following characters: "&", "|", "!", "=", "(", and ")". Please refer to the authentication methods documentation for information about the attributes set by specific methods.
  Example: CUSTTYPE=01 is the simplest possible precondition. It consists of a single method attribute name CUSTTYPE, an equality operator, and the value 01. The precondition evaluates successfully if the value of the method attribute CUSTTYPE is exactly 01. More complex preconditions may be constructed with the logical operators. For example, the precondition (|(CUSTTYPE=01)(CUSTTYPE=02)) evaluates successfully if the value of the method attribute CUSTTYPE is either 01 or 02.
- Add: Create a new attribute mapping entry
- Remove: Remove selected attribute mapping entries
Methods View
Figure 5: Attribute Mappings Methods view
The Methods view shows the list of available authentication methods. The selected methods are assigned the current method attribute mapping table. Each method may be assigned at most one attribute mapping table at a time; therefore assigning a mapping table to a method replaces the previous assignment.
- Update: Assign the method attribute mapping table to the selected authentication methods.