Attribute Mappings - Management UI

Attribute Mapping enables the transformation of attribute names and values from authentication methods. It is possible to change the case of existing attributes and also create arbitrary attributes based on logical queries about the presence or absence of method attributes and method attribute values.

Using Attribute Mappings it is also possible to perform conversion of the Finnish electronic client identifier (sähköinen asiointitunnus, SATU) to a personal identity number (henkilötunnus, HETU) via the Finnish Population Register using the vtjkysely system.

An example use of attribute mapping is for the harmonization of attribute names and data formats across different authentication methods. For example, the TUPAS authentication method sends a customer's personal identity number in a field called CUSTID when the value of CUSTTYPE is 01. If the value of CUSTTYPE is 03, the CUSTID contains a company number (y-tunnus). Using Attribute Mapping, it is possible to configure a set of rules so that customer numbers are passed to applications in a field called "hetu", and company numbers are in a field called "y-tunnus".

It is also possible to get a person's Finnish electronic client identifier (sähköinen asiointitunnus, SATU) from a Finnish Identity Card (HST-kortti) using the Ubisecure Certificate Authentication provider. This number can then be converted to a personal identity number (henkilötunnus, HETU) via the Finnish Population Register using the vtjkysely system.

Figure 1 shows an example of how attributes from different authentication providers can be mapped and transformed using Method Attribute Mapping. In the case shown, the personal identity number of citizens are presented to an application in a consistent variable called 'hetu', regardless of whether they have authenticated using a Finnish Identity Card or using their bank. Similarly, company numbers are detected and presented in a field called "y-tunnus".

Figure 1: Method Attribute Mapping example

Another common use for method attribute mapping is the mapping of federated identity data.

For simple Authentication Method attribute renaming, an Authorization Policy can be used. Authorization Policies determine which user attributes are passed to Web Applications. It is also possible to rename method attributes using the method tag, as described in Site Methods.

The attribute mappings screen (Home, Attribute Mappings) presents a list of method attribute mapping tables.

Figure 2: Attribute Mappings list
  • New Mapping
    Create a new method attribute mapping table
  • Delete Mapping
    Delete selected method attribute mapping tables
  • Method attribute mapping table
    Method attribute mapping table configuration view may be opened by clicking the name of method attribute mapping table in the list.

Main View

Figure 3: Attribute Mappings main view
  • Name 
    Name of the method attribute mapping table
  • Description 
    Description of the method attribute mapping table
  • Update
    Update the modified description
  • New
    Create a new method attribute mapping table
  • Delete
    Delete the method attribute mapping table
  • Rename
    Rename the method attribute mapping table

Attributes View

Figure 4: Attribute Mappings Attributes view

Attributes view shows the contents of a method attribute mapping table. Each entry of the attribute mapping table consists of a name, a value, and an optional precondition.

  • Attribute Mapping Entry
    Click a method attribute mapping entry to edit values
  • Name
    Name defines the name of an attribute to be set.
  • Value
    Value may be a constant string, a method attribute enclosed in curly braces, or a combination. Method attribute names enclosed in curly braces are replaced with corresponding method attribute values. Final attribute value is a concatenation of constant strings and replaced method attribute values. Curly braces may also contain an operation defined by a prefix. Syntax and supported prefixes are described below.
    • Prefix-syntax
      Entries may contain strings of following form: {prefix:value} Prefix defines the operation to be performed for value, which in turn may be a string, a method attribute, or an operation. If prefix is omitted, method is assumed as a default.
    • Supported prefixes
      • method
        Value refers to a method attribute. Entry is replaced with value of defined method attribute. If no prefix is defined, default is method. For example, {method:CUSTID} and {CUSTID} both refer to value of method attribute CUSTID.
      • uppercase
        Value is transformed to upper case. For example, {uppercase:{CUSTNAME}} is replaced with value of method attribute CUSTNAME transformed to uppercase.
      • lowercase
        Value is transformed to lower case. For example, {lowercase:{CUSTNAME}} is replaced with value of method attribute CUSTNAME transformed to lowercase.
      • vtj
        Used only for Finnish identity number conversion. Value must be satuhetu. Entry is replaced with a result of a satu-hetu query. The utilized authentication method must be assigned with a satu-hetu-configuration and must have resolved the user's certificate. Please refer to Ubisecure Certificate or ETSI MSSP Authentication method documentation for more information about configuring soso. For example, {vtj:satuhetu} is replaced with result of satu-hetu query.
  • Precondition (optional)
    Precondition may be defined for setting an attribute. Precondition syntax follows the LDAP search filter syntax. Please refer to RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt) for a specification of the LDAP search filter syntax.
    Supported logical connectors include AND (&), OR (|), and NOT (!). Equality (=) symbol is the only supported matching operator. The value may be a constant string or an asterisk (*) symbol. Asterisk represents all non-empty values. Attribute names and values are case-sensitive, and must not contain any of the following characters: "&", "|", "!", "=", "(", and ")". Please refer to the authentication methods documentation for information about the attributes set by specific methods.
    Example: CUSTTYPE=01 represents a simplest possible precondition. It consists of a single method attribute name CUSTTYPE, an equality operator, and a value 01. Precondition evaluates successfully if the value of method attribute CUSTTYPE is exactly 01. More complex preconditions may be constructed with logical operators. For example, precondition (|(CUSTTYPE=01)(CUSTTYPE=02)) evaluates successfully if the value of method attribute CUSTTYPE is either 01 or 02.
  • Add
    Create a new attribute mapping entry
  • Remove
    Remove selected attribute mapping entries

Methods View

Figure 5: Attribute Mappings Methods view

Methods view shows the list of available authentication methods. Selected methods are assigned with the current method attribute mapping table. Each method may be assigned with at most one attribute mapping table at a time. Therefore assigning a mapping table for a method replaces the previous assignment.

  • Update
    Assign the method attribute mapping table with the selected authentication methods.