Attribute Provider API Hosting
SWITCH offers Attribute Provider API hosting as an add-on service for edu-ID. SWITCH implements and operates the AP-API for a client organization. The hosted AP-API responds to requests from the Attribute Aggregator. The user data is fetched directly from the directory of the organization.
SWITCH supports the following types of directories:
- LDAP-based directory (e.g. Active Directory, OpenLDAP, etc.)
- SQL-based database (e.g. PostgreSQL, MySQL/MariaDB, MS SQL Server, etc.)
- Microsoft Azure AD via Graph API
General Recommendations and Requirements
Generally, access to the directory should be limited to the following IP addresses:
- The LDAP directory needs to support encrypted LDAP connections via TLS/STARTTLS
- A dedicated service account is required for the AP-API
- The service account needs read-only access to all attributes that are required for the edu-ID affiliation.
- Access to other attributes, especially confidential attributes like password-hashes or other credentials, should be forbidden if possible.
- The AP-API will do all queries to the LDAP directory using the service account. (No BIND operations take place for regular users.)
- The LDAP directory needs to provide all information required to generate all edu-ID affiliation attributes supported by the client organization.
- The directory needs to provide an identifier that corresponds to the "swissEduPersonUniqueID" attribute (e.g. mS-DS-ConsistencyGuid).
- The database needs to support encrypted connections via TLS/STARTTLS
- A dedicated database user is required for the AP-API
- This database user needs read-only access to all data/tables/views that are required for the edu-ID affiliation.
- The AP-API will do all queries to the database using this database user.
- It's recommended to provide a dedicated view for the AP-API to access the required data. This simplifies the SQL queries and limits the data that is accessible.
- The database needs to provide all information required to generate all edu-ID affiliation attributes supported by the client organization.
- The database needs to provide an identifier that corresponds to the "swissEduPersonUniqueID" attribute.
- To configure the attribute provider API via the Graph API the following data is needed:
- A list of those attributes that should be used in affiliations.
- A dedicated technical AAD application is required for the Attribute Provider API with read-only permissions to the required attributes. The application client needs the following permissions: User.Read
- A description of how certain attributes like the eduPersonAffiliation attribute can be mapped/derived/calculated from information retrieved via the Graph API (e.g. if a Graph API user has value x in attribute y, then assign 'student' and 'member' as eduPersonAffiliation values).
- The organization has to define an identifier from which the "swissEduPersonUniqueID" attribute can be derived, or which extension attribute contains its value. In some cases ObjectID ("id") may be suitable for this purpose. For existing swissEduPersonUniqueID values, a mapping can be used.
- It has to be known what happens if users are deleted/deactivated and how this can be detected using the attributes/claims.
An important task of the hosted Attribute Provider API is mapping the attributes in the directory to SWITCHaai compliant attributes. This mapping has to be developed by SWITCH together with the identity management staff at the university.
- In many cases the minimal set of personal attributes is sufficient. According to the core attribute specification these are: First name, last name, organizational email address, role (student|staff|faculty|alum|affiliate) and an identifier.
- The organization has to set an identifier that will never change for a member, and that will never be reused for another member of the organization. Existing affiliations will be queried by this identifier.
For the Attribute Provider API hosting we need to know:
- How attribute values are generated or mapped in case they are not available directly in the user directory, e.g. how the swissEduPersonUniqueID identifier is generated, or on what basis the values for eduPersonAffiliation (staff, student, faculty, affiliate) have to be set.
- How to detect that a user record is deleted or disabled.
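The mapping and the deleted/disabled check described above, as an added example that is not SWITCH's code: it maps one Active Directory style record to the minimal attribute set through an explicit allow-list, so confidential attributes never leave the directory layer. The rule table, the use of `employeeType` and `userAccountControl`, the scope `example.org`, the identifier format and the sample record are all assumptions made for illustration.

```python
import uuid

SCOPE = "example.org"  # assumption: the organization's scope/domain

# Assumption: affiliation is derived from the directory attribute "employeeType".
# Rule shape follows the text: value x in attribute y -> eduPersonAffiliation values.
AFFILIATION_RULES = {
    "student": ["student", "member"],
    "staff": ["staff", "member"],
    "professor": ["faculty", "member"],
    "alumni": ["alum"],
    "guest": ["affiliate"],
}
ACCOUNTDISABLE = 0x2  # Active Directory userAccountControl flag for a disabled account


def is_active(record):
    """A user counts as active only if the record exists and is not disabled."""
    if record is None:  # deleted: the lookup by identifier returned nothing
        return False
    return not (int(record.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def map_record(record):
    """Return the mapped attributes, or None for a deleted/disabled user."""
    if not is_active(record):
        return None
    affiliations = AFFILIATION_RULES.get(record.get("employeeType", "").lower())
    if not affiliations:
        raise ValueError("no affiliation rule matches this record")  # fail closed
    # Assumption: the identifier is the GUID in AD byte order plus the scope.
    guid = uuid.UUID(bytes_le=record["mS-DS-ConsistencyGuid"])
    # Explicit allow-list: nothing else from the record is copied to the output.
    return {
        "givenName": record["givenName"],
        "surname": record["sn"],
        "mail": record["mail"],
        "eduPersonAffiliation": affiliations,
        "swissEduPersonUniqueID": f"{guid}@{SCOPE}",
    }


# Constructed sample record; "unicodePwd" stands in for a confidential attribute
# the service account should not be able to read in the first place.
SAMPLE = {
    "givenName": "Ada", "sn": "Muster", "mail": "ada.muster@example.org",
    "employeeType": "Student", "userAccountControl": "512",
    "mS-DS-ConsistencyGuid": bytes(range(16)), "unicodePwd": b"constructed",
}
```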