Additional required features for IAM webservices
Additional required features
To be able to scale administration in BiomedIT, we need to automate the process by which an external, authenticated and authorised user is integrated into the ETH network and gains access to our secure LeoMed infrastructure.
It is also crucial that AD and LDAPS behave identically in terms of the data they contain. In particular, the mail attribute in AD must be identical to the (usually external) email address (details below).
Use case
- people from outside ETH, authenticated via Switch Edu ID
- authorised via BiomedIT portal
- typically, those people have an external email address and don't need a mailbox
- those people get an account in both Active Directory and LDAPS
- the account is part of one or many security groups
- our systems use Active Directory and LDAPS as the primary source of information, in particular the attributes sn (surname), givenName and mail
- external people should not have a mailbox with forward, otherwise their mail attribute will change to an ETH address
- the mentioned security groups can be used as a mailing list to inform users about expected or unexpected downtimes, etc.; to achieve this, the users must be mail enabled.
General additional functionalities
- create guests (identity and username, see below)
- update guests (see below)
- extend the validity of a guest account (e.g. + year from today)
- assign/remove user to/from a network realm
- set the password for VPN service
Active Directory
- it should be possible to set the mail attribute (i.e. the external/outbound email address) on personas
- the mail attribute should also be propagated to AD
- once the mail attribute is given, a so-called mail-enabled user should be created
- attributes needed for a mail-enabled user with an external/outbound email address:
  mail=some.person@external.com
  mailNickname=sAMAccountName (username)
  proxyAddresses=SMTP:some.person@external.com
  proxyAddresses=smtp:username@ethz.ch
  targetAddress=SMTP:some.person@external.com
  msExchRecipientTypeDetails=128
- attributes needed for a mail-enabled user with an internal/inbound email address:
  mail=username@ethz.ch
  mailNickname=sAMAccountName (username)
  proxyAddresses=SMTP:username@ethz.ch
  altRecipient=CN=username,OU=ETHUsers,DC=d,DC=ethz,DC=ch
  msExchRecipientTypeDetails=128
- if the user or persona has neither a Mailbox service granted nor an email address pointing to another mailbox, then the mail attribute and all other attributes above must not be present
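As an added example (not part of this requirements page or of any ETH service), the following Python encodes the three cases above (external address, internal address, no mail service) and checks that an AD entry and its LDAPS twin agree on sn, givenName and mail. The recipient type value 128 and the OU=ETHUsers DN suffix come from the page; the function names and the sample username jdoe are assumptions.

```python
# Added example: build the AD attribute set for a guest persona and detect drift
# between AD and LDAPS. Constants below are taken from the requirements text.
MAIL_ENABLED_USER = "128"                 # msExchRecipientTypeDetails for a mail-enabled user
ETH_DOMAIN = "ethz.ch"
USER_BASE_DN = "OU=ETHUsers,DC=d,DC=ethz,DC=ch"
MAIL_ATTRS = ("mail", "mailNickname", "proxyAddresses", "targetAddress",
              "altRecipient", "msExchRecipientTypeDetails")


def mail_enabled_attributes(username, external_mail=None, internal_mailbox=False):
    """AD attributes for a guest; {} when the persona must not be mail enabled."""
    if external_mail and internal_mailbox:
        raise ValueError("a persona points to one mailbox, not two")
    if external_mail:                      # external/outbound address
        return {
            "mail": external_mail,
            "mailNickname": username,      # sAMAccountName
            "proxyAddresses": [f"SMTP:{external_mail}",
                               f"smtp:{username}@{ETH_DOMAIN}"],
            "targetAddress": f"SMTP:{external_mail}",
            "msExchRecipientTypeDetails": MAIL_ENABLED_USER,
        }
    if internal_mailbox:                   # internal/inbound address
        internal = f"{username}@{ETH_DOMAIN}"
        return {
            "mail": internal,
            "mailNickname": username,
            "proxyAddresses": [f"SMTP:{internal}"],
            "altRecipient": f"CN={username},{USER_BASE_DN}",
            "msExchRecipientTypeDetails": MAIL_ENABLED_USER,
        }
    return {}                              # neither: no mail attributes at all


def mail_inconsistencies(ad_entry, ldaps_entry):
    """Report where an AD entry and its LDAPS twin disagree on identity data."""
    problems = []
    for attr in ("sn", "givenName", "mail"):
        if ad_entry.get(attr) != ldaps_entry.get(attr):
            problems.append(f"{attr} differs: AD={ad_entry.get(attr)!r} "
                            f"LDAPS={ldaps_entry.get(attr)!r}")
    ad_mail = ad_entry.get("mail")
    if ad_mail is None:                    # not mail enabled: nothing Exchange-related may remain
        stray = [a for a in MAIL_ATTRS if a in ad_entry]
        if stray:
            problems.append(f"not mail enabled but carries {stray}")
    else:                                  # primary SMTP address must match mail exactly
        primary = [p for p in ad_entry.get("proxyAddresses", []) if p.startswith("SMTP:")]
        if primary != [f"SMTP:{ad_mail}"]:
            problems.append(f"primary SMTP address {primary} does not match mail {ad_mail!r}")
    return problems
```

Running mail_inconsistencies periodically over exported AD and LDAPS entries catches the case the page warns about: a forwarding mailbox silently turning an external guest's mail attribute into an ETH address.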
Creating and updating guests in more detail:
- get & update: information for guest accounts:
  - firstname
  - familyname
  - title
  - description
  - host_organization (e.g. "T6005" == Total ID Scientific IT Services)
  - host_npid (ref to host identity)
  - mail_technical_contact
  - admin_group (e.g. "ID SIS")
  - valid_until (e.g. "2021-12-31")
  - valid_from (e.g. "2021-01-01")
  - notification (some enum values, e.g. "guest, host")
- create user: additional information
  - (all of the above)
  - date_of_birth: this attribute is currently mandatory in the GUI. Can we have this non-mandatory?
  - username
  - password
Note: the attributes above do not necessarily reflect the attributes required/provided by the webservice.