2. The Org Identity Object

Because people in COmanage are represented by CO Person objects, it is helpful to link these objects to external representations - representations of the person in other contexts outside of COmanage (including real life!) These representations include attributes and information about the person related to the other context. In COmanage, these external representations are captured in Org Identity objects, and are connected to Sources or Systems of Record.

The attributes (information) stored in Org Identity objects typically include

  • List of names - same as for CO Person
  • Personal information about the person
    • Date of birth
    • Affiliation (eduPerson)
    • Source organization, department, and title
  • Validity dates: from and through
  • List of identifiers
  • List of email addresses - same as for CO Person
  • List of physical addresses - same as for CO Person
  • Link to CO Person object

This object is also connected to several other structural items that we will talk about in this lesson, including

  • Source Information - represented by an Organizational Identity Source object, this item contains details about how the source should be processed and the data gathered from the representation of the person at the source.
  • Cached Source Information - represented by an Organizational Identity Source Record object, this item connects the Organizational Identity Source to the Org Identity, and is also used to cache data in COmanage from sources so that it is readily available.

[Screen shot - Org Identity object]

About name, email address and physical address attributes

These lists of items are handled similarly to how they are used for CO Person objects. Because of their similarity, we won’t review them in this section.

About identifier attributes

Org Identity objects also use identifiers. The identifiers can be one of several different types, with the first two being the most common. These identifiers are provided by the Source.

  • eppn: eduPersonPrincipalName
  • eptid: eduPersonTargetedID
  • mail: RFC 4524
  • openid: OpenID
  • uid: RFC 4519 uidObject (previously userid)

Note that the next release of COmanage Registry is scheduled to add as identifiers

  • subject-id: SAML General Purpose Subject Identifier subject-id
  • pairwise-id: SAML Pairwise Subject Identifier pairwise-id
  • oidc-sub: OIDC sub claim

Identifiers for authentication

Identifiers attached to Org Identity objects can potentially be used for signing into COmanage. A flag set on the identifier indicates whether it may be used for sign in; identifiers without that flag are informational only.
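To make the login flag concrete, here is an added illustration (example code written for this lesson, not code from COmanage Registry) of how a sign-in resolver might map an asserted identifier to a CO Person. It only honors identifiers carrying the login flag, and, as an extra assumption of this example rather than documented COmanage behaviour, skips Org Identities whose validity window does not cover today. The class and function names, and the sample data, are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Identifier types named in the lesson; eppn and eptid are the most common.
IDENTIFIER_TYPES = {"eppn", "eptid", "mail", "openid", "uid"}


@dataclass
class Identifier:
    type: str
    value: str
    login: bool = False  # the flag that says "this identifier may be used to sign in"

    def __post_init__(self):
        if self.type not in IDENTIFIER_TYPES:
            raise ValueError(f"unknown identifier type: {self.type}")


@dataclass
class OrgIdentity:
    source: str                        # name of the Source / System of Record
    identifiers: List[Identifier]
    co_person_id: Optional[int] = None  # link to the CO Person object
    valid_from: Optional[date] = None
    valid_through: Optional[date] = None

    def is_valid_on(self, day: date) -> bool:
        """Validity window check (an assumption of this example, not a documented rule)."""
        if self.valid_from and day < self.valid_from:
            return False
        if self.valid_through and day > self.valid_through:
            return False
        return True


def resolve_login(org_identities, id_type, id_value, today):
    """Return the CO Person id that an asserted identifier signs in as, or None.

    Only identifiers flagged for login are consulted, so an identifier that is
    merely recorded (e.g. a mail address) never grants sign in on its own.
    """
    for oi in org_identities:
        if not oi.is_valid_on(today):
            continue
        for ident in oi.identifiers:
            if ident.login and ident.type == id_type and ident.value == id_value:
                return oi.co_person_id
    return None


# Constructed sample: two Org Identities linked to the same CO Person (id 42).
# One comes from the campus SAML IdP and is current; the other comes from an
# old HR system and expired at the end of 2021.
SAMPLE_ORG_IDENTITIES = [
    OrgIdentity(
        source="campus-idp",
        identifiers=[
            Identifier("eppn", "jdoe@example.edu", login=True),
            Identifier("mail", "jdoe@example.edu"),  # recorded, but not flagged for login
        ],
        co_person_id=42,
        valid_from=date(2020, 1, 1),
        valid_through=date(2030, 12, 31),
    ),
    OrgIdentity(
        source="legacy-hr",
        identifiers=[Identifier("uid", "jdoe", login=True)],
        co_person_id=42,
        valid_from=date(2015, 1, 1),
        valid_through=date(2021, 12, 31),
    ),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(resolve_login(SAMPLE_ORG_IDENTITIES, "eppn", "jdoe@example.edu", today))  # 42
    print(resolve_login(SAMPLE_ORG_IDENTITIES, "mail", "jdoe@example.edu", today))  # None
    print(resolve_login(SAMPLE_ORG_IDENTITIES, "uid", "jdoe", today))               # None (expired)
```

The point to take from the sample data is that two identifiers with the same string value (the eppn and the mail address) are treated differently purely because of the flag, and that where an identifier came from (its Org Identity and source) still matters when deciding whether it should sign anyone in.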


The Org Identity Source Object

Now we’ll talk about sources - information from external systems - and how they are captured and used in COmanage.

The relationship between Org Identity objects and sources

The Org Identity object is related to the source where its information came from. Often the source is an external system of record such as an HR database, a registrar database, an LDAP directory, an authentication event such as a SAML assertion or OIDC claim, an ORCID record, or even a CSV file. COmanage keeps track of this source for several reasons:

  • for auditing where information about a person came from
  • for syncing with external systems to get the most up-to-date information
  • to connect with actions that may happen outside of COmanage, for example federated authentication
  • to provide information about the person when provisioning access and privileges to external ("outbound") systems

COmanage has built-in capability to consume data and attributes from many of these sources, and can be extended to support additional sources. This information is managed through Organizational Identity Source objects and their COmanage-cached versions, Organizational Identity Source Record objects.

Systems of Record (external sources) can be from anywhere. Common ones include LDAP servers, REST APIs, SQL databases, flat files, SAML assertions, OIDC claims, and so on.

Organizational Identity Sources - Supported sources

There are several source types that are supported by COmanage:

Source Type                      | Description
---------------------------------|------------------------------------------------------------
Environment variables (Env)      | Generally used to associate registered people with information and attributes generated by their use of web server authentication modules
CSV File data (File)             | Used to associate registered people with information that may not be stored in a supported external system and can be provided by a CSV file
LDAP Server (LDAP)               | Used to associate registered people with information from their representation on your LDAP server
ORCID Records (ORCID)            | Used to associate registered people with information from their authenticated ORCID record via the ORCID API
NetForum Member Lists (netFORUM) | Used to associate registered people with information from their representation in your NetForum membership management system via the XML API (xWeb)
Salesforce (Salesforce)          | Used to associate registered people with information from their representation in your Salesforce system via the Force.com REST API
API-based sources (API)          | Used to associate registered people with information from other systems that can provide communication via a RESTful API (this plugin is experimental)

Is your favorite source omitted from this list?

Not to worry! As with many features in COmanage, it is possible to extend the supported sources by creating a plug-in. We will learn more about plug-ins toward the end of the workshop.

The Identity Source AND Identity Source Record Objects

Organizational Identity Source Object

Source attributes (information), once gathered, are stored in Organizational Identity Source objects. These objects contain details about how the source information should be processed and the data gathered from the representation of the person at the source.

The information stored in Organizational Identity Source objects typically includes:

  • Descriptive information - A description of the source, and its status
  • Processing information - what information should be synced and under what conditions, what to do if there is mismatched information, how to handle this source when searching, and what to store when caching the source (for example, a hash of the information or the full source record)
  • Connection information - which source type is connected, and identifiers for the person used at the source

In addition, specific data and attributes, customized for the source type, are attached to the Organizational Identity Source object.

Organizational Identity Source Record Object

Information from an Organizational Identity Source is connected to an Org Identity object via an Organizational Identity Source Record object. These objects are also used to cache data from sources so that it is readily available.

In addition to the links to the related Org Identity and Organizational Identity Source objects, these objects also include information about when the data was last cached.
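The processing and caching choices described above (what to sync, how to detect mismatched information, and whether to cache a hash or the full record, together with a last-cached timestamp) are easier to reason about with a small working model. The following is an added example written for this lesson, not COmanage's own sync code: it treats a CSV file as the source, keeps a per-person cache record with a hash and timestamp, and reports for each source identifier whether it is new, unchanged, changed or gone. The function names, the `sorid` column and the sample CSV are all constructed.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample: a CSV "file" source, keyed by a source identifier (sorid).
CSV_SOURCE = """sorid,given,family,mail,affiliation
1001,Jane,Doe,jdoe@example.edu,faculty
1002,Sam,Roe,sroe@example.edu,student
"""


def fetch_source_records(csv_text):
    """Read the source and key each record by its source identifier."""
    return {row["sorid"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def record_hash(record):
    """Canonical SHA-256 of a source record. Sorting keys and removing
    whitespace means the same data always hashes the same, so a hash-only
    cache can still tell whether the source changed."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def sync_source(cache, csv_text, cache_full_record=False, now=None):
    """Compare freshly fetched records with the cached source records.

    `cache` plays the role of the Organizational Identity Source Record
    objects: sorid -> {"hash", "record", "last_update"}. It is updated in
    place. The return value maps each sorid to one of
    'new' | 'unchanged' | 'changed' | 'removed'; 'changed' is where a
    source's mismatch policy would decide what to overwrite.
    """
    now = now or datetime.now(timezone.utc)
    fetched = fetch_source_records(csv_text)
    outcome = {}
    for sorid, record in fetched.items():
        h = record_hash(record)
        cached = cache.get(sorid)
        if cached is None:
            outcome[sorid] = "new"
        elif cached["hash"] == h:
            outcome[sorid] = "unchanged"
        else:
            outcome[sorid] = "changed"
        cache[sorid] = {
            "hash": h,
            # Only keep the full record when the source is configured for it;
            # otherwise the hash alone is enough to detect future changes.
            "record": record if cache_full_record else None,
            "last_update": now,
        }
    # A cached record whose sorid no longer appears at the source is reported
    # but deliberately kept, so the audit trail of where data came from survives.
    for sorid in set(cache) - set(fetched):
        outcome[sorid] = "removed"
    return outcome


if __name__ == "__main__":
    cache = {}
    print(sync_source(cache, CSV_SOURCE))                                 # both 'new'
    print(sync_source(cache, CSV_SOURCE))                                 # both 'unchanged'
    print(sync_source(cache, CSV_SOURCE.replace("faculty", "staff")))     # 1001 'changed'
```

Running the block twice on the same input shows the hash-only cache doing its job: nothing is re-synced unless the canonical content differs. Switching `cache_full_record=True` is the trade-off the lesson mentions: the cache then holds a copy of the person's source data, which is convenient for display and search but means COmanage, not only the source, now holds that data.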


Hands on - Starting our person model

Hands on time!

We will move back to our breakout groups for 10 min. Think about the sources outside of COmanage where information may be stored about the people that you described in exercise CO310-01. For each of the people from the previous exercise, discuss what information would be useful to obtain from external systems. Where would this information come from? (What is the authoritative source for this information?)

Record your insights on the Etherpad.

[10 min]


Terminology & resources

See resources and definitions for COmanage-specific terminology in this lesson.