1- [[translation]]
2- == Translation profiles configuration
1+ [[input- translation]]
2+ === Input translation
33
44Translation profile is a named, ordered list of conditional rules. The rules are used to
5- modify the information about a principal being processed by Unity. Such situation occurs when:
6-
7- . Remote user was externally authenticated and its data is consumed by Unity. In this case
8- translation is performed by so called _input translation profiles_.
9- . Information about Unity's entity is being exposed to outside world with an IdP-like endpoint
10- as SAML web endpoint. In this case translation is performed by so called _output translation profiles_.
5+ modify the information about a principal being processed by Unity. Input translation profile is used when
6+ a remote user was externally authenticated and its data is consumed by Unity.
117
128For instance, an input translation profile can change remote attribute 'size' name to
139'width' and insert a remotely authenticated user to the local database (to a desired group)
14- if the user is not yet there. An output profile can return an additional dynamic identity named 'email'
15- with a value of an email attribute.
10+ if the user is not yet there.
1611
17- The following subsections cover both types of translation profiles in details. Though many of the features
18- are common. The profiles are managed with the Admin UI in the Server management->Translation profiles tab.
19- The profile has a name and a list of rules. Each rule has a condition and an action.
12+ A profile consists of a list of rules. Each rule has a condition and an action.
2013
2114Conditions are used to dynamically turn action execution on or off. Conditions (as well as some of the arguments
2215of translation actions have) have to be specified as _MVEL expressions_. Such expressions allow for a powerful,
@@ -35,14 +28,8 @@ the most popular condition is simply: +true+.
3528Actions are different for each type of the profile. The editor provides you with helpful interface to create them.
3629
3730
38-
39- [[input-translation]]
40- === Input translation
41-
4231An input translation profile is always associated with a _remote authenticator in its configuration_.
43- It is a mandatory setting, all remote authenticators must have one profile associated. This is because it is
44- typically not possible to provide a sensible default mapping of remote data to the configurable schema used in
45- Unity.
32+ It is a mandatory setting, all remote authenticators must have one profile associated.
4633
4734Input translation profile (both conditions and rules) operate on a data structure which is initially
4835filled by the protocol specific component. The structure can contain:
@@ -87,26 +74,17 @@ to remove all stale data: attributes, group memberships, identities. The data is
8774was previously created by the same profile, basing on input from the same remote IdP
8875and which was not reproduced during the current invocation of the profile.
8976
90- ==== Translation profile creation wizard and dry-run
91-
92- Unity provides two sophisticated features helping in input translation profile management. First of all it is possible
93- to use a translation profile creation *wizard*.
77+ ==== Translation profile testing
9478
95- The wizard can be activated from the Server management->Translation profiles view. Currently the wizard can be used
96- to create a profile basing on an available remote authenticator, so you need to configure it first in a regular way.
97- However any (even empty) translation profile can be initially set for this authenticator.
98-
99- After launching the wizard a popup window appears allowing you to select any of the remote authenticators available
100- in the system (regardless of their assignment to endpoints). The authentication is performed in a sandbox environment
101- so it is not influencing the running system. After finishing the remote authentication the popup window disappears
102- and a visual translation profile editor is displayed. The whole information received from the remote IdP is shown,
103- and can be dragged into expressions of the profile being created. After the profile is configured it must be saved
104- and can be assigned to the authenticator.
105-
106- Besides the wizard it is also possible to perform a detailed testing of an already existing translation profile.
107- This *dry run* feature is available from the same menu as the wizard and begins in the same way: with a sandboxed
108- authentication. However, the last step is different: instead of an editor a detailed information on the profile's
109- application to the data provided by remote IdP is presented, including even the relevant server's log.
79+ Unity provides a sophisticated feature helping to work with input translation profile.
80+
81+ Testing can be performed on an existing remote authenticator with some profile configured.
82+ This feature is available from the Authentication -> Facilities main view (Test button).
83+ Test begins with a sandboxed authentication in a popup window, where one can select any of the remote
84+ authentication options available in the system.
85+ After authentication (failed or successful) a detailed information on the profile's
86+ application to the data provided by remote IdP (and naturally the data itself) is presented,
87+ including even a relevant server's internal log.
11088
11189
11290==== Reference
@@ -209,71 +187,3 @@ Finally the value of the identity provided by remote IdP is available as follows
209187id
210188----
211189
212-
213-
214-
215-
216-
217- === Output translation
218-
219- An output translation profile can be associated with an IdP-like endpoint as the SAML endpoints.
220- It can be used to filter the data being exposed (so called attribute release policies can be implemented
221- with output profiles). Also it can dynamically create additional data to be returned. It is even possible to
222- store the dynamically created data back into the local Unity database, so it becomes a regular data.
223-
224- Configuration of output profiles is optional. If no profile is manually installed on an endpoint, then a so called
225- _default output profile_ is used. The default profile is simplistic: it doesn't filter anything and anly adds
226- one additional attribute: +memberOf+ with all groups of the principal as value.
227-
228- Output translation profile operate on a data structure which is initially
229- filled by Unity with all attributes and identities of the queried principal. Attributes are from the group configured
230- in the endpoint.
231-
232- MVEL context used in conditions and as value of some action parameters can use the following variables:
233-
234- . +protocol+ Name of the protocol being used
235- . +protocolSubtype+ Name of the protocol variant
236- . +requester+ Name of the requester
237- . +usedGroup+ Unity group from which attributes are served
238- . +subGroups+ All sub groups of the Unity group from which attributes are served
239- . +attr+ Map indexed with principal's attribute names. Value of each entry is a single value of the attribute.
240- If the attribute is multi-valued then the first value is returned.
241- If the attribute has no value then empty string is returned.
242- . +attrs+ Map indexed with attribute names. Value of each entry is a list of the attribute values.
243- . +attrObj+ Map indexed with attribute names. Value of each entry is a list of all values provided as
244- objects with attribute-type specific contents. Useful for inspecting complex types like email and accessing its confirmation status.
245- . +requesterAttr+, +requesterAttrs+ and +requesterObj+ attributes of the requester,
246- if it is represented by an entity in Unity. This is the case for OAuth authentication.
247- . +idsByType+ Map of identity values indexed by type.
248- . +groups+ List of all groups the user is a member.
249- . +authenticatedWith+ List of identities that were used to authenticate the user.
250- If remote authentication was used the list contains a single identity that was used
251- to map the remote user to the local entity (as chosen by the input translation profile).
252- The list can have two elements when MFA was used.
253- . +importStatus+ Map indexed with importer names which are enabled for the endpoint on which output profile
254- is executed. Status of each importer is value of map entries. The following values are possible: +notApplicable+ and
255- +success+.
256- . +idp+ Identifier of a remote IdP that was used to authenticate the current user's session.
257- In case when only a local authentication was used, the value is set to +_LOCAL+.
258-
259-
260- Example output profile:
261- ------
262- 1: Condition: idsByType contains 'userName'
263- Action: createAttribute
264- Action parameters:
265- attributeName = userid
266- expression = idsByType['userName']
267-
268- 2: Condition: true
269- Action: filterAttribute
270- Action parameters:
271- unityAttribute = email
272- ------
273-
274- The above profile in the first action creates a new attribute +userid+ with a value of user's identity
275- of the +userName+ type. The attribute is added only if the principal has such identity.
276- The second rule hides the email attribute unconditionally.
277-
278- Additional examples of expressions and conditions can be found in the <<input-translation>> above. Note however
279- that only the variables from the output MVEL context can be used.
0 commit comments