Attributes lifecycle¶
There can be multiple sources of truth when it comes to person attributes in the Onegini IdP. Depending on the configuration and the flow you are currently in the application will perform appropriate action in order to keep person profile up to date and also return all required attributes within SAML response.
Please consider following diagram to get a better understanding about attributes lifecycle in the Onegini IdP.
Legend¶
External IdP - External Identity Provider which can be used to login to the Onegini IdP or to perform Just-in-Time signup. External Identity Providers of OAuth, LDAP and SAML type can serve as person attributes sources. The person attributes returned by this instance can, depending on the configuration, be used to update existing profile or to create a new one.
External IdP Attributes Mapping - Process of translating the person's attributes returned by the external Identity Provider. Beside attributes this step requires mappings to be defined in the Identity Provider configuration page. Please look into attribute mappings chapter to get more info. All successfully mapped attributes will be synchronized with the person's profile and persisted in the Onegini IdP storage. All outstanding attributes will be put in the application session making it possible for the Onegini IdP to access them at the later stage when the SAML response is being generated. As a good example of such attribute please consider OAuth 2.0 AccessToken.
API Call - API request executed against the Onegini IdP which creates (signs up) or updates person profile. Such request carries person's attributes.
SignUp Form - The sign up form which is served by the Onegini IdP and filled out by the end-user (person). The form is considered an attributes source.
Create person / Update person - A process of creating or updating the person's profile. It consumer the attributes provided either by the API request or the web form filled out by the person.
Attributes Synchronization - Process of updating the person's profile with the attributes provided by the external Identity Provider. The attributes which are part of this step
must be mapped and processed so that the Onegini IdP can understand them. Currently attributes synchronization is supported for all identity providers which allow to map attributes (e.g. SAML, LDAP, Facebook, Google).
Attributes Synchronization can be switched on or off on the identity provider config form with Synchronise Attributes
flag.
Persisted Person's Profile - The Onegini IdP relational database storage, which holds all person related data.
Application Session State - The application session determined by the JSESSIONID header value. All attributes stored in the session will be available for certain amount of time as long as the JSESSIONID header sent by the web client is not changed.
Supply Attributes From External Services - Process of retrieving persons' attributes from external services, like DUM (Delegated User Management). Those attributes are meant ot be returned by Onegini IdP within SAML Response as custom attributes, but not persisted in the persons's profile.
SAML Response Attribute Mapping - Process of transforming person's profile attributes fetched from Persisted Person's Profile and attributes which are available at this moment in time in the Application Session State into a form ready to be returning in SAML response. Please note that all attributes originating from the session are returned as custom attributes. The mapping definitions for this process can be be defined in the Organisation or Service Provider configuration.