OpenConext / OpenConext-engineblock

OpenConext SAML 2.0 IdP/SP Gateway

Release an attribute under another name #1302

Closed thijskh closed 1 month ago

thijskh commented 3 months ago

EB uses standardised attribute names. However, sometimes an SP requires the attribute to be delivered under a different name. We usually use an attribute manipulation for that but want to solve this more common case in configuration.

Manage has been extended to provide a string field in the ARP where one can define the name under which an attribute must be released instead of the normal name.

   "arp_attributes" : {
      "urn:mace:dir:attribute-def:cn" : [
         {
            "release_as" : "some-example-name",
            "motivation" : "Hiervoor wordt het gebruikt",
            "value" : "*"
         }
      ]
   },

When this release_as key is present, EB will release the values of the attribute as-is, but no longer under e.g. urn:mace:dir:attribute-def:cn but rather under the name some-example-name.

Probably this is best done in either the ARP Corto filter or a new Corto output filter for this purpose.

MKodde commented 3 months ago

Will Manage always release a urn:mace:.. attribute substitution name? IIRC we also support the urn:oid format. Must we support that too? Or does Manage maybe indicate which format to use (aside from implicitly doing so by the value it releases)?

thijskh commented 3 months ago

No, the idea is that the SP can require something nonstandard, e.g. just the bare string FullName or mail, instead of properly namespaced/standardised names.

thijskh commented 3 months ago

To illustrate for one SP, we now have Attribute Manipulation code configured that does this:

# Required attributes

$attr_gn       = 'urn:mace:dir:attribute-def:givenName';
$attr_sn       = 'urn:mace:dir:attribute-def:sn';
$attr_mail     = 'urn:mace:dir:attribute-def:mail';

# attributes to let through (ARP)
$requiredAttributes = array(
  'FirstName',
  'LastName',
  'Email'
);

if (isset($attributes) and ($attributes !== FALSE)) {
    if (!empty($attributes[$attr_mail][0])) {
        $subjectId = $attributes[$attr_mail][0];
        $attributes['Email'] = $attributes[$attr_mail];
    }
    if (!empty($attributes[$attr_gn])) {
        $attributes['FirstName'] = $attributes[$attr_gn];
    }
    if (!empty($attributes[$attr_sn])) {
        $attributes['LastName'] = $attributes[$attr_sn];
    }
}

# Remove all other attributes
foreach ($attributes as $k => $v) {
  if (!in_array($k, $requiredAttributes)) {
    unset($attributes[$k]);
  }
}

We want to replace this per-SP manipulation code with just config.

MKodde commented 1 month ago

Logging-wise, I suggest adding this when replacing the attribute:

[2024-08-13 11:32:12] engineblock.NOTICE: Releasing attribute "urn:mace:dir:attribute-def:cn" as "ComonNaam" as specified in the release_as configuration [] {"session_id":"99d651c82bda5009e858e53d45c97d01","request_id":"66bb281c87810"}

MKodde commented 1 month ago

[image attachment]

MKodde commented 1 month ago

During refinement we discussed the place to do this manipulation. The best place to do this is after consent.

Why? This is a technical update of the attribute. It does not matter to the user if urn:mace:...:email is renamed to the attribute name mailadress (or whatever the new attribute name is). This also ensures the consent screen stays user-friendly, as no custom attribute names will end up there.
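As an added example (not EngineBlock's own code), this is what the release_as step discussed in this issue could look like as a post-consent filter: it takes the "arp_attributes" shape from the first comment, releases each attribute's values unchanged, swaps only the name when release_as is set, and emits the log line suggested above. The function name, the logger callback, the collision check and the sample data are assumptions.

```php
<?php
// Added example, not EngineBlock's own code: apply a Manage-style ARP that may
// carry "release_as" keys (the JSON shape from the issue) to a set of attributes.
// Values are released unchanged; only the attribute name is swapped. The function
// name, the logger callback and the sample data below are assumptions.

function applyReleaseAs(array $attributes, array $arpAttributes, callable $logNotice): array
{
    $released = [];
    foreach ($attributes as $name => $values) {
        // Attributes absent from the ARP are not released at all.
        if (!isset($arpAttributes[$name])) {
            continue;
        }
        $releaseAs = null;
        foreach ($arpAttributes[$name] as $rule) {
            if (!empty($rule['release_as'])) {
                $releaseAs = (string) $rule['release_as']; // first rule with release_as wins
                break;
            }
        }
        if ($releaseAs === null || $releaseAs === $name) {
            $released[$name] = $values;
            continue;
        }
        $logNotice(sprintf('Releasing attribute "%s" as "%s" as specified in the release_as configuration', $name, $releaseAs));
        // Guard against two source attributes being mapped onto the same release name.
        if (isset($released[$releaseAs])) {
            throw new RuntimeException("release_as target '$releaseAs' is used twice");
        }
        $released[$releaseAs] = $values; // values copied as-is
    }
    return $released;
}

// Constructed sample: the cn entry from the issue plus a rename of mail to "Email".
$arp = [
    'urn:mace:dir:attribute-def:cn'   => [['release_as' => 'some-example-name', 'value' => '*']],
    'urn:mace:dir:attribute-def:mail' => [['release_as' => 'Email', 'value' => '*']],
    'urn:mace:dir:attribute-def:sn'   => [['value' => '*']],
];
$attributes = [
    'urn:mace:dir:attribute-def:cn'   => ['Jane Doe'],
    'urn:mace:dir:attribute-def:mail' => ['jane@example.org'],
    'urn:mace:dir:attribute-def:sn'   => ['Doe'],
    'urn:mace:dir:attribute-def:eduPersonAffiliation' => ['staff'], // not in ARP, dropped
];
print_r(applyReleaseAs($attributes, $arp, fn (string $m) => fwrite(STDERR, "NOTICE: $m\n")));
```

Running this releases `some-example-name`, `Email` and the unchanged `urn:mace:dir:attribute-def:sn`, drops the affiliation attribute, and writes one NOTICE line per rename to stderr.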