Add `user` object to the mapping rules examples.

Every rule should have a local ``user`` object that is used to
produce a unique user_id of the federated user. Not all examples of the
OS-FEDERATION extension included such an object.

Change-Id: Ib1a2a956cb3638402b283ad13841f48d31814240
Closes-Bug: #1312221
Marek Denis 2014-04-24 17:36:45 +02:00 committed by Diane Fleming
parent 8e9aef87e4
commit d88942944e

@ -79,7 +79,7 @@ Required attributes::
References a local Identity API resource, such as a `group` or `user` to
which the remote attributes will be mapped.
The object itself contains one of two structures, described below.
Each object has one of two structures, as follows.
To map a remote attribute value directly to a local attribute, identify the
local resource type and attribute:
@ -90,9 +90,11 @@ Required attributes::
}
}
This assigns identity attributes to ephemeral users.
Note that at least one rule must have a `user` attribute. If the `user`
attribute is missing when processing an assertion, the action returns
an HTTP 401 Unauthorized error.
Alternatively, for attribute type and value mapping, identify the local
For attribute type and value mapping, identify the local
resource type, attribute, and value:
{
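Review bot: The sentence "Note that at least one rule must have a `user` attribute" does not match the commit message, which says every rule should have a local `user` object. Please state one requirement in both places, and say whether the HTTP 401 Unauthorized is returned when none of the rules that matched the assertion supplies a `user`, or when no rule in the mapping does. The text also calls `user` an "attribute" while the paragraph above calls `group` and `user` resources and objects; using "object" here would keep the terms consistent.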
@ -389,6 +391,11 @@ Request:
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
@ -396,6 +403,9 @@ Request:
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"not_any_of": [
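Review bot: The `UserName` entry is inserted as the first element of `remote`, and the `"name": "{0}"` added to `local` in the preceding hunk depends on that position, since `{0}` refers to the first remote match. Nothing in the example says so; a sentence next to it stating that `{0}` is the index of the entry in `remote` would keep readers from reordering the list and binding `name` to the `orgPersonType` value instead. The same applies to the other Request and Response examples changed in the same way below.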
@ -422,6 +432,11 @@ Response:
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
@ -429,6 +444,9 @@ Response:
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"not_any_of": [
@ -457,6 +475,11 @@ Response:
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
@ -464,6 +487,9 @@ Response:
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"not_any_of": [
@ -486,6 +512,11 @@ Request:
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
@ -493,6 +524,9 @@ Request:
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [
@ -519,6 +553,11 @@ Response:
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
@ -526,6 +565,9 @@ Response:
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [
@ -557,6 +599,11 @@ Response:
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
@ -564,6 +611,9 @@ Response:
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [
@ -785,15 +835,15 @@ Response:
Example Mapping Rules
---------------------
### Mapping any user name
### Map identities to their own groups
This is an example of *Attribute type mappings*, where an attribute type is
mapped into a Identity API property.
This is an example of *Attribute type and value mappings*, where an attribute
type and value are mapped into a Identity API property and value.
{
"rules": [
{
"local":[
"local": [
{
"user": {
"name": "{0}"
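Review bot: Removing the "### Mapping any user name" heading and its *Attribute type mappings* description leaves the `UserName` to `"name": "{0}"` rule under a heading and intro that describe attribute type and value mappings, although that rule is a plain type mapping. Consider keeping one sentence that says the first rule is a type mapping that supplies the `user` object. While here, "a Identity API property" in the retained intro should read "an Identity API property".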
@ -805,17 +855,7 @@ mapped into a Identity API property.
"type": "UserName"
}
]
}
]
}
### Map identities to their own groups
This is an example of *Attribute type and value mappings*, where an attribute
type and value are mapped into a Identity API property and value.
{
"rules": [
},
{
"local": [
{
@ -864,6 +904,11 @@ This is an example that is similar to the previous, but displays how multiple
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "85a868"
@ -871,6 +916,9 @@ This is an example that is similar to the previous, but displays how multiple
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [