6.3. manage-service-providers

The tool manage-service-providers is used to add service providers and generate pseudonyms for existing users, school classes and schools. This document describes how the script works internally. Visit Backup - Provisioning API for information about how to use it.

The tool adds a mapping from the service provider name to one of the UDM properties idBrokerPseudonym0001 to idBrokerPseudonym0030, in which the corresponding pseudonym is saved. The first property that has not yet been added to the mapping is chosen. The tool also generates a salt and saves it in a second mapping (service provider to salt). Both mappings are saved in a settings/data object. The values are protected by ACLs and can be read/written by the groups id-broker-settings-secrets-read and id-broker-settings, which are created during the installation process.

After that, the script iterates over all existing users, groups and schools and generates a pseudonym for each, using the salt of the service provider, the name of the school authority and the entry UUID of the object on the school authority side:

hash(service_provider_salt, entry_uuid, school_authority)

We save the entry_uuid inside ucsschoolRecordUID and the school_authority inside ucsschoolSourceUID for each user, school class and school.
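
The steps above, sketched as an added example that is not the tool's own code: slot allocation among the 30 properties, salt generation, and pseudonym derivation from the values stored in ucsschoolRecordUID and ucsschoolSourceUID. Assumptions: the page does not name the hash function, so HMAC-SHA256 with length-prefixed inputs is used here; plain dicts stand in for the two mappings in the settings/data object; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Property names as given on the page: idBrokerPseudonym0001 .. idBrokerPseudonym0030
PSEUDONYM_PROPERTIES = [f"idBrokerPseudonym{i:04d}" for i in range(1, 31)]


def add_service_provider(name, sp_to_property, sp_to_salt):
    """Map a new service provider to the first unused property and a fresh salt.

    The two dicts stand in for the mappings kept in the settings/data object.
    """
    if name in sp_to_property:
        raise ValueError(f"service provider {name!r} already registered")
    used = set(sp_to_property.values())
    free = next((p for p in PSEUDONYM_PROPERTIES if p not in used), None)
    if free is None:
        raise RuntimeError("all 30 pseudonym properties are in use")
    sp_to_property[name] = free
    sp_to_salt[name] = secrets.token_hex(32)  # assumption: 256-bit random salt
    return free


def _field(value):
    # Length-prefix each input so ("ab", "c") and ("a", "bc") cannot collide.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def pseudonym(service_provider_salt, entry_uuid, school_authority):
    """hash(service_provider_salt, entry_uuid, school_authority).

    Assumption: HMAC-SHA256 keyed with the salt; the page does not name the hash.
    """
    msg = _field(entry_uuid) + _field(school_authority)
    return hmac.new(service_provider_salt.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def pseudonyms_for_object(record_uid, source_uid, sp_to_property, sp_to_salt):
    """Return {property: pseudonym} for one user, school class or school.

    record_uid / source_uid correspond to ucsschoolRecordUID / ucsschoolSourceUID.
    """
    return {
        prop: pseudonym(sp_to_salt[sp], record_uid, source_uid)
        for sp, prop in sp_to_property.items()
    }
```

Because each service provider has its own salt, the same object receives a different pseudonym per provider, while repeated runs for one provider yield the same value.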