LDAP SP-Registry

Last modified by thata@helsinki_fi on 2023/12/19 08:01


The SP-Registry application is used for the management of the University of Helsinki's services related to the login.helsinki.fi single sign-on system and the LDAP2015 system. This document applies to the use of SP-Registry for LDAP service management. You can find more instructions on the management of the services related to Login.helsinki.fi on the SP-rekisteri (SAMLOIDC) page (only in Finnish, sorry).
The address of SP-Registry is https://sp-registry.it.helsinki.fi/

Use

Logging in and user rights

SP-Registry uses single sign-on, so you should click the Single Sign On icon on the front page.
University employees get an automatic right to add new services. The University will verify the services before they are added to LDAP2015.
If you are not verified as a University staff member during login, please contact atk-autentikointi@helsinki.fi after login, so that an administrator can add the necessary user rights for you.
NOTE: If a service that uses the University of Helsinki's LDAP system is already under your support but you cannot see it in the menu, please contact an administrator. We will send you a link to activate your rights to update the service information.
If necessary, an administrator can also create local usernames for SP-Registry.


SP-Registry structure

Service Providers

Displays a list of the services for which you have administrator rights. You can see more information about a service by clicking its identifier. The LDAP services are listed after the SAML services.
You can also add a new service on this page. Click 'Add a new LDAP connection' to open a form where you can enter the basic information.


Summary

Displays the service information and any changes made since the previous validation.
Any missing information, and the information required for production use, is also shown at the top of the page.
At the bottom of the page there is a button for deleting a validated service that is not in production use. You can also hide the service entirely. A hidden service can only be restored within one year; if you need to restore it, please contact an administrator.
The 'Organization' and 'Admin notes' fields visible on the page are for administrators' use only.


Basic information

Basic service information and notes.
Please fill in these fields in all languages.


Technical Attributes

Technical specifications. Most of them are self-explanatory; below you can find further information on the ones that may be unclear.


  • Does the service use a service account?
    • Almost all services that need information about the user can use a separate service account to look up that information, so check this box.
    • If the service requires information beyond the login itself but definitely cannot use a service account, this can be arranged: fill in the form normally without checking this box, save the form and email an administrator at atk-ldap@helsinki.fi or atk-autentikointi@helsinki.fi.
  • Email address and phone number for delivering the service account credentials
    • If you obtain an LDAP username ("service account") for the service, the account and password that are created are delivered via securemail to the email address entered here, and the PIN code needed to open the secure message is sent to the mobile number entered here. So please enter your personal email address in the helsinki.fi domain as well as your work mobile number so that you can receive the information.
  • Publish to production servers
    • The service information is exported to the LDAP2015 system: once an administrator has approved the changes, the firewall is opened, the required credentials are created and access is allowed. You should therefore check this box in almost all cases.


Attributes

The attributes required by the service and a brief reason for using them.
Assigning attributes is always based on need. If you are not sure if an attribute is necessary, the answer is probably no.
One specific attribute worth considering is memberOf. You should select it if the application gets group information from the memberOf field of the user record instead of looking for the user in the uniqueMember field of the group record. Often you should both select the memberOf attribute to be fetched and list the required groups on the User Groups page. If you are not sure, you might as well do both.
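The two ways of resolving a user's groups described above (reading memberOf from the user record, or searching group records by uniqueMember) are easy to confuse, and an application that relies on only one of them can silently see fewer groups than expected. The following added example (not part of SP-Registry or the University's own tooling) implements both lookups over a small constructed LDIF snapshot and cross-checks them; the base DN dc=example,dc=org, the user names, and the DN layout are assumptions, while GRP-A02700-employees is the group name format the page itself uses. It also shows the escaped search filter a real client would send for the uniqueMember lookup.

```python
"""Resolve a user's LDAP groups via memberOf and via uniqueMember, then cross-check."""
from __future__ import annotations
from collections import defaultdict

# Constructed sample directory in LDIF form. The base DN, user names and
# the people/groups layout are assumptions for this example only; carol is
# deliberately listed in GRP-A02700-staff without a matching memberOf value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
memberOf: cn=GRP-A02700-employees,ou=groups,dc=example,dc=org
memberOf: cn=GRP-A02700-staff,ou=groups,dc=example,dc=org

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
cn: Carol (Example)
memberOf: cn=GRP-A02700-employees,ou=groups,dc=example,dc=org

dn: cn=GRP-A02700-employees,ou=groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: GRP-A02700-employees
uniqueMember: uid=alice,ou=people,dc=example,dc=org
uniqueMember: uid=carol,ou=people,dc=example,dc=org

dn: cn=GRP-A02700-staff,ou=groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: GRP-A02700-staff
uniqueMember: uid=alice,ou=people,dc=example,dc=org
uniqueMember: uid=carol,ou=people,dc=example,dc=org
"""


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse minimal LDIF into {dn: {attribute: [values]}}.
    Handles only the subset used above (no base64 values, no line folding)."""
    entries: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:            # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def user_dn(entries, uid: str):
    """Return the DN of the person entry whose uid matches exactly, or None."""
    for dn, attrs in entries.items():
        if "inetOrgPerson" in attrs.get("objectClass", []) and attrs.get("uid") == [uid]:
            return dn
    return None


def group_cn(group_dn: str) -> str:
    """Extract the short group name (cn) from a group DN."""
    return group_dn.split(",", 1)[0].split("=", 1)[1]


def groups_via_member_of(entries, uid: str) -> set[str]:
    """Strategy 1: read memberOf from the user record (requires the memberOf
    attribute to be released to the service)."""
    dn = user_dn(entries, uid)
    if dn is None:
        return set()
    return {group_cn(g) for g in entries[dn].get("memberOf", [])}


def groups_via_unique_member(entries, uid: str) -> set[str]:
    """Strategy 2: search group records whose uniqueMember contains the user's DN
    (requires access to the groups listed on the User Groups page)."""
    dn = user_dn(entries, uid)
    if dn is None:
        return set()
    return {attrs["cn"][0] for attrs in entries.values()
            if "groupOfUniqueNames" in attrs.get("objectClass", [])
            and dn in attrs.get("uniqueMember", [])}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unique_member_filter(dn: str) -> str:
    """The search filter a real client would send for strategy 2."""
    return f"(&(objectClass=groupOfUniqueNames)(uniqueMember={escape_filter_value(dn)}))"


def membership_consistent(entries, uid: str) -> bool:
    """Both strategies should agree; a mismatch usually means memberOf is not
    released or a required group is missing from the User Groups list."""
    return groups_via_member_of(entries, uid) == groups_via_unique_member(entries, uid)


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid in ("alice", "carol", "nobody"):
        print(uid, sorted(groups_via_member_of(DIRECTORY, uid)),
              sorted(groups_via_unique_member(DIRECTORY, uid)),
              "consistent" if membership_consistent(DIRECTORY, uid) else "MISMATCH")
    print(unique_member_filter(user_dn(DIRECTORY, "alice")))
```

Running the script shows alice resolving identically both ways, while carol's memberOf lookup misses GRP-A02700-staff even though the group record lists her; that is exactly the situation in which requesting memberOf and listing the group on the User Groups page together avoids surprises.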


User Groups

The LDAP groups required by the service. You can enter the group names one at a time in their short form, e.g. "GRP-A02700-employees".


Contacts

The service contact information, i.e. the technical, administrative and support contacts. The first two in particular are important for administrators.


Admins

On this page you can manage the persons who are allowed to edit the service information.
You can invite new administrators via email, in which case they will be sent an activation code, which is valid for 30 days.


Adding a new LDAP connection to SP-Registry

  1. Select 'Add a new LDAP connection' from the front page.
  2. Enter at the minimum the servers used by the service (their DNS names, i.e. names in text form, one per line) and the name of the service in Finnish. Also enter the privacy protection URL and the address of the service in the Application Portfolio. Save the form.
  3. On the Technical Attributes page, check at the minimum the 'Publish to production servers' box, because otherwise the service cannot access LDAP2015. If the service only requires authentication, you can stop here and save. Otherwise, select at least 'Does the service use a service account?' and fill in the details of the person the service account is delivered to, unless your service really cannot use a separate LDAP identifier to search for the required information. Also check the other options on this page and decide if they are required.
    1. An administrator will separately verify the services published to LDAP2015. In urgent cases, please contact atk-autentikointi@helsinki.fi or atk-ldap@helsinki.fi.
  4. Enter the attributes potentially required by the service and the reasons for using them on the Attributes page.
  5. Mark the user groups potentially required by the service on the User Groups page.
  6. Enter the details of the contact persons of the service on the Contacts page.

Removing an LDAP connection from SP-Registry and the production servers

  1. Select the connection to be removed from the front page.
  2. Select the "Technical attributes" page of the connection.
  3. Deselect "Publish to production servers".
  4. Save the changes at the end of the page.
  5. Once the changes have been validated, you can also remove the connection from SP-Registry. A removal link appears at the end of the connection's Summary page once the service has been removed from the production servers and the changes have been validated.