The subscriber-admin's guide to the TCS-personal galaxy
The Guide is definitive. Reality is frequently inaccurate.
This guide has a Fika guarantee. It was written with the intention of capitalizing as little on your time as possible and thus giving you time for Fika. If you should miss any Fika due to configuring the portal for your NREN, please complain at tcs-portal and tell us what, in your opinion, needs improvement in the guide.
Before you can configure your institution as a subscriber, a number of things must have been set up:
- An NREN admin of your NREN must have configured the portal and added your subscriber and you as an admin according to The NREN-admin's guide to the TCS-personal galaxy.
- If the identity federation of your country does not follow a hub and spoke model, your IdP must export the right set of attributes. Please consult with your local NREN admin about the applicable mapping.
- Depending on the portal which you are trying to configure, your IdP must export special entitlement attributes. Those attributes are:
If the mapping is (halfway) correct and you have been added as a subscriber admin, you will see a menu entry like the following in the menu on the left hand side:
1. Check the attribute mapping
The mapping from attributes to the information that Confusa consumes should already have been done at the NREN level. If it is easily possible, configure your IdP to match the NREN-wide settings. If it is not, you can define an attribute mapping at the subscriber level by pointing your browser to Attributes:
You will be able to map some of the attribute keys to those you export in your institution. Please note that, because of the way your organization is detected when you log on, you cannot map the attribute identifying your organization to anything other than the value that is defined at the NREN level. The unique identifier for your users (in the screenshot eduPersonPrincipalName) has been defined by the NREN admin upon adding your subscriber to the portal. If that value was totally wrong for your setup, you wouldn't have been able to log in, would you? :)
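The following added example (not part of Confusa or of the original guide) sketches a pre-flight check for step 1: it overlays subscriber-level overrides on the NREN-wide mapping, refuses to remap the organization attribute, and reports attributes the IdP failed to release. The logical keys, the attribute names other than eduPersonPrincipalName, the single-value rule and the sample data are assumptions made for illustration.

```python
# Added illustration; logical keys and attribute names are assumptions, not Confusa's schema.
LOCKED = {"organization"}  # the guide: this key is fixed at the NREN level

NREN_MAP = {  # constructed sample of an NREN-wide mapping
    "unique_id": "eduPersonPrincipalName",
    "organization": "schacHomeOrganization",
    "name": "cn",
    "mail": "mail",
    "entitlement": "eduPersonEntitlement",
}


def effective_map(nren_map, subscriber_overrides):
    """Overlay subscriber-level overrides on the NREN map, rejecting locked keys."""
    merged = dict(nren_map)
    for key, attr in subscriber_overrides.items():
        if key not in nren_map:
            raise ValueError(f"unknown mapping key: {key}")
        if key in LOCKED and attr != nren_map[key]:
            raise ValueError(f"'{key}' is fixed at the NREN level")
        merged[key] = attr
    return merged


def check_release(mapping, released):
    """Return a list of problems found in the attributes an IdP released."""
    problems = []
    for key, attr in mapping.items():
        values = [v for v in released.get(attr, []) if v.strip()]
        if not values:
            problems.append(f"{key}: IdP released no value for '{attr}'")
        # Assumption: identifying attributes must carry exactly one value.
        elif key in ("unique_id", "organization") and len(values) != 1:
            problems.append(f"{key}: '{attr}' has {len(values)} values, expected 1")
    return problems


# Constructed sample: attributes as an IdP might release them for one user.
SAMPLE_RELEASE = {
    "eduPersonPrincipalName": ["alice@example.org"],
    "schacHomeOrganization": ["example.org"],
    "displayName": ["Alice Example"],
    "mail": [""],
    "eduPersonEntitlement": ["urn:example:constructed-entitlement"],
}

if __name__ == "__main__":
    mapping = effective_map(NREN_MAP, {"name": "displayName"})
    for problem in check_release(mapping, SAMPLE_RELEASE):
        print(problem)
```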
2. Define subscriber settings
If you point your browser to "Subscriber" -> "Settings", you can change the contact information for your subscriber. That contact information includes a URL and a mail address of your help-desk, which may appear in the notification e-mails to end-users about certificate issuance and be shown to the end-users in informational texts across the portal. It is important that you supply mail addresses that correspond to one or more persons who can actually react in case a reaction is required.
3. Add additional administrators
If you don't want to do all that work yourself, you can consider adding fellow administrators and "sub"-administrators. Sub-administrators are institution administrators who can only revoke certificates in case something unforeseen happens, but cannot meddle with the subscriber settings. See The hitchhiker's guide to the TCS-personal galaxy for a more detailed explanation of administrative roles and their privileges. In order to add fellow or sub-administrators you need to know their unique identifier as it is exported by your IdP (e.g. their ePPN, if the unique identifier in the mapping is configured to be the ePPN). Point your browser to "Portal" -> "Admin" and enter the unique identifier(s) of fellow and sub-administrators:
4. Have Fika!
Let the other admins, who you just added, do the work.