Bug 55154 - Ship schema extension univentionAdHocFederation as part of UCS
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Arvid Requate
QA Contact: Juan Pedro Torres
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
Reported: 2022-08-31 17:22 CEST by Arvid Requate
Modified: 2022-09-08 11:43 CEST (History)
CC List: 2 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Further conceptual development
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2022-08-31 17:22:32 CEST
Currently both the Keycloak SPI extension for Ad-Hoc-Federation and the udm-directory-connector, invented in the Phoenix project, create user (and group) accounts and they store the objectGUID of the originating IAM system (Microsoft AD or ADFS) with the created object, to make it possible to track the object identity.

We want to shift this approach to a more general level, by introducing an attribute `univentionObjectIdentifier` that shall identify each identity object in an immutable manner. See https://git.knut.univention.de/groups/univention/-/epics/321 for more details about the rationale.

We also want to offer an attribute that tracks the "namespace" (or identity context) an object came from, which shall be called `univentionSourceIAM`.

To make these attributes available as UDM properties, we need to

1. Install the LDAP schema extension (probably by calling ucs_registerLDAPExtension in some joinscript)

2. Adjust UDM to define the corresponding properties in a way that they can only be set during object creation but not modified later

In the Phoenix project we defined a preliminary schema extension https://git.knut.univention.de/univention/components/keycloak-app/-/blob/main/dependencies/adhocfederation.schema but since the attribute names changed, I guess we should also define new OIDs and also choose a different name for the objectclass (e.g. `univentionIAMObject`).

The Gitlab issue is https://git.knut.univention.de/univention/customers/dataport/upx/iam-team/-/issues/29 , so the work probably will be done by that team.
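The two steps in the description, as an added example that is not Univention's code and not part of this bug: a draft of what the schema extension could look like, plus a small model of the create-only rule the UDM properties are meant to enforce. The OIDs are placeholders (the description says new ones still have to be assigned), `univentionIAMObject` is the objectclass name the description proposes, and `parse_schema()`, `create_object()` and `modify_object()` are hypothetical helpers that stand in for UDM, not UDM's own API.

```python
"""Added example, not Univention's code: a draft LDAP schema extension for the
two new attributes and a model of the create-only rule for the UDM properties.

Assumptions: the OIDs are PLACEHOLDERS, `univentionIAMObject` is the objectclass
name suggested in the bug, and the helper functions are hypothetical stand-ins
for what UDM would do on create and modify.
"""
import re

# Constructed draft schema in OpenLDAP .schema syntax (placeholder OIDs).
DRAFT_SCHEMA = """
attributetype ( 1.3.6.1.4.1.PLACEHOLDER.1.1 NAME 'univentionObjectIdentifier'
    DESC 'Immutable identifier of an identity object'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.PLACEHOLDER.1.2 NAME 'univentionSourceIAM'
    DESC 'Namespace (identity context) the object originated from'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.PLACEHOLDER.2.1 NAME 'univentionIAMObject'
    DESC 'Identity object tracked across IAM systems'
    SUP top AUXILIARY
    MAY ( univentionObjectIdentifier $ univentionSourceIAM ) )
"""

IAM_OBJECTCLASS = "univentionIAMObject"
CREATE_ONLY = ("univentionObjectIdentifier", "univentionSourceIAM")


class ImmutableAttributeError(ValueError):
    """Raised when a create-only attribute is touched after creation."""


def parse_schema(text):
    """Minimal parser for the subset of .schema syntax used above.

    Returns {"attributetype": {name: {...}}, "objectclass": {name: {...}}}.
    """
    defs = {"attributetype": {}, "objectclass": {}}
    for block in re.split(r"\n\s*\n", text.strip()):
        kind = block.split(None, 1)[0]
        name = re.search(r"NAME\s+'([^']+)'", block).group(1)
        entry = {"single_value": "SINGLE-VALUE" in block}
        may = re.search(r"MAY\s*\(\s*([^)]*)\)", block)
        if may:
            entry["may"] = [a.strip() for a in may.group(1).split("$")]
        defs[kind][name] = entry
    return defs


def create_object(schema, attrs):
    """Create step: the create-only attributes may be set here, each with one
    value (the schema declares them SINGLE-VALUE), and the auxiliary
    objectclass is added so the directory accepts them."""
    allowed = schema["objectclass"][IAM_OBJECTCLASS]["may"]
    obj = {k: list(v) if isinstance(v, list) else [v] for k, v in attrs.items()}
    for name in CREATE_ONLY:
        if name in obj:
            if name not in allowed:
                raise ValueError(f"{name} not permitted by {IAM_OBJECTCLASS}")
            if schema["attributetype"][name]["single_value"] and len(obj[name]) != 1:
                raise ValueError(f"{name} is SINGLE-VALUE, got {obj[name]}")
    if any(name in obj for name in CREATE_ONLY):
        obj.setdefault("objectClass", [])
        if IAM_OBJECTCLASS not in obj["objectClass"]:
            obj["objectClass"].append(IAM_OBJECTCLASS)
    return obj


def modify_object(obj, changes):
    """Modify step: reject any change (set, replace or delete, i.e. None) to a
    create-only attribute; otherwise return the updated object."""
    touched = [name for name in CREATE_ONLY if name in changes]
    if touched:
        raise ImmutableAttributeError(
            f"{', '.join(touched)} can only be set when the object is created")
    updated = dict(obj)
    for name, value in changes.items():
        if value is None:
            updated.pop(name, None)
        else:
            updated[name] = list(value) if isinstance(value, list) else [value]
    return updated


if __name__ == "__main__":
    schema = parse_schema(DRAFT_SCHEMA)
    alice = create_object(schema, {
        "uid": "alice", "objectClass": ["inetOrgPerson"],
        "univentionObjectIdentifier": "5c0e6d1a-0000-4000-8000-000000000001",  # constructed
        "univentionSourceIAM": "ad.example.invalid",  # constructed
    })
    print(alice["objectClass"])
    try:
        modify_object(alice, {"univentionSourceIAM": "other.example.invalid"})
    except ImmutableAttributeError as exc:
        print("rejected:", exc)
```

The model treats both attributes as settable only on create and rejects every later change, including a delete; on a real UCS system the schema file would be registered with ucs_registerLDAPExtension from a joinscript and the UDM property definitions would carry the same create-only restriction.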
Comment 1 Arvid Requate univentionstaff 2022-08-31 17:39:27 CEST
This would make the steps below https://git.knut.univention.de/univention/components/keycloak-app/-/blob/main/app/inst#L74 obsolete.
Comment 2 Arvid Requate univentionstaff 2022-09-05 20:08:36 CEST
10c7660bbe | Add univentionObjectIdentifier and univentionSouceIAM
49df696313 | Advisories


Package: univention-ldap
Version: 16.0.7-22A~5.0.0.202209052004
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: univention-directory-manager-modules
Version: 15.0.13-6A~5.0.0.202209052006
Branch: ucs_5.0-0
Scope: errata5.0-2