Deprovisioning - OpenConext/OpenConext-engineblock GitHub Wiki
Deprovisioning
As of version 5.8 Engineblock ships with a deprovision API. This API can be used to remove personally identifiable information from the application. This page describes the API and explains how to configure it.
Configuration
The deprovision API is configured in the application.ini file. The feature can be toggled on and off using the engineApi.features.deprovision feature toggle.
To enable the API, set the toggle to the value 1:

engineApi.features.deprovision = 1

To disable the feature, leave the line commented out:

;engineApi.features.deprovision = 1
The next step is to provide credentials for accessing the API. Basic auth is used to secure the deprovision endpoint. Credentials are configured using the following ini parameters:
engineApi.users.deprovision.username = "some user"
engineApi.users.deprovision.password = "some password"
:warning: In early EB 5.8 releases the deprovision.username and password might still be mandatory settings. Failing to set them might result in 500 errors.
Usage
The endpoint is exposed on the API subdomain (engine-api.example.org). It was designed to be compatible with the OpenConext User Lifecycle command line tool.
One endpoint is exposed on the API, which is called deprovision. Deprovision allows GET and DELETE requests, providing the possibility to read user data before deprovisioning. The following table describes all possible ways to use the deprovision API.

| Verb | Argument | Option | Usage | Explanation |
|---|---|---|---|---|
| GET | urn:collab:person:id | - | GET /deprovision/urn:collab:person:example.com:admin | Retrieves user information |
| DELETE | urn:collab:person:id | - | DELETE /deprovision/urn:collab:person:example.com:admin | Removes the user from Engineblock and returns the user data that has been removed. |
| DELETE | urn:collab:person:id | dry-run | DELETE /deprovision/urn:collab:person:example.com:admin/dry-run | Does not actually remove the user, but returns the user information that would have been removed. |
Data is returned in JSON format. An example response might look like this:

```json
[
  {
    "name": "user",
    "value": {
      "collab_person_id": "urn:collab:person:example.com:admin",
      "uuid": "b26c5243-6118-4943-af93-d49d2d0d315c"
    }
  },
  {
    "name": "saml_persistent_id",
    "value": []
  },
  {
    "name": "consent",
    "value": [
      {
        "user_id": "urn:collab:person:example.com:admin",
        "service_provider_entity_id": "https://manage.vm.openconext.org/shibboleth",
        "consent_given_on": "2018-06-13T00:10:15+02:00",
        "consent_type": "explicit",
        "attribute_hash": "7d65d35ebd3f137694d67230002f83b9ef630120"
      },
      {
        "user_id": "urn:collab:person:example.com:admin",
        "service_provider_entity_id": "https://teams.vm.openconext.org/shibboleth",
        "consent_given_on": "2018-06-13T00:09:18+02:00",
        "consent_type": "explicit",
        "attribute_hash": "7d65d35ebd3f137694d67230002f83b9ef630120"
      }
    ]
  }
]
```
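As an added example (not part of this wiki page or of Engineblock's own tooling), a small Python client that follows the dry-run-then-delete path described above and reduces the response to an audit summary. The base URL, the `call_api` helper and the `SAMPLE_RESPONSE` payload are assumptions, constructed from the example response shown on this page.

```python
import base64
import json
import urllib.request

# Assumed base URL: the page only says the API lives on the API subdomain.
API_BASE = "https://engine-api.example.org"

# Constructed sample, trimmed from the example response above.
SAMPLE_RESPONSE = [
    {"name": "user", "value": {"collab_person_id": "urn:collab:person:example.com:admin",
                               "uuid": "b26c5243-6118-4943-af93-d49d2d0d315c"}},
    {"name": "saml_persistent_id", "value": []},
    {"name": "consent", "value": [
        {"user_id": "urn:collab:person:example.com:admin", "consent_type": "explicit",
         "service_provider_entity_id": "https://manage.vm.openconext.org/shibboleth"},
        {"user_id": "urn:collab:person:example.com:admin", "consent_type": "explicit",
         "service_provider_entity_id": "https://teams.vm.openconext.org/shibboleth"}]},
]

def deprovision_url(collab_person_id, dry_run=False):
    """Build the GET/DELETE URL; the /dry-run suffix previews without deleting."""
    url = f"{API_BASE}/deprovision/{collab_person_id}"
    return url + "/dry-run" if dry_run else url

def summarize(response):
    """Reduce the list-of-{name,value} payload to what an audit record needs."""
    by_name = {entry["name"]: entry["value"] for entry in response}
    consents = by_name.get("consent") or []
    return {
        "collab_person_id": (by_name.get("user") or {}).get("collab_person_id"),
        "persistent_ids": len(by_name.get("saml_persistent_id") or []),
        "consents": len(consents),
        "service_providers": sorted({c["service_provider_entity_id"] for c in consents}),
    }

def call_api(method, url, username, password):
    """One Basic-auth request to the endpoint (assumed helper), returning decoded JSON."""
    req = urllib.request.Request(url, method=method)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def deprovision(collab_person_id, username, password, http=call_api):
    """Dry-run first, then delete; refuse to report success if the two disagree."""
    preview = summarize(http("DELETE", deprovision_url(collab_person_id, True), username, password))
    removed = summarize(http("DELETE", deprovision_url(collab_person_id), username, password))
    if preview != removed:
        raise RuntimeError(f"dry-run and delete disagree: {preview} vs {removed}")
    return removed
```

The `http` parameter lets the delete step be exercised against a recorded response before pointing it at a live instance.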