Group ID not in canonical form

Note

This error only applies to primary and secondary schools.

In version 2.0 of the Feide schema we introduced group identifier values in eduPersonEntitlement. The group identifiers contain much of the same information as the information registered in groups. They are however structured differently, to allow us to look up all users belonging to a specific group.

To allow us to look up all users belonging to a specific group, we need to be able to determine the exact value that will be stored in eduPersonEntitlement for that group. It is therefore important that the eduPersonEntitlement value is encoded exactly as described in the documentation. This is what we refer to as “canonical form” in the error message

The most common problem is a failure to properly encode the local group identifier. It is important that it is converted to lowercase and then percent encoded.

Example

Consider the following group value:

urn:mace:feide.no:go:group:a::NO987654321:PRJ-%C3%85RBOK:2020-08-01:2021-06-15:student:Prosjekt%20%C3%A5rbok

This represents a group with the name “Prosjekt årbok” and local group identifier PRJ-ÅRBOK.

Note that the local group identifier in the group value is encoded as PRJ-%C3%85RBOK. %C3%85 is the precent encoding of the uppercase Å.

To build the group identifier value, we need to transform the elements from the group value to the canonical form. For example, the local group identifier needs to be stored in lowercase format and then percent encoded. A lowercase å is encoded as %C3%A5, so the local group identifier part becomes prj-%C3%A5rbok.

The full group identifer value should be:

urn:mace:feide.no:go:groupid:a:NO987654321:prj-%C3%A5rbok:2020-08-01:2021-06-15