Shibboleth feedback


Philip Durbin

Jan 6, 2016, 4:16:12 PM
to dataverse...@googlegroups.com
I'm organizing a small internal meeting about Shibboleth and wanted to ask you lovely people in the community what is "top of mind" for you with regard to Shibboleth.

Despite the experimental* status of Shibboleth support in Dataverse 4 I know that some of you have been trying it out and I'd love to hear what you think. Are big changes necessary before you can use it? Is it useful to you as-is? Please let me know!

If you've already sent in your feedback via issues at https://github.com/IQSS/dataverse/issues or tickets at https://help.hmdc.harvard.edu please let me know the numbers so I can quickly find them.

Thanks!


Ben Companjen

Jan 7, 2016, 6:14:09 AM
to dataverse...@googlegroups.com
Hi Phil,

Thanks for reaching out :)

At the top of our list is implementing shib groups. We need group definitions that are more targeted than "all users from institution X (i.e. identified by identity provider X)" and therefore need to check more than one attribute in SAML messages to determine group membership. This is issue 1515 ("arbitrary attributes and regex support") and we want to contribute code for this issue, but I have to fight for the needed developer time. I foresee a change to the model of group definitions and possibly a change to the API and have asked for feedback on this list.

Second on the list is 2548 ("Shibboleth/UI/config: one-click IdP-selection, DiscoFeed-bypass"). We use an external discovery service, so a dropdown list for IdPs could be replaced by a button or link. Also, the hardcoded link to the JSON feed for IdP names should be configurable.

ORCID and ISNI support via SAML is nice (mentioned in https://github.com/IQSS/dataverse/issues/923#issuecomment-169454780), but it's not one of our priorities.

Regards,

Ben

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/CABbxx8Hb2RgxExjgiYkffk3GvrEHET5p-HKT8fNEurJpyz-9Tw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Sherry Lake

Jan 7, 2016, 9:56:07 AM
to Dataverse Users Community, philip...@harvard.edu
I have more of a question of "how would it work, if?"

If Shibboleth login is the ONLY way to create a DV account, then how do we set up (or use) the default administrator? An administrator account is created on installation; can we make one of our Shibboleth logged-in users be administrator (how would we do that)? We of course want to make sure local account creation is not available (https://github.com/IQSS/dataverse/issues/2838), but would we have login access for the admin account in addition to Shibboleth login?

Thanks.
Sherry

Philip Durbin

Jan 7, 2016, 10:17:25 AM
to dataverse...@googlegroups.com
Yes, but let me clarify the terminology.

A *superuser* account is created when you install Dataverse. This is a boolean in the "authenticateduser" table that applies to *all* users including Shibboleth users. Look for "Toggles superuser mode" at http://guides.dataverse.org/en/4.2.2/api/native-api.html#admin

In practice, a superuser is an administrator and the default one "dataverseAdmin" has "admin" in the username but I want to differentiate between being a superuser and being granted the "Admin" role, which is a collection of specific permissions. The permission rules don't apply to superusers.

Setup of Dataverse requires a local account, "dataverseAdmin" by default, but you could always remove its superuser privileges and/or scramble its password once you have Shibboleth working. Or you could keep the dataverseAdmin account working in case your Shibboleth auth goes down temporarily.

I hope this helps!

Phil

p.s. Sounds like https://github.com/IQSS/dataverse/issues/2838 is pretty important to you. /me adds it to his list.



Philip Durbin

Jan 7, 2016, 10:25:28 AM
to dataverse...@googlegroups.com
Right. I've read https://groups.google.com/d/msg/dataverse-community/FviyNJ-sc0c/29bOpQ64BgAJ but no one has replied on that thread about Shibboleth groups. I'm sure you'd appreciate a reply or more comments on https://github.com/IQSS/dataverse/issues/1515 from the community.

I understand that because all of your users come from a single IdP the "institution-wide" groups developed in https://github.com/IQSS/dataverse/issues/1401 are of no use to you. :(

The single IdP situation is also what led you to open https://github.com/IQSS/dataverse/issues/2548 about the login workflow. I'm not sure the best way for me to replicate the single IdP situation in development, actually.

These were both on my list already but I'm glad to confirm there's nothing new.

Thanks, Ben!

Phil



Jonathan Crabtree

Jan 7, 2016, 10:46:35 AM
to dataverse...@googlegroups.com
Phil/Ben

Odum has started our Shib testing and we are also interested in defining groups based on Shib attributes. Potentially affiliation.

We have not gone very far on that since we are still trying to migrate our existing users to Shib users during the migration.

Our situation might also be complicated by users with multiple entries for some attributes. We have some users that have multiple departments and statuses.
I am a good example. I am Staff at Odum and a Student in the School of Information and Library Science.

We are planning to migrate to 4.x before dealing with these groups but that will be next on our list too.

Jon


Ben Companjen

Jan 8, 2016, 6:12:48 AM
to dataverse...@googlegroups.com
Hi Jon,

Thanks for your feedback.

In your situation, would a SAML message include `eduPersonScopedAffiliation`, e.g. `st...@odum.unc.edu;stu...@ils.unc.edu` (I'm making up the scopes here)? 
That would be preferable to just having assertions about your affiliations (staff, student) and organisational units (Odum, ILS) that the group membership component would have to correlate.

It reminds me that we should check the assertions that we (can) get from our partners.

Ben

Jonathan Crabtree

Jan 8, 2016, 8:56:51 AM
to dataverse...@googlegroups.com
Ben

Yes it would be something like that.

The key would be making decisions about what is primary affiliation and primary role.
I guess you could just put the users in all affiliations and let them manually select the primary.

I have copied Don and he can give you what we get from our IdP as far as assertions.

Jon



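Ben's request in issue 1515 (arbitrary attributes with regex support) and the exchange above about a multi-valued eduPersonScopedAffiliation are what a group-rule evaluator has to cope with. The block below is an added example, not Dataverse code and not part of this thread; it evaluates such rules against the attribute headers a Shibboleth SP passes to the application. The header names follow the default Shibboleth SP attribute-map.xml ids ("affiliation" for eduPersonScopedAffiliation, "unscoped-affiliation" for eduPersonAffiliation); the IdP entityID, the scopes and the user are constructed for the example.

```python
import re
from typing import Dict, List, Mapping, Sequence

# Shibboleth SP hands a multi-valued attribute to the application as one string
# with the values joined by ";" and a literal ";" inside a value escaped as "\;".
# This helper undoes that joining.
def split_shib_values(raw: str) -> List[str]:
    values: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return [v for v in values if v]


def parse_attributes(headers: Mapping[str, str]) -> Dict[str, List[str]]:
    """Turn the SP's attribute headers into attribute name -> list of values."""
    return {name: split_shib_values(raw) for name, raw in headers.items()}


# A group rule maps attribute names to regular expressions. A user is in the
# group when every attribute in the rule has at least one value that fully
# matches its pattern (AND across attributes, OR across values).
GroupRule = Mapping[str, str]


def matches_rule(attrs: Mapping[str, Sequence[str]], rule: GroupRule) -> bool:
    for attr, pattern in rule.items():
        compiled = re.compile(pattern, re.IGNORECASE)
        # fullmatch, not search: "ils.example.edu.evil.test" must not satisfy
        # a pattern written for "ils.example.edu".
        if not any(compiled.fullmatch(value) for value in attrs.get(attr, [])):
            return False
    return True


def groups_for(attrs: Mapping[str, Sequence[str]], rules: Mapping[str, GroupRule]) -> List[str]:
    return sorted(name for name, rule in rules.items() if matches_rule(attrs, rule))


# Constructed sample input: a user who is staff in one unit and a student in
# another, as in Jon's case. EntityID and scopes are made up for this example.
SAMPLE_HEADERS = {
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "eppn": "jdoe@example.edu",
    "affiliation": "staff@odum.example.edu;student@ils.example.edu",
    "unscoped-affiliation": "staff;student;member",
}

RULES: Dict[str, GroupRule] = {
    # Pin the IdP as well as the scope: a rule that only looks at the scope
    # trusts every IdP the SP accepts to assert any scope it likes.
    "odum-staff": {
        "Shib-Identity-Provider": r"https://idp\.example\.edu/idp/shibboleth",
        "affiliation": r"staff@odum\.example\.edu",
    },
    "ils-students": {
        "Shib-Identity-Provider": r"https://idp\.example\.edu/idp/shibboleth",
        "affiliation": r"student@ils\.example\.edu",
    },
    # Faculty anywhere under example.edu, whatever the sub-scope.
    "example-faculty": {"affiliation": r"faculty@([a-z0-9-]+\.)*example\.edu"},
}


def sample_groups() -> List[str]:
    return groups_for(parse_attributes(SAMPLE_HEADERS), RULES)


if __name__ == "__main__":
    print(sample_groups())  # ['ils-students', 'odum-staff']
```

A user with several affiliations simply lands in several groups, which is the behaviour Jon suggests. The scope in a scoped attribute is only as trustworthy as the SP's own filtering (the default attribute-policy.xml drops scoped values whose scope the IdP's metadata does not declare), so the application-side rule should pin the IdP entityID too rather than be the only line of defence.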

Philip Durbin

Jan 8, 2016, 9:08:12 AM
to dataverse...@googlegroups.com
Thanks, Jon. My takeaway is that while groups are important, you're like us (Harvard Dataverse) in that the priority is giving users the ability to log in to Shibboleth at all and you're willing to wait a bit to get the group stuff working. It looks like you're having a nice chat with Ben further down in this thread, which is great. I'll probably jump in at some point.

The thing that really caught my eye is "we are still trying to migrate our existing users to Shib users during the migration." I *think* you're suggesting a different approach than we're using at Harvard. When we launched Dataverse 4.0 we allowed users to choose to convert their local account to a Shibboleth account if they want to. (After logging in with Shibboleth we check for a matching email address for a builtin user and confirm their local password as developed in https://github.com/IQSS/dataverse/issues/796 .) It sounds like you're going to just convert everyone ahead of time somehow. You'll need their EPPN values I guess. Or maybe I'm completely misunderstanding what you're saying! Anyway, sounds fancy. :)

Phil




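Two things Phil describes in this thread fit together: the superuser flag that applies to every account regardless of how it logs in (his reply to Sherry), and the Harvard conversion flow in which a Shibboleth login whose email matches a builtin account is linked only after the user confirms the local password. The block below is an added example of that decision logic with an in-memory account table; it is not Dataverse's own implementation, and the account names, addresses, entityIDs and PBKDF2 password scheme are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex' (example scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so a wrong guess does not leak how much matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    username: str
    email: str
    password_hash: Optional[str]   # None once local password login is disabled
    shib_id: Optional[str] = None  # "<IdP entityID>|<eppn>" after linking
    superuser: bool = False        # applies whatever the login method


class AccountStore:
    """In-memory stand-in for the user table."""
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self._accounts[acct.username] = acct

    def find_by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.email.lower() == email.lower()), None)

    def find_by_shib_id(self, shib_id: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.shib_id == shib_id), None)


def shib_login(store: AccountStore, idp_entity_id: str, eppn: str, mail: str,
               local_password: Optional[str] = None) -> Tuple[str, Optional[Account]]:
    """Decide what to do after the SP has authenticated a user.

    The asserted mail address only nominates a candidate local account; the
    builtin password is what proves the user owns it.
    """
    shib_id = f"{idp_entity_id}|{eppn}"

    linked = store.find_by_shib_id(shib_id)
    if linked is not None:
        return "login", linked

    existing = store.find_by_email(mail)
    if existing is None:
        created = Account(username=eppn, email=mail, password_hash=None, shib_id=shib_id)
        store.add(created)
        return "created", created

    if existing.shib_id is not None or existing.password_hash is None:
        # Address already tied to another identity, or no password to prove
        # ownership with: never merge on the mail attribute alone.
        return "conflict", None

    if local_password is None:
        return "confirm-password", existing  # prompt for the builtin password

    if not verify_password(local_password, existing.password_hash):
        return "password-rejected", None

    existing.shib_id = shib_id
    existing.password_hash = None  # converted: the local password no longer works
    return "converted", existing


def demo() -> Dict[str, str]:
    """Walk one builtin superuser through the conversion flow (constructed data)."""
    store = AccountStore()
    store.add(Account("sherry", "sherry@example.edu", hash_password("correct horse"), superuser=True))
    idp = "https://idp.example.edu/idp/shibboleth"
    me = ("sherry@example.edu", "sherry@example.edu")  # (eppn, mail)
    out: Dict[str, str] = {}
    out["first"] = shib_login(store, idp, *me)[0]
    out["wrong"] = shib_login(store, idp, *me, "guess")[0]
    outcome, acct = shib_login(store, idp, *me, "correct horse")
    out["right"] = outcome
    out["keeps_superuser"] = str(acct.superuser)
    out["again"] = shib_login(store, idp, *me)[0]
    out["other_idp_same_mail"] = shib_login(store, "https://idp.example.org/idp/shibboleth", *me)[0]
    out["newcomer"] = shib_login(store, idp, "new@example.edu", "new@example.edu")[0]
    return out
```

Once converted, the local password is cleared so the IdP is the only way into that account, which is the "scramble its password" step Phil mentions; a second IdP identity asserting the same address gets "conflict" rather than a silent merge. The superuser flag travels with the converted account, so it is worth reviewing who holds it after a migration, and keeping one builtin superuser such as dataverseAdmin with a strong password as a break-glass login for when the IdP is down is the trade-off Phil points out.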

Jonathan Crabtree

Jan 8, 2016, 9:54:06 AM
to dataverse...@googlegroups.com
Phil

Yes you are right on groups.

We are still investigating the migration. Right now we have tons of "test" users and "DVNs" we are cleaning up. I think we want all UNC people to use Shib login one way or another. We have not got very far in making a decision on how to do that. We do not have as many as you do so it might be possible manually as you say, but I am not sure yet.

jon

