Issues when trying to update Shibboleth

sukdith punjasthitkul

unread,

Feb 4, 2020, 11:18:05 AM2/4/20

to Dataverse Users Community

We need to update our Shibboleth setup to point to a different endpoint. We followed the steps listed on http://guides.dataverse.org/en/latest/installation/shibboleth.html and verified DiscoFeed and Metadata URLs.

Upon testing, we were able to see the changed institution sso link, the institution login page, but upon successful institutional login, the user is brought back to a Dataverse "create user" page. It appears as if the endpoint url is also somehow tied to the user name.

We reverted back to the previous endpoint and is working as expected, but we need to move to the new Shibboleth endpoint soon. Any suggestions/recommendations on linking the current institutional user accounts in dataverse with the new endpoint?

--sukie--

James Myers

unread,

Feb 4, 2020, 11:24:39 AM2/4/20

to dataverse...@googlegroups.com

The authenticateduserlookup table contains a persistentuserid column that includes, for users authenticated through Shibboleth, a concatenation of the Shib endpoint and the user’s id/email, e.g.

https://idp.dev-aws.qdr.org/idp/shibboleth|jim....@computer.org@dev-aws.qdr.org

In order to convert existing user accounts to use the new endpoint, you’ll need to update those values. On QDR, when we’ve changed the endpoint URL, I’ve just run an sql update on that table, but there may be a more elegant way to do this through the API.

-- Jim

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/1e5aec7e-44bc-4a92-8895-165eb2bb09dd%40googlegroups.com.

Philip Durbin

unread,

Feb 4, 2020, 12:23:59 PM2/4/20

to dataverse...@googlegroups.com

Jim, thanks for jumping in. There is no API for this. I agree that an API would be much cleaner. If you have a SQL script handy, please feel free to share it. :)

Sukie, to add a bit more to what Jim is saying, the persistentuserid column is indeed on the authenticatedlookup[1] table. Like he's saying. the persistentuserid is a concatenation of the "entityID" (or "endpoint", as you say, which often looks like a URL) followed by a pipe ("|") followed by an identifier for a user that is unique to that user.

For example, if I dump a user's record with http://localhost:8080/api/admin/authenticatedUsers/jharvard I see this:

{
"status": "OK",
"data": {
"id": 5,
"identifier": "@jharvard",
"displayName": "John Harvard",
"firstName": "John",
"lastName": "Harvard",
"email": "jhar...@harvard.edu",
"superuser": false,
"persistentUserId": "https://fed.huit.harvard.edu/idp/shibboleth|bb91...@harvard.edu",
"emailLastConfirmed": "2020-02-04T16:46:05Z",
"createdTime": "2020-02-04T16:46:05Z",
"lastLoginTime": "2020-02-04T16:46:05Z",
"authenticationProviderId": "shib"
}
}

Like Jim is saying, you want to change the part *before* the pipe ("|") using a SQL script. Here's what the before and after would look like:

BEFORE:

"persistentUserId": "https://fed.huit.harvard.edu/idp/shibboleth|bb91...@harvard.edu",

AFTER:

"persistentUserId": "https://new.idp.whatever.edu/idp/shibboleth|bb91...@harvard.edu",

That is to say, I assume the eppn for the user ("bb91...@harvard.edu" or whatever) isn't changing. Just the "endpoint" is changing, I assume.

I hope this helps. Please feel free to open an issue at https://github.com/IQSS/dataverse/issues called something like "add API for changing Shibboleth endpoint for users". That way, a SQL update wouldn't be necessary.

I hope this helps,

Phil

1. http://phoenix.dataverse.org/schemaspy/latest/tables/authenticateduserlookup.html

To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/BL0PR07MB3921829727CD1395E555DAA9BF030%40BL0PR07MB3921.namprd07.prod.outlook.com.

--

Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin

sukdith punjasthitkul

unread,

Feb 4, 2020, 4:40:18 PM2/4/20

to Dataverse Users Community

Hi Phil and Jim,

We updated the table entries to point to the new URL and that did the trick :)

I'll submit an API feature request; luckily our instance is currently small, but this process would be cumbersome and error-prone with a larger instance and many users.