Shibboleth attributes not working


Gary Browne

Oct 17, 2019, 6:50:22 AM10/17/19
to dspac...@googlegroups.com

Hi all,

DSpace 6.3, Tomcat 7, Amazon Linux 2

I have implemented Shibboleth authentication. It is working, but now I need to auto-allocate users to role-based groups. I have followed the documentation on the duraspace wiki, but I am not clear on how claim attributes are specified so that they can be used by the authentication-shibboleth.cfg configuration.

In /etc/shibboleth/attribute-map.xml I have added:

<Attribute name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role" id="SHIB-SCOPED-AFFILIATION"/>

And then in authentication-shibboleth.cfg I have:

authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION

# Whether to ignore the attribute's scope or value.
authentication-shibboleth.role-header.ignore-scope = true
authentication-shibboleth.role-header.ignore-value = false

# Default mappings of roles values to a comma separated list of DSpace group
# names (Case Sensitive).
authentication-shibboleth.role.staff = staffRole
authentication-shibboleth.role.student = studentRole

However, when I log in with my staff credentials via Shibboleth/SAML I get:

2019-10-17 21:27:01,761 INFO  org.dspace.authenticate.ShibAuthentication @ gary....@sydney.edu.au has been authenticated via shibboleth.
2019-10-17 21:27:01,761 INFO  org.dspace.eperson.EPersonServiceImpl @ gary....@sydney.edu.au:session_id=xxxxxxxxxxxxxxxxxxxx:ip_addr=xxxxxxxxxxx:update_eperson:eperson_id=xxxxxxxxxxxxxxxxxxx
2019-10-17 21:27:01,761 INFO  org.dspace.app.xmlui.utils.AuthenticationUtil @ gary....@sydney.edu.au:session_id=xxxxxxxxxxxxxxxxxxxx:ip_addr=xxxxxxxxxxxxxxxx:login:type=explicit
2019-10-17 21:27:01,779 INFO  org.dspace.authenticate.ShibAuthentication @ Added current EPerson to special groups: []

So you can see authentication is successful, but adding to special groups is not working ("[]"). I have confirmed that the SAML response contains the data:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>staff</AttributeValue>
</Attribute>

Where am I going wrong?

Thanks,
Gary


Gary Browne | Technical Manager, Developments
Online Services
University of Sydney Library
THE UNIVERSITY OF SYDNEY
Level 1, Fisher Library F03, The University of Sydney NSW 2006
T +61 2 9351 5946 | M +61 405 647 868
gary....@sydney.edu.au

The University of Sydney Camperdown campus stands on land of the Gadigal peoples of the Eora nation.


Gary Browne

Oct 17, 2019, 11:01:01 PM10/17/19
to DSpace Technical Support
Hi all,

When I looked more closely at the attribute map definition in attribute-map.xml:
<Attribute name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role" id="SHIB-SCOPED-AFFILIATION"/>

and the actual response received from SAML:

I realised that I had specified the wrong schema!

SOLVED!

Cheers,
Gary
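The mismatch Gary found (attribute-map.xml naming the xmlsoap.org role claim while the IdP actually asserts the microsoft.com one) is easy to miss by eye because the two URIs differ only in host. The script below is an added example, not code from the thread, DSpace or the Shibboleth SP: it cross-checks the three places the role has to line up (the SP attribute map, the SAML AttributeStatement, and the authentication-shibboleth.* keys) and reports where the chain breaks. The XML and config snippets are constructed to mirror the post; the namespace URIs used on them are the standard Shibboleth attribute-map and SAML 2.0 assertion namespaces, and the nearest-name hint is a heuristic I added, not anything DSpace itself does.

```python
"""Cross-check a Shibboleth SP attribute map against a SAML assertion and
DSpace's authentication-shibboleth.cfg (added example, not DSpace code).

Constructed sample inputs mirror the thread: the map declares the
xmlsoap.org role claim, but the IdP actually sends the microsoft.com one."""
import xml.etree.ElementTree as ET

# Constructed: the attribute-map.xml entry from the post (wrong schema host).
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role" id="SHIB-SCOPED-AFFILIATION"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>"""

# Constructed: the relevant fragment of the SAML assertion the IdP sent.
SAML_ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: the DSpace config lines from the post.
DSPACE_CFG = """authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
authentication-shibboleth.role-header.ignore-scope = true
authentication-shibboleth.role-header.ignore-value = false
authentication-shibboleth.role.staff = staffRole
authentication-shibboleth.role.student = studentRole
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Attribute' -> 'Attribute'."""
    return tag.rsplit('}', 1)[-1]


def parse_attribute_map(xml_text):
    """Return {claim name -> SP attribute id} from attribute-map.xml."""
    root = ET.fromstring(xml_text)
    return {el.get('name'): el.get('id')
            for el in root.iter() if _local(el.tag) == 'Attribute'}


def parse_saml_attributes(xml_text):
    """Return {claim name -> [values]} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text)
    out = {}
    for el in root.iter():
        if _local(el.tag) == 'Attribute':
            out[el.get('Name')] = [v.text for v in el
                                   if _local(v.tag) == 'AttributeValue']
    return out


def parse_dspace_cfg(cfg_text):
    """Return {key -> value} for the key = value lines, skipping comments."""
    cfg = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition('=')
        cfg[key.strip()] = value.strip()
    return cfg


def check_role_mapping(attr_map, saml_attrs, cfg):
    """Report why DSpace would (or would not) see a role value.

    Returns a list of findings; an empty list means the chain is consistent.
    """
    findings = []
    header = cfg.get('authentication-shibboleth.role-header')
    if header is None:
        return ['authentication-shibboleth.role-header is not configured']
    claims_for_header = [name for name, hid in attr_map.items() if hid == header]
    if not claims_for_header:
        findings.append(f'no attribute-map.xml entry has id="{header}"')
    for claim in claims_for_header:
        if claim not in saml_attrs:
            # The thread's bug: the map names a claim the IdP never sends.
            # Heuristic hint: any asserted claim with the same last path segment.
            near = [n for n in saml_attrs
                    if n.rsplit('/', 1)[-1] == claim.rsplit('/', 1)[-1]]
            hint = f' (assertion carries {near[0]!r} instead)' if near else ''
            findings.append(f'mapped claim {claim!r} absent from assertion{hint}')
            continue
        for value in saml_attrs[claim]:
            group_key = f'authentication-shibboleth.role.{value}'
            if group_key not in cfg:
                findings.append(f'role value {value!r} has no {group_key} mapping')
    return findings


if __name__ == '__main__':
    for finding in check_role_mapping(parse_attribute_map(ATTRIBUTE_MAP_XML),
                                      parse_saml_attributes(SAML_ASSERTION_XML),
                                      parse_dspace_cfg(DSPACE_CFG)):
        print('FINDING:', finding)
```

Run against the constructed inputs it reports the mapped xmlsoap.org claim as absent and points at the microsoft.com claim the assertion actually carries; once the attribute-map.xml host is corrected the check returns no findings, matching the "SOLVED!" outcome above. In a real deployment you would feed it the SP's attribute-map.xml, a decoded assertion from the SP's transaction log, and the live config file.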