Shibboleth auto group allocation doesn't work if multiple role attribute values returned by IdP
20 views
Skip to first unread message
Gary Browne
Jul 13, 2020, 7:34:05 PM7/13/20
to DSpace Technical Support
Hi all,
DSpace 6.3
Apache 2.4.41
Tomcat 7.0.84
Amazon Linux 2
I have Shibboleth auth set up, with auto group allocation. However, in some cases it appears not to be working. I haven't enough data to be sure, but I know in some cases we are receiving a SAML response which contains the role attribute like this:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<AttributeValue>staff</AttributeValue>
<AttributeValue>student</AttributeValue>
</Attribute>
Here's my config:
# The shibboleth header to do role-based mappings
authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
# Whether to ignore the attribute's scope or value.
authentication-shibboleth.role-header.ignore-scope = true
authentication-shibboleth.role-header.ignore-value = false
# Default mappings of roles values to a comma separated list of DSpace group
# names (Case Sensitive).
authentication-shibboleth.role.staff = staffsubmit
authentication-shibboleth.role.student = studentsubmit
Will DSpace do anything with a response that contains more than one AttributeValue for an Attribute (in this case, role)? It looks like in this situation, DSpace doesn't allocate the user to any groups.
Should I get the IdP to send only one attribute value? But which one!? Have any other institutions come across this issue?
Thanks for your help,
Gary
helix84
Jul 14, 2020, 2:04:25 AM7/14/20
to Gary Browne, DSpace Technical Support
I believe this case simply may not have been originally considered,
analogously to the same bug in LDAP:
https://jira.lyrasis.org/browse/DS-4388
Regards,
~~helix84
> --
> All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
> ---
> You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/09add5d6-5940-4a6e-878d-7220bbce83f0o%40googlegroups.com.
analogously to the same bug in LDAP:
https://jira.lyrasis.org/browse/DS-4388
Regards,
~~helix84
> All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
> ---
> You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/09add5d6-5940-4a6e-878d-7220bbce83f0o%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages