Assigning user roles upon initial Shibboleth SSO login based on Shibboleth attribute


Alexander Ivanov

Feb 28, 2017, 6:38:59 PM
to Dataverse Users Community

Hi all,

Here at QDR we've made a lot of progress in configuring our Shibboleth IdP and SP to provide a Single Sign On solution for our Dataverse/Drupal integration.

Our user accounts are created via forms on the Drupal site, which create records in an LDAP directory that stores the user information that is then used by the IdP for authentication. I would like to use an LDAP field to store each user's roles, so that upon logging into Dataverse for the first time (when the user's account is created) the account is also assigned the appropriate roles.

I've looked through the Dataverse Shibboleth documentation and haven't found much that pertains to assigning roles to users upon account creation.  What would we need to do to implement this functionality? If a list of roles was stored in a Shibboleth attribute, such as eduPersonScopedAffiliation or an attribute with a custom name, how can I get Dataverse to assign these roles to a newly generated user account?

Please send over your suggestions.  Thanks in advance.

My Best,
Alex


Philip Durbin

Feb 28, 2017, 10:14:43 PM
to dataverse...@googlegroups.com
Hi Alex,

I'm glad you've made so much progress! Good job.

Here are the most relevant GitHub issues:

- Shibboleth Groups: arbitrary attributes and regex support - https://github.com/IQSS/dataverse/issues/1515
- Automatically add a shib group when a user from a new institution first logs in - https://github.com/IQSS/dataverse/issues/1403

If you're interested in implementing either or both of these, great! I'm especially interested in knowing what values you expect to store in eduPersonScopedAffiliation (please consider adding examples to #1515). Personally, I'd probably make the creation of groups manual to start and worry about automating that part later.

I hope this helps!

Phil


--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/040b35db-c81f-4011-b88c-6549d2cf6574%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




Alexander Ivanov

Mar 7, 2017, 6:28:28 PM
to dataverse...@googlegroups.com
Hi Phil,

I just wanted to clarify that I do not want to automate the creation of groups. I want to automate the assignment of DV roles to newly generated user accounts for users who authenticated via SSO:

http://guides.dataverse.org/en/4.4/user/dataverse-management.html#permissions

The values that I would put in eduPersonScopedAffiliation (or rather a custom attribute, which I think is more appropriate here) would be a list of roles, e.g.: "Member", "Admin,Member"

As of now we're looking to make these role assignments mirror the role assignments in Drupal. In our Drupal application users can have multiple roles. We're looking to create a mapping such that a user who has the Drupal roles "Administrator, Authenticated User" would have the corresponding mapped roles in Dataverse (Admin, Member) when the DV account is created.

We have five roles in Drupal that we'd like to propagate to Dataverse:
authenticated user, institution user, mcp coordinator, qdr staff, administrator

I think that I need to examine the code that auto-generates the DV account upon initial SSO login and see if it is possible to add custom functionality that would perform the role assignment for the new user based on the value of the custom SAML attribute.

My Best,
Alex



Alexander Ivanov

Mar 7, 2017, 6:56:57 PM
to dataverse...@googlegroups.com
It seems that I would be able to accomplish what I need by modifying the confirmAndCreateAccount function in Shib.java. After the new account is created, a function should be called that reads the roles from my SAML attribute and assigns these roles to the new user.

Should this be developed as a feature that can be enabled in Dataverse, or just as a customization for our instance?


Philip Durbin

Mar 7, 2017, 8:56:33 PM
to dataverse...@googlegroups.com
I bet you could hack something together using scripts that hit the existing Dataverse APIs, which allow you to grant roles to users (and groups) at the dataverse and dataset level.

I find the documentation a bit lacking, but you can find it at http://guides.dataverse.org/en/4.6/api/native-api.html#roles and http://guides.dataverse.org/en/4.6/api/native-api.html#dataverses

In practice, I write helper methods when using these API endpoints. I'd suggest taking a peek at the following methods...

- grantRoleOnDataset
- grantRoleOnDataverse
- getRoleAssignmentsOnDataverse
- getRoleAssignmentsOnDataset
- revokeRole

... at https://github.com/IQSS/dataverse/blob/v4.6/src/test/java/edu/harvard/iq/dataverse/api/UtilIT.java

Basically, you'd write scripts to query your Identity Provider and then assign roles on the Dataverse side. You'll need to know the "identifier" for the user on the Dataverse side to assign a role (@jsmith or whatever) but there's an API you can query to get a list of Dataverse users as JSON (listAuthenticatedUsers helper method).


I hope this helps!

Phil
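The two pieces Alex and Phil describe above, parsing a multi-valued role attribute and mapping it onto Dataverse roles, then granting them through the native API, as an added example that is not code from this thread or from the Dataverse project. Assumptions: the Drupal role names are the five listed by Alex; the Dataverse role aliases ("admin", "curator", "member"), the "@username" assignee form and the POST /api/dataverses/{alias}/assignments endpoint with the X-Dataverse-key header are those of the Dataverse native API; the mapping itself, the attribute value and the server/token values are constructed placeholders. Unknown attribute values are refused rather than guessed, so an unexpected value can never grant a role.

```python
"""Map a Drupal/SSO role attribute onto Dataverse role aliases and grant them
via the Dataverse native API (added example; assumptions are labelled)."""
import json
import urllib.request

# Hypothetical mapping from the Drupal roles named in the thread to Dataverse
# role aliases. Anything absent here is reported back, never silently granted.
DRUPAL_TO_DATAVERSE = {
    "authenticated user": "member",
    "institution user": "member",
    "mcp coordinator": "curator",
    "qdr staff": "curator",
    "administrator": "admin",
}


def parse_role_attribute(value):
    """Split a multi-valued attribute value into clean, de-duplicated names.

    The thread's example uses "Admin,Member"; Shibboleth SP joins multiple
    values with ';', so both separators are accepted.
    """
    names = []
    for part in value.replace(";", ",").split(","):
        name = part.strip().lower()
        if name and name not in names:
            names.append(name)
    return names


def map_roles(drupal_roles, mapping=DRUPAL_TO_DATAVERSE):
    """Return (dataverse_aliases, unknown_values). Fails closed on unknowns."""
    granted, unknown = [], []
    for role in drupal_roles:
        alias = mapping.get(role)
        if alias is None:
            unknown.append(role)
        elif alias not in granted:
            granted.append(alias)
    return granted, unknown


def assignment_body(identifier, alias):
    """JSON body for POST /api/dataverses/{dv}/assignments; assignees are '@user'."""
    if not identifier.startswith("@"):
        identifier = "@" + identifier
    return {"assignee": identifier, "role": alias}


def grant_roles(server, api_token, dataverse_alias, identifier, aliases):
    """Create one role assignment per alias on the given dataverse.

    This performs real HTTP requests and is not exercised offline.
    """
    results = []
    for alias in aliases:
        req = urllib.request.Request(
            f"{server}/api/dataverses/{dataverse_alias}/assignments",
            data=json.dumps(assignment_body(identifier, alias)).encode(),
            headers={"Content-Type": "application/json",
                     "X-Dataverse-key": api_token},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    # Constructed attribute value, as it might arrive from the SP.
    aliases, unknown = map_roles(parse_role_attribute("Administrator; Authenticated User"))
    print("grant:", aliases, "refused:", unknown)
    # grant_roles("https://dataverse.example.test", "<API-TOKEN>", "root", "jsmith", aliases)
```

Because assignments made this way live on the account, they outlive any later change of the user's attributes at the IdP; a periodic reconciliation script (compare getRoleAssignmentsOnDataverse output with the IdP and revokeRole the extras) is the minimum needed to keep them honest.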


Durand, Gustavo

Mar 8, 2017, 1:57:23 PM
to dataverse...@googlegroups.com
Hi Alexander,

Adding a little to this: if there's a way to solve this in a way that is for the core code, that would be best, as custom code will make it harder for you to do upgrades going forward.

That said, I don't think we want to automatically assign roles to Shib users in the code. The reason is that in the future, if they are no longer part of that institution, we don't want them to still have that access.

I think that's why Phil suggested looking at this issue:
- Shibboleth Groups: arbitrary attributes and regex support - https://github.com/IQSS/dataverse/issues/1515

So the idea is:
- Code would be added to allow groups to be created based on SAML attributes
- You would create a group (not automatically) that is linked to a SAML attribute, e.g. call it "QDR Admins" and link it to your SAML attribute for Admins
- When the user logs in they would be automatically added to this group for the length of their session

How does this sound?

Gustavo
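The model Gustavo sketches above, membership recomputed from SAML attributes at every login and held only for the session, as an added example that is not Dataverse code. It also shows the contrast with copying roles onto the account at first login: the copied entitlement survives a later change of affiliation, the session-scoped one does not. Group names, attribute names, patterns and attribute values are constructed for illustration; the regex linkage follows the idea of issue #1515, not any shipped implementation.

```python
"""Session-scoped group membership derived from SAML attributes (added example)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttributeGroup:
    """An admin-created group linked to one SAML attribute and a regex."""
    name: str        # e.g. "QDR Admins"
    attribute: str   # attribute the group is linked to
    pattern: str     # a value must match this in full


@dataclass
class Session:
    user: str
    groups: frozenset = field(default_factory=frozenset)


# Constructed group definitions; attribute names and domains are placeholders.
GROUPS = [
    AttributeGroup("QDR Admins", "qdrRoles", r"administrator"),
    AttributeGroup("QDR Staff", "qdrRoles", r"qdr staff|mcp coordinator"),
    AttributeGroup("Example members", "eduPersonScopedAffiliation",
                   r"(member|staff)@example\.edu"),
]


def resolve_groups(attributes, groups=GROUPS):
    """Return the group names whose pattern fully matches one of the attribute's values.

    attributes maps an attribute name to its list of values (split the SP's
    ';'-joined string before calling). re.fullmatch keeps the pattern anchored,
    so "member@example.edu.attacker.test" does not satisfy the example.edu rule.
    """
    matched = set()
    for group in groups:
        for value in attributes.get(group.attribute, []):
            if re.fullmatch(group.pattern, value, flags=re.IGNORECASE):
                matched.add(group.name)
                break
    return frozenset(matched)


def login(user, attributes, groups=GROUPS):
    """Build a fresh session; membership comes from this login's attributes only."""
    return Session(user=user, groups=resolve_groups(attributes, groups))


def copied_at_creation(account_store, user, attributes, groups=GROUPS):
    """Contrast model: groups copied onto the account at first login and never revisited."""
    if user not in account_store:
        account_store[user] = resolve_groups(attributes, groups)
    return account_store[user]


if __name__ == "__main__":
    first = {"qdrRoles": ["administrator", "authenticated user"]}
    later = {"qdrRoles": ["authenticated user"]}
    print("session model, first login :", sorted(login("alex", first).groups))
    print("session model, later login :", sorted(login("alex", later).groups))
    store = {}
    copied_at_creation(store, "alex", first)
    print("copied model, later login  :", sorted(copied_at_creation(store, "alex", later)))
```

The second print line is empty and the third still lists "QDR Admins": that gap is exactly the stale-access risk Gustavo raises, and it is why the attribute-to-group linkage belongs at login time rather than in account creation.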

Alexander Ivanov

Mar 14, 2017, 8:51:10 AM
to dataverse...@googlegroups.com
Hi all,

Thank you for your advice. We are now evaluating whether or not we should implement this custom functionality for assigning roles. It would be great to have centralized storage of the user roles in the LDAP directory, but on the other hand we only have a handful of users who would have a role higher than Authenticated User, so we can assign the roles manually for our known list of Admins and Curators.

Vyacheslav Tikhonov, I am interested in seeing your implementation using postgres triggers. Please email me the relevant files directly if you get the chance.

Btw, Vyacheslav Tikhonov's emails got auto-deleted from this thread. This is the same problem that I was having a few months ago before Phil added my email address to a whitelist. Hmmm, I'm starting to think that posters with Russian names are automatically flagged as spammers in Google Groups. Thanks a lot, Putin.

My Best,
Alex


On Thu, Mar 9, 2017 at 4:24 AM, Vyacheslav Tikhonov <4tik...@gmail.com> wrote:
Hi Alexander,

We're using postgres triggers for the same task; this lets you accomplish what you want without modifying the source code.

Best,
Slava

Vyacheslav Tikhonov

Mar 16, 2017, 11:36:49 AM
to Dataverse Users Community
Hi Alexander,

We have users with different affiliations coming from Shibboleth, so we've created groups with the same names as the affiliations. Every time a new user authenticates, the trigger adds them to the right group:

    -- The function has to exist before a trigger can reference it.
    CREATE OR REPLACE FUNCTION groupmonitor() RETURNS TRIGGER AS $group_table$
        BEGIN
            -- Put every authenticated user into the explicit group whose display
            -- name equals the user's affiliation, skipping pairs already present.
            INSERT INTO explicitgroup_authenticateduser (explicitgroup_id, containedauthenticatedusers_id)
            SELECT e.id, a.id
            FROM explicitgroup AS e, authenticateduser AS a
            WHERE e.displayname = a.affiliation
              AND NOT EXISTS (SELECT 1 FROM explicitgroup_authenticateduser
                              WHERE containedauthenticatedusers_id = a.id
                                AND explicitgroup_id = e.id);
            RETURN NEW;
        END;
    $group_table$ LANGUAGE plpgsql;

    DROP TRIGGER IF EXISTS group_trigger ON explicitgroup;

    -- As posted, this fires when a group row is inserted; attaching the same
    -- function AFTER INSERT ON authenticateduser runs it at a user's first login.
    CREATE TRIGGER group_trigger AFTER INSERT ON explicitgroup
        FOR EACH ROW EXECUTE PROCEDURE groupmonitor();


You can assign roles for group users in the Permissions of every dataverse.

Best,
Slava

Alexander Ivanov

Mar 19, 2017, 9:03:59 PM
to dataverse...@googlegroups.com
Thank you, Slava!


Valentina Pasquale

Aug 5, 2019, 9:09:12 AM
to Dataverse Users Community
Hi Alex,

We have a very similar question to the one you posted in March 2017 to the DV Community Group (see below). What we would like to do is to assign any new Shibboleth user to the corresponding group at first login.
I was wondering whether you solved that issue in the meantime, and how. Did you use the solution proposed by Slava based on postgres triggers and groups? Which Shibboleth attribute are you using in this case to pass the group from LDAP to DV?
Does anyone else have further suggestions?

Thanks a lot for your help.

Best,

Valentina

James Myers

Aug 5, 2019, 10:49:12 AM
to dataverse...@googlegroups.com

Valentina,

QDR has implemented single sign on across Drupal and Dataverse, but it hasn’t moved forward with assigning groups. As part of SSO, we added another shibboleth attribute to the set that Dataverse can read, which we use to store/convey the version of a ‘terms and conditions’ document a user has signed. I expect something similar could be done to read an attribute related to affiliation and assign the group, but that would take new code. I think I talked with Slava about their code at the 2018 Dataverse meeting, but we didn’t implement anything.

-- Jim
