uid a required Shibboleth attribute?


Eunice Soh

Mar 30, 2022, 5:38:57 AM
to Dataverse Users Community
Hello,

would like to seek some advice. 

The guide[1] mentions the following required Shib attributes:
  • Shib-Identity-Provider
  • eppn
  • givenName
  • sn
  • (e)mail


How is the username of a Shib user derived, e.g.
  • from eppn - is the text after "@" stripped, if uid is not provided;
  • if uid is provided, it's used for username? uid seems to be shown in the test metadata, see link => uid: rick.
What I'm asking, in essence, is whether uid is a required Shibboleth attribute. Or is it an optional but good to have one?

Thanks,
Eunice

Philip Durbin

Mar 30, 2022, 3:52:21 PM
to dataverse...@googlegroups.com
Whoops, I just replied to a variation on this question. You can see that reply here: https://groups.google.com/g/dataverse-community/c/X3Rwvo6zG8E/m/ZvAOfuE9BAAJ

uid is not required but it is used, if available, to come up with a username. This isn't documented but please feel free to create a GitHub issue to document this. The mail attribute is used otherwise.



In short, if uid is available, use it. If not, use mail before the "@" sign.


I hope this helps,

Phil

Eunice Soh

Mar 30, 2022, 9:39:47 PM
to Dataverse Users Community
Thanks Phil! This is helpful.

Three follow up questions.

- For shib users, is the username fixed upon first login, or does it change if the eppn (string before "@")/uid changes, as with other profile attributes when a user logs in subsequently?



The second/third are more of Shibboleth-specific questions, if it's alright to ask here, just in case anyone knows.


- For shibboleth2.xml, some may use AttributeResolver to create/transform to create new/replace variables[1]. 

For example, some users already have givenName and sn, whereas for other users it is null. All have displayName. In this case, will users with non-null givenName and sn have their givenName and sn replaced with the <AttributeResolver> defined below? The Shib docs aren't quite clear on this.

<AttributeResolver type="Transform" source="displayName">
    <Regex match="(.+) (.+)" dest="givenName">$1</Regex>
    <Regex match="(.+) (.+)" dest="sn">$2</Regex>
</AttributeResolver>



- For multiple <AttributeResolver> elements specified, are they transformed sequentially, or is only one element used in transforming the attribute (with the first or last taking precedence?). The Shib docs aren't quite clear on this.

e.g.,

<AttributeResolver type="Template" sources="givenName sn" dest="displayName">
    <Template>$givenName $sn</Template>
</AttributeResolver>
<AttributeResolver type="Transform" source="displayName">
    <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>
    <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>
    <Regex match="^(.+) (.+)$">$2, $1</Regex>
</AttributeResolver>


Should probably do a test on the last two cases. But if anyone knows offhand it would be helpful.


Kind regards,
Eunice 

Philip Durbin

Mar 31, 2022, 3:07:08 PM
to dataverse...@googlegroups.com
No, like all usernames, they are fixed once they are set and users can't change them afterwards. Subsequent Shib logins have no effect on the username. Superusers can change the username if necessary: https://guides.dataverse.org/en/5.10/admin/user-administration.html#change-user-identifier

Sorry, I haven't used AttributeResolver. A good place to ask about this is the Shib mailing list: https://shibboleth.net/mailman/listinfo/users

(Or maybe someone else here on the Dataverse list knows.)

Eunice Soh

Mar 31, 2022, 8:47:10 PM
to Dataverse Users Community
Thanks so much Phil!

Eunice Soh

Apr 25, 2022, 5:45:55 AM
to Dataverse Users Community
Hi Phil,

would you mind sharing the code where usernames are fixed but other attributes updated? Could only find this line here for Shib logins: https://github.com/IQSS/dataverse/blob/92a14a8a43b37b0f76e83b5401c2829fad3725c7/src/main/java/edu/harvard/iq/dataverse/Shib.java#L364

Philip Durbin

Apr 26, 2022, 9:56:14 AM
to dataverse...@googlegroups.com
Sure, here's a good place to start:

internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress);


Then later it gets passed to the authSvc.createAuthenticatedUser method with generateUniqueIdentifier set to true.

It's a little confusing because in the code and the database the username is often called an identifier. In the authenticateduser database table it's the useridentifer field.

Hope this helps,

Phil
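
Added example, not Dataverse source and not written by anyone in this thread: a self-contained Java sketch of the behaviour described above (uid preferred, otherwise the part of mail before "@"; a uniqueness step at account creation; the username written once while other attributes are refreshed on later logins). All class and method names are hypothetical, and two details are assumptions of the sketch: the account is looked up by IdP entityID plus eppn, and collisions get a numeric suffix.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added sketch; names are hypothetical and do not mirror Dataverse classes.
public class ShibUsernameSketch {
    // The username is final: set at creation, never touched by later logins.
    static final class Account {
        final String username;
        String givenName, sn, email;
        Account(String username) { this.username = username; }
    }

    private final Map<String, Account> byPersistentId = new HashMap<>();
    private final Set<String> takenUsernames = new HashSet<>();

    // uid if the IdP released it, otherwise the part of mail before "@".
    static String proposeUsername(String uid, String mail) {
        if (uid != null && !uid.isBlank()) return uid.trim();
        int at = (mail == null) ? -1 : mail.indexOf('@');
        if (at <= 0) throw new IllegalArgumentException("no uid and no usable mail");
        return mail.substring(0, at);
    }

    // Assumption: a proposed name that is already taken gets a counter appended.
    private String makeUnique(String proposed) {
        String candidate = proposed;
        for (int n = 1; !takenUsernames.add(candidate); n++) candidate = proposed + n;
        return candidate;
    }

    // Assumption: the lookup key is IdP entityID + eppn, never the username.
    Account login(String idp, String eppn, String uid, String givenName, String sn, String mail) {
        Account a = byPersistentId.get(idp + "|" + eppn);
        if (a == null) { // first login: derive the username exactly once
            a = new Account(makeUnique(proposeUsername(uid, mail)));
            byPersistentId.put(idp + "|" + eppn, a);
        }
        a.givenName = givenName; a.sn = sn; a.email = mail; // refreshed every login
        return a;
    }

    public static void main(String[] args) {
        ShibUsernameSketch s = new ShibUsernameSketch();
        String idpA = "https://idp-a.example/shibboleth", idpB = "https://idp-b.example/shibboleth";
        // Constructed sample attributes: uid released, then mail-only with a name collision.
        System.out.println(s.login(idpA, "rick@a.example", "rick", "Rick", "G", "rick@a.example").username);
        System.out.println(s.login(idpB, "rg@b.example", null, "R", "G", "rick@b.example").username);
        // Same person returns with a changed uid, name and mail: only the profile fields move.
        Account again = s.login(idpA, "rick@a.example", "richard", "Richard", "G", "r.g@a.example");
        System.out.println(again.username + " / " + again.givenName + " / " + again.email);
    }
}
```

The second login shows why the uniqueness step matters: two different IdP identities can propose the same friendly name, so the username alone cannot serve as the identity key.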
