SSO: OIDC vs SAML 2.0


Richard Dennis

Jul 5, 2021, 4:54:47 PM
to Dataverse Users Community

Dear Philip and Dataverse Community,

Our current Test Dataverse Environment

  • VMware Test Environment running Dataverse version 5.0
  • Standard out-of-the-box configuration and settings.
  • Local Dataverse Authentication

Questions relating to SSO: SAML version 2.0 / OIDC

Please note: We have not yet determined which SSO protocol we will use, SAML 2.0 or OIDC. A comment or two about which is a better fit for Dataverse would be pretty helpful. Our IT Group supports both, so I am looking for a better fit for Dataverse and ease of implementation.


1a. The installation guide is somewhat confusing in this area, hence my question: can I install OIDC / SAML 2.0 after I have configured, installed, and started to allow local authentication on Dataverse?


1b. Is it possible to install OIDC post-installation of Dataverse? If so, what steps should / would I have to follow to accomplish this task?


1c. Is it possible to install SAML 2.0 post-installation of Dataverse? If so, what steps should / would I have to follow to accomplish this task?


Thanks in advance for your assistance with this task.

Regards,

Richard

Richard Dennis
Special Advisor - Data Steward
Royal Danish Library Copenhagen University Library

Philip Durbin

Jul 6, 2021, 2:25:41 PM
to dataverse...@googlegroups.com
Hi Richard,

The Installation Guide has grown organically and I can understand how parts can be confusing. Please feel free to open an issue and list specifics there if you can.

OIDC support was added by a contributor and I've never set it up myself but from what I know it works great and can certainly be set up post-installation. The part I'm unsure about is if a user can convert themselves from local authentication (builtinuser) to OIDC or not. This can ease your transition.

In terms of steps (assuming your OIDC provider is all set up), on the Dataverse side you need to load up a JSON file describing the OIDC provider: https://guides.dataverse.org/en/5.5/installation/oidc.html#how-to-use

For SAML/Shibboleth, the story is the same. You can definitely set it up post-installation and there's a GUI that users can use to convert their accounts from builtin to shib: https://guides.dataverse.org/en/5.5/user/account.html#convert-your-dataverse-installation-account-to-use-your-institutional-log-in

The steps for SAML/Shibboleth can be found here: https://guides.dataverse.org/en/5.5/installation/shibboleth.html

If you run into any trouble, please just let us know.

Thanks,

Phil
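As an added illustration of the OIDC setup Phil describes (not code from the thread or from the Dataverse project): the provider JSON layout below follows the 5.5 guide as I understand it, and the pipe-separated "issuer | clientId | clientSecret" string is the form Phil quotes. Before handing that file to Dataverse, it is worth checking the issuer you plan to configure against the provider's own discovery document, because OpenID Connect Discovery requires the two to match exactly, and the discovery document is also where the JWKS URL comes from. The discovery document, hostnames and the callback path are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an OIDC discovery document, i.e. what a provider serves at
# <issuer>/.well-known/openid-configuration. Placeholder values, not a real IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.org/realms/library",
    "authorization_endpoint": "https://idp.example.org/realms/library/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.org/realms/library/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.org/realms/library/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def check_discovery(configured_issuer, discovery):
    """Compare the issuer you intend to put in Dataverse's provider file with what
    the provider's discovery document says. Returns a list of problems (empty = OK)."""
    problems = []
    if urlsplit(configured_issuer).scheme != "https":
        problems.append("issuer must use https")
    # OIDC Discovery: the 'issuer' value in the document must equal the configured issuer,
    # byte for byte (a trailing slash is enough to break it).
    if discovery.get("issuer") != configured_issuer:
        problems.append(
            f"issuer mismatch: configured {configured_issuer!r}, provider says {discovery.get('issuer')!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            problems.append(f"discovery document lacks {key}")
        elif urlsplit(discovery[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not advertise RS256 for ID token signing")
    return problems


def build_factory_data(issuer, client_id, client_secret):
    """Build the pipe-separated factoryData string in the form Phil quotes."""
    for name, value in (("issuer", issuer), ("clientId", client_id), ("clientSecret", client_secret)):
        if "|" in value:
            raise ValueError(f"{name} may not contain '|' (it is the field separator)")
    return f"type: oidc | issuer: {issuer} | clientId: {client_id} | clientSecret: {client_secret}"


def parse_factory_data(factory_data):
    """Inverse of build_factory_data: split 'key: value | key: value' into a dict,
    handy for sanity-checking a provider file someone else prepared."""
    out = {}
    for field in factory_data.split("|"):
        key, sep, value = field.strip().partition(":")  # first ':' only; URLs keep theirs
        if not sep:
            raise ValueError(f"malformed field: {field.strip()!r}")
        out[key.strip()] = value.strip()
    return out


def build_provider_json(provider_id, title, issuer, client_id, client_secret):
    """Assemble the provider description in the layout the 5.5 guide shows (assumed layout)."""
    return {
        "id": provider_id,
        "factoryAlias": "oidc",
        "title": title,
        "subtitle": "",
        "factoryData": build_factory_data(issuer, client_id, client_secret),
        "enabled": True,
    }


def redirect_uri(site_url, callback_path="/oauth2/callback.xhtml"):
    """The Redirect URI to hand to IT: the site's https origin plus the callback path.
    The path here is a placeholder assumption; confirm it against your own installation."""
    parts = urlsplit(site_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("site URL must be an https origin")
    return f"https://{parts.netloc}{callback_path}"


if __name__ == "__main__":
    issuer = "https://idp.example.org/realms/library"
    print("discovery problems:", check_discovery(issuer, SAMPLE_DISCOVERY))
    print("JWKS URL for IT:", SAMPLE_DISCOVERY["jwks_uri"])
    print("Redirect URI for IT:", redirect_uri("https://dataverse.example.org"))
    print(json.dumps(build_provider_json("kb-oidc", "Institutional login", issuer, "dataverse", "PLACEHOLDER_SECRET"), indent=2))
```

The secret ends up in plain text in the JSON file, so treat that file like any other credential store (restrictive permissions, kept out of version control).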


Richard Dennis

Jul 8, 2021, 11:05:05 AM
to Dataverse Users Community

Hello Phil,


Thank you so very much for all your help.

I am leaning toward advising the IT Department to use SAML/Shibboleth because a GUI interface allows me to convert current accounts to shib post-installation. 


The library is closely collaborating with the IT Department, and as such there are a few more questions I need to have answers for.

The IT Department has what is called Onboarding. Most of the questions I can answer, but there are a few questions that I need help with.

Perhaps these questions make more sense to you.


1. OIDC: enter Redirect URI, possibly jwks (Key Set) URL (if token encryption is to be used), assuming we decide to go with OIDC.

2. SAML2: Metadata URL - path to SAML metadata XML file, assuming we decide to go with SAML.

3. GW (Gateway): specify IP:port and whether the site is running HTTP or HTTPS. We are running HTTPS.

4. Claims? Have claims attributes been agreed upon? Are there mandatory claims that need to be filled out?


1 and 2 are the most important questions, as this information is required for the SSO onboarding process.

As soon as we complete the process, I will look at the documentation and recommend possible text changes.


Many thanks for all your help.


Regards,

Richard 

Special Advisor - Data Steward

Copenhagen University Library

Philip Durbin

Jul 8, 2021, 12:37:57 PM
to dataverse...@googlegroups.com
Hi Richard,

I talked some more with the contributor who implemented OIDC support, Oliver Bertuch, at https://chat.dataverse.org (you're welcome to join us) and he jogged my memory about a few things.

I'm pretty sure you can convert accounts from builtin/local to OIDC with a GUI. Please see the attached screenshot ("convert your account") which is one of many from this issue that documents pretty well the OIDC workflow: https://github.com/IQSS/dataverse/issues/6701

I don't know the answer to "OIDC. Enter Redirect URI, possibly jwks (Key Set) URL" but I'd suggest popping in chat to see what Oliver has to say. Dataverse expects "issuer: <issuer url> | clientId: <client id> | clientSecret: <client secret>" which I would hope maps onto these somehow. Please see https://guides.dataverse.org/en/5.5/installation/oidc.html

Yes, for SAML, you'll need to give your Identity Provider (IdP) the metadata generated by Dataverse. The URL for this is something like https://demo.dataverse.org/Shibboleth.sso/Metadata and you can find docs on this at https://guides.dataverse.org/en/5.5/installation/shibboleth.html#exchange-metadata-with-your-identity-provider

Yes, you'll want to run HTTPS. It sounds like you're all set there.

I'm not familiar with claims in SAML and I'm not aware of anything to worry about.

I hope this helps. Please keep the questions coming.

Thanks,

Phil

75451308-50671a00-593e-11ea-84df-f97f98fe78fd.png
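For the SAML side, Phil's answer is that IT needs the SP metadata Dataverse/Shibboleth publishes at /Shibboleth.sso/Metadata. As an added example (not from the thread or the Dataverse project), here is a small parser that pulls out of such a document the things an onboarding form asks for: the entityID, the AssertionConsumerService endpoints the IdP will post assertions to, and whether a signing certificate is present. It also flags the checks a reviewer would want before the metadata is exchanged: every ACS endpoint must be https, and the SP should require signed assertions. The metadata document is a constructed sample shaped like Shibboleth SP output; hostname and certificate are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample resembling what a Shibboleth SP serves at /Shibboleth.sso/Metadata.
# The second ACS endpoint is deliberately plain http so the check below has something to catch.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://dataverse.example.org/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dataverse.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://dataverse.example.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text):
    """Extract the onboarding-relevant fields from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata, not SP metadata")
    acs = [(e.get("Binding"), e.get("Location")) for e in sp.findall("md:AssertionConsumerService", NS)]
    certs = [c.text.strip() for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entityID": root.get("entityID"),
        "wantAssertionsSigned": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
        "certificates": len(certs),
    }


def check_sp_metadata(summary):
    """Return a list of problems a reviewer would raise before exchanging metadata with the IdP."""
    problems = []
    if not summary["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for binding, location in summary["acs"]:
        short = binding.rsplit(":", 1)[-1]  # e.g. HTTP-POST
        if urlsplit(location).scheme != "https":
            problems.append(f"ACS {location} ({short}) is not https")
    if not summary["wantAssertionsSigned"]:
        problems.append("WantAssertionsSigned is not true")
    if summary["certificates"] == 0:
        problems.append("no signing certificate published")
    return problems


if __name__ == "__main__":
    s = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", s["entityID"])
    for binding, location in s["acs"]:
        print("ACS:", binding.rsplit(":", 1)[-1], location)
    print("problems:", check_sp_metadata(s))
```

To use it on a real installation, fetch the metadata URL over HTTPS and pass the response body to summarize_sp_metadata; the entityID and the ACS list are what the IdP operators register on their side.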