Hi,

DSpace v5.2/JSPUI.

I've set up Shibboleth authentication for a new v5.2 installation - the 
authentication part appears to be working well, but I'm struggling with 
automatically placing authenticated users into role-based groups based on their 
(scoped) affiliation and I'm hoping someone might be able to help.

I've configured authentication-shibboleth.cfg to add "staff" users into the 
group "ALL_Collections_Submit" (and I've double checked the group name/case 
etc):

# The shibboleth header to do role-based mappings
role-header = affiliation

# Whether to ignore the attribute's scope or value.
role-header.ignore-scope = true

# Default mappings of roles values to a comma separated list of DSpace group
# names (Case Sensitive).
#role.faculty = Faculty, Member
role.staff = ALL_Collections_Submit
#role.student = Students, Member

- when I authenticate, I can see in the dspace logs that the shib 
authentication module is picking up the affiliation header (amongst others):

2015-06-09 09:53:05,024 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:affiliation=st...@stir.ac.uk;mem...@stir.ac.uk
2015-06-09 09:53:05,024 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:unscoped-affiliation=
2015-06-09 09:53:05,025 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:entitlement=
2015-06-09 09:53:05,025 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:targeted-id=
2015-06-09 09:53:05,026 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:persistent-id=
2015-06-09 09:53:05,027 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:sn=White
2015-06-09 09:53:05,027 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:givenname=Michael
2015-06-09 09:53:05,028 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:mail=michael.wh...@stir.ac.uk

- but, even though the authentication is successful (and creates a new ePerson 
record for that user using the supplied header data if they don't already exist 
in the system), I can't seem to get the auto population of this group working.

I only have a handful of test collections in this DSpace currently:

0       Anonymous       
1       Administrator   
2       Test_Collection_SUBMIT  
3       ALL_Collections_Submit

- where ALL_Collections_Submit has group deposit permissions to 
Test_Collection_SUBMIT.

If I manually add a user to the "ALL_Collections_Submit" group, then when I log 
on as that user via Shibboleth, I do get the appropriate deposit permissions 
for "Test_Collection_SUBMIT" (so the group logic seems OK), but it doesn't work 
if relying on Shibboleth to dynamically add the user to the 
"ALL_Collections_Submit" group . . . . 

I also tried amending the shibboleth attribute filter policy to only supply 
"st...@stir.ac.uk", just in case it was the semicolon-separated list of scoped 
affiliations that was behind the problem, but it still didn't work . . . .

Does anyone have any thoughts on what I might be missing? Do others have this 
working as intended? Have I misunderstood or done something stupid?

Thanks in advance for any thoughts or insights anyone might have.

Cheers,

Mike

Michael White
eLearning Developer
Information Services

T: (01786) 466877
E: michael.wh...@stir.ac.uk
A: S8, Library, University of Stirling, Stirling, FK9 4LA 
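
Added example, not part of the original message and not DSpace source code: a small Python model of the mapping that the comments in the posted authentication-shibboleth.cfg describe, useful for working out which groups a given affiliation header should produce before comparing with what the application grants. Assumptions: the header is semicolon-separated as in the log above, the scope is the part after "@", role keys are matched exactly, the sample header value is constructed (it is not the redacted value from the log), and the names parse_cfg and expected_groups are hypothetical.

```python
# Added illustration: a model of the role mapping described by the comments in
# authentication-shibboleth.cfg. It is not DSpace source code.

def parse_cfg(text):
    """Parse key = value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def expected_groups(cfg, headers):
    """Return (groups, unmapped): group names the mapping yields, and the
    role keys that had no role.<value> entry in the configuration."""
    raw = headers.get(cfg.get("role-header", ""), "")
    ignore_scope = cfg.get("role-header.ignore-scope", "false").lower() == "true"
    groups, unmapped = [], []
    for value in raw.split(";"):          # multi-valued header, as in the log
        value = value.strip()
        if not value:
            continue
        if ignore_scope:                  # assumption: scope is the part after "@"
            value = value.split("@", 1)[0]
        mapped = cfg.get("role." + value)
        if mapped is None:
            unmapped.append("role." + value)
            continue
        for name in mapped.split(","):    # comma separated list of group names
            if name.strip() and name.strip() not in groups:
                groups.append(name.strip())
    return groups, unmapped

# Settings as posted above.
POSTED_CFG = """
role-header = affiliation
role-header.ignore-scope = true
role.staff = ALL_Collections_Submit
"""
# Constructed header value (assumption), not the redacted one from the log.
SAMPLE_HEADERS = {"affiliation": "staff@example.org;member@example.org"}

if __name__ == "__main__":
    cfg = parse_cfg(POSTED_CFG)
    print(expected_groups(cfg, SAMPLE_HEADERS))
    cfg["role-header.ignore-scope"] = "false"   # scoped values no longer match role.staff
    print(expected_groups(cfg, SAMPLE_HEADERS))
```

The second call shows the failure mode the scope setting guards against: with the scope kept, the lookup keys carry the "@..." suffix and no role entry matches, so no group is returned.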

