Hi Mark / Tim.
Thank you so much for your insights.
I think I have the flow right, but it seems that it is the
implementation that is foiling me.
Firstly, I forgot to mention that it is authenticating against ADFS, and
looking at the Shibboleth Plugin, it seems as if it would not quite work
for me. I already have spring.security.saml integrated into DSpace, and
want to follow the exact route that Mark has described, namely:
  o an implementation of AuthenticationMethod;
  o UI code to collect user credentials (if needed);
  o UI code to validate a user's identity with a DSpace EPerson and
    call AuthenticationService to complete session creation.
I am struggling to understand how to include my own UI code in DSpace.
For example, I am trying to follow the Shibboleth flow, which is very
close to what I need. In that code, the loginPageURL is generated based
on whether lazy sessions are defined or not. If not, the loginPageURL is
the current URL with /shibboleth-login tacked onto it.
This obviously re-directs the browser to that URL, but this is where I
cannot trace what is happening. Where is the link that tells DSpace that
/shibboleth-login is a class, and which class? I have grepped through
the deployed code, and cannot find that mapping anywhere. It is this
that is currently stumping me. If I could find that, I could continue
tracing the route and implementing my own.
Kind Regards.
Shaun.
On 2018/10/04 18:50, Tim Donohue wrote:
Hi Shaun,
Mark has some good suggestions. I'll also add that (obviously) you
need to list your Plugin in
the "plugin.sequence.org.dspace.authenticate.AuthenticationMethod"
configuration, for it to be picked up & recognized.
Also, just a sidenote... have you tried using our Shibboleth Plugin
with your SAML authentication? I know Shibboleth is not exactly the
same as SAML, but it is an implementation of SAML. At the very least,
you might be able to look closely at the Shibboleth Plugin to see how
it does things (and do the same things for your SAML plugin):
https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
Good luck,
Tim
On Thu, Oct 4, 2018 at 9:31 AM Mark H. Wood <mwoodiu...@gmail.com> wrote:
On Thursday, October 4, 2018 at 4:29:42 AM UTC-4, Shaun Donovan
wrote:
I am struggling to write a SAML authentication plugin. I have
tried to make sense of the documentation regarding this, but
cannot get it to work.
Basically, I write an implementation of AuthenticationMethod,
and configure DSpace to use it. So far so good, I can see that
my code is being accessed when I click on "Login". The only
code accessed is method getSpecialGroups() and loginPageURL().
However, the "authenticate" method is never called through the
process, and DSpace responds with "No Authentication Method
Found" (if method "loginPageUrl" returns null).
If I set method "loginPageUrl" to return a string (for example
request.getContextPath() +"/saml-login"), I simply get a "Page
Not Found", so somewhere I am missing a mapping that tells the
authentication process to access my "authenticate" method
through a different URL?
In AuthenticationServiceImpl.java I see that the
authentication process iterates through the stackable list of
AuthenticationMethods and calls their "authenticate" method,
but then why does it not call mine?
loginPageUrl() returns the URI for the page to which the user
should be sent in order to collect credentials for validation. It
could be a DSpace page (and you would need to create that page) or
it could go off to some other service which eventually returns to
DSpace (which seems likely for SAML). At some point, having
authenticated the user's credentials, the specific authentication
plugin will call AuthenticationService.authenticate() or
.authenticateImplicit(), which calls authenticate() on all stacked
'AuthenticationMethod's.
For example, here we have a plugin that returns a URI to our CAS
service as loginPageUrl, adding the return-to-DSpace URI that CAS
needs. The service bounces the user back to DSpace, adding a
service ticket to the request. The return URI that we supply is
mapped to an XMLUI Action we wrote, which validates the ticket,
maps it to a DSpace EPerson, and calls
AuthenticationService.authenticate(), which calls our
AuthenticationMethod.authenticate() (and others').
So a complete authentication plugin has several parts:
o an implementation of AuthenticationMethod;
o UI code to collect user credentials (if needed);
o UI code to validate a user's identity with a DSpace EPerson and
call AuthenticationService to complete session creation.
--
All messages to this mailing list should adhere to the DuraSpace
Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google
Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to dspace-tech+unsubscr...@googlegroups.com
<mailto:dspace-tech+unsubscr...@googlegroups.com>.
To post to this group, send email to dspace-tech@googlegroups.com
<mailto:dspace-tech@googlegroups.com>.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
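
The flow Mark describes above, as an added, self-contained Java sketch (not code from DSpace or from anyone in this thread). The `AuthMethod` interface, the result constants, the `saml.validated.email` attribute and the in-memory EPerson set are simplified stand-ins and assumptions, not DSpace's real signatures. It shows that authenticate() on the stacked methods only runs once the handler mapped to the loginPageURL() target calls the service, and that the plugin trusts only what that handler validated.

```java
import java.util.*;

// Simplified model of the stacked-authentication flow; NOT the DSpace API.
public class SamlFlowSketch {
    // Stand-in result codes (illustrative values).
    static final int SUCCESS = 1, NO_SUCH_USER = 4, BAD_ARGS = 5;

    interface AuthMethod {                        // stand-in for AuthenticationMethod
        String loginPageURL(String contextPath);
        int authenticate(Map<String, Object> request);
    }

    static class SamlMethod implements AuthMethod {
        private final Set<String> ePersons;       // stand-in for the EPerson lookup
        SamlMethod(Set<String> ePersons) { this.ePersons = ePersons; }

        // Only names the redirect target; something must be mapped to it.
        public String loginPageURL(String contextPath) { return contextPath + "/saml-login"; }

        public int authenticate(Map<String, Object> request) {
            // Trust only the attribute the callback set server-side after
            // validating the IdP response, never a client-supplied value.
            Object email = request.get("saml.validated.email");
            if (!(email instanceof String)) return BAD_ARGS;
            return ePersons.contains(email) ? SUCCESS : NO_SUCH_USER;
        }
    }

    // Stand-in for AuthenticationService.authenticate(): walks the stack.
    static int authenticate(List<AuthMethod> stack, Map<String, Object> request) {
        int last = BAD_ARGS;
        for (AuthMethod m : stack) {
            last = m.authenticate(request);
            if (last == SUCCESS) return SUCCESS;
        }
        return last;
    }

    // Stand-in for the UI code mapped to /saml-login (hypothetical handler).
    static int handleCallback(List<AuthMethod> stack, boolean assertionValid, String nameId) {
        Map<String, Object> request = new HashMap<>();
        if (assertionValid) request.put("saml.validated.email", nameId);
        return authenticate(stack, request);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<AuthMethod> stack = List.of(new SamlMethod(Set.of("shaun@example.org")));
        System.out.println(stack.get(0).loginPageURL("/xmlui"));
        System.out.println(handleCallback(stack, true, "shaun@example.org"));
        System.out.println(handleCallback(stack, false, "shaun@example.org"));
        System.out.println(handleCallback(stack, true, "nobody@example.org"));
    }
}
```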