Hi all,

When I looked more closely at the attribute map definition in
attribute-map.xml:

<Attribute name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role" id="SHIB-SCOPED-AFFILIATION"/>

and the actual response received from SAML:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">

I realised that I had specified the wrong schema!

SOLVED!

Cheers,
Gary

On Thursday, October 17, 2019 at 9:50:22 PM UTC+11, Gary Browne wrote:
>
> Hi all,
>
> DSpace 6.3, Tomcat 7, Amazon Linux 2
>
> I have implemented Shibboleth authentication. It is working but now I need
> to auto-allocate users to role-based groups. I have followed the
> documentation on the duraspace wiki but I am not clear on how claim
> attributes are specified so that they can be used by the
> authentication-shibboleth.cfg configuration.
>
> In /etc/shibboleth/attribute-map.xml I have added:
>
> <Attribute name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role" id="SHIB-SCOPED-AFFILIATION"/>
>
> And then in authentication-shibboleth.cfg I have:
>
> authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
>
> # Whether to ignore the attribute's scope or value.
> authentication-shibboleth.role-header.ignore-scope = true
> authentication-shibboleth.role-header.ignore-value = false
>
> # Default mappings of roles values to a comma separated list of DSpace group
> # names (Case Sensitive).
> authentication-shibboleth.role.staff = staffRole
> authentication-shibboleth.role.student = studentRole
>
> However when I log in with my staff credentials via Shibboleth/SAML I get:
>
> 2019-10-17 21:27:01,761 INFO  org.dspace.authenticate.ShibAuthentication @ gary.bro...@sydney.edu.au has been authenticated via shibboleth.
> 2019-10-17 21:27:01,761 INFO  org.dspace.eperson.EPersonServiceImpl @ gary.bro...@sydney.edu.au:session_id=xxxxxxxxxxxxxxxxxxxx:ip_addr=xxxxxxxxxxx:update_eperson:eperson_id=xxxxxxxxxxxxxxxxxxx
> 2019-10-17 21:27:01,761 INFO  org.dspace.app.xmlui.utils.AuthenticationUtil @ gary.bro...@sydney.edu.au:session_id=xxxxxxxxxxxxxxxxxxxx:ip_addr=xxxxxxxxxxxxxxxx:login:type=explicit
> 2019-10-17 21:27:01,779 INFO  org.dspace.authenticate.ShibAuthentication @ Added current EPerson to special groups: []
>
> So you can see authentication is successful but adding to special groups
> is not working ("[]"). I have confirmed that the SAML response contains the
> data:
>
> <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
>     <AttributeValue>staff</AttributeValue>
> </Attribute>
>
> Where am I going wrong??
>
> Thanks,
> Gary
>
> Gary Browne | Technical Manager, Developments
> Online Services
> University of Sydney Library
> THE UNIVERSITY OF SYDNEY
> Level 1, Fisher Library F03, The University of Sydney NSW 2006
> T +61 2 9351 5946 | M +61 405 647 868
> E gary.bro...@sydney.edu.au
>
> The University of Sydney Camperdown campus stands on land of the Gadigal
> peoples of the Eora nation.
>
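A check for the mismatch Gary found, added here as an example and not code from this thread, DSpace or the Shibboleth SP: it parses a constructed attribute-map.xml and a constructed SAML AttributeStatement, reports SAML attribute names the map does not cover, then applies the role-header settings from the post to show why the wrong claim namespace ends in "special groups: []". DSPACE_CFG is a hypothetical dict mirroring the cfg keys; only ignore-scope is modelled (ignore-value and NameFormat matching are not).

```python
import xml.etree.ElementTree as ET

# Constructed attribute-map.xml fragment using the wrong claim namespace (xmlsoap.org),
# as in the original post, and the corrected one (schemas.microsoft.com) derived from it.
WRONG_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role"
             id="SHIB-SCOPED-AFFILIATION"/>
</Attributes>"""
FIXED_MAP = WRONG_MAP.replace("schemas.xmlsoap.org", "schemas.microsoft.com")
# Constructed SAML 2.0 AttributeStatement, matching what the IdP sent in the post.
SAML_RESPONSE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
# Hypothetical dict mirroring the authentication-shibboleth.cfg keys from the post.
DSPACE_CFG = {
    "authentication-shibboleth.role-header": "SHIB-SCOPED-AFFILIATION",
    "authentication-shibboleth.role-header.ignore-scope": "true",
    "authentication-shibboleth.role.staff": "staffRole",
    "authentication-shibboleth.role.student": "studentRole",
}
NS = {"m": "urn:mace:shibboleth:2.0:attribute-map",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def map_attributes(attribute_map_xml, saml_xml):
    """Return ({header_id: [values]}, [unmapped SAML attribute names]).
    Mirrors the SP's exact-string match on Name; NameFormat is not modelled."""
    name_to_id = {a.get("name"): a.get("id")
                  for a in ET.fromstring(attribute_map_xml).findall("m:Attribute", NS)}
    headers, unmapped = {}, []
    for attr in ET.fromstring(saml_xml).findall(".//saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if name in name_to_id:
            headers.setdefault(name_to_id[name], []).extend(values)
        else:
            unmapped.append(name)  # the silent miss behind "special groups: []"
    return headers, unmapped

def dspace_groups(headers, cfg):
    """Apply role-header -> DSpace group mapping; ignore-scope drops any '@scope'."""
    ignore_scope = cfg.get("authentication-shibboleth.role-header.ignore-scope") == "true"
    groups = []
    for role in headers.get(cfg["authentication-shibboleth.role-header"], []):
        role = role.split("@", 1)[0] if ignore_scope else role
        mapped = cfg.get("authentication-shibboleth.role." + role, "")
        groups.extend(g.strip() for g in mapped.split(",") if g.strip())
    return groups
```

Running map_attributes with WRONG_MAP lists the Microsoft role claim as unmapped and dspace_groups returns [], while FIXED_MAP yields the SHIB-SCOPED-AFFILIATION header and ["staffRole"].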

-- 
All messages to this mailing list should adhere to the DuraSpace Code of 
Conduct: https://duraspace.org/about/policies/code-of-conduct/
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/2fc8b20b-4c71-4c09-9508-18533c28c038%40googlegroups.com.