Hi Matthias,

Unfortunately I don't have any (good) help, but we noticed this too and filed an issue at https://github.com/DSpace/DSpace/issues/9226. If you have any extra information to share to what we mentioned you can add it there as well.

Our temporary workaround was to remove the if condition surrounding the code on lines 187 and 188 of https://github.com/DSpace/DSpace/blob/main/dspace-api/src/main/java/org/dspace/authenticate/AuthenticationServiceImpl.java before building our backend. This removes the benefits of a recent bugfix regarding authentication methods (https://github.com/DSpace/DSpace/pull/9130), but in our context it was worth it because we needed Shibboleth and IP-based special groups to work in tandem and a more robust fix was not in the cards for us at the time.

I'm happy to talk more off-list about what we specifically did to make this work with our 7.6.1 instance.

Cheers,

Ed Hill
Pronouns: He/Him (pronoun statement: https://pronouns.colostate.edu/)
Developer and Applications Administrator
(970) 491-3197
Colorado State University Libraries

________________________________
From: [email protected] <[email protected]> on behalf of Matthias Letsch <[email protected]>
Sent: Tuesday, March 12, 2024 10:02 AM
To: DSpace Technical Support <[email protected]>
Subject: [dspace-tech] Shibboleth vs. IP Group mapping: Conflicting group mappings from different authentication methods

Hello,

1. We have Shibboleth enabled and all epersons logging in via Shibboleth are mapped to the group "Submitters", which gives access to our submission form.

    authentication-shibboleth.default-roles = Submitters

2. We also have some items which should only be accessible in our campus network. Therefore IP authentication is activated with a mapping to the "Internal Bitstream Read" group:

    authentication-ip.Internal\ Bitstream\ Read = ...

Now, if both authentication methods are activated and a person newly registered via Shibboleth also happens to be in the campus network, the eperson no longer receives the Submitters group, but only the Internal Bitstream Read group.

If I deactivate authentication-ip, the eperson receives the Submitters group again. The aim should be that the eperson is assigned to both groups when both methods are activated. How is this possible?

Thank you and kind regards,
Matthias

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/b42a5033-532e-4b7d-a2d4-2760a8ae37dfn%40googlegroups.com.
