Hello All,
I have a problem with Shibboleth role mapping in DSpace. Although mapping to
the default role works as intended, DSpace seems unable to retrieve the roles
released in the role header by the IDP. So basically everybody gets mapped to
the default role.
I added some extra logging to ShibAuthentication.getSpecialGroups to trace what
is happening. Judging from the log, the role header is visible to
ShibbolethServlet, but not to ShibAuthentication.getSpecialGroups. Actually, no
Shibboleth headers seem to be available from within that context, so I ask
myself whether Shibboleth role mapping could be expected to work. Is this a
known problem?
Some information about my setup follows below:
=================================================================================
Selected entries in dspace.cfg:
authentication.shib.email-header = eppn
authentication.shib.email-use-tomcat-remote-user = true
authentication.shib.autoregister = true
authentication.shib.role-header = affiliation
authentication.shib.role-header.ignore-scope = true
authentication.shib.default-roles = member
=================================================================================
Selected lines from ShibAuthentication.getSpecialGroups:
    // Name of the role header and whether to strip the "@scope" part of its values
    String roleHeader = ConfigurationManager
            .getProperty("authentication.shib.role-header");
    boolean roleHeader_ignoreScope = ConfigurationManager
            .getBooleanProperty("authentication.shib.role-header.ignore-scope");
    if (roleHeader == null || roleHeader.trim().length() == 0)
        roleHeader = "Shib-EP-UnscopedAffiliation"; // fall back to default

    // E-mail header; only used here for the warning message below
    String emailHeader =
            ConfigurationManager.getProperty("authentication.shib.email-header");
    String epers = request.getHeader(emailHeader);

    log.info("Now mapping role header " + roleHeader);
    String affiliations = request.getHeader(roleHeader);
    // try again with all lower case...maybe has better luck
    if (affiliations == null)
        affiliations = request.getHeader(roleHeader.toLowerCase());

    // default role when fully authN but not releasing any roles?
    String defaultRoles = ConfigurationManager
            .getProperty("authentication.shib.default-roles");
    if (affiliations == null && defaultRoles != null)
    {
        log.warn("Could not resolve " + roleHeader + " for email " + epers
                + "! Resorting to default " + defaultRoles);
        affiliations = defaultRoles;
    }
=================================================================================
Selected lines from dspace.log:
2010-10-21 21:13:30,242 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:[email protected];[email protected]
2010-10-21 21:13:30,242 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:unscoped-affiliation=
2010-10-21 21:13:30,242 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:primary-affiliation=
2010-10-21 21:13:30,276 INFO org.dspace.authenticate.ShibAuthentication @ Now mapping role header affiliation
2010-10-21 21:13:30,276 WARN org.dspace.authenticate.ShibAuthentication @ Could not resolve affiliation for email null! Resorting to default member
Regards,
Ylva Gavel
Ylva Gavel, PhD
Systemprogrammerare / Systems Programmer
Karolinska Institutet
Universitetsbiblioteket / University Library
Fe 200 (Berzelius väg 7B)
SE-171 77 Stockholm
+46 8 524 84 125
[email protected]
http://ki.se/ub and http://saga.kib.ki.se
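The role-header resolution the post's getSpecialGroups excerpt performs, as an added example that is not part of the original message and not DSpace's own code. It works over a plain header map instead of an HttpServletRequest so it runs without a servlet container; the class name, the Resolution type, the ';' / ',' splitting of multi-valued attributes and the sample header values are assumptions of this example. It shows the two paths from the log: roles released in the header (with the "@scope" stripped when ignore-scope is set) and the silent fall-through to the default role when the header never reaches that context.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example, not DSpace code: role-header mapping over a header map. */
public class ShibRoleResolverExample {

    /** Outcome of one resolution; fromDefault tells "released" apart from "defaulted". */
    public static final class Resolution {
        public final List<String> roles;
        public final boolean fromDefault;
        Resolution(List<String> roles, boolean fromDefault) {
            this.roles = Collections.unmodifiableList(roles);
            this.fromDefault = fromDefault;
        }
    }

    /** Case-insensitive lookup, mirroring the "try again with lower case" step. */
    static String header(Map<String, String> headers, String name) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return null;
    }

    public static Resolution resolve(Map<String, String> headers, String roleHeader,
                                     boolean ignoreScope, String defaultRoles) {
        String raw = header(headers, roleHeader);
        boolean fromDefault = false;
        if (raw == null || raw.trim().isEmpty()) {
            // No roles released: same fall-through as the WARN line in the post
            if (defaultRoles == null) {
                return new Resolution(new ArrayList<String>(), false);
            }
            raw = defaultRoles;
            fromDefault = true;
        }
        List<String> roles = new ArrayList<String>();
        // Assumption: multi-valued attributes arrive joined with ';' (',' tolerated too)
        for (String token : raw.split("[;,]")) {
            String role = token.trim();
            if (role.isEmpty()) {
                continue;
            }
            int at = role.indexOf('@');
            if (ignoreScope && at >= 0) {
                role = role.substring(0, at); // "member@example.org" -> "member"
            }
            if (!roles.contains(role)) {
                roles.add(role);
            }
        }
        return new Resolution(roles, fromDefault);
    }

    /** Diagnostic: which Shibboleth-looking headers are visible in this context? */
    public static List<String> visibleShibHeaders(Map<String, String> headers) {
        List<String> found = new ArrayList<String>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            String k = e.getKey().toLowerCase();
            if (k.startsWith("shib-") || k.equals("eppn") || k.contains("affiliation")) {
                found.add(e.getKey() + "=" + e.getValue());
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed headers as an SP would release them (scoped values)
        Map<String, String> released = new LinkedHashMap<String, String>();
        released.put("eppn", "[email protected]");
        released.put("affiliation", "member@example.org;staff@example.org");
        Resolution r1 = resolve(released, "affiliation", true, "member");
        System.out.println(r1.roles + " fromDefault=" + r1.fromDefault);
        System.out.println("visible: " + visibleShibHeaders(released));

        // The failure mode in the post: no role header reaches this context
        Map<String, String> empty = new LinkedHashMap<String, String>();
        Resolution r2 = resolve(empty, "affiliation", true, "member");
        System.out.println(r2.roles + " fromDefault=" + r2.fromDefault);
    }
}
```

The fromDefault flag is the part worth keeping when debugging a setup like the one above: a fall-through to the default role is indistinguishable from a genuine "member" release unless the code records which path it took, and the diagnostic listing makes it obvious whether any Shibboleth headers are present at all in the context doing the mapping.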
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech