In case anyone is interested, the cause of my problem was this setting in
the config:

#### Session invalidation #####
# Enable or disable session invalidation upon login or logout.
# This feature is enabled by default to help prevent session hijacking
# but may cause problems for shibboleth, etc
#
# webui.session.invalidate = true

We switched that to false and our users were mapped to the group upon
login.

Thanks!

-Sarah Ryder
Web Development
Hampshire College
413.559.5477
On Fri, 8 Apr 2011, Lehtilä Tapani wrote:
As far as I know, the attributes may differ in different Shibboleth
installations. I suggest you set the log level to DEBUG in
config/log4j.properties. Then you can check from DSpace logs what the real
attributes are after you have logged in.

In our case the settings which need to be configured are
authentication.shib.role-header and authentication.shib.role.[role_name];
role_name can be, for example, Staff and Students. That role_name you can check
from the role-header attribute.

P.S. Remember to change that log level back to info, because it will collect a
lot of logs at debug level.

Tapani
--
Tapani Lehtilä, Tampere University of Technology / Library
[email protected] +358 40 849 0208
P.O.Box 537, 33101 Tampere Finland
Street address:
Korkeakoulunkatu 10, 33720 Tampere, Finland
-----Original Message-----
From: Kevin P. Foote [mailto:[email protected]]
Sent: Thursday, April 07, 2011 11:39 PM
To: Sarah Ryder
Cc: [email protected]
Subject: Re: [Dspace-tech] auto add shib users to group
I believe there is one more setting in there somewhere ..
it relates to what you're consuming as the "role" attribute, I believe..
can't remember off the top of my head.
In my case I'm using ePPA
------
thanks
kevin.foote
On Thu, 7 Apr 2011, Sarah Ryder wrote:
->
-> Hi folks
->
-> We're using Shibboleth authentication w/ DSpace 1.7.1 and we'd like to
-> make it so that all of our users are added to a DSpace group when they
-> login. Does anyone know if this is possible and how?
->
-> I assumed that the following lines in dspace.cfg (see below) would allow
-> for this, so I set:
-> authentication.shib.default-roles = member
-> authentication.shib.role.member = hampusers
->
-> I already created the group called hampusers, but no users are added to
-> the group when they login. I picked the word member to use for the role,
-> but I picked that out of thin air just assuming that it could be any word.
->
-> I also don't see anything regarding roles in the dspace log when users
-> authenticate.
->
-> Any insight or help would be much appreciated. Thanks!
->
-> # when user is fully authN on IdP but would not like to release
-> # his/her roles to DSpace (for privacy reason?), what should be
-> # the default roles be given to such users?
-> # The values are separated by semi-colon or comma
-> # authentication.shib.default-roles = Staff, Walk-ins
-> authentication.shib.default-roles = member
->
-> # The following mappings specify role mapping between IdP and Dspace.
-> # the left side of the entry is IdP's role (prefixed with
-> # "authentication.shib.role.") which will be mapped to
-> # the right entry from DSpace. DSpace's group as indicated on the
-> # right entry has to EXIST in DSpace, otherwise user will be identified
-> # as 'anonymous'. Multiple values on the right entry should be separated
-> # by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping
-> # will be done when the IdP groups entry are not listed below (i.e.
-> # if "X" group in IdP is not specified here, then it will be mapped
-> # to "X" group in DSpace if it exists, otherwise it will be mapped
-> # to simply 'anonymous')
-> #
-> # Given sufficient demand, future release could support regex for the mapping
-> # special characters need to be escaped by \
-> #authentication.shib.role.Senior\ Researcher = Researcher, Staff
-> #authentication.shib.role.Librarian = Administrator
-> authentication.shib.role.member = hampusers
->
->
-> -Sarah Ryder
-> Web Development
-> Hampshire College
-> 413.559.5477
->
-> _______________________________________________
-> DSpace-tech mailing list
-> [email protected]
-> https://lists.sourceforge.net/lists/listinfo/dspace-tech
->
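
The role-to-group rules from the dspace.cfg comments quoted above, together with the webui.session.invalidate setting from the first message, written out as a small checker. This is an added example, not DSpace code and not something posted in the thread; the parser, the function names, the set of existing groups, splitting released roles the same way as default-roles, and the way a missing group is skipped are assumptions made for illustration.

```python
import re

# Constructed sample built from the settings quoted in this thread.
SAMPLE_CFG = r"""
webui.session.invalidate = false
authentication.shib.default-roles = member
authentication.shib.role.member = hampusers
authentication.shib.role.Senior\ Researcher = Researcher, Staff
"""
ROLE_PREFIX = "authentication.shib.role."
DEFAULT_ROLES = "authentication.shib.default-roles"

def parse_props(text):
    """Minimal key = value reader; '#' comments, backslash escapes in keys."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"((?:\\.|[^=\\#])+?)\s*=\s*(.*)$", line)
        if m:
            props[re.sub(r"\\(.)", r"\1", m.group(1))] = m.group(2).strip()
    return props

def split_list(value, seps=";,"):
    return [v.strip() for v in re.split(f"[{seps}]", value or "") if v.strip()]

def resolve_groups(props, released_roles, existing_groups):
    """Groups a login would get under the rules in the quoted comments."""
    # No roles released by the IdP: fall back to the default roles.
    roles = split_list(released_roles) or split_list(props.get(DEFAULT_ROLES))
    groups = set()
    for role in roles:
        # Explicit mapping if listed, else one-to-one by name (case-sensitive).
        targets = split_list(props.get(ROLE_PREFIX + role), ",") or [role]
        # Assumption: a group that does not exist is simply skipped.
        groups.update(g for g in targets if g in existing_groups)
    return groups or {"anonymous"}

def audit(props, existing_groups):
    """Config findings worth a second look before deploying."""
    findings = []
    if props.get("webui.session.invalidate", "true").lower() == "false":
        findings.append("webui.session.invalidate=false: invalidation on login/logout is off")
    for key, value in props.items():
        if key.startswith(ROLE_PREFIX):
            findings += [f"{key} -> missing DSpace group '{g}'"
                         for g in split_list(value, ",") if g not in existing_groups]
    for role in split_list(props.get(DEFAULT_ROLES)):
        if ROLE_PREFIX + role not in props and role not in existing_groups:
            findings.append(f"default role '{role}' resolves to no existing group")
    return findings
```

Call `resolve_groups(parse_props(SAMPLE_CFG), None, {"hampusers", "Staff"})` to see what a user with no released roles ends up in, and `audit(...)` with the same arguments to list the settings that need review.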