Hi,

> I can't seem to get the auto population of this
> group working.

Just to add to what I've already said - I upped the log level to DEBUG and ran 
some more tests, but that didn't seem to shine any additional light.

So I've been looking through the Shibboleth authentication code (in 
ShibAuthentication.java) - In the code I can see the function:

public int[] getSpecialGroups(Context context, HttpServletRequest request)

- which appears to be the code that adds the user to the special group(s). This 
code contains lots of INFO and DEBUG logging lines, but I'm not seeing any of 
these lines appearing in my logs - suggesting that this code to populate the 
special groups isn't actually being called . . . . . ? It certainly isn't 
called from within ShibAuthentication.java as far as I can tell . . . .

Am I missing some config somewhere to turn this feature on? It all looks like 
it should work, so I feel like I'm missing something obvious (assuming this 
feature is working for others)?

Any pointers welcome!

Cheers,

Mike

Michael White
eLearning Developer
Information Services

T: (01786) 466877
E: michael.wh...@stir.ac.uk
A: S8, Library, University of Stirling, Stirling, FK9 4LA 

> -----Original Message-----
> From: Michael White
> Sent: 09 June 2015 10:17
> To: dspace-tech@lists.sourceforge.net
> Subject: Shibboleth and role based groups?
> 
> Hi,
> 
> DSpace v5.2/JSPUI.
> 
> I've set up Shibboleth authentication for a new v5.2 installation - the
> authentication part appears to be working well, but I'm struggling with
> automatically placing authenticated users into role based groups based on
> their (scoped) affiliation and I'm hoping someone might be able to help.
> 
> I've configured authentication-shibboleth.cfg to add "staff" users into the
> group "ALL_Collections_Submit" (and I've double checked the group
> name/case etc):
> 
> # The shibboleth header to do role-based mappings
> role-header = affiliation
> 
> # Whether to ignore the attribute's scope or value.
> role-header.ignore-scope = true
> 
> # Default mappings of roles values to a comma separated list of DSpace group
> # names (Case Sensitive).
> #role.faculty = Faculty, Member
> role.staff = ALL_Collections_Submit
> #role.student = Students, Member
> 
> - when I authenticate, I can see in the dspace logs that the shib authentication
> module is picking up the affiliation header (amongst others):
> 
> 2015-06-09 09:53:05,024 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:affiliation=st...@stir.ac.uk;mem...@stir.ac.uk
> 2015-06-09 09:53:05,024 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:unscoped-affiliation=
> 2015-06-09 09:53:05,025 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:entitlement=
> 2015-06-09 09:53:05,025 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:targeted-id=
> 2015-06-09 09:53:05,026 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:persistent-id=
> 2015-06-09 09:53:05,027 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:sn=White
> 2015-06-09 09:53:05,027 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:givenname=Michael
> 2015-06-09 09:53:05,028 INFO org.dspace.app.webui.servlet.ShibbolethServlet @ header:mail=michael.wh...@stir.ac.uk
> 
> - but, even though the authentication is successful (and creates a new
> ePerson record for that user using the supplied header data if they don't
> already exist in the system), I can't seem to get the auto population of this
> group working.
> 
> I only have a handful of test collections in this DSpace currently:
> 
> 0     Anonymous
> 1     Administrator
> 2     Test_Collection_SUBMIT
> 3     ALL_Collections_Submit
> 
> - where ALL_Collections_Submit has group deposit permissions to
> Test_Collection_SUBMIT.
> 
> If I manually add a user to the "ALL_Collections_Submit" group, then when I
> log on as that user via Shibboleth, I do get the appropriate deposit permissions
> for "Test_Collection_SUBMIT" (so the group logic seems OK), but it doesn't
> work if relying on Shibboleth to dynamically add the user to the
> "ALL_Collections_Submit" group . . . .
> 
> I also tried amending the shibboleth attribute filter policy to only supply
> "st...@stir.ac.uk", just in case it was the semi colon separated list of scoped
> affiliations that was behind the problem, but it still didn't work . . . .
> 
> Does anyone have any thoughts on what I might be missing? Do others have
> this working as intended? Have I misunderstood or done something stupid?
> 
> Thanks in advance for any thoughts or insights anyone might have.
> 
> Cheers,
> 
> Mike
> 
> Michael White
> eLearning Developer
> Information Services
> 
> T: (01786) 466877
> E: michael.wh...@stir.ac.uk
> A: S8, Library, University of Stirling, Stirling, FK9 4LA
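
Added example, not part of the original message and not DSpace code: a small offline model of the role mapping that the quoted authentication-shibboleth.cfg comments describe, run against a constructed header value of the same shape as the logged one. The parsing rules (';' separator, scope stripped after '@', an unset role header yielding no groups) and the names `parse_config` and `expected_groups` are assumptions for illustration.

```python
# Models the role mapping described by the config comments in the message above.
# Not DSpace code; the rules below are assumptions taken from those comments.

CONFIG = """\
role-header = affiliation
role-header.ignore-scope = true
#role.faculty = Faculty, Member
role.staff = ALL_Collections_Submit
#role.student = Students, Member
"""

def parse_config(text):
    """Return the active key/value settings; '#' lines are commented out."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def expected_groups(settings, headers):
    """Group names the mapping should yield for one request's headers."""
    header_name = settings.get("role-header")
    if not header_name:
        return []  # assumption of this model: no role header, no mapping
    ignore_scope = settings.get("role-header.ignore-scope", "false").lower() == "true"
    groups = []
    for value in headers.get(header_name, "").split(";"):
        value = value.strip()
        if not value:
            continue
        if ignore_scope:
            value = value.split("@", 1)[0]  # staff@example.edu -> staff
        mapped = settings.get("role." + value, "")  # case-sensitive lookup
        for name in mapped.split(","):
            if name.strip() and name.strip() not in groups:
                groups.append(name.strip())
    return groups

# Constructed header value (scoped, ';'-separated), not the one from the logs.
SAMPLE = {"affiliation": "staff@example.edu;member@example.edu"}

if __name__ == "__main__":
    print(expected_groups(parse_config(CONFIG), SAMPLE))
```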

