Re: [Archivesspace_Users_Group] Aspace-Oauth SAML configuration

2020-10-06 Thread Peter Heiner
philip.webs...@sheffield.ac.uk wrote on 2020-10-06 17:44:51:
> Hi,
> 
> I'm trying to set up the Aspace-Oauth plugin on ArchivesSpace 2.8.0 to
> enable SAML logins via our institutional IDP. So far, I've managed to get
> the plugin linked to our dev IDP and configured to download the SAML
> metadata. Our IT department has requested that all security assertions are
> at least signed, and preferably encrypted.
> 
> I've also generated a private key and certificate using the commands listed
> in the README.md file in the github repo
> (https://github.com/lyrasis/aspace-oauth).
> 
> openssl genrsa -out rsaprivkey.pem 2048
> openssl req -new -x509 -key rsaprivkey.pem -out rsacert.pem

You can reuse the web server certificate if you already have one.

> 
> The documentation is quite sparse, and doesn't really explain what to do
> next. The config sample given in the README.md has the following parameters
> defined in the example:
> 
> # OPTIONAL: for encrypted assertions
>   :certificate=> "PUBLIC CERT",
>   :private_key=> "PRIVATE KEY",
> 
> What are the expected values for "PUBLIC CERT" and "PRIVATE KEY"? Should
> these be the paths of the rsaprivkey.pem and rsacert.pem files, or am I
> expected to paste the ASCII contents of the .pem files straight into the
> config file?

Both the ArchivesSpace and the OmniAuth documentation are very sparse, but
OmniAuth's own Ruby tests suggest that you need to paste the contents.

> Once this is set up, I also have to define the name identifier format. The
> default setting in the config is
> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", and further down
> there is email: ["urn:oid:0.9.2342.19200300.100.1.3"]. I do want to populate
> the email field in the user records in ArchivesSpace's database, but at my
> institution we prefer to use eduPersonPrincipalName
> (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) as an identifier instead of email
> address.
> 
> Hopefully, ArchivesSpace Oauth will support this, and I assume I can just
> substitute "eduPersonPrincipalName" in place of "emailAddress" in the config
> file.

Yes, this should work with any unique attribute. 

> The README.md file also refers to some 'project documentation', but I
> haven't been able to find this anywhere on the community documentation. Is
> there any other documentation other than the README, and if so, where is it?
> 
> Once this is all set up, I'll have to send some metadata to our IT
> department. I'm hoping that there is an endpoint somewhere that I can point
> a browser at and get the generated metadata for the service, so I can just
> pass that on. Again, it's not clear if such a thing exists - or how I'd go
> about accessing it.
 
OmniAuth docs at
https://github.com/omniauth/omniauth-saml/blob/master/README.md#sp-metadata
suggest the URL will be /auth/saml/metadata on your server.

I am really looking forward to hearing how this worked out, adding SAML
authentication is something I'm trying to schedule for one of my next
sprints.

p

___
Archivesspace_Users_Group mailing list
Archivesspace_Users_Group@lyralists.lyrasis.org
http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group
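An added worked example for the thread above (not code from the aspace-oauth plugin, the omniauth-saml gem or either poster): it generates the SP key pair in Ruby, the equivalent of the two openssl commands quoted above, builds the options hash with the PEM contents pasted in as the reply says (not file paths), and checks the certificate/key pair before the config goes live. The option names (:certificate, :private_key, :security, :uid_attribute, :attribute_statements, :name_identifier_format) are the ones omniauth-saml documents; whether aspace-oauth passes every one of them through unchanged is an assumption, as are the example hostnames and entity IDs. Rather than rewriting the nameid-format URN, it selects eduPersonPrincipalName by its OID via :uid_attribute and keeps the email OID mapped so the ArchivesSpace user record is still populated.

```ruby
# Added example, not code from aspace-oauth or omniauth-saml. Builds the
# omniauth-saml options hash with PEM *contents* (not paths) and sanity-checks
# the SP certificate/key pair before ArchivesSpace ever loads it.
require "openssl"
require "securerandom"

EPPN_OID  = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" # eduPersonPrincipalName
EMAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3" # mail

# In-Ruby equivalent of "openssl genrsa 2048" + "openssl req -new -x509":
# a 2048-bit RSA key and a self-signed certificate. Returns [cert_pem, key_pem].
def generate_sp_keypair(common_name, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = SecureRandom.random_number(2**63)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

# Options in the shape omniauth-saml documents. :certificate/:private_key take
# the PEM text itself. The identifier is eduPersonPrincipalName selected by OID
# through :uid_attribute; :name_identifier_format is left at the README default.
# The :security block asks for signed + encrypted assertions (ruby-saml settings
# that omniauth-saml passes through; assumed to survive aspace-oauth unchanged).
def build_saml_options(cert_pem, key_pem, sp_entity_id:, idp_metadata_url:)
  {
    name: :saml,
    idp_metadata_url: idp_metadata_url, # placeholder value, assumption
    sp_entity_id: sp_entity_id,         # placeholder value, assumption
    certificate: cert_pem,
    private_key: key_pem,
    security: {
      authn_requests_signed: true,
      want_assertions_signed: true,
      want_assertions_encrypted: true,
      digest_method: "http://www.w3.org/2001/04/xmlenc#sha256",
      signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    },
    name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    uid_attribute: EPPN_OID,
    attribute_statements: { email: [EMAIL_OID] }
  }
end

# Catch the mistakes that otherwise surface as opaque XML-security errors at
# login time: a path pasted where PEM text belongs, cert and key swapped, a
# cert that does not match the key, a cert outside its validity window, or a
# key shorter than 2048 bits. Returns true or raises ArgumentError.
def validate_sp_credentials(opts)
  cert_pem = opts.fetch(:certificate).to_s
  key_pem  = opts.fetch(:private_key).to_s
  { certificate: cert_pem, private_key: key_pem }.each do |name, pem|
    next if pem.include?("-----BEGIN ")
    raise ArgumentError, ":#{name} looks like a file path; paste the PEM contents"
  end
  unless cert_pem.include?("-----BEGIN CERTIFICATE-----")
    raise ArgumentError, ":certificate must hold a CERTIFICATE block (is it the key?)"
  end
  unless key_pem.match?(/-----BEGIN (RSA )?PRIVATE KEY-----/)
    raise ArgumentError, ":private_key must hold a PRIVATE KEY block (is it the cert?)"
  end

  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey::RSA.new(key_pem)
  raise ArgumentError, "certificate does not match private key" unless cert.check_private_key(key)
  now = Time.now
  unless cert.not_before <= now && now <= cert.not_after
    raise ArgumentError, "certificate not valid now (#{cert.not_before}..#{cert.not_after})"
  end
  raise ArgumentError, "RSA key is only #{key.n.num_bits} bits" if key.n.num_bits < 2048
  true
end

if $PROGRAM_NAME == __FILE__
  cert_pem, key_pem = generate_sp_keypair("archivesspace.example.edu")
  opts = build_saml_options(cert_pem, key_pem,
                            sp_entity_id: "https://archivesspace.example.edu/auth/saml/metadata",
                            idp_metadata_url: "https://idp.example.edu/idp/shibboleth")
  puts "credentials OK: #{validate_sp_credentials(opts)}"
  begin
    validate_sp_credentials(opts.merge(certificate: "/etc/archivesspace/rsacert.pem"))
  rescue ArgumentError => e
    puts "rejected: #{e.message}" # the path-vs-contents mistake asked about above
  end
end
```

In a real deployment the two PEM strings come from File.read("rsacert.pem") and File.read("rsaprivkey.pem") rather than from generate_sp_keypair, and the example keeps a dedicated SAML key pair instead of reusing the TLS certificate so the two can be rotated independently. Once the plugin is loaded with the :certificate set, the SP metadata the reply points at (/auth/saml/metadata) should carry that certificate in its KeyDescriptor, which is the piece the IdP side needs in order to encrypt assertions to you.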


[Archivesspace_Users_Group] Aspace-Oauth SAML configuration

2020-10-06 Thread philip . webster
Hi,

I'm trying to set up the Aspace-Oauth plugin on ArchivesSpace 2.8.0 to
enable SAML logins via our institutional IDP. So far, I've managed to get
the plugin linked to our dev IDP and configured to download the SAML
metadata. Our IT department has requested that all security assertions are
at least signed, and preferably encrypted.

I've also generated a private key and certificate using the commands listed
in the README.md file in the github repo
(https://github.com/lyrasis/aspace-oauth).

openssl genrsa -out rsaprivkey.pem 2048
openssl req -new -x509 -key rsaprivkey.pem -out rsacert.pem

The documentation is quite sparse, and doesn't really explain what to do
next. The config sample given in the README.md has the following parameters
defined in the example:

# OPTIONAL: for encrypted assertions
  :certificate=> "PUBLIC CERT",
  :private_key=> "PRIVATE KEY",

What are the expected values for "PUBLIC CERT" and "PRIVATE KEY"? Should
these be the paths of the rsaprivkey.pem and rsacert.pem files, or am I
expected to paste the ASCII contents of the .pem files straight into the
config file?

Once this is set up, I also have to define the name identifier format. The
default setting in the config is
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", and further down
there is email: ["urn:oid:0.9.2342.19200300.100.1.3"]. I do want to populate
the email field in the user records in ArchivesSpace's database, but at my
institution we prefer to use eduPersonPrincipalName
(urn:oid:1.3.6.1.4.1.5923.1.1.1.6) as an identifier instead of email
address.

Hopefully, ArchivesSpace Oauth will support this, and I assume I can just
substitute "eduPersonPrincipalName" in place of "emailAddress" in the config
file.

The README.md file also refers to some 'project documentation', but I
haven't been able to find this anywhere on the community documentation. Is
there any other documentation other than the README, and if so, where is it?

Once this is all set up, I'll have to send some metadata to our IT
department. I'm hoping that there is an endpoint somewhere that I can point
a browser at and get the generated metadata for the service, so I can just
pass that on. Again, it's not clear if such a thing exists - or how I'd go
about accessing it.

If anyone has any advice for the issues described above, I'd be very
grateful to hear it!

Regards,

Philip Webster
The University Library
University of Sheffield
