Shibboleth Groups: arbitrary attributes and regex support #1515
Comments
"All roads lead to Groups" was the message from the "Enabling Cross-University Collaboration with Harvard IAM: TIER, InCommon, and Grouper" talk at yesterday's 2015 Harvard IT Summit. Meanwhile, it would be very interesting to have other Dataverse installations (@akio-sone and @bencomp I'm looking at you) work with their IdPs to get real life SAML assertions about group information we could test with while designing this feature. We can set up some unit tests for regular expressions that match and don't match.
We've started testing with Shibboleth (as you may have noticed). As samples of real-life SAML assertions for groups there are:
As we have only one IdP and a dataverse for each participating institution that we want researchers from that institution to have access to, we think groups like these are our best bet. Yes, we're looking at groups of people who have both (/all) assertions, so an explicit group of ShibGroups will not fit here.
I just wanted to point out that @bencomp also started a Shibboleth groups use cases thread on the mailing list if anyone would prefer to comment there. In short, this feature is still being designed and feedback is welcome.
@pdurbin can this one be closed?
@djbrooke we should leave this issue open. Harvard can't make use of this feature until a deal is worked out with HarvardKey people to release more information about what department or lab people are in but Odum and DANS are both interested in this feature. See also the "2014-06-19 meeting with Jon Crabtree about iRODS and Shibboleth" doc at https://docs.google.com/a/harvard.edu/document/d/1Rk1MqclTz4LpVxfzZJc2dWRaCRVNbO6n_HuAhgwyEII/edit?usp=sharing. Other installations of Dataverse might be interested in this feature as well.
This feature was just requested at https://help.hmdc.harvard.edu/Ticket/Display.html?id=244044
I changed my mind. Let's close this until we decide to start working on it.
Related: #4776
I have a question about what affiliation is. If I list myself as a user I'd get: "affiliation":"University of California, Los Angeles". I tried that to create an affiliated group for UCLA. It doesn't display when I try listing Shibboleth groups (curl http://localhost:8080/api/admin/groups/shib), so my interpretation of affiliation probably isn't correct. As an aside, it looks like only email and IdP work; affiliation did work. I'm trying to create a Shibboleth group of UCLA-affiliated users.
@jmjamison I believe you're looking for https://guides.dataverse.org/en/5.13/installation/shibboleth.html#institution-wide-shibboleth-groups but if you still have questions, please open a fresh issue. Thanks!
We are very interested in this feature, so we can add user rights based on not just university but also student versus employee relationship/status. @pdurbin
@Asbjoedt it makes complete sense that you (and others) are interested in this feature but I'm not so sure it lines up with work that's currently funded at IQSS (but I don't really know). Yes, a PR would be appreciated. However, before that, if the community could come up with some sort of design doc that would be nice as well, to make sure everyone is on the same page.
Also - Dataverse is transitioning to only supporting OIDC directly, with Shibboleth support requiring something like Keycloak that can bridge between Shibboleth and OIDC (if your Shibboleth provider doesn't also provide OIDC directly). OIDC and Keycloak also support the idea of groups, so I think the basic feature request is still viable, but anyone implementing should probably work with OIDC.
@qqmyers excellent point. @Asbjoedt you can get a sense of our auth plans from Dataverse Single Page Application: Authentication Analysis and Design Summary, one of many re-arch docs.
In #1401 I implemented institution-wide Shibboleth groups (i.e. "you logged in with your Harvard account") which is a decent start (though we want the creation to be automated in #1403) but what we really want is for people installing Dataverse to be able to create a group based on any arbitrary Shibboleth attribute ("eduPersonScopedAffiliation", "Organization", whatever). Also, rather than an exact string match, we want to support regular expressions.
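As an added example, not Dataverse code and not posted by anyone in this thread, here is a Java sketch of the rule evaluation the issue body describes and the match/no-match unit tests the first comment asks for: a group is defined by an attribute name plus a regular expression, and a user is placed in it when any value of that attribute matches the whole pattern. The `ShibGroupRule` class, the group aliases and the sample attribute values are assumed for illustration; the ';'-joined multi-value header format is assumed to be what the Shibboleth SP hands to the application by default.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical group rule: "users whose attribute NAME has a value matching REGEX".
 * Not part of Dataverse; written to illustrate the feature discussed in the issue.
 */
public final class ShibGroupRule {
    /** Values longer than this are skipped: the regex is admin-defined but the value is
     *  user-influenced, and Java's backtracking engine should not be fed unbounded input. */
    static final int MAX_VALUE_LENGTH = 1024;

    private final String groupAlias;
    private final String attributeName;
    private final Pattern pattern;

    public ShibGroupRule(String groupAlias, String attributeName, String regex) {
        this.groupAlias = groupAlias;
        this.attributeName = attributeName;
        // Compile once at rule-definition time so a malformed regex fails when the admin
        // creates the group (PatternSyntaxException), not during somebody's login.
        this.pattern = Pattern.compile(regex);
    }

    public String getGroupAlias() { return groupAlias; }

    /** True if ANY value of the attribute matches the ENTIRE regex. matches() is used on
     *  purpose: find() would let "staff@harvard\\.edu" accept "staff@harvard.edu.example". */
    public boolean matches(Map<String, List<String>> attributes) {
        List<String> values = attributes.getOrDefault(attributeName, Collections.emptyList());
        for (String value : values) {
            if (value.length() > MAX_VALUE_LENGTH) continue;
            if (pattern.matcher(value).matches()) return true;
        }
        return false;
    }

    /** Split the attribute headers the SP exposes into lists (assumed ';'-joined multi-values). */
    public static Map<String, List<String>> parseAttributes(Map<String, String> headers) {
        Map<String, List<String>> out = new HashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            List<String> values = new ArrayList<>();
            for (String part : e.getValue().split(";")) {
                String trimmed = part.trim();
                if (!trimmed.isEmpty()) values.add(trimmed);
            }
            out.put(e.getKey(), values);
        }
        return out;
    }

    /** Evaluate every rule against one user's attributes; returns the aliases of matching groups. */
    public static Set<String> groupsFor(List<ShibGroupRule> rules, Map<String, List<String>> attrs) {
        Set<String> groups = new LinkedHashSet<>();
        for (ShibGroupRule rule : rules) {
            if (rule.matches(attrs)) groups.add(rule.getGroupAlias());
        }
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample assertion, in the header form the SP would pass to the app.
        Map<String, String> headers = new HashMap<>();
        headers.put("eduPersonScopedAffiliation", "member@harvard.edu;staff@harvard.edu");
        headers.put("Organization", "Harvard University");
        Map<String, List<String>> attrs = parseAttributes(headers);

        List<ShibGroupRule> rules = new ArrayList<>();
        rules.add(new ShibGroupRule("harvard-staff", "eduPersonScopedAffiliation", "staff@harvard\\.edu"));
        rules.add(new ShibGroupRule("harvard-any", "eduPersonScopedAffiliation", "[a-z]+@harvard\\.edu"));
        rules.add(new ShibGroupRule("harvard-org", "Organization", "Harvard( University)?"));
        rules.add(new ShibGroupRule("ucla-any", "eduPersonScopedAffiliation", ".*@ucla\\.edu"));

        // Expected: [harvard-staff, harvard-any, harvard-org]; ucla-any does not match.
        System.out.println("groups: " + groupsFor(rules, attrs));

        // Unit-test style checks: the scope must match exactly, not merely as a prefix.
        Map<String, String> lookalike = new HashMap<>();
        lookalike.put("eduPersonScopedAffiliation", "staff@harvard.edu.example");
        boolean prefixOnly = rules.get(0).matches(parseAttributes(lookalike));
        System.out.println("prefix-only scope accepted: " + prefixOnly); // expected: false
    }
}
```

Two design points carry the security weight here: patterns are applied with `matches()` so an admin's regex cannot be satisfied by a longer string that merely contains the intended scope, and attribute values above a fixed length are ignored so that user-controlled input cannot drive a backtracking regex into long evaluation times. Rules themselves remain trusted configuration, so the installer is still responsible for writing anchored, simple expressions.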