
Shibboleth Groups: arbitrary attributes and regex support #1515

Closed
pdurbin opened this issue Feb 26, 2015 · 14 comments

Comments

@pdurbin
Member

pdurbin commented Feb 26, 2015

In #1401 I implemented institution-wide Shibboleth groups (i.e. "you logged in with your Harvard account") which is a decent start (though we want the creation to be automated in #1403) but what we really want is for people installing Dataverse to be able create a group based on any arbitrary Shibboleth attribute ("eduPersonScopedAffiliation", "Organization", whatever). Also, rather than an exact string match, we want to support regular expressions.

@pdurbin
Member Author

pdurbin commented Jun 5, 2015

"All roads lead to Groups" was the message from the "Enabling Cross-University Collaboration with Harvard IAM: TIER, InCommon, and Grouper" talk at yesterday's 2015 Harvard IT Summit. Meanwhile, it would be very interesting to have other Dataverse installations (@akio-sone and @bencomp I'm looking at you) work with their IdPs to get real life SAML assertions about group information we could test with while designing this feature. We can set up some unit tests for regular expressions that match and don't match.

@bencomp
Contributor

bencomp commented Sep 18, 2015

We've started testing with Shibboleth (as you may have noticed). As samples of real-life SAML assertions for groups there are:

  • affiliation: faculty && HomeOrg: universityX.nl
  • HomeOrg: universityY.nl && eduPersonEntitlement: urn:x-surfnet:dataverse.nl:researcher

As we have only one IdP and a dataverse for each participating institution that we want researchers from that institution to have access to, we think groups like these are our best bet. Yes, we're looking at groups of people who have both (/all) assertions, so an explicit group of ShibGroups will not fit here.

HomeOrg is urn:mace:terena.org:attribute-def:schacHomeOrganization. The value urn:x-surfnet:dataverse.nl:researcher for eduPersonEntitlement may be among other values.
(You might think that we should use scoped affiliations, but we don't get those as far as I can tell. The latter example shows not everyone thinks the supported values for affiliation are so clearly defined that it maps to the roles in their access control system.)
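The two conjunctive rules above, together with the "arbitrary attribute plus regular expression" matching requested in the opening comment, can be prototyped as a small rule evaluator. This is an added example for the design discussion, not Dataverse code; the attribute map, the group names and the third rule are constructed, and it assumes the Shibboleth SP's default of delivering multi-valued attributes as one semicolon-separated string.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the attributes a Shibboleth SP hands the application
# for one login. eduPersonEntitlement is multi-valued, so the wanted value
# sits among others, as the thread describes.
SAMPLE_USER = {
    "affiliation": "faculty",
    "HomeOrg": "universityX.nl",
    "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms;"
                            "urn:x-surfnet:dataverse.nl:researcher",
}

Rule = List[Tuple[str, str]]  # conjunction of (attribute name, regex)

def split_values(raw: str) -> List[str]:
    """Split a semicolon-separated attribute into its individual values."""
    return [v for v in raw.split(";") if v]

def matches_rule(attrs: Dict[str, str], rule: Rule) -> bool:
    """Every (attribute, regex) pair must hold; a pair holds if ANY value of
    that attribute fully matches the regex. fullmatch is deliberate: a
    substring search for 'universityX.nl' would also accept the value
    'universityX.nl.example.org', silently widening the group."""
    for attr, pattern in rule:
        raw = attrs.get(attr)
        if raw is None:
            return False
        if not any(re.fullmatch(pattern, v) for v in split_values(raw)):
            return False
    return True

# Hypothetical group definitions: the first two mirror the examples in this
# comment, the third shows a regex over the HomeOrg domain.
GROUPS: Dict[str, Rule] = {
    "universityX-faculty": [("affiliation", r"faculty"),
                            ("HomeOrg", r"universityX\.nl")],
    "universityY-researchers": [("HomeOrg", r"universityY\.nl"),
                                ("eduPersonEntitlement",
                                 r"urn:x-surfnet:dataverse\.nl:researcher")],
    "any-nl-staff": [("HomeOrg", r"[A-Za-z0-9-]+\.nl"),
                     ("affiliation", r"(faculty|staff|employee)")],
}

def groups_for(attrs: Dict[str, str]) -> List[str]:
    """Return the sorted names of all groups whose rule the user satisfies."""
    return sorted(name for name, rule in GROUPS.items() if matches_rule(attrs, rule))
```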

@pdurbin
Member Author

pdurbin commented Oct 9, 2015

I just wanted to point out that @bencomp also started a Shibboleth groups use cases thread on the mailing list if anyone would prefer to comment there. In short, this feature is still being designed and feedback is welcome.

@djbrooke
Contributor

djbrooke commented Oct 7, 2016

@pdurbin can this one be closed?

@pdurbin
Member Author

pdurbin commented Oct 15, 2016

@djbrooke we should leave this issue open. Harvard can't make use of this feature until a deal is worked out with HarvardKey people to release more information about what department or lab people are in but Odum and DANS are both interested in this feature. See also the "2014-06-19 meeting with Jon Crabtree about iRODS and Shibboleth" doc at https://docs.google.com/a/harvard.edu/document/d/1Rk1MqclTz4LpVxfzZJc2dWRaCRVNbO6n_HuAhgwyEII/edit?usp=sharing . Other installations of Dataverse might be interested in this feature as well.

@pdurbin
Member Author

pdurbin commented Nov 28, 2016

This feature was just requested at https://help.hmdc.harvard.edu/Ticket/Display.html?id=244044

@pdurbin
Member Author

pdurbin commented Jun 28, 2017

I changed my mind. Let's close this until we decide to start working on it.

@pdurbin
Member Author

pdurbin commented Jul 13, 2018

Related: #4776

@jmjamison
Contributor

jmjamison commented Jun 5, 2023

I have a question about what affiliation is. If I list myself as a user I'd get: "affiliation":"University of California, Los Angeles". I tried that to create an affiliated group for UCLA. It doesn't display when I try listing Shibboleth groups (curl http://localhost:8080/api/admin/groups/shib), so my interpretation of affiliation probably isn't correct.

As an aside, it looks like only email and IdP work; affiliation did work.

I'm trying to create a shibboleth group of UCLA affiliated users.

@pdurbin
Member Author

pdurbin commented Jun 13, 2023

@jmjamison I believe you're looking for https://guides.dataverse.org/en/5.13/installation/shibboleth.html#institution-wide-shibboleth-groups but if you still have questions, please open a fresh issue. Thanks!

@Asbjoedt

We are very interested in this feature, so we can add user rights based on not just university but also student versus employee relationship/status.

@pdurbin
Are there any plans to add it to IQSS' roadmap, or would the community realistically have to do a PR on this in the near to mid future (1-2 years)?

@pdurbin
Member Author

pdurbin commented Dec 12, 2023

@Asbjoedt it makes complete sense that you (and others) are interested in this feature, but I'm not so sure it lines up with work that's currently funded at IQSS (but I don't really know). Yes, a PR would be appreciated. However, before that, if the community could come up with some sort of design doc that would be nice as well, to make sure everyone is on the same page.

@qqmyers
Member

qqmyers commented Dec 12, 2023

Also - Dataverse is transitioning to only supporting OIDC directly, with Shibboleth support requiring something like Keycloak that can bridge between Shibboleth and OIDC (if your Shibboleth provider doesn't also provide OIDC directly). OIDC and Keycloak also support the idea of groups, so I think the basic feature request is still viable, but anyone implementing should probably work with OIDC.

@pdurbin
Member Author

pdurbin commented Dec 12, 2023

@qqmyers excellent point. @Asbjoedt you can get a sense of our auth plans from Dataverse Single Page Application: Authentication Analysis and Design Summary, one of many re-arch docs.
