Attempting to have duplicate IdP EntityID's in shibd...two instituions sharing an ID system

[laulandn]

We have mutliple members of the Texas A&M System using our system. Unfortunately one of them (Texas A&M Galveston) doesn't have their own ID system, and shares uses the main University's Shibboleth IdP. We are trying to keep them separate but not having any luck.
Since Dataverse goes by EntityID, and Texas A&M Galveston doesn't have their own, they can't have a separate shib group, and the login screen only shows one icon.
We have both entries in the pulldown login menu because we have another copy of the TAMU IdP info for TAMUG, just with a different icon and name.
So, this is looking like a losing battle, but I wanted to see what you guys think about situations like this. And let you know what happens when someone tries something like this, if only to tell them it won't work.
Thank!

[pdurbin]

@laulandn woof. This is something I didn't anticipate. It's somewhat related to #2548.

[laulandn]

Yeah, a user would choose "Texas A&M System" and then a new screen would should members of that System. That second screen wouldn't be part of Dataverse. Not sure if that's an experience we'd want tho, I'll check with project owners. Thanks!

[pdurbin]

@laulandn sure. Another related issue is #1515 but no one has championed it and I didn't want it to be open in my name. The general idea is to be able to have Shibboleth groups based on more granularity than just the EntityID used to log in. A few weeks ago I went to the Harvard IT Summit and heard that a tool called Grouper ( https://www.internet2.edu/products-services/trust-identity/grouper/ ) is now being used at Harvard that might some day help us figure out which groups people are part of. I'm not sure what tools other institutions are using for groups.

[laulandn]

Yeah, I'd tried doing something like that before realizing it wasn't supported yet. :)

[pdurbin]

@laulandn is this issue something that someone like @nwoodward or another developer that's part of TDL would be interested in working on? I'm asking because I don't think it's an especially high priority for the dev team at IQSS.

[laulandn]

We have about 20 members in our consortium, and this affected only two of them, so we've solved it by not attempting to separate "Texas A & M Galveston" from "Texas A & M" (parent of A &M System) users.

The trick is that there are a good handful of other A & M System member universities that have their own authentication system...so far the Galveston branch is the only one that doesn't.

So unless this pops up again, which isn't likely, we're found a solutuion.

Thanks!

[pdurbin]

@laulandn cool. Do you want to close this issue, then? We're hovering at 808 open issues at the moment. 😄

We can always open it up again or open a new one in the future when there's time to work on a solution. For now I've added a link to #1515 back to this ticket because that's the one that I'd probably refer to when it comes to more specific shib groups.

[laulandn]

Yep, go ahead and close it...one less!

[pdurbin]

Thanks! Closing!