UI/UX for Shibboleth login #794
Comments
|
I'm not too knowledgeable about the workings of Shibboleth and the implementation at SURFnet (called SURFconext), but I am pretty sure SURFconext acts as an IdP on behalf of the universities and other connected organisations. It means we only have to ask the network participants to flip the switch to allow us using the SAML attributes. There is more administration involved between us, the SP, and the source IdPs, but it's been in production for years. It looks like SURFconext is our Centralized Discovery Service - though I don't know if they use this particular software. |
|
Just FYI about "Solutions for IdP Discovery" by DASISH (Digital Services Infrastructure for Social Sciences and Humanities): |
|
Phil, // Project // Documentation On 8/1/2014 12:02 PM, Philip Durbin wrote:
Akio Sone |
|
Hi all, // documentation esp. see the section of "Visual Customization"
https://federation.northcarolina.edu/wayf/index.php?fed=FED_SHIB_UNC_PROD&version=dropdown
https://federation.northcarolina.edu/wayf/index.php?fed=FED_SHIB_UNC_PROD&version=images On 8/1/2014 12:02 PM, Philip Durbin wrote:
Akio Sone |
Nice! I like the images. Thanks, @akio-sone! |
Ok, we just had a design meeting and that Google Doc is now full of notes. |
|
@mheppler and @eaquigley I wanted to remind you of the related "Make it clear at signup that display names for users will be searchable" ticket at #749. |
|
I just found an interesting "picker" at http://cdn.discojuice.org/discovery via http://discojuice.org/getting-started/#whatis via https://wiki.univie.ac.at/display/federation/Discovery+Services via http://shibboleth.1660669.n2.nabble.com/Centralized-Discovery-Service-The-Discovery-Service-should-not-be-called-directly-tp7604250p7604280.html Screenshot attached. |
|
I really like the advice at http://discovery.refeds.org
As far as specific software to use, they have this to say:
EDS ( https://shibboleth.net/products/embedded-discovery-service.html ) is what I've been demo'ing at https://apitest.dataverse.org and was first suggested to me in INC00953080. So far I've only used a hard-coded list of IdPs with it (TestShib and Harvard). We've been playing with the RPM version (shibboleth-embedded-ds-1.0.2-2.2.noarch), but here's the latest: http://shibboleth.net/downloads/embedded-discovery-service/latest/ |
|
Phil this looks great. I like this one too https://vho.aaf.edu.au/ Login into the virtual home dashboard, they have mixed drop down and search, and you can see/choose the organization at the drop down, but at the same time you can filter. |
I played around with EDS a bit more and loaded up a long list of institutions based on XML from https://spaces.internet2.edu/display/InCFederation/Metadata+Aggregates Here's how it looks on https://apitest.dataverse.org
Note that the three most recent selections are remembered and put at the top as explained at http://discovery.refeds.org/demo/good/step-three/ The screenshot also shows the filtering that can be done. These are mostly American universities and colleges. We'd need to figure out what federations are out there and how best to pull the latest metadata for each country (or however these federations are organized). Another next step for EDS is figuring how how to put the picker right on the login page (next to local login) rather than having a separate page. |
eaquigley
modified the milestones:
In Review - Dataverse 4.0,
Beta 7 (Permissions & Auth Branch) - Dataverse 4.0
|
@mheppler can you please take a look at the auth branch? With everything fully set up in Vagrant and re-configured not to use my pagekite, I expect you to see something like this the screenshot below. |
- please not that this required upgrading to a pre-release version of Shibboleth EDS (revision 110)
|
@mheppler I worked on the GUI a bit more (still need help, obviously) but it now looks a little closer to the mockup at https://iqssharvard.mybalsamiq.com/projects/loginwithshibboleth/Login (screenshot attached). Please note that this required upgrading to a pre-release version of Shibboleth Embedded Discovery Service (EDS) as noted in the showListFirst (EDS v1.1.0 and later) thread I started on the Shibboleth mailing list. Notes that EDS stores a cookie to remember up to three previous selections.
|
|
@pdurbin looks good! |
|
There's still more I'd like to do with Shibboleth, especially reworking the back-end and moving the code into For the next beta push, the UX seems to be more or less what we want. We now show a Terms of Use page (see also #878). (If you log in with the TestShib IdP you always see the TOS page because we create a new user ever time, as I explained to @esotiri .) @mheppler I know you have this ticket now but I think the UI is good enough. I'm going to pass it QA. |
|
This ticket represents an initial step in the delivery of Shibboleth and will be used to learn more from users and IdPs about practical issues that may affect design. After speaking with Phil, this is my understanding of what functionality will be delivered. This does not reflect the full design intention for this feature and the UI component requirements have not been reviewed for this deliverable. Features:
|
|
Phil will probably add more, but here are my notes:
Not a "local user", an "Identified User". Local users are users from an idp that just happened to be bundled with Dataverse, for all the system cares. When a local user is created, a corresponding Identified User is created as well. Also, in this release we have options to disable sign up (ODUM wanted this), and to direct users to a specified sign up page (e.g. go register at your department's LDAP server). -- Michael On 7 Oct, 2014, at 11:01 PM, kcondon notifications@github.com wrote:
|
|
tested works |
This morning @mheppler and I talked about what the login might look like for Shibboleth users. I showed him the simple Embedded Discovery Service (EDS) "picker" from the Shibboleth project I installed on a test server that allows me to enumerate IdPs for users to be able to choose from. Currently, the only choices are the Identity Provider (IdP) from http://testshib.org and a test IdP from Harvard.
In reality it's much more likely that rather than hard-coding a list of Shibboleth IdPs, we will dynamically pull an approved list from http://www.incommon.org/participants/ for US Institutions and other lists (?) for non-US. http://www.hathitrust.org for example, seems to pull from a long list of US institutions but http://www.hathitrust.org/shibboleth indicates they support some institutions in Spain. If you click the login link from http://dataverse.nl you'll see a searchable list of Dutch universities. In the Shibboleth world, you see the acronym WAFY for "Where Are You From" for this process.
We plan to have a design meeting for all the UX/UI for Shibboleth login and will be taking notes here: https://docs.google.com/a/harvard.edu/document/d/14VkVa9hJftwVEgMkC7314m0alUwwIHCBJokgGYO1Ra8/edit?usp=sharing
The text was updated successfully, but these errors were encountered: