diff --git a/doc/release-notes/6514-shib-updates b/doc/release-notes/6514-shib-updates
new file mode 100644
index 00000000000..561358c6b8d
--- /dev/null
+++ b/doc/release-notes/6514-shib-updates
@@ -0,0 +1 @@
+New DB option :ShibAffiliationAttribute
\ No newline at end of file
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
index bfa66b97eb1..6bf03cef215 100644
--- a/doc/sphinx-guides/source/installation/config.rst
+++ b/doc/sphinx-guides/source/installation/config.rst
@@ -1777,6 +1777,53 @@ You can set the value of "#THIS PAGE#" to the URL of your Dataverse homepage, or ``curl -X PUT -d true http://localhost:8080/api/admin/settings/:ShibPassiveLoginEnabled`` +:ShibAffiliationAttribute ++++++++++++++++++++++++++ + +The Shibboleth affiliation attribute holds information about the affiliation of the user (e.g. "OU") and is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute in the Shibboleth header which Dataverse will read from instead of DiscoFeed. If this value is not set or empty, Dataverse uses the DiscoFeed. + +If the attribute is not yet set for the Shibboleth, please consult the Shibboleth Administrators at your institution. Typically it requires changing of the `/etc/shibboleth/attribute-map.xml` file by adding an attribute request, e.g. + +``` + + + +``` + +In order to implement the change, you should restart Shibboleth and Apache2 services: + +``` +sudo service shibd restart +sudo service apache2 restart +``` + +To check if the attribute is sent, you should log in again to Dataverse and check Shibboleth's transaction log. You should see something like this: + +``` +INFO Shibboleth-TRANSACTION [25]: Cached the following attributes with session (ID: _9d1f34c0733b61c0feb0ca7596ef43b2) for (applicationId: default) { +INFO Shibboleth-TRANSACTION [25]: givenName (1 values) +INFO Shibboleth-TRANSACTION [25]: ou (1 values) +INFO Shibboleth-TRANSACTION [25]: sn (1 values) +INFO Shibboleth-TRANSACTION [25]: eppn (1 values) +INFO Shibboleth-TRANSACTION [25]: mail (1 values) +INFO Shibboleth-TRANSACTION [25]: displayName (1 values) +INFO Shibboleth-TRANSACTION [25]: } +``` + +If you see the attribue you requested in this list, you can set the attribute in Dataverse. 
+ +To set ``:ShibAffiliationAttribute``: + +``curl -X PUT -d "ou" http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` + +To delete ``:ShibAffiliationAttribute``: + +``curl -X DELETE http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` + +To check the current value of ``:ShibAffiliationAttribute``: + +``curl -X GET http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` + .. _:ComputeBaseUrl: :ComputeBaseUrl diff --git a/src/main/java/edu/harvard/iq/dataverse/Shib.java b/src/main/java/edu/harvard/iq/dataverse/Shib.java index 8af9a22d783..d5ff8d88de5 100644 --- a/src/main/java/edu/harvard/iq/dataverse/Shib.java +++ b/src/main/java/edu/harvard/iq/dataverse/Shib.java @@ -11,9 +11,12 @@ import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields; import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUtil; import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser; +import edu.harvard.iq.dataverse.settings.SettingsServiceBean; import edu.harvard.iq.dataverse.util.BundleUtil; import edu.harvard.iq.dataverse.util.JsfHelper; import edu.harvard.iq.dataverse.util.SystemConfig; +import org.apache.commons.lang.StringUtils; + import java.io.IOException; import java.sql.Timestamp; import java.util.ArrayList; @@ -50,6 +53,8 @@ public class Shib implements java.io.Serializable { GroupServiceBean groupService; @EJB UserNotificationServiceBean userNotificationService; + @EJB + SettingsServiceBean settingsService; HttpServletRequest request; 
@@ -205,7 +210,11 @@ public void init() { internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress); logger.fine("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer); - String affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType()); + String shibAffiliationAttribute = settingsService.getValueForKey(SettingsServiceBean.Key.ShibAffiliationAttribute); + String affiliation = (StringUtils.isNotBlank(shibAffiliationAttribute)) + ? getValueFromAssertion(shibAffiliationAttribute) + : shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType()); + if (affiliation != null) { affiliationToDisplayAtConfirmation = affiliation; friendlyNameForInstitution = affiliation; diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java index 473bea561b4..165944acfdb 100644 --- a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java +++ b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java @@ -411,7 +411,13 @@ Whether Harvesting (OAI) service is enabled * Lifespan, in minutes, of a login user sessionĀ  * (both DataverseSession and the underlying HttpSession) */ - LoginSessionTimeout; + LoginSessionTimeout, + + /** + * Shibboleth affiliation attribute which holds information about the affiliation of the user (e.g. ou) + */ + ShibAffiliationAttribute + ; @Override public String toString() {
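Review bot: When `:ShibAffiliationAttribute` is set but the IdP did not release that attribute for this login, `getValueFromAssertion(shibAffiliationAttribute)` presumably yields null (its body is outside the hunk), and the new ternary then leaves `affiliation` null with neither a DiscoFeed fallback nor a log line, so a misconfigured or only partially released attribute is indistinguishable from an IdP that has no affiliation at all. Consider falling back to `shibService.getAffiliation(...)` in that case and logging at fine level, as the existing `logger.fine` call just above does for the identifier, so the operator can tell which source produced the value. Shibboleth SPs also hand multi-valued attributes to the application as one `;`-separated value, so an IdP that releases several `ou` values would put the raw joined string into `friendlyNameForInstitution`; that may be acceptable, but the setting's documentation should say so. `init()` begins and ends outside the hunk.
```java
String shibAffiliationAttribute = settingsService.getValueForKey(SettingsServiceBean.Key.ShibAffiliationAttribute);
String affiliation = null;
if (StringUtils.isNotBlank(shibAffiliationAttribute)) {
    affiliation = getValueFromAssertion(shibAffiliationAttribute);
    if (affiliation == null) {
        logger.fine("configured :ShibAffiliationAttribute '" + shibAffiliationAttribute + "' not present in assertion; falling back to DiscoFeed");
    }
}
if (affiliation == null) {
    affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType());
}
// … unchanged: if (affiliation != null) { … } …
```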
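Review bot: The Javadoc on the new `ShibAffiliationAttribute` constant does not say what an unset or blank value means, which is the one thing an administrator reading the enum needs; the config.rst text in this same commit does state it. Suggest `/** Name of the Shibboleth attribute (as exposed to Dataverse by the SP, e.g. "ou") whose value is used as the user's affiliation; when unset or blank the affiliation is read from the DiscoFeed instead. */`. The lone `;` on its own line after the constant departs from the list's existing style, where the removed line closed it as `LoginSessionTimeout;`; writing `ShibAffiliationAttribute;` keeps the enum consistent. The enum body continues outside the hunk.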