From bce3c33ec3f40a89bb3d7529b4bc97e57a2c1bb2 Mon Sep 17 00:00:00 2001 From: Peter Kiraly Date: Fri, 6 Mar 2020 14:51:35 +0100 Subject: [PATCH 1/6] Issue #6514: Implement affiliation reading from Shibboleth attribute. --- .../source/installation/config.rst | 17 +++++++++++++++++ .../java/edu/harvard/iq/dataverse/Shib.java | 11 ++++++++++- .../dataverse/settings/SettingsServiceBean.java | 8 +++++++- 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst index bfa66b97eb1..154f0bbff3e 100644 --- a/doc/sphinx-guides/source/installation/config.rst +++ b/doc/sphinx-guides/source/installation/config.rst @@ -1777,6 +1777,23 @@ You can set the value of "#THIS PAGE#" to the URL of your Dataverse homepage, or ``curl -X PUT -d true http://localhost:8080/api/admin/settings/:ShibPassiveLoginEnabled`` +:ShibAffiliationAttribute ++++++++++++++++++++++++++ + +Shibboleth affiliation attribute which holds information about the affiliation of the user (e.g. "ou"). In case of Shibboleth affiliation string is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute, which takes place in Shibboleth header, and Dataverse will read the affiliation string from that. If this value is not set or empty, Dataverse uses the DiscoFeed. + +To set ``:ShibAffiliationAttribute``: + +``curl -X PUT -d "ou" http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` + +To delete ``:ShibAffiliationAttribute``: + +``curl -X DELETE http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` + +To check the current value of ``:ShibAffiliationAttribute``: + +``curl -X GET http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` + .. _:ComputeBaseUrl: :ComputeBaseUrl diff --git a/src/main/java/edu/harvard/iq/dataverse/Shib.java b/src/main/java/edu/harvard/iq/dataverse/Shib.java index 8af9a22d783..d5ff8d88de5 100644 
--- a/src/main/java/edu/harvard/iq/dataverse/Shib.java +++ b/src/main/java/edu/harvard/iq/dataverse/Shib.java @@ -11,9 +11,12 @@ import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields; import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUtil; import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser; +import edu.harvard.iq.dataverse.settings.SettingsServiceBean; import edu.harvard.iq.dataverse.util.BundleUtil; import edu.harvard.iq.dataverse.util.JsfHelper; import edu.harvard.iq.dataverse.util.SystemConfig; +import org.apache.commons.lang.StringUtils; + import java.io.IOException; import java.sql.Timestamp; import java.util.ArrayList; @@ -50,6 +53,8 @@ public class Shib implements java.io.Serializable { GroupServiceBean groupService; @EJB UserNotificationServiceBean userNotificationService; + @EJB + SettingsServiceBean settingsService; HttpServletRequest request; @@ -205,7 +210,11 @@ public void init() { internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress); logger.fine("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer); - String affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType()); + String shibAffiliationAttribute = settingsService.getValueForKey(SettingsServiceBean.Key.ShibAffiliationAttribute); + String affiliation = (StringUtils.isNotBlank(shibAffiliationAttribute)) + ? getValueFromAssertion(shibAffiliationAttribute) + : shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType()); + if (affiliation != null) { affiliationToDisplayAtConfirmation = affiliation; friendlyNameForInstitution = affiliation; diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java index 473bea561b4..165944acfdb 100644 --- a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java 
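Review bot: When `:ShibAffiliationAttribute` is configured but the named attribute is absent from the assertion, the new ternary leaves `affiliation` null and never reaches the DiscoFeed lookup, so the institution name silently disappears from the confirmation page; a mistyped attribute name (the setting is not validated anywhere in this patch) behaves the same way. Falling back on a blank result keeps the documented behaviour: `String affiliation = StringUtils.isNotBlank(shibAffiliationAttribute) ? getValueFromAssertion(shibAffiliationAttribute) : null;` followed by `if (StringUtils.isBlank(affiliation)) { affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType()); }`, ideally with a `logger.fine(...)` recording that the configured attribute was not present. Note that a value obtained through `getValueFromAssertion` is IdP-released attribute data rather than the SP-curated DiscoFeed entry, so it should be handled like the other assertion-derived strings on this page (it flows into `affiliationToDisplayAtConfirmation` and `friendlyNameForInstitution`). `getValueFromAssertion` is not shown in the hunk and is presumably the existing helper used for the other attributes; `init()` starts and ends outside the hunk.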
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java @@ -411,7 +411,13 @@ Whether Harvesting (OAI) service is enabled * Lifespan, in minutes, of a login user sessionĀ  * (both DataverseSession and the underlying HttpSession) */ - LoginSessionTimeout; + LoginSessionTimeout, + + /** + * Shibboleth affiliation attribute which holds information about the affiliation of the user (e.g. ou) + */ + ShibAffiliationAttribute + ; @Override public String toString() { From bd3f1d6803c36115976fcade9fb4d3a1bd1cd1b1 Mon Sep 17 00:00:00 2001 From: Peter Kiraly Date: Fri, 6 Mar 2020 15:35:11 +0100 Subject: [PATCH 2/6] #6514: extend documentation. --- .../source/installation/config.rst | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst index 154f0bbff3e..95cedf8ca32 100644 --- a/doc/sphinx-guides/source/installation/config.rst +++ b/doc/sphinx-guides/source/installation/config.rst 
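Review bot: The Javadoc on the new `ShibAffiliationAttribute` constant says what the attribute holds but not how the setting is used, which is what an administrator reading this enum needs: the value names a Shibboleth attribute whose value replaces the DiscoFeed affiliation lookup, and leaving it unset or blank keeps the DiscoFeed behaviour. Suggested text: `Name of the Shibboleth attribute (e.g. "ou") whose value is used as the user's affiliation instead of the DiscoFeed lookup; unset or blank means the DiscoFeed is used.` Stylistically, the enum terminator is now a lone `;` on its own line; writing `ShibAffiliationAttribute;` matches how `LoginSessionTimeout;` was written before the change. The enum declaration starts before the hunk and its body continues after it.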
@@ -1782,6 +1782,36 @@ You can set the value of "#THIS PAGE#" to the URL of your Dataverse homepage, or Shibboleth affiliation attribute which holds information about the affiliation of the user (e.g. "ou"). In case of Shibboleth affiliation string is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute, which takes place in Shibboleth header, and Dataverse will read the affiliation string from that. If this value is not set or empty, Dataverse uses the DiscoFeed. +If the attribute is not yet set for the Shibboleth, please consult the Shibboleth administrators how o set it. Typically it requires changing of `/etc/shibboleth/attribute-map.xml` file by adding an attribute request, e.g. + +``` + + + +``` + +In order to take place the change, you should restart Shibboleth and Apache2 services: + +``` +sudo service shibd restart +sudo service apache2 restart +``` + +To check if the attribute is sent, you should log in again to Dataverse and check Shibboleth's transaction log. You should see something like this: + +``` +INFO Shibboleth-TRANSACTION [25]: Cached the following attributes with session (ID: _9d1f34c0733b61c0feb0ca7596ef43b2) for (applicationId: default) { +INFO Shibboleth-TRANSACTION [25]: givenName (1 values) +INFO Shibboleth-TRANSACTION [25]: ou (1 values) +INFO Shibboleth-TRANSACTION [25]: sn (1 values) +INFO Shibboleth-TRANSACTION [25]: eppn (1 values) +INFO Shibboleth-TRANSACTION [25]: mail (1 values) +INFO Shibboleth-TRANSACTION [25]: displayName (1 values) +INFO Shibboleth-TRANSACTION [25]: } +``` + +If you see the attribue you requested in this list, you can set the attribute in Dataverse. + To set ``:ShibAffiliationAttribute``: ``curl -X PUT -d "ou" http://localhost:8080/api/admin/settings/:ShibAffiliationAttribute`` From b67125ba2282f58db0a238e6b824ae09f90f8f5f Mon Sep 17 00:00:00 2001 
From: Danny Brooke Date: Fri, 6 Mar 2020 10:10:30 -0500 Subject: [PATCH 3/6] adding release note file, some basic doc updates --- doc/release-notes/6514-shib-updates | 0 doc/sphinx-guides/source/installation/config.rst | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 doc/release-notes/6514-shib-updates diff --git a/doc/release-notes/6514-shib-updates b/doc/release-notes/6514-shib-updates new file mode 100644 index 00000000000..e69de29bb2d diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst index 95cedf8ca32..9fc2cf3cd11 100644 --- a/doc/sphinx-guides/source/installation/config.rst +++ b/doc/sphinx-guides/source/installation/config.rst 
@@ -1780,9 +1780,9 @@ You can set the value of "#THIS PAGE#" to the URL of your Dataverse homepage, or :ShibAffiliationAttribute +++++++++++++++++++++++++ -Shibboleth affiliation attribute which holds information about the affiliation of the user (e.g. "ou"). In case of Shibboleth affiliation string is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute, which takes place in Shibboleth header, and Dataverse will read the affiliation string from that. If this value is not set or empty, Dataverse uses the DiscoFeed. +The Shibboleth affiliation attribute holds information about the affiliation of the user (e.g. "ou"). The Shibboleth affiliation string is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute, which takes place in Shibboleth header, and Dataverse will read the affiliation string from that. If this value is not set or empty, Dataverse uses the DiscoFeed. -If the attribute is not yet set for the Shibboleth, please consult the Shibboleth administrators how o set it. Typically it requires changing of `/etc/shibboleth/attribute-map.xml` file by adding an attribute request, e.g. +If the attribute is not yet set for the Shibboleth, please consult the Shibboleth administrators how to set it. Typically it requires changing of the `/etc/shibboleth/attribute-map.xml` file by adding an attribute request, e.g. ``` @@ -1790,7 +1790,7 @@ If the attribute is not yet set for the Shibboleth, please consult the Shibbolet ``` -In order to take place the change, you should restart Shibboleth and Apache2 services: +In order to implement the change, you should restart Shibboleth and Apache2 services: ``` sudo service shibd restart From cf237af1a2a0d526f32ccbdfb16a552a123a378c Mon Sep 17 00:00:00 2001 
From: Danny Brooke Date: Mon, 9 Mar 2020 21:44:50 -0400 Subject: [PATCH 4/6] doc edits --- doc/sphinx-guides/source/installation/config.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst index 9fc2cf3cd11..6bf03cef215 100644 --- a/doc/sphinx-guides/source/installation/config.rst +++ b/doc/sphinx-guides/source/installation/config.rst @@ -1780,9 +1780,9 @@ You can set the value of "#THIS PAGE#" to the URL of your Dataverse homepage, or :ShibAffiliationAttribute +++++++++++++++++++++++++ -The Shibboleth affiliation attribute holds information about the affiliation of the user (e.g. "ou"). The Shibboleth affiliation string is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute, which takes place in Shibboleth header, and Dataverse will read the affiliation string from that. If this value is not set or empty, Dataverse uses the DiscoFeed. +The Shibboleth affiliation attribute holds information about the affiliation of the user (e.g. "OU") and is read from the DiscoFeed at each login. ``:ShibAffiliationAttribute`` is a name of a Shibboleth attribute in the Shibboleth header which Dataverse will read from instead of DiscoFeed. If this value is not set or empty, Dataverse uses the DiscoFeed. -If the attribute is not yet set for the Shibboleth, please consult the Shibboleth administrators how to set it. Typically it requires changing of the `/etc/shibboleth/attribute-map.xml` file by adding an attribute request, e.g. +If the attribute is not yet set for the Shibboleth, please consult the Shibboleth Administrators at your institution. Typically it requires changing of the `/etc/shibboleth/attribute-map.xml` file by adding an attribute request, e.g. ``` From c2133b10bcf9919e4c2557a87171f597891e2c7d Mon Sep 17 00:00:00 2001 
From: Danny Brooke Date: Mon, 9 Mar 2020 21:45:48 -0400 Subject: [PATCH 5/6] add release note --- doc/release-notes/6514-shib-updates | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/release-notes/6514-shib-updates b/doc/release-notes/6514-shib-updates index e69de29bb2d..6935fd1fc99 100644 --- a/doc/release-notes/6514-shib-updates +++ b/doc/release-notes/6514-shib-updates @@ -0,0 +1 @@ +New JVM option :ShibAffiliationAttribute \ No newline at end of file From 5a27cdf4d599fb1ad08b5ed1ab537dc54d430df1 Mon Sep 17 00:00:00 2001 From: Danny Brooke Date: Tue, 10 Mar 2020 09:54:15 -0400 Subject: [PATCH 6/6] changing JVM option to DB option --- doc/release-notes/6514-shib-updates | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/release-notes/6514-shib-updates b/doc/release-notes/6514-shib-updates index 6935fd1fc99..561358c6b8d 100644 --- a/doc/release-notes/6514-shib-updates +++ b/doc/release-notes/6514-shib-updates @@ -1 +1 @@ -New JVM option :ShibAffiliationAttribute \ No newline at end of file +New DB option :ShibAffiliationAttribute \ No newline at end of file