Shibboleth: Institution-wide Shibboleth groups #1401

Closed
pdurbin opened this issue Jan 31, 2015 · 10 comments
Labels: Type: Feature, UX & UI: Design

Comments

Member

pdurbin commented Jan 31, 2015

As explained in the Shibboleth Functional Requirements Document for Dataverse 4.0, we plan to support Institution-wide Shibboleth groups.

In practice this means creating groups with names like "All Harvard PIN/Shibboleth Users" or "All testshib.org Shibboleth Users" that pay attention to the "Shib-Identity-Provider" Shibboleth attribute to see if you authenticated via harvard.edu, testshib.org, etc.

You should be able to assign roles to these groups by clicking the "Assign Roles to Users/Groups" button.

pdurbin added the Type: Feature, UX & UI: Design, and Status: Dev labels Jan 31, 2015
pdurbin self-assigned this Jan 31, 2015
pdurbin added this to the Beta 12 - Dataverse 4.0 milestone Jan 31, 2015
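
The group membership rule described in the opening comment, as an added example that is not Dataverse code and not part of the original thread: a user belongs to a group when an attribute supplied by the Shibboleth SP carries exactly the value the group expects. It generalizes from "Shib-Identity-Provider" to any attribute name; the `ShibGroup` type, the function names, the second group and both entityID strings are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ShibGroup:
    alias: str      # group identifier, in the "&shib/1" form shown in the thread
    name: str       # display name
    attribute: str  # SP-provided attribute to inspect
    value: str      # exact value a member must present


# Constructed sample groups; the second entityID is a placeholder.
GROUPS = [
    ShibGroup("&shib/1", "All testshib.org Shibboleth Users",
              "Shib-Identity-Provider", "https://idp.testshib.org/idp/shibboleth"),
    ShibGroup("&shib/2", "All Example University Shibboleth Users",
              "Shib-Identity-Provider", "https://idp.university.example/idp/shibboleth"),
]


def attribute_values(raw):
    """Split an SP attribute string on unescaped ';'.

    The Shibboleth SP joins multiple values with ';' and escapes a literal
    semicolon as '\\;'. Missing or non-string input yields an empty set.
    """
    if not isinstance(raw, str):
        return set()
    parts = re.split(r"(?<!\\);", raw)
    return {p.replace("\\;", ";").strip() for p in parts if p.strip()}


def groups_for(attributes, groups=GROUPS):
    """Return aliases of groups whose required value is present exactly.

    Whole-value comparison is deliberate: a substring or suffix test would
    also accept look-alike entityIDs that merely contain the expected host.
    """
    return [g.alias for g in groups
            if g.value in attribute_values(attributes.get(g.attribute))]


if __name__ == "__main__":
    # Constructed session attributes, as the SP would hand them to the app.
    session = {"Shib-Identity-Provider": "https://idp.testshib.org/idp/shibboleth"}
    print(groups_for(session))
```

The attribute map must come from the SP itself (for example request attributes set by the SP module), not from headers a client can set.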
Member Author

pdurbin commented Jan 31, 2015

As of 4a4310b you can log into dvn-build with the "TestShib IdP" and see that you are part of the "All testshib.org Shibboleth Users (&shib/1)" group with the debugging output I added to the screen when Shibboleth is enabled:

[Image: testshib]

These are the commands I used to enable Shibboleth and create the testshib group:

curl -X PUT -d yes $HOST/s/settings/:ShibEnabled

curl -s -X POST -H 'Content-type:application/json' --upload-file data/shibGroupTestShib.json "$HOST/api/groups/shib?key=$ADMIN_KEY"

Member Author

pdurbin commented Feb 2, 2015

Per @scolapasta I'm giving this to QA but please note that there is something going on with permissions first reported in #1380 such that Shibboleth users aren't seeing the "Add Data" button when they should. "No effect".

This ticket is more about the creation of Shibboleth groups, and assigning roles like this:

[Image: shibrole]

Please note that we'd like to automate the addition of Shibboleth groups in #1403

pdurbin removed their assignment Feb 2, 2015
Contributor

bencomp commented Feb 5, 2015

In the Dataverse.nl situation, all users come through the same IdP: SURFconext. We look at the value of the Organization attribute to determine the user's organisation. Can that attribute be used as well?

Contributor

bencomp commented Feb 5, 2015

Oh, and 👍 !

Member Author

pdurbin commented Feb 5, 2015

> We look at the value of the Organization attribute to determine the user's organisation. Can that attribute be used as well?

I have a todo in the code that at runtime I should store a hash of "potentially interesting" attributes. I guess this hash should be backed by a table that can be managed by users who have the superuser boolean set to "true".

Contributor

kcondon commented Feb 19, 2015

@pdurbin I think you meant to pass me #796. I tested that one and then passed along to Mike. Giving you back this one.

Member Author

pdurbin commented Feb 20, 2015

@kcondon no, a while back I purposely put this in QA per my comment back then: #1401 (comment)

@mheppler
Contributor

@pdurbin, no GitHub Issues commenting on vacation.

On Fri, Feb 20, 2015 at 10:24 AM, Philip Durbin notifications@github.com wrote:

> @kcondon no, a while back I purposely put this in QA per my comment back then: #1401 (comment)


Contributor

kcondon commented Feb 26, 2015

Shib groups can be created and assigned roles. Closing

Member Author

pdurbin commented Feb 26, 2015

> We look at the value of the Organization attribute to determine the user's organisation. Can that attribute be used as well?

@bencomp not as of this writing but I just opened #1515 about this
