Authentication support for Feide

[philippconzett]

We want users to be able to authenticate with Feide.

• [ ] Users must be able to log in using their Feide user name and password.
• [ ] User information (name, email, affiliation) will be passed on to Dataverse. (Currently affiliation is not passed on.)

Alternatively, we could use eduGAIN, which includes Feide. @4tikhonov has also mentioned EGI. What are the advantages of EGI compared to eduGAIN?

For background information about issues with authentication in DataverseNO, see this Dataverse GitHub issue: https://github.com/IQSS/dataverse/issues/4334.

[raymondandreassen]

Hi, just to answer a question I received by mail.

Feide is web. Web works perfectly from Azure. So yes, a service in Azure could use Feide as user authentication. How to enable it? I am not sure if a Feide service is locked to a certain IP address, however the returnurl parameter must be valid. This can be done by changing DNS or the login form request a different return url (also, must be valid and accepted by all parties).

Just as a note on the side, UIT Feide will soon use Azure AD as backend. (I guess by 1/1/2022). This means nothing to your project and users outside UIT (choosing a different organisation).

Se also: Unit om Feide "Det er mulig å knytte tjenesten til innlogging gjennom Feide."

[philippconzett]

Thanks, @raymondandreassen

@Louis-wr @4tikhonov It would be good to get this up and running before our nest meeting on September 22. If I remember this correctly, the Feide integration we currently are using in DataverseNO is based on Shibboleth. I guess we need to switch the Feide integration to OAuth if we also want to enable authentication through ORCID (which is based on OAuth), because one cannot use two different protocols (e.g. Shibboleth and OAuth) in the same Dataverse installation?

In our test instance, we need to use test Feide (test-idP), as we currently do at test.dataverse.no (see https://test.dataverse.no/loginpage.xhtml;jsessionid=e3aae346ee2922cb6d0ec7db79a6?redirectPage=%2Fdataverse.xhtml). Once we have this in place, ITA / @raymondandreassen needs to approve our test instance to use test Feide for UiT affiliates.

So, we need to

• [ ] get our dockerized test instance up and running;
• [ ] get a URL for it;
• [ ] integrate it with test Feide;
• [ ] approve our test instance to use test Feide for UiT affiliates;
• [ ] test it.

Please complete/edit this list as needed.

Please have a look at the different authentication integration options in Dataverse as described in the installation guide (https://guides.dataverse.org/en/latest/installation/):

• Shibboleth
• OAuth Login Options
• OpenID Connect Login Options

For background information about issues with authentication in DataverseNO, see this Dataverse GitHub issue: https://github.com/IQSS/dataverse/issues/4334.

[philippconzett]

We will also need to fix the problems we have with our current Feide integration. Only a part of the metadata is provided correctly to Dataverse. For example, instead of the affiliation of the user (e.g. UiT The Arctic University of Norway), “Feide” is provided as affiliation.

[philippconzett]

Answer from Stig Wennevold (ITA/UiT):

The feide-login for dataverse.no is set up differently from a typical service, which is probably why you have issues with the return values. I would guess the intention is to offer choice of federations at some later stage ? We will probably need to involve Uninett in the debugging, but if you could outline what you are trying to achieve long term and and example of the data returned after logon it will be helpful.

[philippconzett]

Ideally, we want to use Feide through a globally federated service like eduGAIN. (@4tikhonov has also mentioned EGI. What are the advantages of EGI compared to eduGAIN?) I see that the CLARINO repository (based on DSpace) at UiB (cf. https://repo.clarino.uib.no/xmlui/) uses a federated service (eduGAIN?) combined with Uninet's DiscoJuice. Not sure whether this is still maintained by Uninett or if there are any other solution we should opt for.

A common odd thing with Feide in federated login services like eduGAIN is that the system usually asks you to search for your institution, but as a user from Norway, you won't get any hit on your institution, because "Feide" would be the only relevant "institution" in your case.

[philippconzett]

Stig Wennevold (ITA/UiT):

What attributes do you see as returned from Feide after logon ? When I try to logon to dataverse; Feide claims it will release amongst other things this info about me:

Distinguished name (DN) of person's home organization: dc=uit,dc=no Distinguished name (DN) of the person's home organizational unit: ou=RING,ou=ITA,ou=FAdm,ou=UiT,cn=organization,dc=uit,dc=no Distinguished name (DN) of person's primary Organizational Unit: ou=RING,ou=ITA,ou=FAdm,ou=UiT,cn=organization,dc=uit,dc=no Home organization domain name: uit.no

This is just a small subset of the org-info that could be released and from the way the service is registered in Feide I see nothing that should prevent more attrs being returned. Do you ask for a specific list of attrs in the code dataverse uses to connect to Feide ? As far as I cant tell you should be able to get all attrs listed below; maybe som of them would be useful :

(I’ve not cc’ed everyone on this email, if after at bit of back and forth we find something useful you could put a summary in git as needed )

• Affiliation at home organization eduPersonAffiliation • Primary affiliation at home organization eduPersonPrimaryAffiliation • Affiliation and institution at home organization eduPersonScopedAffiliation • Unique identifier of organizational unit eduPersonOrgUnitDN:norEduOrgUnitUniqueIdentifier • List of schools feideSchoolList • Names of organizational units eduPersonOrgUnitDN:ou • Email address of organizational unit eduPersonOrgUnitDN:mail • Organization number eduPersonOrgDN:norEduOrgNIN • Realm of home organization schacHomeOrganization • Name of home organization eduPersonOrgDN:o • Legal name of home organization eduPersonOrgDN:eduOrgLegalName • Organization email address eduPersonOrgDN:mail • Common name of organizational unit eduPersonOrgUnitDN:cn • Distinguished name of organizational unit eduPersonOrgUnitDN • Distinguished name of primary organizational unit eduPersonPrimaryOrgUnitDN • Postal address of educational unit eduPersonOrgUnitDN:postalAddress • Telephone number of organizational unit eduPersonOrgUnitDN:telephoneNumber • Acronym for the organizational unit eduPersonOrgUnitDN:norEduOrgAcronym • Common name of home organization eduPersonOrgDN:cn • Distinguished name of home organization eduPersonOrgDN • Unique identifier of home organization eduPersonOrgDN:norEduOrgUniqueIdentifier • Postal address of home organization eduPersonOrgDN:postalAddress • Telephone number of home organization eduPersonOrgDN:telephoneNumber • Home page of home organization eduPersonOrgDN:eduOrgHomePageURI • Acronym for the educational institution eduPersonOrgDN:norEduOrgAcronym • Version of norEdu specification of home organization eduPersonOrgDN:norEduOrgSchemaVersion

[philippconzett]

As the user information is set up currently in the Dataverse software, we only need the following information

• Given Name
• Family Name
• Email address
• Affiliation, but as the real affiliation, e.g. “UiT The Arctic University of Norway”, not “Feide”.

[philippconzett]

I suggest we just start with implementing eduGAIN. I guess they have a test environment. @Louis-wr could you figure that out?

[philippconzett]

Stig Wennevold (ITA/UiT):

Whether the value “feide” is incorrect depends on which attribute you use to try and find the home institution today; but in either case the info you need is encoded in a number of the attributes that may be passed, and even indirectly in some that the logon process claim are released.

If eduPersonOrg:o is available to the code It should contain the name directly; if not something like eduPersonOrgUnitDN will contain dc=uit,dc=no which could be used via a lookup to find the name (this is inelegant, scales badly and seems unnecessary however)

probably the easiest way to get further is to have whoever wrote / maintains the dataverse code look at how the attrs currently used are fetched and try to see what others are available (ideally in a test version, or very carefully in prod 😉 )

[philippconzett]

@Louis-wr Can you figure out what we need to have in place to test eduGAIN? Slava shared these links in our meeting today: https://guides.dataverse.org/en/latest/installation/oidc.html OpenID https://openid.net/specs/openid-connect-federation-1_0.html

[Louis-wr]

Feide Oauth configuration : curl -X POST -H 'Content-type: application/json; charset=utf-8' --upload-file ./feide.json http://localhost:8080/api/admin/authenticationProviders feide.json

{
    "id":"feide",
    "factoryAlias":"oidc",
    "title":"Feide",
    "subtitle":"",
    "factoryData":"type: oidc | issuer: https://auth.dataporten.no | clientId: <clientId> | clientSecret: <clientSecret>",
    "enabled":true
}

[Louis-wr]

desired feide attributes:

userinfo-name givenName sn

userid-feide) uid

groups-org eduPersonOrgDN:eduOrgLegalName eduPersonPrimaryAffiliation eduPersonPrimaryOrgUnitDN

documentation: https://docs.feide.no/reference/schema/attributegroups/index.html https://docs.feide.no/reference/schema/noredu/noredu_ch03.html#eduorglegalname

[Louis-wr]

Currently the dataverseNO is not communicating properly with feide and is not getting the correct attributes. Suggested remediation: Using the groups api, not the userinfo endpoint https://docs.feide.no/reference/oauth_oidc/groups_data_model.html, in particular the examples at https://docs.feide.no/reference/oauth_oidc/groups_data_model.html#example-1-employee-in-uninett https://docs.feide.no/reference/apis/groups_api.html

GET request toward https://groups-api.dataporten.no/groups/ with a valid token