Refine Shibboleth Configuration for Dryad

[marisastrong]

There are some inconsistencies with the Dryad Shibboleth SP configuration that could use some cleaning up

• [x] verify what attributes from Shibboleth that Dryad is storing, if any
• [ ] update the Dryad Incommon Metadata to only request necessary attributes. We currently request eppn, mail, displayName, and givenName. Based on what we are storing we do not need all of these
• [ ] Update the Shibboleth configuration file attribute-map.xml to only reference the necessary attributes
• [ ] Update the stage InCommon metadata entityID to be dryad-stg, not dash-stg
• [ ] update documentation "Institutional Members: Requirements for Set Up" to reflect these changes
• [ ] update the attribute file we send to member institutions for configuring their IdP

[sfisher]

Hi Marisa. I've gone through all our login code and we are not storing anything we receive from shibboleth. We only use shibboleth to test for a successful login from the campus/provider they select and set their account tenant to the institution they successfully validated against.

But it's a little more complicated than that because we use the third-party gem OmniAuth to do our logins, so it may ask for more than we use in our code since it assumes you're logging in to get some account info.

This is how we've configured it, so I think we need to have an eppn and it automatically supplies information with a login (the info_fields) and we're mapping email from shibboleth to a field called mail.

I honestly don't know what OmniAuth really needs, but I assume it probably at least needs a user id field when logging in and we're using eppn as a user id. My guess is that the other fields are probably not needed at all since we don't use them in our code, but IDK if OmniAuth makes any assumptions internally in its own code. We could test and find out if we have a provider that only supplies an eppn to us. Maybe we might not even need that.

  provider :shibboleth,
           callback_path: '/stash/auth/shibboleth/callback',
           request_type: :header,
           host: StashEngine.app.shib_sp_host,
           uid_field: 'eppn',
           path_prefix: '/stash/auth',
           info_fields: {
             email: 'mail',
             identity_provider: 'shib_identity_provider'
           }

[sfisher]

I'm not sure the status of this, though we have had questions from potential partners about the information we obtain from InCommon.

I think this may go into our backlog to reduce what is requested and troubleshoot and verify. People are more concerned about privacy than ever lately.