Closed anarchivist closed 2 years ago
I started looking into this yesterday. SSO is already set up in LibAuth for Stanford SAML. I updated the README in #1 to add LibAuth details, but the salient points are:
Springshare is a member of the InCommon Federation, which makes setup of the Shibboleth service provider (SP) fairly easy in terms of Stanford. See more information at the MaIS Confluence page on SSO/SAML login with vendor systems.
As a third party system we think that Springshare/LibAuth falls under the UIT attribute release policy for InCommon Research and Scholarship, rather than the general SAML ARP. What this means in practice is that we have access to eduPersonAffiliation, and not suAffiliation's list of privilege groups.
Under Admin --> LibAuth Authentication --> Group Permissions, I've set up a new group with the following configuration:
| Attribute Name | Allowed Value(s) |
|---|---|
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 (a.k.a. eduPersonAffiliation) | student |
I think this should do it, but I will note that this does not allow us to disambiguate further between types of students (undergrad, grad, and postdoc). I submitted a SNOW ticket (RITM00312036) to ask for the release of suAffiliation; the SPDB entry was created by GSB staff.
From UIT:
suAffiliation is a Stanford-only attribute; most InCommon SPs could not make use of it. Ex: imagine they have a lot of IdPs and each uses its own attribute. It would be a nightmare for the SP.
So please make sure your InCommon SP can actually utilize the values; most InCommon SPs would stick to eduPersonAffiliation. If you are sure your SP can use suAffiliation, we will release them.
I've submitted a support ticket to Springshare asking them to confirm.
Springshare confirmed that they can consume any released attributes; the ticket for UIT MaIS was updated to pass this information along.
The suAffiliation attribute is now released: https://spdb.stanford.edu/spconfigs/5889/attributes
With this change the config is now:
| Attribute Name | Allowed Value(s) |
|---|---|
| suAffiliation | stanford:student stanford:student:onleave stanford:student:postdoc |
We could fall back to the initial config if need be. Once I confirm details of the a11y testing and tell Mario to flip the switch in the LibCal config, this should be ready to go.
Latest from Mario:
I do have one minor tweak: can we remove postdocs from the conversation at this point? This was my mistake. In other words, please just limit SSO room reservations on LibCal to only students (undergraduates + graduates).
Added a new separate config ("Students (Grads/Undergrads) only (no postdocs)"):
| Attribute Name | Allowed Value(s) |
|---|---|
| suAffiliation | stanford:student stanford:student:onleave |
This should be working; handing off to Mario to test. Will reopen or create a new ticket if this needs more work.
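The group-permission tables in this thread all reduce to one check: does the attribute the IdP released carry at least one allowed value? The following Python is an added illustration of that check, not Springshare's or LibAuth's code. It models both configs from the thread (the eduPersonAffiliation fallback and the suAffiliation "no postdocs" group) against constructed SAML 2.0 assertions. The `Name`/`FriendlyName` strings used for suAffiliation, the function names, and the rule that every configured row must match are assumptions; the released attribute names and values are only the ones quoted above.

```python
"""Group-permission check modelled on the LibAuth 'Attribute Name | Allowed
Value(s)' tables in this thread. Added example; names are hypothetical."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# A rule is (attribute name, set of allowed values). Assumption: every rule in
# a group must match (irrelevant here, since each group has a single row).
RULES = {
    # Initial config: only InCommon R&S attributes are available.
    "students_epa": [(EPA_OID, {"student"})],
    # Final config: suAffiliation released, postdocs deliberately excluded.
    "students_no_postdocs": [
        ("suAffiliation", {"stanford:student", "stanford:student:onleave"}),
    ],
}


def attributes_from_assertion(xml_text):
    """Return {attribute name: set of values} from a SAML 2.0 assertion.
    Both Name and FriendlyName are indexed so a rule may use either form."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = {v.text.strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
                  if v.text}
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                attrs.setdefault(key, set()).update(values)
    return attrs


def is_member(attrs, rules):
    """Member iff, for every rule, the released values intersect the allowed
    set. An attribute the IdP did not release (e.g. suAffiliation before the
    ARP change) yields an empty set and therefore denies membership."""
    return all(attrs.get(name, set()) & allowed for name, allowed in rules)


def decide(xml_text, group):
    return is_member(attributes_from_assertion(xml_text), RULES[group])


def _assertion(attr_values):
    """Build a constructed, minimal SAML AttributeStatement for testing."""
    parts = []
    for name, friendly, values in attr_values:
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>"
                       for v in values)
        parts.append(f'<saml:Attribute Name="{name}" FriendlyName="{friendly}">'
                     f"{vals}</saml:Attribute>")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
            + "".join(parts) + "</saml:AttributeStatement></saml:Assertion>")


# Constructed sample assertions (values mirror the thread, not real users).
UNDERGRAD = _assertion([
    (EPA_OID, "eduPersonAffiliation", ["member", "student"]),
    ("suAffiliation", "suAffiliation", ["stanford:student"]),
])
POSTDOC = _assertion([
    (EPA_OID, "eduPersonAffiliation", ["member", "student"]),
    ("suAffiliation", "suAffiliation", ["stanford:student:postdoc"]),
])
# Only the R&S attribute bundle released; suAffiliation absent from the ARP.
RS_ONLY = _assertion([
    (EPA_OID, "eduPersonAffiliation", ["member", "student"]),
])

if __name__ == "__main__":
    for label, doc in (("undergrad", UNDERGRAD), ("postdoc", POSTDOC),
                       ("rs_only", RS_ONLY)):
        for group in RULES:
            print(f"{label:10} {group:22} -> {decide(doc, group)}")
```

The `RS_ONLY` case is the one to watch when operating this: if UIT ever stops releasing suAffiliation, the "no postdocs" group silently denies every student rather than falling back, which is why the thread keeps the eduPersonAffiliation config around.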
From Mario:
This is currently blocked by #2.