sul-dlss / libapps

Custom styling and configuration for Springshare apps

LibCal: SSO for space booking #3

Closed anarchivist closed 2 years ago

anarchivist commented 2 years ago

From Mario:

This is regarding limiting SSO room reservations on LibCal to only students (undergraduates + graduates and postdocs). This is a requirement that was requested by Phil.

I believe these changes are done at the top Libapps admin level and it may require some UIT involvement? I’m not 100% sure how to proceed, but Sarah graciously mentioned that she would help.

Link to Green Library LibCal Group Study Room Reservation: https://appointments.library.stanford.edu/spaces?lid=15456

Springshare resources on how to limit SSO: https://buzz.springshare.com/producthighlights/libcal-beyond-library/student-authentication and https://buzz.springshare.com/producthighlights/libcal-libraries/authentication

We plan to go live this summer, and soft launch before the fall quarter. It would be great if we could get the SSO requirement in place by July 29, 2022. Once we have the SSO requirement live, Ali and the UX testing group (Ellie, Jib, Astrid, Mario) can test the function out with students.

However, we need this SSO requirement to be verifiable and live before Mike gives the final sign off.

This is currently blocked by #2.

anarchivist commented 2 years ago

I started looking into this yesterday. SSO is already set up in LibAuth for Stanford SAML. I updated the README in #1 to add LibAuth details, but the salient points are:

Springshare is a member of the InCommon Federation, which makes setup of the Shibboleth service provider (SP) fairly easy in terms of Stanford. See more information at the MaIS Confluence page on SSO/SAML login with vendor systems.

As a third-party system, we think that Springshare/LibAuth falls under the UIT attribute release policy for InCommon Research and Scholarship, rather than the general SAML ARP. What this means in practice is that we have access to eduPersonAffiliation, and not suAffiliation's list of privilege groups.

anarchivist commented 2 years ago
Test results from LibAuth as of 2022-07-14:

```php
(
    [auth] => 1
    [raw_response] => Array
        (
            [urn:oid:2.16.840.1.113730.3.1.241] => M.A. Matienzo
            [urn:oid:2.5.4.42] => M.A.
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.11] => Array
                (
                    [0] => https://refeds.org/assurance/ID/unique
                    [1] => https://refeds.org/assurance
                    [2] => https://refeds.org/assurance/ATP/ePA-1m
                    [3] => https://refeds.org/assurance/ID/eppn-unique-no-reassign
                    [4] => https://refeds.org/assurance/IAP/low
                    [5] => https://refeds.org/assurance/IAP/medium
                    [6] => https://refeds.org/assurance/profile/cappuccino
                )
            [urn:oasis:names:tc:SAML:attribute:subject-id] => 22329390b8f546b684abddb126c30d26@stanford.edu
            [persistentId] => zCQbXEZ0uMGhlA45YD6uK6n/n/E=
            [urn:mace:dir:attribute-def:suDisplayNameLF] => Matienzo, M.A.
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.16] => https://orcid.org/0000-0003-3270-1306
            [urn:oasis:names:tc:SAML:attribute:pairwise-id] => BJY63IJSNDDPCW7LMR4LMTYMP5263EVU@stanford.edu
            [urn:oid:2.5.4.4] => Matienzo
            [urn:oid:0.9.2342.19200300.100.1.1] => matienzo
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.1] => Array
                (
                    [0] => staff
                    [1] => member
                )
            [urn:oid:0.9.2342.19200300.100.1.3] => matienzo@stanford.edu
            [urn:oid:2.5.4.3] => Array
                (
                    [0] => M.A. Matienzo
                    [1] => m a matienzo
                )
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.9] => Array
                (
                    [0] => member@stanford.edu
                    [1] => staff@stanford.edu
                )
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.6] => matienzo@stanford.edu
            [groups] => Array
                (
                    [0] => users
                    [1] => members
                )
        )
    [urn:oid:2.16.840.1.113730.3.1.241] => M.A. Matienzo
    [urn:oid:2.5.4.42] => M.A.
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.11] => Array
        (
            [0] => https://refeds.org/assurance/ID/unique
            [1] => https://refeds.org/assurance
            [2] => https://refeds.org/assurance/ATP/ePA-1m
            [3] => https://refeds.org/assurance/ID/eppn-unique-no-reassign
            [4] => https://refeds.org/assurance/IAP/low
            [5] => https://refeds.org/assurance/IAP/medium
            [6] => https://refeds.org/assurance/profile/cappuccino
        )
    [urn:oasis:names:tc:SAML:attribute:subject-id] => 22329390b8f546b684abddb126c30d26@stanford.edu
    [persistentId] => zCQbXEZ0uMGhlA45YD6uK6n/n/E=
    [urn:mace:dir:attribute-def:suDisplayNameLF] => Matienzo, M.A.
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.16] => https://orcid.org/0000-0003-3270-1306
    [urn:oasis:names:tc:SAML:attribute:pairwise-id] => BJY63IJSNDDPCW7LMR4LMTYMP5263EVU@stanford.edu
    [urn:oid:2.5.4.4] => Matienzo
    [urn:oid:0.9.2342.19200300.100.1.1] => matienzo
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.1] => Array
        (
            [0] => staff
            [1] => member
        )
    [urn:oid:0.9.2342.19200300.100.1.3] => matienzo@stanford.edu
    [urn:oid:2.5.4.3] => Array
        (
            [0] => M.A. Matienzo
            [1] => m a matienzo
        )
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.9] => Array
        (
            [0] => member@stanford.edu
            [1] => staff@stanford.edu
        )
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.6] => matienzo@stanford.edu
    [groups] => Array
        (
            [0] => users
            [1] => members
        )
    [lastname] => Matienzo
    [firstname] => M.A.
    [email] => matienzo@stanford.edu
    [userid] => matienzo@stanford.edu
)
```

Under Admin --> LibAuth Authentication --> Group Permissions, I've set up a new group with the following configuration:

| Attribute Name | Allowed Value(s) |
|---|---|
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 (a.k.a. eduPersonAffiliation) | student |

I think this should do it, but I will note that this does not allow us to disambiguate further between types of students (undergrad, grad, and postdoc). I submitted a SNOW ticket (RITM00312036) to ask for the release of suAffiliation; the SPDB entry was created by GSB staff.

anarchivist commented 2 years ago

From UIT:

suAffiliation is a Stanford-only attribute; most InCommon SPs could not make use of it. For example, imagine they have a lot of IdPs and each uses its own attribute; it would be a nightmare for the SP.

So please make sure your InCommon SP can actually utilize the values; most InCommon SPs would stick to eduPersonAffiliation. If you are sure your SP can use suAffiliation, we will release it.

I've submitted a support ticket to Springshare asking them to confirm.

anarchivist commented 2 years ago

Springshare confirmed that they can consume any released attributes; the ticket for UIT MaIS was updated to pass this information along.

anarchivist commented 2 years ago

The suAffiliation attribute is now released: https://spdb.stanford.edu/spconfigs/5889/attributes

Test results from LibAuth as of 2022-07-15:

```php
(
    [auth] => 1
    [raw_response] => Array
        (
            [urn:oid:2.16.840.1.113730.3.1.241] => M.A. Matienzo
            [urn:oid:2.5.4.3] => Array
                (
                    [0] => m a matienzo
                    [1] => M.A. Matienzo
                )
            [urn:oid:2.5.4.42] => M.A.
            [urn:mace:dir:attribute-def:suDisplayNameLF] => Matienzo, M.A.
            [urn:oasis:names:tc:SAML:attribute:pairwise-id] => BJY63IJSNDDPCW7LMR4LMTYMP5263EVU@stanford.edu
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.1] => Array
                (
                    [0] => member
                    [1] => staff
                )
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.11] => Array
                (
                    [0] => https://refeds.org/assurance/ID/unique
                    [1] => https://refeds.org/assurance/profile/cappuccino
                    [2] => https://refeds.org/assurance/IAP/medium
                    [3] => https://refeds.org/assurance/IAP/low
                    [4] => https://refeds.org/assurance/ID/eppn-unique-no-reassign
                    [5] => https://refeds.org/assurance/ATP/ePA-1m
                    [6] => https://refeds.org/assurance
                )
            [urn:oid:2.5.4.4] => Matienzo
            [urn:oasis:names:tc:SAML:attribute:subject-id] => 22329390b8f546b684abddb126c30d26@stanford.edu
            [urn:oid:0.9.2342.19200300.100.1.3] => matienzo@stanford.edu
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.9] => Array
                (
                    [0] => staff@stanford.edu
                    [1] => member@stanford.edu
                )
            [persistentId] => zCQbXEZ0uMGhlA45YD6uK6n/n/E=
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.16] => https://orcid.org/0000-0003-3270-1306
            [urn:oid:0.9.2342.19200300.100.1.1] => matienzo
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.6] => matienzo@stanford.edu
            [suAffiliation] => stanford:staff
            [groups] => Array
                (
                    [0] => users
                    [1] => members
                )
        )
    [urn:oid:2.16.840.1.113730.3.1.241] => M.A. Matienzo
    [urn:oid:2.5.4.3] => Array
        (
            [0] => m a matienzo
            [1] => M.A. Matienzo
        )
    [urn:oid:2.5.4.42] => M.A.
    [urn:mace:dir:attribute-def:suDisplayNameLF] => Matienzo, M.A.
    [urn:oasis:names:tc:SAML:attribute:pairwise-id] => BJY63IJSNDDPCW7LMR4LMTYMP5263EVU@stanford.edu
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.1] => Array
        (
            [0] => member
            [1] => staff
        )
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.11] => Array
        (
            [0] => https://refeds.org/assurance/ID/unique
            [1] => https://refeds.org/assurance/profile/cappuccino
            [2] => https://refeds.org/assurance/IAP/medium
            [3] => https://refeds.org/assurance/IAP/low
            [4] => https://refeds.org/assurance/ID/eppn-unique-no-reassign
            [5] => https://refeds.org/assurance/ATP/ePA-1m
            [6] => https://refeds.org/assurance
        )
    [urn:oid:2.5.4.4] => Matienzo
    [urn:oasis:names:tc:SAML:attribute:subject-id] => 22329390b8f546b684abddb126c30d26@stanford.edu
    [urn:oid:0.9.2342.19200300.100.1.3] => matienzo@stanford.edu
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.9] => Array
        (
            [0] => staff@stanford.edu
            [1] => member@stanford.edu
        )
    [persistentId] => zCQbXEZ0uMGhlA45YD6uK6n/n/E=
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.16] => https://orcid.org/0000-0003-3270-1306
    [urn:oid:0.9.2342.19200300.100.1.1] => matienzo
    [urn:oid:1.3.6.1.4.1.5923.1.1.1.6] => matienzo@stanford.edu
    [suAffiliation] => stanford:staff
    [groups] => Array
        (
            [0] => users
            [1] => members
        )
    [lastname] => Matienzo
    [firstname] => M.A.
    [email] => matienzo@stanford.edu
    [userid] => matienzo@stanford.edu
)
```

anarchivist commented 2 years ago

With this change the config is now:

| Attribute Name | Allowed Value(s) |
|---|---|
| suAffiliation | stanford:student, stanford:student:onleave, stanford:student:postdoc |

We could fall back to the initial config if need be. Once I confirm details of the a11y testing and tell Mario to flip the switch in the LibCal config, this should be ready to go.

anarchivist commented 2 years ago

Latest from Mario:

I do have one minor tweak: can we remove postdocs from the conversation at this point? This was my mistake. In other words, please just limit SSO room reservations on LibCal to only students (undergraduates + graduates).

Added a new separate config ("Students (Grads/Undergrads) only (no postdocs)"):

| Attribute Name | Allowed Value(s) |
|---|---|
| suAffiliation | stanford:student, stanford:student:onleave |

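
The three group-permission configurations in this thread (the 2022-07-14 eduPersonAffiliation rule, the first suAffiliation rule with postdocs, and the final "no postdocs" rule above) are attribute-based access decisions, and it is worth being able to check them offline against a LibAuth test dump before flipping the switch in LibCal. The following is an added example, not LibAuth or Springshare code: it parses the print_r()-style output that LibAuth's test page produces (the format pasted earlier in this issue) and evaluates each rule against it. The attribute names, allowed values and the trimmed staff sample come from the thread; the matching semantics (a user qualifies when at least one released value of the attribute is in the allowed set), the `parse_print_r`/`allowed` helpers and the grad-student and postdoc logins are assumptions made for this example.

```python
"""Added example (not LibAuth/Springshare code): evaluate the LibCal group
permission rules from this issue against a LibAuth-style attribute dump."""
import re

EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# 2022-07-14 config: eduPersonAffiliation must include "student".
RULE_EPA_STUDENT = {EDU_PERSON_AFFILIATION: {"student"}}
# First suAffiliation config (on-leave students and postdocs included).
RULE_SU_WITH_POSTDOC = {"suAffiliation": {
    "stanford:student", "stanford:student:onleave", "stanford:student:postdoc"}}
# Final "Students (Grads/Undergrads) only (no postdocs)" config.
RULE_SU_NO_POSTDOC = {"suAffiliation": {"stanford:student", "stanford:student:onleave"}}

_ENTRY = re.compile(r"^\[(.*?)\] => (.*)$")   # one "[key] => value" line of print_r


def _listify(node):
    """Turn print_r arrays keyed 0..n-1 into Python lists, recursively."""
    if isinstance(node, dict):
        node = {k: _listify(v) for k, v in node.items()}
        if node and all(k == str(i) for i, k in enumerate(node)):
            return list(node.values())
    return node


def parse_print_r(text):
    """Parse PHP print_r() output into nested dicts/lists; scalars stay strings."""
    root, stack, pending = {}, [], None
    stack.append(root)
    for line in text.splitlines():
        line = line.strip()
        if line in ("", "Array"):
            continue
        if line == "(":
            if pending is not None:            # "[key] => Array" was just seen
                child = {}
                stack[-1][pending] = child
                stack.append(child)
                pending = None
            continue                            # the outermost "(" opens root
        if line == ")":
            if len(stack) > 1:
                stack.pop()
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised print_r line: {line!r}")
        key, value = m.groups()
        if value == "Array":
            pending = key
        else:
            stack[-1][key] = value
    return _listify(root)


def _values(raw, name):
    """Released values of one attribute as a set (scalar or multi-valued)."""
    v = raw.get(name)
    if v is None:
        return set()
    return set(v) if isinstance(v, list) else {v}


def allowed(response, rule):
    """True if the login succeeded and every attribute named in the rule has at
    least one released value in its allowed set (assumed matching semantics)."""
    if str(response.get("auth")) != "1":        # print_r yields "1"; never trust a truthy "0"
        return False
    raw = response.get("raw_response") or {}
    return all(_values(raw, name) & values for name, values in rule.items())


# Staff test login from the thread (2022-07-15), trimmed to the attributes the rules use.
STAFF_DUMP = """
(
    [auth] => 1
    [raw_response] => Array
        (
            [urn:oid:1.3.6.1.4.1.5923.1.1.1.1] => Array
                (
                    [0] => member
                    [1] => staff
                )
            [suAffiliation] => stanford:staff
        )
    [userid] => matienzo@stanford.edu
)
"""
# Constructed logins (assumptions, not real LibAuth output).
GRAD_STUDENT = {"auth": "1", "raw_response": {
    EDU_PERSON_AFFILIATION: ["member", "student"], "suAffiliation": "stanford:student"}}
POSTDOC = {"auth": "1", "raw_response": {
    EDU_PERSON_AFFILIATION: ["member", "student"], "suAffiliation": "stanford:student:postdoc"}}
FAILED_LOGIN = {"auth": "0", "raw_response": {}}


def evaluate_all():
    """Decision matrix: which rule admits which login to the space-booking group."""
    logins = {"staff": parse_print_r(STAFF_DUMP), "grad_student": GRAD_STUDENT,
              "postdoc": POSTDOC, "failed_login": FAILED_LOGIN}
    rules = {"epa_student": RULE_EPA_STUDENT, "su_with_postdoc": RULE_SU_WITH_POSTDOC,
             "su_no_postdoc": RULE_SU_NO_POSTDOC}
    return {who: {name: allowed(login, rule) for name, rule in rules.items()}
            for who, login in logins.items()}


if __name__ == "__main__":
    for who, results in evaluate_all().items():
        print(f"{who:13}", "  ".join(f"{n}={'allow' if ok else 'deny'}" for n, ok in results.items()))
```

Running it shows the point the thread works through: the eduPersonAffiliation rule admits the constructed postdoc (since ePA cannot distinguish postdocs from other students), the first suAffiliation rule admits them by design, and only the final rule denies them while still denying the staff account from the real dump and any login where `auth` is not `1`.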
anarchivist commented 2 years ago

This should be working; handing off to Mario to test. Will reopen or create a new ticket if this needs more work.
