Page History
...
Existing Authentication Methods include
- 104567551 Authentication by Password (class:
org.dspace.authenticate.PasswordAuthentication
) (DEFAULT) - Open ID Connect (OIDC) Authentication (class:
org.dspace.authenticate.OidcAuthentication)
- Shibboleth Authentication 104567551 (class:
org.dspace.authenticate.ShibAuthentication
) - 104567551 LDAP Authentication (class:
org.dspace.authenticate.LDAPAuthentication
) - ORCID Authentication (class:
org.dspace.authenticate.OrcidAuthentication
) - IP Address based Authentication (class:
org.dspace.authenticate.IPAuthentication
) - 104567551 X.509 Certificate Authentication (class:
org.dspace.authenticate.X509Authentication
)
An authentication method is a class that implements the interface org.dspace.authenticate.AuthenticationMethod
. It authenticates
a user by evaluating the credentials (e.g. username and password) he or she presents and checking that they are valid.
The basic authentication procedure in the DSpace Web UI is this:
- A request is received from an end-user's browser that, if fulfilled, would lead to an action requiring authorization taking place.
- If the end-user is already authenticated:
- If the end-user is allowed to perform the action, the action proceeds
- If the end-user is NOT allowed to perform the action, an authorization error is displayed.
- If the end-user is NOT authenticated, i.e. is accessing DSpace anonymously:
- The parameters etc. of the request are stored.
- The Web UI's
startAuthentication
method is invoked. - First it tries all the authentication methods which do
implicit
authentication (i.e. they work with just the information already in the Web request, such as an X.509 client certificate). If one of these succeeds, it proceeds from Step 2 above. - If none of the implicit methods succeed, the UI responds by putting up a "login" page to collect credentials for one of the
explicit
authentication methods in the stack. The servlet processing that page then gives the proffered credentials to each authentication method in turn until one succeeds, at which point it retries the original operation from Step 2 above.
Please see the source filesAuthenticationManager.java
andAuthenticationMethod.java
for more details about this mechanism.
Authentication by Password
Enabling Authentication by Password
By default, this authentication method is enabled in DSpace.
However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
...
Configuration File:
...
[dspace]/config/modules/authentication.cfg
...
Property:
...
plugin.sequence.org.dspace.authenticate.AuthenticationMethod
Authentication by Password
Enabling Authentication by Password
By default, this authentication method is enabled in DSpace.
However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
Configuring Authentication by Password
The default method org.dspace.authenticate.PasswordAuthentication
has the following properties:
- Use of inbuilt e-mail address/password-based log-in. This is achieved by sending login information to the "/api/authn/login" endpoint of the REST API, in order to obtain a JSON Web Token. This JSON Web token must be sent on every later request which requires authentication.
- Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
- Users are not members of any special (dynamic) e-person groups
- You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg:
authentication.password.domain.valid = example.com
Example options might be '@example.com
' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk
' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.
A full list of all available Password Authentication Configurations:
Configuration File: |
|
---|---|
Property: |
|
Example Value: | user.registration = false |
Informational Note: | This option allows you to disable all self-registration. When set to "false", no one will be able to register new accounts with your system. Default is "true". |
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. (This setting only works when user.registration=true) |
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to automatically add all password authenticated user sessions to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session. |
Property: |
|
...
Example Value:
Code Block |
---|
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication |
Configuring Authentication by Password
The default method org.dspace.authenticate.PasswordAuthentication
has the following properties:
- Use of inbuilt e-mail address/password-based log-in. This is achieved by forwarding a request that is attempting an action requiring authorization to the password log-in servlet,
/password-login
. The password log-in servlet (org.dspace.app.webui.servlet.PasswordServlet
) contains code that will resume the original request if authentication is successful, as per step 3. described above. - Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
- Users are not members of any special (dynamic) e-person groups
- You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg:
authentication.password.domain.valid = example.com
Example options might be '@example.com
' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk
' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.
A full list of all available Password Authentication Configurations:
Configuration File: |
| |
---|---|---|
Property: |
| |
Example Value: |
| |
Informational Note: | This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. | |
Property: |
| |
Example Value: |
| |
Informational Note: | This option allows you to automatically add all password authenticated user sessions to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in sessionspecifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this. | |
Property: |
| digestAlgorithm
|
Example Value: |
| digestAlgorithm = SHA-512
|
Informational Note: | This option specifies | the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this.
Shibboleth Authentication
Warning | ||
---|---|---|
| ||
This section still has to be updated with the latest contents of DSpace 7 Shibboleth Configuration |
Enabling Shibboleth Authentication
To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
...
Configuration File:
...
[dspace]/config/modules/authentication.cfg
...
Property:
...
plugin.sequence.org.dspace.authenticate.AuthenticationMethod
...
Example Value:
Code Block |
---|
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication |
Configuring Shibboleth Authentication
Shibboleth is a distributed authentication system for securely authenticating users and passing attributes about the user from one or more identity providers. In the Shibboleth terminology DSpace is a Service Provider which receives authentication information and then based upon that provides a service to the user. To use Shibboleth, DSpace requires that you use Apache installed with the mod_shib module acting as a proxy for all HTTP requests for your servlet container (typically Tomcat). DSpace will receive authentication information from the mod_shib module through HTTP headers.
Before DSpace will work with Shibboleth, you must have the following:
- An Apache web server with the "mod_shib" module installed. As mentioned, this mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat). Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module. Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig We also have a sample Apache + mod_shib configuration provided below.
- An external Shibboleth IdP (Identity Provider). Using mod_shib, DSpace will only act as a Shibboleth SP (Service Provider). The actual Shibboleth Authentication & Identity information must be provided by an external IdP. If you are using Shibboleth at your institution already, then there already should be a Shibboleth IdP available. More information about Shibboleth IdPs versus SPs is available at: https://wiki.shibboleth.net/confluence/display/SHIB2/UnderstandingShibboleth
For more information on installing and configuring a Shibboleth Service Provider see: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
Note about Shibboleth Active vs Lazy Sessions:
When configuring your Shibboleth Service Provider there are two Shibboleth paradigms you may use: Active or Lazy Sessions. Active sessions is where the mod_shib module is configured to product an entire URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead Apache will allow access to any URL, and when the application wants to it may initiate an authenticated session.
The Lazy Session method is preferable for most DSpace installations, as you usually want to provide public access to (most) DSpace content, while restricting access to only particular areas (e.g. administration UI/tools, private Items, etc.). When Active Sessions are enabled your entire DSpace site will be access restricted. In other words, when using Active Sessions, Shibboleth will require everyone to first authenticate before they can access any part of your repository (which essentially results in a "dark archive", as anonymous access will not be allowed).
Apache "mod_shib" Configuration (required)
As mentioned above, you must have Apache with the "mod_shib" module installed in order for DSpace to be able to act as a Shibboleth Service Provider (SP). The mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat). Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module. Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig General information about installing/configuring Shibboleth Service Providers (SPs) can be found at: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
A few extra notes/hints when configuring mod_shib & Apache:
- The Shibboleth setting "ShibUseHeaders" is no longer required to be set to "On", as DSpace will correctly utilize attributes instead of headers.
- When "ShibUseHeaders" is set to "Off" (which is recommended in the mod_shib documentation), proper configuration of Apache to pass attributes to Tomcat (via either mod_jk or mod_proxy) can be a bit tricky, SWITCH has some great documentation on exactly what you need to do. We will eventually paraphrase/summarize this documentation here, but for now, the SWITCH page will have to do.
- When initially setting up Apache & mod_shib, https://www.testshib.org/ provides a great testing ground for your configurations. This site provides a sample/demo Shibboleth IdP (as well as a sample Shibboleth SP) which you can test against. It acts as a "sandbox" to get your configurations working properly, before you point DSpace at your production Shibboleth IdP.
...
a regular expression which all new passwords MUST validate against. By default, DSpace just requires a new password to be 8 or more characters (see above example value). However, sites can modify this regex in order to require more robust passwords of all users. One example of a complex rule is:
This example requires all users to adopt a more complex password:
|
Open ID Connect (OIDC) Authentication
Info |
---|
Open ID Connect (OIDC) Authentication is only available in DSpace 7.2 or above. |
Enabling OIDC Authentication
To enable OIDC Authentication, you must ensure the org.dspace.authenticate.OidcAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| |
---|---|---|
Property: |
| |
Example Value: |
(NOTE: This setting may be repeated to support multiple AuthenticationMethods) (WARNING: it's easy to miss, the "camel case" for |
Configuring OIDC Authentication
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. There are many server implementations of OpenID Connect, including Keycloak and AWS Cognito.
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | (Optional) The root URL of the OpenID Connect server. This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below). |
Property: | authentication-oidc.auth-server-realm |
Example Value: | authentication-oidc.auth-server-realm = dspace-realm |
Informational Note: | (Optional) The realm to authenticate against on the OpenID Connect server. This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below). So, for some setups, it may be easier to configure the "-endpoint" configs directly INSTEAD OF the "auth-server-url" and "auth-server-realm" |
Property: | authentication-oidc.token-endpoint |
Example Value: | authentication-oidc.token-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/token |
Informational Note: | (Required) The URL of the OIDC Token endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
Property: | authentication-oidc.authorize-endpoint |
Example Value: | authentication-oidc.authorize-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/auth |
Informational Note: | (Required) The URL of the OIDC Authorize endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
Property: | authentication-oidc.user-info-endpoint |
Example Value: | authentication-oidc.user-info-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/userinfo |
Informational Note: | (Required) The URL of the OIDC Userinfo endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
Property: | authentication-oidc.client-id |
Example Value: | authentication-oidc.client-id = our-dspace |
Informational Note: | (Required) The registered OIDC client id for our DSpace server's use. No default value. |
Property: | authentication-oidc.client-secret |
Example Value: | authentication-oidc.client-secret = some-sort-of-hash |
Informational Note: | (Required) The registered OIDC client secret for our DSpace server's use. No default value. |
Property: | authentication-oidc.redirect-url |
Example Value: | authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oid |
Informational Note: | The URL users will be redirected to after a successful login. The example above is the default value, and it usually does not need to be updated. |
Property: | authentication-oidc.scopes |
Example Value: | authentication-oidc.scopes = openid,email,profile |
Informational Note: | The scopes to request from the OIDC server. The example above is the default value |
Property: | authentication-oidc.can-self-register |
Example Value: | authentication-oidc.can-self-register = true |
Informational Note: | Specify if the user can self register using OIDC (true|false). If not specified, true is assumed. If this is set to false, then only users with an existing EPerson in DSpace will be able to authenticate through OIDC. When set to true, an EPerson will be automatically created for each person who successfully authenticates through OIDC. |
Property: | authentication-oidc.user-info.email |
Example Value: | authentication-oidc.user-info.email = email |
Informational Note: | Specify the attribute present in the user info json related to the user's email. The default value is "email" |
Property: | authentication-oidc.user-info.first-name |
Example Value: | authentication-oidc.user-info.first-name = given_name |
Informational Note: | Specify the attribute present in the user info json related to the user's first/given name. The default value is "given_name" |
Property: | authentication-oidc.user-info.last-name |
Example Value: | authentication-oidc.user-info.last-name = family_name |
Informational Note: | Specify the attribute present in the user info json related to the user's last/family name. The default value is "family_name" |
Sample/Test OIDC Configuration
One way to easily test OIDC Authentication is to use the PhantAuth test site at https://www.phantauth.net/. This site allows you to create a random OIDC client & a random OIDC user to authenticate as. So, it can be used to verify that DSpace's OIDC authentication is working in your system, but obviously is only meant for development/testing purposes.
To configure DSpace to use PhantAuth for authentication just requires the following updates to your local.cfg:
Code Block | ||
---|---|---|
| ||
# Enable OIDC
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OidcAuthentication
# Settings for OIDC authentication
# Based on instructions at https://www.phantauth.net/doc/integration
authentication-oidc.authorize-endpoint = https://phantauth.net/auth/authorize
authentication-oidc.token-endpoint = https://phantauth.net/auth/token
authentication-oidc.user-info-endpoint = https://phantauth.net/auth/userinfo
# Obtain a random client-id and client-secret via https://phantauth.net/client
# Find the "client_id" and "client_secret" returned, and place those values in these next two configs.
authentication-oidc.client-id =
authentication-oidc.client-secret =
# Because PhantAuth uses random users, you MUST ensure self registration is enabled
# (This is the default setting though, which is why it's commented out)
# authentication-oidc.can-self-register = true |
Shibboleth Authentication
Enabling Shibboleth Authentication
To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
(NOTE: This setting may be repeated to support multiple AuthenticationMethods) |
Configuring Shibboleth Authentication
Shibboleth is a distributed authentication system for securely authenticating users and passing attributes about the user from one or more identity providers. In the Shibboleth terminology DSpace is a Service Provider which receives authentication information and then based upon that provides a service to the user. To use Shibboleth, DSpace requires that you use Apache installed with the mod_shib module acting as a proxy for all HTTP requests for your servlet container (typically Tomcat). DSpace will receive authentication information from the mod_shib module through HTTP headers.
Before DSpace will work with Shibboleth, you must have the following:
- An Apache web server with the "mod_shib" module installed. As mentioned, this mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat). Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module. Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig We also have a sample Apache + mod_shib configuration provided below.
- An external Shibboleth IdP (Identity Provider). Using mod_shib, DSpace will only act as a Shibboleth SP (Service Provider). The actual Shibboleth Authentication & Identity information must be provided by an external IdP. If you are using Shibboleth at your institution already, then there already should be a Shibboleth IdP available. More information about Shibboleth IdPs versus SPs is available at: https://wiki.shibboleth.net/confluence/display/SHIB2/UnderstandingShibboleth
For more information on installing and configuring a Shibboleth Service Provider see: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
Note about Shibboleth Active vs Lazy Sessions:
When configuring your Shibboleth Service Provider there are two Shibboleth paradigms you may use: Active or Lazy Sessions. Active sessions is where the mod_shib module is configured to product an entire URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead Apache will allow access to any URL, and when the application wants to it may initiate an authenticated session.
The Lazy Session method is preferable for most DSpace installations, as you usually want to provide public access to (most) DSpace content, while restricting access to only particular areas (e.g. administration UI/tools, private Items, etc.). When Active Sessions are enabled your entire DSpace site will be access restricted. In other words, when using Active Sessions, Shibboleth will require everyone to first authenticate before they can access any part of your repository (which essentially results in a "dark archive", as anonymous access will not be allowed).
Apache "mod_shib" Configuration (required)
As mentioned above, you must have Apache with the "mod_shib" module installed in order for DSpace to be able to act as a Shibboleth Service Provider (SP). The mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat). Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module. Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig General information about installing/configuring Shibboleth Service Providers (SPs) can be found at: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
A few extra notes/hints when configuring mod_shib & Apache:
- In Debian based environments, "mod_shib" tends to be in a package named something like "libapache2-mod-shib2"
- The Shibboleth setting "ShibUseHeaders" is no longer required to be set to "On", as DSpace will correctly utilize attributes instead of headers.
- When "ShibUseHeaders" is set to "Off" (which is recommended in the mod_shib documentation), proper configuration of Apache to pass attributes to Tomcat (via either mod_jk or mod_proxy) can be a bit tricky, SWITCH has some great documentation on exactly what you need to do. We will eventually paraphrase/summarize this documentation here, but for now, the SWITCH page will have to do.
- When initially setting up Apache & mod_shib, https://samltest.id/ provides a great testing ground for your configurations. This site provides a sample/demo Shibboleth IdP (as well as a sample Shibboleth SP) which you can test against. It acts as a "sandbox" to get your configurations working properly, before you point DSpace at your production Shibboleth IdP.
- You also may wish to review the Shibboleth setup in our "dspace-shibboleth" Docker setup which the development team uses for testing (and it uses https://samltest.id as the IdP). It may provide you with good examples/hints on getting everything setup. However, keep in mind this code has not been tested in Production scenarios.
Below, we have provided a sample Apache configuration. However, as every institution has their own specific Apache setup/configuration, it is highly likely that you will need to tweak this configuration in order to get it working properly. Again, see the official mod_shib documentation for much more detail about each of these settings: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig These configurations are meant to be added to an Apache <VirtualHost> which acts as a proxy to your Tomcat (or other servlet container) running DSpace. More information on Apache VirtualHost settings can be found at: https://httpd.apache.org/docs/2.2/vhosts/
Code Block |
---|
#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) ####
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously),
# you may also need/want to create one for HTTP (*:80)
<VirtualHost *:443>
...
# PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc)
# which you may need/want to add to your VirtualHost
# As long as Shibboleth module is installed, enable all Shibboleth/mod_shib related settings
<IfModule mod_shib>
# Shibboleth recommends turning on UseCanonicalName
# See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
UseCanonicalName On
# Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users
# can access DSpace without first authenticating via Shibboleth.
# This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated
# (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive
<Location />
AuthType shibboleth
ShibRequireSession Off
require shibboleth
# If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your
# DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to.
# Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.
#ShibRequestSetting applicationId my-dspace-id
</Location>
# If a user attempts to access the DSpace shibboleth endpoint, force them to authenticate via Shib.
<Location "/server/api/authn/shibboleth">
Order deny,allow
Allow from all
AuthType shibboleth
ShibRequireSession On
# Please note that setting ShibUseHeaders to "On" is a potential security risk.
# You may wish to set it to "Off". See the mod_shib docs for details about this setting:
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
# Here's a good guide to configuring Apache + Tomcat when this setting is "Off":
# https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
ShibUseHeaders On
Require shibboleth
</Location>
# If a user attempts to access the DSpace login endpoint, ensure Shibboleth is supported but other auth methods can be too.
<Location "/server/api/authn/login">
Order deny,allow
Allow from all
AuthType shibboleth
# For DSpace, this is required to be off otherwise the available auth methods will be not visible
ShibRequireSession Off
# Please note that setting ShibUseHeaders to "On" is a potential security risk.
# You may wish to set it to "Off". See the mod_shib docs for details about this setting:
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
# Here's a good guide to configuring Apache + Tomcat when this setting is "Off":
# https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
ShibUseHeaders On
</Location>
# Ensure /Shibboleth.sso path (in Apache) can be accessed
# By default it may be inaccessible if your Apache security is tight.
<Location "/Shibboleth.sso">
Order deny,allow
Allow from all
# Also ensure Shibboleth/mod_shib responds to this path
SetHandler shib
</Location>
# Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected
# to Tomcat (as they need to be handled by mod_shib instead).
# NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO REDIRECT
# ALL REQUESTS TO TOMCAT (e.g. ProxyPass /server ajp://localhost:8009/server)
ProxyPass /Shibboleth.sso !
</IfModule>
...
# You will likely need Proxy settings to ensure Apache is proxying requests to Tomcat for the DSpace REST API
# The below is just an example of proxying for REST API only. It requires installing & enabling "mod_proxy" and "mod_proxy_ajp"
## Proxy / Forwarding Settings ##
<Proxy *>
AddDefaultCharset Off
Order allow,deny
Allow from all
</Proxy>
# Proxy all requests to /server to Tomcat via AJP
ProxyPass /server ajp://localhost:8009/server
ProxyPassReverse /server ajp://localhost:8009/server
# Optionally, also proxy Angular UI (if on same server). This requires "mod_proxy_http"
#ProxyPass / http://localhost:4000/
#ProxyPassReverse / http://localhost:4000/
</VirtualHost> |
Sample shibboleth2.xml Configuration
In addition, here's a sample "ApplicationOverride" configuration for "shibboleth2.xml". This particular "ApplicationOverride" is configured to use the Test IdP provided by https://samltest.id/ and is just meant as an example. In order to enable it for testing purposes, you must specify ShibRequestSetting applicationId samltest
in your Apach mod_shib
configuration (see above). An additional, more detailed example is provided in our "dspace-shibboleth" Docker configurations at https://github.com/DSpace/DSpace/blob/main/dspace/src/main/docker/dspace-shibboleth/shibboleth2.xml
Code Block |
---|
<!-- *** Sample Shibboleth Settings for https://samltest.id/ *** -->
<!-- This provides a simple sample of how you could configure -->
<!-- shibboleth2.xml for DSpace sites. -->
<!-- TO ENABLE: You'd need to specify "applicationId" as "samltest" in -->
<!-- your mod_shib settings, e.g. -->
<!-- <Location /> -->
<!-- ... |
Code Block |
---|
#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) ####
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously),
# you may also need/want to create one for HTTP (*:80)
<VirtualHost *:443>
...
# PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc)
# which you may need/want to add to your VirtualHost
# As long as Shibboleth module is installed, enable all Shibboleth/mod_shib related settings
<IfModule mod_shib>
# Shibboleth recommends turning on UseCanonicalName
# See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
UseCanonicalName On
# Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users
# can access DSpace without first authenticating via Shibboleth.
# This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated
# (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive
<Location />
AuthType shibboleth
ShibRequireSession Off
require shibboleth
# If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your
# DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to.
# Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.
#ShibRequestSetting applicationId my-dspace-id
</Location>
# If a user attempts to access the DSpace shibboleth login page, force them to authenticate via Shib
<Location "/shibboleth-login">
AuthType shibboleth
ShibRequireSession On
# Please note that setting ShibUseHeaders to "On" is a potential security risk.
# You may wish to set it to "Off". See the mod_shib docs for details about this setting:
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
# Here's a good guide to configuring Apache + Tomcat when this setting is "Off":
# https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
ShibUseHeaders On
require valid-user
</Location>
# Ensure /Shibboleth.sso path (in Apache) can be accessed
# By default it may be inaccessible if your Apache security is tight.
<Location "/Shibboleth.sso">
Order deny,allow
Allow from all
# Also ensure Shibboleth/mod_shib responds to this path
SetHandler shib
</Location>
# Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected
# to Tomcat (as they need to be handled by mod_shib instead).
# NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO REDIRECT
# ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8009/)
# ProxyPass /Shibboleth.sso !
</IfModule>
...
</VirtualHost> |
Sample shibboleth2.xml Configuration
In addition, here's a sample "ApplicationOverride" configuration for "shibboleth2.xml". This particular "ApplicationOverride" is configured to use the Test IdP provided by http://www.testshib.org/ and is just meant as an example. In order to enable it for testing purposes, you must specify ShibRequestSetting applicationId testshib
in your Apach mod_shib
configuration (see above).
Code Block |
---|
<!-- *** Sample Shibboleth Settings for http://www.testshib.org/ *** --> <!-- This provides a simple sampleShibRequestSetting ofapplicationId howsamltest you could configure --> <!--> shibboleth2.xml for DSpace sites. <!-- </Location> --> <!-- TO ENABLE: You'd need to specify "applicationId" as "testshib" in --> <!-- your mod_shib settings, e.g. --> <ApplicationOverride id="samltest" entityID="http://[mydspace.edu]/shibboleth" REMOTE_USER="eppn persistent-id targeted-id"> <!-- We'll use a TEST IdP, hosted by the awesome https://samltest.id/ testing service. --> <!-- <Location /> See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO --> <!-- DSPACE 7 requires Shibboleth to use "SameSite=None" property for its Cookies --> <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; SameSite=None; secure; HttpOnly"> --<SSO entityID="https://samltest.id/saml/idp"> <!-- ... SAML2 SAML1 </SSO> </Sessions> <!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. --> <!-- ShibRequestSetting applicationId testshib By default, metadata is retrieved from the TEST IdP at https://samltest.id/ --> <!--> and is cached in a local file <!named "samltest-metadata.xml". --> </Location> <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider --> <MetadataProvider type="XML" uri="https://samltest.id/saml/idp" --> backingFilePath="samltest-metadata.xml" reloadInterval="180000"/> <ApplicationOverride id="testshib" entityID </ApplicationOverride> |
Sample attribute-map.xml Configuration (for samltest.id)
In order to use the above example for https://samltest.id/, you may also need to modify your attribute-map.xml to support their attributes. Again, a more complete example is in our "dspace-shibboleth" Docker configurations at https://github.com/DSpace/DSpace/blob/main/dspace/src/main/docker/dspace-shibboleth/attribute-map.xml
Code Block |
---|
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://mydspace.edu/shibboleth" REMOTE_USER="principal-id"> <!-- We'll use a TEST IdP, hosted by the awesome http://www.testshib.org/ testing service. --www.w3.org/2001/XMLSchema-instance"> <!-- Custom Attributes specific to samltest.id --> <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> <Attribute name="urn:oid:2.5.4.4" id="sn"/> <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO --<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true"<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/> <Attribute name="urn:oid:2.5.4.42" id="givenName"/> <SSO entityID<Attribute name="https://idpsamltest.testshib.orgid/idp/shibboleth"attributes/role" id="role"/> ... <!-- In addition to the attribute mapping, SAML2DSpace SAML1 expects the following Shibboleth Headers to </SSO>be set: </Sessions> - SHIB-NETID - <!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. -->SHIB-MAIL - SHIB-GIVENNAME - <!-- By default, metadata is retrieved from the TEST IdP at http://www.testshib.org --> <!-- and is cached in a local file named "testshib-idp-metadata.xml". --SHIB-SURNAME These are set by mapping the respective IdP attribute (left hand side) to the header attribute (right hand side). --> <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="SHIB-NETID"/> <Attribute name="urn:mace:dir:attribute-def:uid" id="SHIB-NETID"/> <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider -- <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/> <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"<Attribute name="urn:mace:dir:attribute-def:mail" id="SHIB-MAIL"/> <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/> <Attribute name="urn:mace:dir:attribute-def:givenName" id="SHIB-GIVENNAME"/> <Attribute backingFilePath="testshib-idp-metadata.xml" reloadInterval="180000name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/> <Attribute </ApplicationOverride>name="urn:mace:dir:attribute-def:sn" id="SHIB-SURNAME"/> </Attributes> |
DSpace Shibboleth Configuration Options
...
If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their netted NetID so all future authentications for this user will be based upon nettedNetID. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account all ready already has a NetID set and then they try and authenticate with a different NetID the authentication will fail.
...
The values extracted (a user may have multiple roles) will be used to look up which groups to place the user into. The groups are defined as "authentication-shibboleth.role.<role-name>" which is a comma separated list of DSpace groupsup which groups to place the user into. The groups are defined as "authentication-shibboleth.role.<role-name>" which is a comma separated list of DSpace groups.
Note | ||
---|---|---|
| ||
In addition to the below settings, you may need to ensure your Shibboleth IdP is trusted by the DSpace backend by adding it to your For example, if your IdP is https://samltest.id/, then you need to append that URL to the comma-separated list of "allowed-origins" like:
More information on this configuration can be found in the REST API documentation. |
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
| ||
Informational Note: | Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive"). | ||
Property: |
| ||
Example Value: | authentication-shibboleth. | ||
Informational Note: | The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login" | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true". | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Used when a netid or email headers are not available should Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above. | ||
Property: |
| ||
Example Value | authentication-shibboleth.reconvert.attributes = false | ||
Informational Note: | Shibboleth attributes are by default UTF-8 encoded. Some servlet container automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8. As the attributes already were UTF-8 encoded it may be necessary to reconvert them. If you set this property true, DSpace converts all shibboleth attributes retrieved from the servlet container from UTF-8 to ISO-8859-1 and uses the result as if it were UTF-8. This procedure restores the shibboleth attributes if the servlet container wrongly converted them from ISO-8859-1 to UTF-8. Set this true, if you notice character encoding problems within shibboleth attributes. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Should we allow new users to be registered automatically? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | SWORD compatibility will allow this authentication method to work when using SWORD. SWORD relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for SWORD sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's surname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored for each user. The left side is the Shibboleth-based metadata Header and the right side is the eperson metadata field to map the attribute to. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The shibboleth header to do role-based mappings (see section on roll based mapping section above)Shibboleth header holding the user's Shibboleth roles. See the "Role-based Groups" section above for more info. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather Whether to ignore the attributeroles' s scope scopes (everything after the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather Whether to ignore the attributeroles' s value values (everything before the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups. See the "Role-based Groups" section above for more info. |
LDAP Authentication
| |
Informational Note: | Mapping of affiliation values to DSpace groups. See the "Role-based Groups" section above for more info. |
Property: |
|
Example Value: |
|
Informational Note: | These roles are assumed if no roles were sent by Shibboleth or there was no header with name matching the value of |
LDAP Authentication
Introduction to LDAP specific terminology
If you are unfamiliar with LDAP, the following introduction to some of its terminology might come in handy:
https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
Enabling LDAP Authentication
...
If you want to give any special privileges to LDAP users, create a stackable authentication method to automatically put people who have a netid into a special group. You might also want to give certain email addresses special privileges. Refer to the Custom Authentication Code section below for more information about how to do this.
...
Configuration File: |
| ||||||
---|---|---|---|---|---|---|---|
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords. | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms. | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. (This field has no default value) NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," | ||||||
Property: |
| ||||||
Example Value: | authentication-ldap.starttls = false | ||||||
Informational Note: | Should we issue StartTLS after establishing TCP connection in order to initiate an encrypted connection?
| ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Explanation: | This is the unique identifier field in the LDAP directory where the username is stored. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object context to use when authenticating the user. By default, DSpace will use this value to create the user's DN in order to attempt to authenticate them. It is appended to the id_field and username. For example If your users do NOT all exist under a single "object_context" in LDAP, then you should ignore this setting and INSTEAD use the Hierarchical LDAP Authentication settings below (especially see " NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object field where the user's email address is stored. "mail" is the most common for LDAP servers. (This field has no default value) If the "email_field" is unspecified, or the user has no email address in LDAP, his/her username (id_field value) will be saved as the email in DSpace (or appended to | ||||||
Property: | authentication-ldap.netid_email_domain | ||||||
Example Value: | authentication-ldap.netid_email_domain = @example.com | ||||||
Informational Note: | If your LDAP server does not hold an email address for a user (i.e. no Please note: this field will only be used if " | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object field where the user's last name is stored. " | ||||||
Property: | authentication-ldap.givenname_field | ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | If specified, all user sessions successfully logged in via LDAP will automatically become members of this DSpace Group (for the remainder of their current, logged in session). This DSpace Group must already exist (it will not be automatically created). | ||||||
Property: |
login.groupmap.* | ||||||
Example Value: | authentication-ldap.login.groupmap.1 = ou=Students:ALL_STUDENTS authentication-ldap.login.groupmap.2 = ou=Employees:ALL_EMPLOYEES authentication-ldap.login.groupmap.3 = ou=Faculty:ALL_FACULTY | ||||||
Informational Note: | The left part of the value (before the ":") must correspond to a portion of a user's DN (unless " For example, if the authenticated user's DN in LDAP is in the following form:
that user would get assigned to the ALL_STUDENTS DSpace group for the remainder of their current session. However, if that same user later graduates and is employed by the university, their DN in LDAP may change to:
Upon logging into DSpace after that DN change, the authenticated user would now be assigned to the ALL_EMPLOYEES DSpace group for the remainder of their current session. Note: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together. | ||||||
Property: | authentication-ldap.login.groupmap.attribute | ||||||
Example Value: | authentication-ldap.login.groupmap.attribute = group | ||||||
Informational Note: | The value of the "
For example:
The above would ensure that any authenticated users where their LDAP "group" attribute equals "mathematics" would be added to the DSpace Group named "Mathematics_Group" for the remainder of their current session. However, if that same user logged in later with a new LDAP "group" value of "computer science", he/she would no longer be a member of the "Mathematics_Group" in DSpace. |
...
Hierarchical LDAP Authentication shares all the above standard LDAP configurations, but has some additional settings.
...
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This is the search scope value for the LDAP search during autoregistering ( Please note that " |
Property: |
|
Example Value: |
|
Informational Note: | If true, DSpace will anonymously search LDAP (in the " |
Property: |
|
Example Value: |
|
Informational Note: | The full DN and password of a user allowed to connect to the LDAP server and search (in the " NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
ORCID Authentication
Enabling ORCID Authentication
Note |
---|
Enabling ORCID Authentication requires also enabling Configurable Entities and Researcher Profiles |
To enable ORCID Authentication, see the documentation for enabling the ORCID Integration. You do not need to enable ORCID synchronization, but you currently must enable Researcher Profiles and Configurable Entities.
IP Authentication
Enabling IP Authentication
...