Page History
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. |
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to automatically add all password authenticated users to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session. |
Property: |
|
Example Value: |
|
Informational Note: | This option specifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this. |
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
| ||
Informational Note: | Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive"). | ||
Property: |
| ||
Example Value: | authentication-shibboleth. | ||
Informational Note: | The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login" | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true". | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Used when a netid or email headers are not available should Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above. | ||
Property: |
| ||
Example Value | authentication-shibboleth.reconvert.attributes = false | ||
Informational Note: | Shibboleth attributes are by default UTF-8 encoded. Some servlet container automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8. As the attributes already were UTF-8 encoded it may be necessary to reconvert them. If you set this property true, DSpace converts all shibboleth attributes retrieved from the servlet container from UTF-8 to ISO-8859-1 and uses the result as if it were UTF-8. This procedure restores the shibboleth attributes if the servlet container wrongly converted them from ISO-8859-1 to UTF-8. Set this true, if you notice character encoding problems within shibboleth attributes. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Should we allow new users to be registered automatically? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | SWORD compatibility will allow this authentication method to work when using SWORD. SWORD relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for SWORD sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's surname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored for each user. The left side is the Shibboleth-based metadata Header and the right side is the eperson metadata field to map the attribute to. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The shibboleth header to do role-based mappings (see section on roll based mapping section above) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's value (everything before the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups. See the "Role-based Groups" section above for more info. |
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
Once enabled, you are then able to map DSpace groups to IP addresses in authentication-ip.cfg
by setting ip.GROUPNAME = iprange[, iprange ...]
, e.g:
Code Block |
---|
authentication-ip.MY_UNIVERSITY = 10.1.2.3, \ # Full IP
13.5, \ # Partial IP
11.3.4.5/24, \ # with CIDR
12.7.8.9/255.255.128.0, \ # with netmask
2001:18e8::32 # IPv6 too |
...
- See the HTTPS installation instructions to configure your Web server. If you are using HTTPS with Tomcat, note that the
<Connector>
tag must include the attributeclientAuth="true"
so the server requests a personal Web certificate from the client. Add the
org.dspace.authenticate.X509Authentication
pluginfirst
to the list of stackable authentication methods in the value of the configuration keyplugin.sequence.org.dspace.authenticate.AuthenticationMethod
Configuration File:
[dspace]/config/modules/authentication.cfg
Property:
plugin.sequence.org.dspace.authenticate.AuthenticationMethod
Example Value:
Code Block plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \ org.dspace.authenticate.X509Authentication plugin.sequence.org.dspace.authenticate.X509Authentication,AuthenticationMethod \ = org.dspace.authenticate.PasswordAuthentication
...
You must also configure DSpace with the same CA certificates as the web server, so it can accept and interpret the clients' certificates. It can share the same keystore file as the web server, or a separate one, or a CA certificate in a file by itself. Configure it by oneof these methods, either the Java keystore
Code Block authentication-x509.keystore.path = path to Java keystore file authentication-x509.keystore.password = password to access the keystore
...or the separate CA certificate file (in PEM or DER format):
Code Block authentication-x509.ca.cert = path to certificate file for CA whose client certs to accept.
- Choose whether to enable auto-registration: If you want users who authenticate successfully to be automatically registered as new E-Persons if they are not already, set the
autoregister
configuration property totrue
. This lets you automatically accept all users with valid personal certificates. The default isfalse
.
Warning |
---|
TODO: document the remaining authentication-x509.* properties |
Example of a Custom Authentication Method
...
You can create your own custom authentication method and add it to the stack. Use the most similar existing method as a model, e.g. org.dspace.authenticate.PasswordAuthentication
for an "explicit" method (with credentials entered interactively) or org.dspace.authenticate.X509Authentication
for an implicit method.encapsulatets