All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
...
Since many institutions and organizations have existing authentication systems, DSpace has been designed to allow these to be easily integrated into an existing authentication infrastructure. It keeps a series, or "stack", of authentication methods, so each one can be tried in turn. This makes it easy to add new authentication methods or rearrange the order without changing any existing code. You can also share authentication code with other sites.
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b874bdf0-6f7f-43df-a626-d4dc36bbd589"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
---|---|---|---|
Property: | | ||
Example Value: |
|
...
However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: | | ||
---|---|---|---|
Property: |
| ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="94bb809b-15ce-4d01-8aaf-7ae37f520a26"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: |
| ||
Example Value: |
|
...
A full list of all available Password Authentication Configurations:
Configuration File: | | ||
---|---|---|---|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8f3c3139-e3eb-4485-bf60-463ec5c6bae0"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: | | ||
Informational Note: | This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This option allows you automatically add all password authenticated users to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session. |
...
To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d2649e0e-2cd3-4b45-b453-b74ca2e906a8"><ac:plain-text-body><![CDATA[ | Configuration File: |
| ]]></ac:plain-text-body></ac:structured-macro> |
---|---|---|---|---|---|
Property: | | ||||
Example Value: |
|
...
Info | ||
---|---|---|
| ||
Detailed instructions for installing Shibboleth on DSpace 1.5.x may be found at https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15. |
Once it has been enabled (see above), Shibboleth Authentication is configured via its own {{\ Wiki Markup [dspace
\]/config/modules/authentication-shibboleth.cfg
}} file.
DSpace requires an email address as the user's credentials. There are two ways of providing email to DSpace from Shibboleth:
...
A full list of all available Shibboleth Configurations:
...
Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> | |||
---|---|---|---|---|---|
Property: | | ||||
Example Value: | | ||||
Informational Note: | The option specifies that the email comes from the mentioned header. This value is CASE-Sensitive. | ||||
Property: | | ||||
Example Value: | | ||||
Informational Note: | Optional. Specify the header that carries the user's first name. This is going to be used for the creation of new-user. | ||||
Property: | | ||||
Example Value: | | ||||
Informational Note: | Optional. Specify the header that carries user's last name. This is used for creation of new user. | ||||
Property: | | ||||
Example Value: | | ||||
Informational Note: | This option forces the software to acquire the email from Tomcat. | ||||
Property: | | ||||
Example Value: | | ||||
Informational Note: | Option will allow new users to be registered automatically if the IdP provides sufficient information (and the user does not exist in DSpace). | ||||
Property: |
| ||||
Example Value: |
or
| ||||
Informational Note: | These two options specify which attribute that is responsible for providing user's roles to DSpace and unscope the attributes if needed. When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and ignore-scope is defaulted to 'false'. The value is specified in AAP.xml (Shib 1.3.x) or attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive. The values provided in this header are separated by semi-colon or comma. If your service provider (SP) only provides scoped role header, you need to set | ||||
Property: | | ||||
Example Value: | | ||||
Informational Note: | When user is fully authN or IdP but would not like to release his/her roles to DSpace (for privacy reasons?), what should the default roles be given to such user. The values are separated by semi-colon or comma. | ||||
Property: |
| ||||
Example Value: |
| ||||
Informational Note: | The following mappings specify role mapping between IdP and Dspace. The left side of the entry is IdP's role (prefixed with 'role.') which will be mapped to the right entry from DSpace. DSpace's group as indicated on the right entry has to EXIST in DSpace, otherwise user will be identified as 'anonymous'. Multiple values on the right entry should be separated by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping will be done when the IdP groups entry are not listed below (i.e. if 'X' group in IdP is not specified here, then it will be mapped to 'X' group in DSpace if it exists, otherwise it will be mapped to simply 'anonymous'). Given sufficient demand, future release could support regex for the mapping special characters need to be escaped by '\' |
...
The values extracted (a user may have multiple roles) will be used to look up which groups to place the user into. The groups are defined as "authentication.shib.role.<role-name>" which is a comma separated list of DSpace groups.
Configuration File: | | ||
---|---|---|---|
Property: |
| ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ebe933bd-d8c6-43c2-a18b-1bcc8aa38b6f"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: |
| ||
Example Value: | | ||
Informational Note: | Whether to use lazy sessions or active sessions. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The url to start a shibboleth session (only for lazy sessions) | ||
Property: | | ||
Example Value: | | ||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions) | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | Used when a netid or email heades are not available should shibboleth authentication fall back to using Tomcat's remote user feature. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | Should we allow new users to be registered automatically? | ||
Property: | | ||
Example Value: | | ||
Informational Note: | Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The HTTP header where the shibboleth will supply a user's sur name. | ||
Property: | | ||
Example Value: |
| ||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored | ||
Property: | | ||
Example Value: | | ||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The shibboleth header to do role-based mappings (see section on roll based mapping section above) | ||
Property: | | ||
Example Value: | | ||
Informational Note: | Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes) | ||
Property: | | ||
Example Value: | | ||
Informational Note: | Weather to ignore the attribute's value (everything before the @ sign for scoped attributes) | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="53f1bf1e-91a2-4e96-a1a8-440de885104b"><ac:plain-text-body><![CDATA[ | Property: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups.(See the roll based mapping section above) |
...
The values extracted (a user may have multiple roles) will be used to look up which groups to place the user into. The groups are defined as "role.<role-name>" which is a comma separated list of DSpace groups.
Configuration File: | | |||
---|---|---|---|---|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="677cb8d5-1075-403e-b054-bbfcbf32f917"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> | |
Property: | | |||
Example Value: | | |||
Informational Note: | Whether to use lazy sessions or active sessions. | |||
Property: | | |||
Example Value: | | |||
Informational Note: | The url to start a shibboleth session (only for lazy sessions) | |||
Property: | | |||
Example Value: | | |||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions) | |||
Property: | | |||
Example Value: | | |||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. | |||
Property: | | |||
Example Value: | | |||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. | |||
Property: | | |||
Example Value: | | |||
Informational Note: | Used when a netid or email heades are not available should shibboleth authentication fall back to using Tomcat's remote user feature. | |||
Property: | | |||
Example Value: | | |||
Informational Note: | Should we allow new users to be registered automatically? | |||
Property: | | |||
Example Value: | | |||
Informational Note: | Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | |||
Property: | | |||
Example Value: | | |||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. | |||
Property: | | |||
Example Value: | | |||
Informational Note: | The HTTP header where the shibboleth will supply a user's sur name. | |||
Property: | | |||
Example Value: |
| |||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored | |||
Property: | | |||
Example Value: | | |||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | |||
Property: | | |||
Example Value: | | |||
Informational Note: | The shibboleth header to do role-based mappings (see section on roll based mapping section above) | |||
Property: | | |||
Example Value: | | |||
Informational Note: | Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes) | |||
Property: | | |||
Example Value: | | |||
Informational Note: | Weather to ignore the attribute's value (everything before the @ sign for scoped attributes) | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="20fb84b7-cfa2-413d-8957-80210dad5714"><ac:plain-text-body><![CDATA[ | Property: | | ]]></ac:plain-text-body></ac:structured-macro> | |
Property: | | |||
Example Value: | Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups.(See the roll based mapping section above) |
...
To enable LDAP Authentication, you must ensure the org.dspace.authenticate.LDAPAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: | | ||
---|---|---|---|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="99f344f2-94b6-4b45-b211-e9539893ac27"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: |
|
...
Here is an explanation of each of the different LDAP configuration parameters:
Configuration File: | | ||
---|---|---|---|
Property: | | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f0d5f0a8-aa3b-4370-99cc-26bd3b3b38cf"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: | | ||
Informational Note: | This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. | ||
Property: | | ||
Example Value: | | ||
Explanation: | This is the unique identifier field in the LDAP directory where the username is stored. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the object context used when authenticating the user. It is appended to the id_field and username. For example | ||
Property: | | ||
Example Value: | | <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5c5b6700-c890-4c94-92ce-2288cec00f18"><ac:plain-text-body><![CDATA[ | Informational Note: |
Informational Note: | This is the search This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With | ||
]]></ac:plain-text-body></ac:structured-macro> | Property: | | |
Example Value: | | ||
Informational Note: | This is the LDAP object field where the user's email address is stored. "mail" is the default and the most common for LDAP servers. If the mail field is not found the username will be used as the email address when creating the eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the LDAP object field where the user's last name is stored. "sn" is the default and is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | If required, a group name can be given here, and all users who log into LDAP will automatically become members of this group. This is useful if you want a group made up of all internal authenticated users. (Remember to log on as the administrator, add this to the "Groups" with read rights). |
...
To enable Hierarchical LDAP Authentication, you must ensure the org.dspace.authenticate.LDAPHierarchicalAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: | | ||
---|---|---|---|
Property: |
| ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d230c8d0-f1fb-4997-a738-66ebbe6ce2da"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: |
| ||
Example Value: |
|
...
You can optionally specify the search scope. If anonymous access is not enabled on your LDAP server, you will need to specify the full DN and password of a user that is allowed to bind in order to search for the users.
Configuration File: | | ||
---|---|---|---|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="77ef16c1-dfb8-40fa-b5f3-b1dcab0c6a5b"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: | | ||
Informational Note: | This is the search scope value for the LDAP search during autoregistering. This will depend on your LDAP server setup. This value must be one of the following integers corresponding to the following values: | ||
Property: | | ||
Example Value: | | ||
Informational Note: | The full DN and password of a user allowed to connect to the LDAP server and search for the DN of the user trying to log in. If these are not specified, the initial bind will be performed anonymously. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | If your LDAP server does not hold an email address for a user, you can use the following field to specify your email domain. This value is appended to the netid in order to make an email address. E.g. a netid of 'user' and |
...
To enable IP Authentication, you must ensure the org.dspace.authenticate.IPAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="33c22b44-fe40-43db-a41e-d638687c902e"><ac:plain-text-body><![CDATA[ | Configuration File: |
|
---|---|---|---|---|
Property: | | |||
Example Value: |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0d7ae43b-2a80-4bdf-b066-a17bc78dd6ad"><ac:plain-text-body><![CDATA[ | Configuration File: |
| ]]></ac:plain-text-body></ac:structured-macro> |
|
---|
Once enabled, you are then able to map DSpace groups to IP addresses in Once enabled, you are then able to map DSpace groups to IP addresses in {{ Wiki Markup authentication-ip.cfg
}} by setting {{ip.GROUPNAME
=
iprange
\[,
iprange
...
\]
}}, e.g:
Code Block |
---|
ip.MY_UNIVERSITY = 10.1.2.3, \ # Full IP 13.5, \ # Partial IP 11.3.4.5/24, \ # with CIDR 12.7.8.9/255.255.128.0, \ # with netmask 2001:18e8::32 # IPv6 too |
...
<Connector>
tag must include the attribute clientAuth="true"
so the server requests a personal Web certificate from the client.org.dspace.authenticate.X509Authentication
plugin first
to the list of stackable authentication methods in the value of the configuration key plugin.sequence.org.dspace.authenticate.AuthenticationMethod.authenticate.AuthenticationMethod
Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> | |
---|---|---|---|
Property: | | ||
Example Value: |
|
...
Configuration File: |
|
---|
Code Block |
---|
keystore.path = path to Java keystore file keystore.password = password to access the keystore |
Code Block |
---|
ca.cert = path to certificate file for CA whose client certs to accept. |
autoregister
configuration property to true
. This lets you automatically accept all users with valid personal certificates. The default is false
....