Page History

...

• Authentication by Password (class: org.dspace.authenticate.PasswordAuthentication) (DEFAULT)
• Open ID Connect (OIDC) Authentication (class: org.dspace.authenticate.OidcAuthentication)
• Shibboleth Authentication (class: org.dspace.authenticate.ShibAuthentication)
• LDAP Authentication (class: org.dspace.authenticate.LDAPAuthentication)
• ORCID Authentication (class: org.dspace.authenticate.OrcidAuthentication)
• IP Address based Authentication (class: org.dspace.authenticate.IPAuthentication)
• X.509 Certificate Authentication (class: org.dspace.authenticate.X509Authentication)

An authentication method is a class that implements the interface org.dspace.authenticate.AuthenticationMethod. It authenticates a user by evaluating the credentials (e.g. username and password) he or she presents and checking that they are valid.

The basic authentication procedure in the DSpace Web UI is this:

1. A request is received from an end-user's browser that, if fulfilled, would lead to an action requiring authorization taking place.
2. If the end-user is already authenticated:
   • If the end-user is allowed to perform the action, the action proceeds
   • If the end-user is NOT allowed to perform the action, an authorization error is displayed.
   • If the end-user is NOT authenticated, i.e. is accessing DSpace anonymously:
3. The parameters etc. of the request are stored.
4. The Web UI's startAuthentication method is invoked.
5. First it tries all the authentication methods which do implicit authentication (i.e. they work with just the information already in the Web request, such as an X.509 client certificate). If one of these succeeds, it proceeds from Step 2 above.
6. If none of the implicit methods succeed, the UI responds by putting up a "login" page to collect credentials for one of the explicit authentication methods in the stack. The servlet processing that page then gives the proffered credentials to each authentication method in turn until one succeeds, at which point it retries the original operation from Step 2 above.
   Please see the source files AuthenticationManager.java and AuthenticationMethod.java for more details about this mechanism.

Authentication by Password

Enabling Authentication by Password

By default, this authentication method is enabled in DSpace.

However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Authentication by Password

Enabling Authentication by Password

By default, this authentication method is enabled in DSpace.

However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication

Configuring Authentication by Password

The default method org.dspace.authenticate.PasswordAuthentication has the following properties:

• Use of inbuilt e-mail address/password-based log-in. This is achieved by sending login information to the "/api/authn/login" endpoint of the REST API, in order to obtain a JSON Web Token.  This JSON Web token must be sent on every later request which requires authentication.
• Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
• Users are not members of any special (dynamic) e-person groups
• You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg: authentication.password.domain.valid = example.com Example options might be '@example.com' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.

A full list of all available Password Authentication Configurations:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication

Configuring Authentication by Password

The default method org.dspace.authenticate.PasswordAuthentication has the following properties:

• Use of inbuilt e-mail address/password-based log-in. This is achieved by forwarding a request that is attempting an action requiring authorization to the password log-in servlet, /password-login. The password log-in servlet (org.dspace.app.webui.servlet.PasswordServlet) contains code that will resume the original request if authentication is successful, as per step 3. described above.
• Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
• Users are not members of any special (dynamic) e-person groups
• You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg: authentication.password.domain.valid = example.com Example options might be '@example.com' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.

A full list of all available Password Authentication Configurations:

Shibboleth Authentication

Enabling Shibboleth Authentication

To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Open ID Connect (OIDC) Authentication

Enabling OIDC Authentication

To enable OIDC Authentication, you must ensure the org.dspace.authenticate.OidcAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Configuring Shibboleth Authentication

Shibboleth is a distributed authentication system for securely authenticating users and passing attributes about the user from one or more identity providers. In the Shibboleth terminology DSpace is a Service Provider which receives authentication information and then based upon that provides a service to the user. To use Shibboleth, DSpace requires that you use Apache installed with the mod_shib module acting as a proxy for all HTTP requests for your servlet container (typically Tomcat). DSpace will receive authentication information from the mod_shib module through HTTP headers.

Before DSpace will work with Shibboleth, you must have the following:

1. An Apache web server with the "mod_shib" module installed. As mentioned, this mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat).  Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module.  Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig   We also have a sample Apache + mod_shib configuration provided below.
2. An external Shibboleth IdP (Identity Provider).  Using mod_shib, DSpace will only act as a Shibboleth SP (Service Provider). The actual Shibboleth Authentication & Identity information must be provided by an external IdP.  If you are using Shibboleth at your institution already, then there already should be a Shibboleth IdP available. More information about Shibboleth IdPs versus SPs is available at: https://wiki.shibboleth.net/confluence/display/SHIB2/UnderstandingShibboleth

For more information on installing and configuring a Shibboleth Service Provider see: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

Note about Shibboleth Active vs Lazy Sessions:

When configuring your Shibboleth Service Provider there are two Shibboleth paradigms you may use: Active or Lazy Sessions. Active sessions is where the mod_shib module is configured to product an entire URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead Apache will allow access to any URL, and when the application wants to it may initiate an authenticated session.

The Lazy Session method is preferable for most DSpace installations, as you usually want to provide public access to (most) DSpace content, while restricting access to only particular areas (e.g. administration UI/tools, private Items, etc.).  When Active Sessions are enabled your entire DSpace site will be access restricted.  In other words, when using Active Sessions, Shibboleth will require everyone to first authenticate before they can access any part of your repository (which essentially results in a "dark archive", as anonymous access will not be allowed).

Apache "mod_shib" Configuration (required)

As mentioned above, you must have Apache with the "mod_shib" module installed in order for DSpace to be able to act as a Shibboleth Service Provider (SP). The mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat).  Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module.  Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig  General information about installing/configuring Shibboleth Service Providers (SPs) can be found at: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

A few extra notes/hints when configuring mod_shib & Apache:

• In Debian based environments, "mod_shib" tends to be in a package named something like "libapache2-mod-shib2"
• The Shibboleth setting "ShibUseHeaders" is no longer required to be set to "On", as DSpace will correctly utilize attributes instead of headers.
  • When "ShibUseHeaders" is set to "Off" (which is recommended in the mod_shib documentation), proper configuration of Apache to pass attributes to Tomcat (via either mod_jk or mod_proxy) can be a bit tricky, SWITCH has some great documentation on exactly what you need to do. We will eventually paraphrase/summarize this documentation here, but for now, the SWITCH page will have to do.
• When initially setting up Apache & mod_shib, https://samltest.id/ provides a great testing ground for your configurations. This site provides a sample/demo Shibboleth IdP (as well as a sample Shibboleth SP) which you can test against. It acts as a "sandbox" to get your configurations working properly, before you point DSpace at your production Shibboleth IdP.
• You also may wish to review the Shibboleth setup in our "dspace-shibboleth" Docker setup which the development team uses for testing (and it uses https://samltest.id as the IdP).  It may provide you with good examples/hints on getting everything setup. However, keep in mind this code has not been tested in Production scenarios.

...

Configuring OIDC Authentication

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. There are many server implementations of OpenID Connect, including Keycloak and AWS Cognito.

Sample/Test OIDC Configuration

One way to easily test OIDC Authentication is to use the PhantAuth test site at https://www.phantauth.net/.  This site allows you to create a random OIDC client & a random OIDC user to authenticate as.  So, it can be used to verify that DSpace's OIDC authentication is working in your system, but obviously is only meant for development/testing purposes.

To configure DSpace to use PhantAuth for authentication just requires the following updates to your local.cfg:

# Enable OIDC
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OidcAuthentication

# Settings for OIDC authentication
# Based on instructions at https://www.phantauth.net/doc/integration
authentication-oidc.authorize-endpoint = https://phantauth.net/auth/authorize
authentication-oidc.token-endpoint = https://phantauth.net/auth/token
authentication-oidc.user-info-endpoint = https://phantauth.net/auth/userinfo

# Obtain a random client-id and client-secret via https://phantauth.net/client
# Find the "client_id" and "client_secret" returned, and place those values in these next two configs.
authentication-oidc.client-id = 
authentication-oidc.client-secret = 

# Because PhantAuth uses random users, you MUST ensure self registration is enabled 
# (This is the default setting though, which is why it's commented out)
# authentication-oidc.can-self-register = true

Shibboleth Authentication

Enabling Shibboleth Authentication

To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication

Configuring Shibboleth Authentication

Shibboleth is a distributed authentication system for securely authenticating users and passing attributes about the user from one or more identity providers. In the Shibboleth terminology DSpace is a Service Provider which receives authentication information and then based upon that provides a service to the user. To use Shibboleth, DSpace requires that you use Apache installed with the mod_shib module acting as a proxy for all HTTP requests for your servlet container (typically Tomcat). DSpace will receive authentication information from the mod_shib module through HTTP headers.

Before DSpace will work with Shibboleth, you must have the following:

1. An Apache web server with the "mod_shib" module installed. As mentioned, this mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat).  Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module.  Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig   We also have a sample Apache + mod_shib configuration provided below.
2. An external Shibboleth IdP (Identity Provider).  Using mod_shib, DSpace will only act as a Shibboleth SP (Service Provider). The actual Shibboleth Authentication & Identity information must be provided by an external IdP.  If you are using Shibboleth at your institution already, then there already should be a Shibboleth IdP available. More information about Shibboleth IdPs versus SPs is available at: https://wiki.shibboleth.net/confluence/display/SHIB2/UnderstandingShibboleth

For more information on installing and configuring a Shibboleth Service Provider see: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

Note about Shibboleth Active vs Lazy Sessions:

When configuring your Shibboleth Service Provider there are two Shibboleth paradigms you may use: Active or Lazy Sessions. Active sessions is where the mod_shib module is configured to product an entire URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead Apache will allow access to any URL, and when the application wants to it may initiate an authenticated session.

The Lazy Session method is preferable for most DSpace installations, as you usually want to provide public access to (most) DSpace content, while restricting access to only particular areas (e.g. administration UI/tools, private Items, etc.).  When Active Sessions are enabled your entire DSpace site will be access restricted.  In other words, when using Active Sessions, Shibboleth will require everyone to first authenticate before they can access any part of your repository (which essentially results in a "dark archive", as anonymous access will not be allowed).

Apache "mod_shib" Configuration (required)

As mentioned above, you must have Apache with the "mod_shib" module installed in order for DSpace to be able to act as a Shibboleth Service Provider (SP). The mod_shib module acts as a proxy for all HTTP requests for your servlet container (typically Tomcat).  Any requests to DSpace that require authentication via Shibboleth should be redirected to 'shibd' (the shibboleth daemon) by this "mod_shib" module.  Details on installing/configuring mod_shib in Apache are available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig  General information about installing/configuring Shibboleth Service Providers (SPs) can be found at: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

A few extra notes/hints when configuring mod_shib & Apache:

• In Debian based environments, "mod_shib" tends to be in a package named something like "libapache2-mod-shib2"
• The Shibboleth setting "ShibUseHeaders" is no longer required to be set to "On", as DSpace will correctly utilize attributes instead of headers.
  • When "ShibUseHeaders" is set to "Off" (which is recommended in the mod_shib documentation), proper configuration of Apache to pass attributes to Tomcat (via either mod_jk or mod_proxy) can be a bit tricky, SWITCH has some great documentation on exactly what you need to do. We will eventually paraphrase/summarize this documentation here, but for now, the SWITCH page will have to do.
• When initially setting up Apache & mod_shib, https://samltest.id/ provides a great testing ground for your configurations. This site provides a sample/demo Shibboleth IdP (as well as a sample Shibboleth SP) which you can test against. It acts as a "sandbox" to get your configurations working properly, before you point DSpace at your production Shibboleth IdP.
• You also may wish to review the Shibboleth setup in our "dspace-shibboleth" Docker setup which the development team uses for testing (and it uses https://samltest.id as the IdP).  It may provide you with good examples/hints on getting everything setup. However, keep in mind this code has not been tested in Production scenarios.

Below, we have provided a sample Apache configuration.  However, as every institution has their own specific Apache setup/configuration, it is highly likely that you will need to tweak this configuration in order to get it working properly. Again, see the official mod_shib documentation for much more detail about each of these settings: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig  These configurations are meant to be added to an Apache <VirtualHost> which acts as a proxy to your Tomcat (or other servlet container) running DSpace.  More information on Apache VirtualHost settings can be found at: https://httpd.apache.org/docs/2.2/vhosts/

#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) ####
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously), 
# you may also need/want to create one for HTTP (*:80)
<VirtualHost *:443>
   ...
   # PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc) 
   # which you may need/want to add to your VirtualHost
   
   # As long as Shibboleth module is installed, enable all Shibboleth/mod_shib related settings
   <IfModule mod_shib>
       # Shibboleth recommends turning on UseCanonicalName
       # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

...

#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) ####
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously), 
# you may also need/want to create one for HTTP (*:80)
<VirtualHost *:443>
   ...
   # PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc) 
   # which you may need/want to add to your VirtualHost
   
   # As long as Shibboleth module is installed, enable all Shibboleth/mod_shib related settings
   <IfModule mod_shib>
       # Shibboleth recommends turning on UseCanonicalName
       # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
       UseCanonicalName On

       # Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users 
       # can access DSpace without first authenticating via Shibboleth. 
       # This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated
       # (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive
       <Location />
         AuthType shibboleth
         ShibRequireSession Off
         require shibboleth
         # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your 
         # DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to. 
         # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.
         #ShibRequestSetting applicationId my-dspace-id
       </Location>

       UseCanonicalName# On

If a user attempts to access  # Mostthe DSpace instancesshibboleth willendpoint, wantforce to usethem Shibbolethto "Lazy Session", which ensures that users 
authenticate via Shib.
       <Location "/server/api/authn/shibboleth">
  # can access DSpace without first authenticating via Shibboleth. Order deny,allow
       #  This sectionAllow turnsfrom onall
 Shibboleth "Lazy Session". Also ensures that once they haveAuthType authenticatedshibboleth
         #ShibRequireSession (byOn
 accessing /Shibboleth.sso/Login path), then their Shib session is kept# alive
Please note that setting ShibUseHeaders to "On" <Locationis />
a potential security risk. 
      AuthType shibboleth
  # You may wish to set it ShibRequireSessionto "Off
". See the mod_shib docs for details about this require shibbolethsetting:
         # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your 
         # DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to. https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
         # Here's a good guide to configuring Apache + Tomcat when this setting is "Off": 
         # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications 
         # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.ShibUseHeaders On
         #ShibRequestSetting applicationId my-dspace-idRequire shibboleth
       </Location>

       # If a user attempts to access the DSpace shibbolethlogin endpoint, ensure Shibboleth forceis themsupported tobut authenticateother viaauth Shib.
methods can be too.
       <Location "/server/api/authn/shibbolethlogin">
          Order deny,allow
          Allow from all
          AuthType shibboleth
          # For DSpace, this is Allowrequired fromto all
be off otherwise the available auth methods will be AuthTypenot shibbolethvisible
          ShibRequireSession OnOff
          # Please note that setting ShibUseHeaders to "On" is a potential security risk. 
          # You may wish to set it to "Off". See the mod_shib docs for details about this setting:
          # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
          # Here's a good guide to configuring Apache + Tomcat when this setting is "Off": 
          # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
 
         ShibUseHeaders On
         Require shibboleth
       </Location>

       # If a
 user attempts to access the DSpace login# endpoint,Ensure ensure /Shibboleth.sso ispath supported(in but other auth methods Apache) can be too.
       <Location "/server/api/authn/login">
          Order deny,allowaccessed
       # By default Allowit frommay all
be inaccessible if your Apache security is tight.
   AuthType shibboleth
   <Location "/Shibboleth.sso">
      # For DSpace, this is required to be off otherwise the available auth methods will be not visibleOrder deny,allow
         Allow from all
         # ShibRequireSessionAlso Off
     ensure Shibboleth/mod_shib responds to this path
     # Please note that settingSetHandler ShibUseHeadersshib
 to "On" is a potential security risk. </Location>
 
       #   # YouFinally, you may wishneed to setensure itrequests to "Off". See the mod_shib docs for details about this setting:
          # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
   /Shibboleth.sso are NOT redirected 
       # to Tomcat (as they need to be handled by mod_shib instead).
       # Here's a good guide to configuring Apache + Tomcat when this setting is "Off":NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO REDIRECT
       # ALL REQUESTS TO # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
TOMCAT (e.g. ProxyPass /server ajp://localhost:8009/server)
       ProxyPass /Shibboleth.sso !
  ShibUseHeaders On </IfModule>
 
   ...


   # You will likely </Location>
need Proxy settings to ensure Apache is proxying requests 
to Tomcat for the DSpace REST API
   # Ensure /Shibboleth.sso path (in Apache) can be accessed
       # By default it may be inaccessible if your Apache security is tight.
       <Location "/Shibboleth.sso">
   The below is just an example of proxying for REST API only. It requires installing & enabling "mod_proxy" and "mod_proxy_ajp"
   ## Proxy / Forwarding Settings ##
   <Proxy *>
      AddDefaultCharset Off
      Order allow,deny,allow
         Allow from all
   </Proxy>

   # Proxy all #requests Also ensureto Shibboleth/mod_shibserver respondsto toTomcat thisvia pathAJP
   ProxyPass      SetHandler shib/server ajp://localhost:8009/server
   ProxyPassReverse    </Location>
 
      /server ajp://localhost:8009/server

   # FinallyOptionally, youalso mayproxy needAngular to ensure requests to /Shibboleth.sso are NOT redirected 
       # to Tomcat (as they need to be handled by mod_shib instead).
       # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO REDIRECT
       # ALL REQUESTS TO TOMCAT (e.g. ProxyPass /server ajp://localhost:8009/server)
       ProxyPass /Shibboleth.sso !
   </IfModule>
 
   ...


   # You will likely need Proxy settings to ensure Apache is proxying requests to Tomcat for the DSpace REST API
   # The below is just an example of proxying for REST API only. It requires installing & enabling "mod_proxy" and "mod_proxy_ajp"
   ## Proxy / Forwarding Settings ##
   <Proxy *>
      AddDefaultCharset Off
      Order allow,deny
      Allow from all
   </Proxy>

   # Proxy all requests to /server to Tomcat via AJP
   ProxyPass /server ajp://localhost:8009/server
   ProxyPassReverse /server ajp://localhost:8009/server

   # Optionally, also proxy Angular UI (if on same server). This requires "mod_proxy_http"
   #ProxyPass / http://localhost:4000/
   #ProxyPassReverse / http://localhost:4000/
</VirtualHost>

Sample shibboleth2.xml Configuration

In addition, here's a sample "ApplicationOverride" configuration for "shibboleth2.xml". This particular "ApplicationOverride" is configured to use the Test IdP provided by https://samltest.id/ and is just meant as an example.  In order to enable it for testing purposes, you must specify ShibRequestSetting applicationId samltest in your Apach mod_shib configuration (see above).  An additional, more detailed example is provided in our "dspace-shibboleth" Docker configurations at https://github.com/DSpace/DSpace/blob/main/dspace/src/main/docker/dspace-shibboleth/shibboleth2.xml

UI (if on same server). This requires "mod_proxy_http"
   #ProxyPass / http://localhost:4000/
   #ProxyPassReverse / http://localhost:4000/
</VirtualHost>

Sample shibboleth2.xml Configuration

In addition, here's a sample "ApplicationOverride" configuration for "shibboleth2.xml". This particular "ApplicationOverride" is configured to use the Test IdP provided by https://samltest.id/ and is just meant as an example.  In order to enable it for testing purposes, you must specify ShibRequestSetting applicationId samltest in your Apach mod_shib configuration (see above).  An additional, more detailed example is provided in our "dspace-shibboleth" Docker configurations at https://github.com/DSpace/DSpace/blob/main/dspace/src/main/docker/dspace-shibboleth/shibboleth2.xml

        <!-- *** Sample Shibboleth Settings for  https://samltest.id/  ***     -->
        <!-- This provides a simple sample of how you could configure            -->
        <!-- shibboleth2.xml for DSpace sites.                                   -->
        <!-- TO ENABLE: You'd need to specify "applicationId" as "samltest" in   -->
        <!-- your mod_shib settings, e.g.                                        -->

        <!-- *** Sample Shibboleth Settings for  https://samltest.id/  *** <Location />                                                        -->
        <!-- This provides a simple sample of how you... could configure            -->
        <!-- shibboleth2.xml for DSpace sites.                                   -->
        <!--  TO ENABLE: You'd need to specify "applicationId" as "samltest" in   -->
   ShibRequestSetting applicationId samltest                  <!-- your mod_shib settings, e.g.  -->
        <!-- </Location>                              -->
        <!-- <Location />                 -->
        <ApplicationOverride id="samltest" entityID="http://[mydspace.edu]/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">

            <!-- We'll use a TEST IdP, hosted by the awesome https://samltest.id/ testing  service. -->
            <!-- See    ...                   also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
            <!-- DSPACE 7 requires Shibboleth to use "SameSite=None" property for its Cookies -->
            <Sessions lifetime="28800"                             -->
timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; SameSite=None; secure; HttpOnly">
         <!--     ShibRequestSetting applicationId samltest<SSO entityID="https://samltest.id/saml/idp">
                 SAML2 SAML1
      -->
        <!-- </Location>SSO>
            </Sessions>

            <!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. -->
                <!-->
 By default, metadata is retrieved from the <ApplicationOverride id="samltest" entityID="httpTEST IdP at https://[mydspacesamltest.edu]id/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">

            <!-- We'lland useis acached TESTin IdP,a hostedlocal byfile the awesome https://samltest.id/ testing servicenamed "samltest-metadata.xml". -->
            <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSONativeSPMetadataProvider -->
            <MetadataProvider type="XML" uri="https://samltest.id/saml/idp"
                <!-- DSPACE 7 requires Shibboleth to use "SameSite=None" property for its Cookies -->
    backingFilePath="samltest-metadata.xml" reloadInterval="180000"/>
       <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; SameSite=None; secure; HttpOnly">
               <SSO entityID="https://samltest.id/saml/idp">
                 SAML2 SAML1
               </SSO>
            </Sessions>

            <!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. -->
            <!-- By default, metadata is retrieved from the TEST IdP at  </ApplicationOverride>

Sample attribute-map.xml Configuration (for samltest.id)

In order to use the above example for https://samltest.id/, you may also need to modify your attribute-map.xml to support their attributes. Again, a more complete example is in our "dspace-shibboleth" Docker configurations at https://github.com/DSpace/DSpace/blob/main/dspace/src/main/docker/dspace-shibboleth/attribute-map.xml

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Custom Attributes specific to samltest.id -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="https://samltest.id/attributes/ --role" id="role"/>
  
    ...


      <!-- andIn isaddition cachedto inthe aattribute localmapping, fileDSpace named "samltest-metadata.xml". -->
     expects the following Shibboleth Headers to be set:
       <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider - SHIB->NETID
           - SHIB-MAIL
 <MetadataProvider type="XML" uri="https://samltest.id/saml/idp"
        - SHIB-GIVENNAME
           - SHIB-SURNAME
     backingFilePath="samltest-metadata.xml" reloadInterval="180000"/>
   These are set by  </ApplicationOverride>

Sample attribute-map.xml Configuration (for samltest.id)

In order to use the above example for https://samltest.id/, you may also need to modify your attribute-map.xml to support their attributes. Again, a more complete example is in our "dspace-shibboleth" Docker configurations at https://github.com/DSpace/DSpace/blob/main/dspace/src/main/docker/dspace-shibboleth/attribute-map.xml

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Custom Attributes specific to samltest.id --mapping the respective IdP attribute (left hand side) to the header attribute (right hand side).
    -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="SHIB-NETID"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1mace:dir:attribute-def:uid" id="uidSHIB-NETID"/>
    
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mailSHIB-MAIL"/>
    <Attribute name="urn:oid:2.5.4.4:mace:dir:attribute-def:mail" id="snSHIB-MAIL"/>
    
    <Attribute name="urn:oid:2.165.840.1.113730.3.1.2414.42" id="displayNameSHIB-GIVENNAME"/>
    <Attribute name="urn:oid:2.5.4.20:mace:dir:attribute-def:givenName" id="telephoneNumberSHIB-GIVENNAME"/>
    
    <Attribute name="urn:oid:2.5.4.424" id="givenNameSHIB-SURNAME"/>
    <Attribute name="https://samltest.id/attributes/roleurn:mace:dir:attribute-def:sn" id="role"SHIB-SURNAME"/>
  
    ...

</Attributes>

DSpace Shibboleth Configuration Options

...

If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their netted NetID so all future authentications for this user will be based upon nettedNetID. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account all ready already has a NetID set and then they try and authenticate with a different NetID the authentication will fail.

...

...

authentication-shibboleth.eperson.metadata = \
 SHIB-telephone => phone, \
 SHIB-cn => cn

authentication-shibboleth.role.faculty = Faculty, Member
authentication-shibboleth.role.staff = Staff, Member
authentication-shibboleth.role.student = Students, Member.student = Students, Member

LDAP Authentication

Introduction to LDAP specific terminology

...

ORCID Authentication

Enabling ORCID Authentication

To enable ORCID Authentication, see the documentation for enabling the ORCID Integration.  You do not need to enable ORCID synchronization, but you currently must enable Researcher Profiles and Configurable Entities.

IP Authentication

Enabling IP Authentication

...