...
- If running DSpace in the ROOT context: http://dspace.example.com/shibboleth-login
- If running DSpace in a differentc context: http://dspace.example.com/xmlui/shibboleth-login (adjust xmlui as appropriate)
Edit dspace.cfg: Set the authentication method:
Code Block |
---|
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication |
Edit the rest of the Shibboleth settings. You will need to ask your Shibboleth administrator for some of these
...
:
Code Block |
---|
#### Shibboleth Authentication Configuration Settings #### # Check https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15/view # for installation detail. # # DSpace requires email as user's credential. There are 2 ways of providing # email to DSpace: # 1) by explicitly specifying to the user which attribute (header) # carries the email address. # 2) by turning on the user-email-using-tomcat=true which means # the software will try to acquire the user's email from Tomcat # The first option takes PRECEDENCE when specified. Both options can # be enabled to allow fallback. # this option below specifies that the email comes from the mentioned header. # The value is CASE-Sensitive. authentication.shib.email-header = MAIL # optional. Specify the header that carries user's first name # this is going to be used for creation of new-user authentication.shib.firstname-header = SHIB-EP-GIVENNAME # optional. Specify the header that carries user's last name # this is used for creation of new user authentication.shib.lastname-header = SHIB-EP-SURNAME # this option below forces the software to acquire the email from Tomcat. authentication.shib.email-use-tomcat-remote-user = true # should we allow new users to be registered automtically # if the IdP provides sufficient info (and user not exists in DSpace) authentication.shib.autoregister = true # these two header here specify which attribute that is responsible # for providing user's roles to DSpace and unscope the attributes if needed. # When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and # ignore-scope is defaulted to 'false'. # The value is specified in AAP.xml (Shib 1.3.x) or # attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive. # The values provided in this header are separated by semi-colon or comma. # If your sp only provides scoped role header, you need to set # authentication.shib.role-header.ignore-Scope as true. # for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation, # you have to make your setting as: # authentication.shib.role-header = Shib-EP-ScopedAffiliation # authentication.shib.role-header.ignore-scope = true # authentication.shib.role-header = Shib-EP-UnscopedAffiliation authentication.shib.role-header.ignore-scope = false # when user is fully authN on IdP but would not like to release # his/her roles to DSpace (for privacy reason?), what should be # the default roles be given to such users? # The values are separated by semi-colon or comma # authentication.shib.default-roles = Staff, Walk-ins # The following mappings specify role mapping between IdP and Dspace. # the left side of the entry is IdP's role (prefixed with # "authentication.shib.role.") which will be mapped to # the right entry from DSpace. DSpace's group as indicated on the # right entry has to EXIST in DSpace, otherwise user will be identified # as 'anonymous'. Multiple values on the right entry should be separated # by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping # will be done when the IdP groups entry are not listed below (i.e. # if "X" group in IdP is not specified here, then it will be mapped # to "X" group in DSpace if it exists, otherwise it will be mapped # to simply 'anonymous') # # Given sufficient demand, future release could support regex for the mapping # special characters need to be escaped by \ authentication.shib.role.Senior\ Researcher = Researcher, Staff authentication.shib.role.Librarian = Administrator |
...