[ENG-10178] Add Washington State Univ (wsu) with SSO to OSF4I #102
felliott wants to merge 7 commits into CenterForOpenScience:develop from
Conversation
| <!-- Washington State University --> | ||
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="login"/> <!-- eppn? --> | ||
| <!-- ldapiness ensues... --> | ||
| <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/> | ||
| <Attribute name="urn:oid:2.5.4.42" id="firstName"/> | ||
| <Attribute name="urn:oid:2.5.4.4" id="lastName"/> | ||
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> |
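Review bot: the `<!-- eppn? -->` comment on the `urn:oid:1.3.6.1.4.1.5923.1.1.1.6` line leaves the identifier mapping unconfirmed, and this is the attribute that becomes the `login` identity for every WSU user. Confirm with the IdP which attribute it actually releases and replace the question with a definite comment (or drop the block if the shared map already defines this OID), so the mapping does not ship with an open question on the one attribute that must be right.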
As discussed, all of these attributes are already defined in the map, so we no longer need to redefine them.
Future improvements: we definitely need a place, either in the configuration or in a spreadsheet, keeping track of which attributes each institution uses.
| <Attribute name="urn:oid:2.5.4.42" id="firstName"/> | ||
| <Attribute name="urn:oid:2.5.4.4" id="lastName"/> | ||
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> | ||
| <Attribute name="urn:oid:2.5.4.11" id="department"/> |
As discussed, move this to where we map departments for institutions and put a comment.
<!-- Washington State University (WSU) -->
<Attribute name="urn:oid:2.5.4.11" id="department"/>
etc/cas/config/instn-authn-prod.xsl
Outdated
| <familyName><xsl:value-of select="//attribute[@name='lastName']/@value"/></familyName> | ||
| <givenName><xsl:value-of select="//attribute[@name='firstName']/@value"/></givenName> |
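Review bot: the selectors `//attribute[@name='lastName']` and `//attribute[@name='firstName']` are exact, case-sensitive string matches. If the names CAS exposes differ in case or spelling from these, `xsl:value-of` silently yields an empty string rather than an error, so `familyName` and `givenName` would be blank without anything failing. The names here must match exactly what CAS delivers, and a test login should verify both elements are populated before this is merged.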
As discussed, the attribute name in the Shibboleth mapping should be sN for last name and givenName for first name. However, because CAS turns the headers (what Shibboleth sends to CAS after a successful SAML authentication) into lower case, it has to be sn and givenname here.
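An added example, not code from this PR or from CAS/Shibboleth, illustrating the point in the comment above: the XSL selectors are exact-case matches, and CAS lower-cases the header names it receives from Shibboleth before exposing them, so the names used in the XSL must be the lower-cased attribute-map ids (`sn`, `givenname`), not `sN`/`givenName` or `lastName`/`firstName`. The header values, the lower-casing step and the `<attribute name value>` element layout are constructed here to model the behaviour the comment describes; `SHIB_HEADERS` and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what the Shibboleth SP releases to CAS as headers,
# keyed by the attribute-map ids (mixed case, as written in attribute-map.xml).
# Values are made up; 'sN' / 'givenName' are the ids the review says to use.
SHIB_HEADERS = {
    "sN": "Cougar",
    "givenName": "Butch",
    "mail": "butch@example.edu",
}


def cas_attribute_document(headers):
    """Model of the CAS step described in the review: header names are
    lower-cased and exposed to the XSL as <attribute name="..." value="..."/>
    elements under a root element.  Constructed model, not CAS's own code."""
    root = ET.Element("attributes")
    for name, value in headers.items():
        ET.SubElement(root, "attribute", name=name.lower(), value=value)
    return root


def select_value(root, attr_name):
    """The XSL selector //attribute[@name='X']/@value as an ElementTree query.
    ElementTree supports the [@name='X'] predicate; '//' becomes './/'.
    attr_name is a configuration constant here, never user input, because it
    is interpolated into the query string."""
    node = root.find(f".//attribute[@name='{attr_name}']")
    return node.get("value") if node is not None else ""


def map_to_cas_principal(root):
    """Equivalent of the familyName/givenName part of instn-authn-prod.xsl,
    using the lower-cased names CAS actually delivers."""
    return {
        "familyName": select_value(root, "sn"),
        "givenName": select_value(root, "givenname"),
    }


if __name__ == "__main__":
    doc = cas_attribute_document(SHIB_HEADERS)
    print(map_to_cas_principal(doc))
    # Mixed-case or renamed selectors silently match nothing after lower-casing.
    for name in ("sN", "givenName", "lastName", "firstName"):
        print(f"{name!r} -> {select_value(doc, name)!r}")
```

The failure mode worth noticing is that a mismatched name does not raise; it yields an empty string, which is why a post-merge test login that checks the populated `familyName`/`givenName` is the only reliable confirmation.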
etc/cas/config/instn-authn-prod.xsl
Outdated
| <familyName><xsl:value-of select="//attribute[@name='lastName']/@value"/></familyName> | ||
| <givenName><xsl:value-of select="//attribute[@name='firstName']/@value"/></givenName> | ||
| <middleNames/> | ||
| <departmentRaw><xsl:value-of select="//attribute[@name='department']/@value"/></departmentRaw> |
As discussed, let's move <departmentRaw> after <suffix/>.
In addition, we need to add <eduPerson>false</eduPerson> after <departmentRaw> so that CAS will take the value as it is instead of trying to parse the department name from the raw value.
etc/cas/config/shibboleth2-prod.xml
Outdated
| <MetadataProvider type="XML" | ||
| uri="https://login.wsu.edu/app/exk196cuygihbtIwD2p8/sso/saml/metadata" | ||
| backingFilePath="wsu-prod-idp-metadata.xml" | ||
| reloadInterval="180000" /> |
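Review bot: the `<MetadataProvider>` for `uri="https://login.wsu.edu/app/exk196cuygihbtIwD2p8/sso/saml/metadata"` is self-closing, so no `<MetadataFilter>` is applied to the fetched metadata; trust in the IdP's signing keys rests entirely on the TLS connection to login.wsu.edu and on whatever is cached in `wsu-prod-idp-metadata.xml`. Consider adding a `<MetadataFilter type="RequireValidUntil" .../>` (and a `Signature` filter if the IdP publishes signed metadata) as the other providers in this file do, and bring `reloadInterval="180000"` (50 hours) down to `86400` to match the one-day refresh recommendation.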
One thing I missed: one day is the recommended refresh interval from InCommon. Although they are Okta, the same refresh best practice still applies. For now let's only apply this to new institutions. We will have a separate ticket updating existing ones.
reloadInterval="86400" />
| <Attribute name="urn:oid:1.3.6.1.4.1.14519.1.1" id="institutionalidentity"/> | ||
|
|
||
| <!-- Washington State University --> | ||
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="login"/> <!-- eppn? --> |
No longer relevant since we are going to remove this. Still want to point out that the identity attribute usually has the default id="eppn".
In this case urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is the attribute for eduPersonPrincipalName (i.e. eppn). See: https://wiki.refeds.org/display/STAN/eduPerson+%28202208%29+v4.4.0#eduPerson(202208)v4.4.0-eduPersonPrincipalName
Ticket
ENG-10178
Purpose
Add Okta-based Washington State Univ (wsu) with SSO to OSF4I
Changes
See diff
Dev Notes
N/A
QA Notes
N/A
Dev-Ops Notes
See ticket