philip.webs...@sheffield.ac.uk wrote on 2020-10-06 17:44:51:

> Hi,
>
> I'm trying to set up the Aspace-Oauth plugin on ArchivesSpace 2.8.0 to
> enable SAML logins via our institutional IDP. So far, I've managed to get
> the plugin linked to our dev IDP and configured to download the SAML
> metadata. Our IT department has requested that all security assertions are
> at least signed, and preferably encrypted.
>
> I've also generated a private key and certificate using the commands listed
> in the README.md file in the github repo
> (https://github.com/lyrasis/aspace-oauth).
>
> openssl genrsa -out rsaprivkey.pem 2048
>
> openssl req -new -x509 -key rsaprivkey.pem -out rsacert.pem

You can reuse the web server certificate if you already have one.

> The documentation is quite sparse, and doesn't really explain what to do
> next. The config sample given in the README.md has the following parameters
> defined in the example:
>
> # OPTIONAL: for encrypted assertions
>
> :certificate => "PUBLIC CERT",
>
> :private_key => "PRIVATE KEY",
>
> What are the expected values for "PUBLIC CERT" and "PRIVATE KEY"? Should
> these be the paths of the rsaprivkey.pem and rsacert.pem files, or am I
> expected to paste the ASCII contents of the .pem files straight into the
> config file?

Both ArchivesSpace and OmniAuth documentation are very sparse, but OmniAuth's own Ruby tests suggest that you need to paste the contents.

> Once this is set up, I also have to define the name identifier format. The
> default setting in the config is
> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", and further down
> there is
> email: ["urn:oid:0.9.2342.19200300.100.1.3"]. I do want to populate the
> email field in the user records in ArchivesSpace's database, but at my
> institution we prefer to use eduPersonPrincipalName
> (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) as an identifier instead of email
> address.
>
> Hopefully, ArchivesSpace Oauth will support this, and I assume I can just
> substitute "eduPersonPrincipalName" in place of "emailAddress" in the config
> file.

Yes, this should work with any unique attribute.

> The README.md file also refers to some 'project documentation', but I
> haven't been able to find this anywhere on the community documentation. Is
> there any other documentation other than the README, and if so, where is it?
>
> Once this is all set up, I'll have to send some metadata to our IT
> department. I'm hoping that there is an endpoint somewhere that I can point
> a browser at and get the generated metadata for the service, so I can just
> pass that on. Again, it's not clear if such a thing exists - or how I'd go
> about accessing it.

OmniAuth docs at https://github.com/omniauth/omniauth-saml/blob/master/README.md#sp-metadata suggest the URL will be /auth/saml/metadata on your server.

I am really looking forward to hearing how this worked out; adding SAML authentication is something I'm trying to schedule for one of my next sprints.

p

_______________________________________________
Archivesspace_Users_Group mailing list
Archivesspace_Users_Group@lyralists.lyrasis.org
http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group
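Added example (not from the thread, the plugin or omniauth-saml itself): Ruby that reads the PEM contents the reply says belong in :certificate / :private_key, checks that the certificate really matches the private key before any metadata is handed to IT, and assembles the omniauth-saml options with assertions required to be signed and encrypted. The sp_base_url, the assumption that this hash is the plugin's `config:` section, and the self-signed pair generator (a stand-in for the two openssl commands) are assumptions.

```ruby
require 'openssl'
require 'tmpdir'

# omniauth-saml expects the PEM text itself in :certificate and :private_key,
# not a path: read the files the openssl commands produced and reject non-PEM.
def load_pem(path)
  pem = File.read(path)
  raise ArgumentError, "#{path} does not contain PEM text" unless pem.include?('-----BEGIN ')
  pem
end

# Both values parse, and the certificate was really issued for this private key.
def cert_matches_key?(cert_pem, key_pem)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(OpenSSL::PKey::RSA.new(key_pem))
end

# omniauth-saml option hash (assumed to be the plugin's `config:` section). The
# :security flags ask for signed and encrypted assertions, as IT requested.
def saml_options(cert_pem, key_pem, sp_base_url,
                 name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')
  raise ArgumentError, 'certificate does not match private key' unless cert_matches_key?(cert_pem, key_pem)
  {
    issuer: "#{sp_base_url}/auth/saml/metadata", # also the SP metadata URL to pass on to IT
    assertion_consumer_service_url: "#{sp_base_url}/auth/saml/callback",
    certificate: cert_pem,
    private_key: key_pem,
    name_identifier_format: name_identifier_format,
    attribute_statements: { email: ['urn:oid:0.9.2342.19200300.100.1.3'] },
    security: { want_assertions_signed: true, want_assertions_encrypted: true,
                authn_requests_signed: true, metadata_signed: true }
  }
end

# Constructed stand-in for `openssl genrsa` / `openssl req -new -x509` so the
# example runs offline; in production use the files those commands wrote.
def write_self_signed_pair(dir, cn = 'archivesspace.example.org')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert_path, key_path = File.join(dir, 'rsacert.pem'), File.join(dir, 'rsaprivkey.pem')
  File.write(cert_path, cert.to_pem)
  File.write(key_path, key.to_pem)
  [cert_path, key_path]
end
```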