Michael,
I'm not sure about actual documentation, but there are definitely at least two
different ways to do this that I am aware of. And they should both work with
2.2.1.
The first technique requires no modification to the VCL code but potentially
more work with your Shibboleth IdM group.
Basically any user who logs in via Shibboleth and who has the 'affiliation'
attribute defined (this is different than the VCL notion of affiliation) will
be added to the corresponding group(s). For instance, if, when a user logs in,
$_SERVER['affiliation'] is set as "staff", then the user will be added to the
"shib-staff@MYAFFILIATION" group. If the attribute is multi-valued:
"staff;researcher;visitingfaculty", then the user will be put into the
following groups: "shib-staff", "shib-researcher" and "shib-visitingfaculty".
This will require coordination with your IdM group.
You can then add each of these user groups to the relevant location(s) in the
privilege tree, granting each group the privileges that you think most
appropriate.
The second approach (this is the approach I used with 2.2.1) is to make a
single modification in the VCL code.
If you look at the file in .ht-inc/authmethods/shibauth.php, in the
updateShibGroups() function, you will see some lines between 181 and 187 that
are commented out. They provide an example for how to do this. Though, in my
code, the only line I added to handle all of this was the following:
array_push($newusergroups, getUserGroupID('All users', $affilid));
If you inserted this immediately after the commented section of code, you would
be all set.
Of course, this method adds all users to a single group, while the first method
adds users to different groups, depending on their Shib attributes. There are
pros and cons either way.
And like with the first method, you will need to add the group (whether you
call it "All users" or not) to the privilege tree. For that, I made an All
Users node and then added the "All Users" user group to that node with the
appropriate permissions.
For both methods, I should also note that you will need to add both a computer
group and an image group to the appropriate node in the privilege tree. There
is some documentation on this in a few different places, but these pages might
help:
https://cwiki.apache.org/confluence/display/VCL/Example+-+Granting+Two+Sets+of+Users+Access+to+Two+Different+Sets+of+Images
https://cwiki.apache.org/confluence/display/VCL/Granting+Access+to+a+New+Image
Hope that helps,
Aaron
On Sep 6, 2012, at 5:27 PM, Michael Jinks <[email protected]> wrote:
> I think I've seen a document, that I can't find now, describing a way to
> back VCL user groups with Shibboleth. Am I making that up? Can someone
> point me in the right direction?
>
> Won't do us much good until we can get Shib accounts working generally,
> but if there's coordination we'll need to do with our IdM group, I'd
> like to get the ball rolling.
>
> Thanks.
>
> --
> Michael Jinks :: [email protected]
> University of Chicago IT Services
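As an added illustration of the attribute-to-group mapping Aaron describes (this is example code, not VCL's own shibauth.php), the snippet below models how a multi-valued Shibboleth 'affiliation' value such as "staff;researcher;visitingfaculty" becomes the group names "shib-staff", "shib-researcher" and "shib-visitingfaculty", and shows where the single "All users" line from the second approach would sit. The helper name shibAffiliationToGroupNames(), the ';' separator, the character whitelist, and the sample attribute value are assumptions made for the example; getUserGroupID(), $newusergroups and $affilid are taken from the message's description of updateShibGroups().

```php
<?php
// Added example, not VCL code. It models the mapping from the Shibboleth
// 'affiliation' attribute (as exposed in $_SERVER['affiliation']) to VCL
// user group names. Assumptions: values are ';'-separated, and the
// getUserGroupID()/$newusergroups/$affilid names match shibauth.php.

/**
 * Split a (possibly multi-valued) affiliation string into "shib-<value>"
 * group names. Whitespace is trimmed, empty values are dropped, duplicates
 * are collapsed, and values outside a conservative character set are
 * skipped so an unexpected IdP value cannot yield an odd group name.
 * (The whitelist is this example's choice, not VCL behaviour.)
 */
function shibAffiliationToGroupNames(string $affiliation): array
{
    $groups = [];
    foreach (explode(';', $affiliation) as $value) {
        $value = trim($value);
        if ($value === '') {
            continue;
        }
        if (!preg_match('/^[A-Za-z0-9_.-]+$/', $value)) {
            continue;
        }
        $groups['shib-' . $value] = true;
    }
    return array_keys($groups);
}

// --- illustration with a constructed attribute value ---
$_SERVER['affiliation'] = 'staff;researcher;visitingfaculty';
$names = shibAffiliationToGroupNames($_SERVER['affiliation']);
// $names now holds: shib-staff, shib-researcher, shib-visitingfaculty
foreach ($names as $name) {
    echo $name, PHP_EOL;
}

// Where this would go in updateShibGroups() (hypothetical placement, after
// the commented-out block Aaron mentions). First approach: one group per
// attribute value, each resolved against the user's affiliation id:
//
//   foreach (shibAffiliationToGroupNames($_SERVER['affiliation']) as $name) {
//       array_push($newusergroups, getUserGroupID($name, $affilid));
//   }
//
// Second approach from the message: every Shibboleth user into one group:
//
//   array_push($newusergroups, getUserGroupID('All users', $affilid));
```

Whichever approach is used, the group names that end up in $newusergroups are derived directly from what the IdP asserts, which is why the coordination with the IdM group matters: the set of affiliation values they release is effectively the set of groups, and each of those groups still has to be placed in the privilege tree with only the permissions it should have.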