From df6603fe208f03685554650a0782b7400ca034ee Mon Sep 17 00:00:00 2001 From: Longze Chen Date: Wed, 2 Nov 2022 03:20:04 -0400 Subject: [PATCH 1/6] Add/Update Institution SSO Guide * Add institution SSO guide (an as-is port from old-cas) * Bring institution SSO guide up-to-date --- README_INSTITUTION_SSO_INTEGRATION_GUIDE.md | 81 +++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 README_INSTITUTION_SSO_INTEGRATION_GUIDE.md diff --git a/README_INSTITUTION_SSO_INTEGRATION_GUIDE.md b/README_INSTITUTION_SSO_INTEGRATION_GUIDE.md new file mode 100644 index 0000000..be2a759 --- /dev/null +++ b/README_INSTITUTION_SSO_INTEGRATION_GUIDE.md 
@@ -0,0 +1,81 @@ +# Connecting to the Open Science Framework (OSF) via our Shibboleth/SAML Service Provider + +This article provides general information about the COS's Shibboleth/SAML SSO integration for organizations who have signed the *OSF for Institutions Offer of Services* letter. + +## What is Single Sign-On? + +In general, Single Sign-On, or SSO, allows users authenticated with one trusted system (e.g. university network) to also authenticate using those same “home” credentials with another trusted network (e.g. OSF). In the case of the second authentication, users are not asked to log in again, but instead the authenticated credentials are shared between systems. + +## Who can use Single Sign-On with OSF? + +Organizations that have implemented a SAML 2.0 Identity Provider (IdP) and signed the *OSF for Institutions Offer of Services* are eligible to use this feature. + +### A few notes: + +* Current OSF users who have already set up accounts with a different login, will be able to retain those credentials and choose to login with personal or institutional credentials. + +* Users’ authentication to the OSF service using SSO cannot also use the “forgot Password” link on the OSF website to remind them of their credentials, as their user credentials are specific to and managed by their organization. + +* OSF also provides extra features such as Shared SSO, Selective SSO and Institutional Dashboard, which all require extra configurations. This guide does not include technical guide for them since they are institution and/or SSO specific. + +## Technical Implementation + +### Institutions registered with the InCommon Federation + +The InCommon Federation provides secure single sign-on access to cloud and local services, and global collaboration tools. COS is a [Research & Scholarship Entity Category (R&S)](https://refeds.org/category/research-and-scholarship) Service Provider (SP) registered with the [InCommon Federation](https://www.incommon.org/federation/). 
+ +> * SP Entity ID: `https://accounts.osf.io/shibboleth` +> * Required Attributes: +> * `eduPersonPrincipalName` for user's institutional identity +> * `mail` for user's email +> * `displayName` for user's full name (or a pair of `givenName` **AND** `sn` for user's first and last name) + +* Note that only COS's production SP server is registered with the InCommon Federation. Both IdP and SP being registered with InCommon makes it no longer necessary to configure a test server before going production. If you need to connect to COS's test SP server, follow the notes mentioned in **Other Institutions** below. + + +### Institutions registered with eduGAIN Participants + +[eduGAIN](https://edugain.org/) is a global service that provides an efficient, flexible way for participating federations, and their affiliated users and services, to interconnect. The InCommon Federation is the U.S. participant. If your institution is registered with your local participant, you can use the above guide. Note that you may need to enable **interfederation** if it is an option and if it is disabled by default. Learn more about eduGAIN from [what is eduGAIN](https://edugain.org/about-edugain/what-is-edugain/), [key concepts](https://edugain.org/about-edugain/key-concepts/), [participants](https://technical.edugain.org/status) and [usage guide](https://edugain.org/participants/how-to-use-edugain/); learn more about interfederation from [InCommon's perspective](https://spaces.at.internet2.edu/display/federation/Interfederation+and+eduGAIN). + +### Other Institutions + +For institutions that are not registered with any participant of eduGAIN, COS offers a [SAML 2.0](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) Service Provider (SP) using [Shibboleth 2.0](https://wiki.shibboleth.net/confluence/display/SHIB2/Home). Follow the following guide to manually configure your IdP server. 
+ +* Ensure that your IT administrators have loaded COS's SP metadata into your IdP. + * Production: https://accounts.osf.io/Shibboleth.sso/Metadata + * Entity ID: `https://accounts.osf.io/shibboleth` + + * Test and/or staging: https://accounts.test.osf.io/Shibboleth.sso/Metadata + * Entity ID: `https://accounts.test.osf.io/shibboleth` + +* Ensure that your IT administrators are releasing the three required pieces of information listed below. Inform COS of the attribute name you use for each of them. + * Required Attribute + * Unique identifier for the user + * User's institutional email + * Either of the follwoing two + * User's full name + * User's first **AND** last name + * Attribute name and format + * We strongly recommend using URNs that are already configured and mapped in our SP server. Athough we support many format, `eduPerson`(https://wiki.refeds.org/display/STAN/eduPerson) is the preferred one. Here are the URNs for aformentioned required attributes. + * For identity, there are two options, please let us know which one you choose. + * `urn:oid:1.3.6.1.4.1.5923.1.1.1.6`: this is the `eppn` which needs to be scoped with the default delimiter `@`. + * This attribute looks like an email; it may or may not be an actual email; but it **SHOULD NOT** be used for the email attribute. + * `urn:oid:0.9.2342.19200300.100.1.1`: this is the `uid` which doesn't need to be scoped + * For the email, use `urn:oid:0.9.2342.19200300.100.1.3`, which is the `mail` + * For the full name, use `urn:oid:2.16.840.1.113730.3.1.241`, which is the `displayName` + * For the first name, use `urn:oid:2.5.4.42`, which is the `givenName` + * For the last name, use `urn:oid:2.5.4.4`, which is the `sn` + +* Provide COS with the metadata URL for your IdP server. + +* Provide COS with the entiry ID for your IdP server, which should be the same as the one defined in your metadata. 
+ +* It is recommended that a temporary institution test account is created for COS engineers if possible, which will significantly aid and accelerate the process. + +### For All Institutions + +Inform COS of the user you would like to test with; your COS contact will ensure your account is ready to go and will send you a link to test the SSO configuration setup for your institution. + +## Alternative SSO Options + +COS strongly recommends using SAML SSO when connecting to the OSF. However, if this is not available at your institution, inform COS of alternative SSO options you have. From e3014283b2d9a8eff30a0773fa2d20ab0f8635b0 Mon Sep 17 00:00:00 2001 From: Longze Chen Date: Tue, 8 Nov 2022 16:56:05 -0500 Subject: [PATCH 2/6] Sync prod and test instn-authn.xsl between repo and helm charts --- etc/cas/config/instn-authn-prod.xsl | 153 +++++++++++++++++++++++++--- etc/cas/config/instn-authn-test.xsl | 152 +++++++++++++++++++++++++-- 2 files changed, 286 insertions(+), 19 deletions(-) diff --git a/etc/cas/config/instn-authn-prod.xsl b/etc/cas/config/instn-authn-prod.xsl index 0fe3aa6..6a6cb55 100644 --- a/etc/cas/config/instn-authn-prod.xsl +++ b/etc/cas/config/instn-authn-prod.xsl @@ -5,7 +5,6 @@ - @@ -13,6 +12,18 @@ + + + albion + + + + + + + + + asu @@ -85,6 +96,8 @@ + + false @@ -135,6 +148,18 @@ + + + eur + + + + + + + + + ferris @@ -157,6 +182,21 @@ + + + + + + gatech + + + + + + + + + false @@ -183,6 +223,18 @@ + + + harvard + + + + + + + + + iit @@ -267,6 +319,18 @@ + + + nesta + + + + + + + + + nyu @@ -294,6 +358,20 @@ pu + + + + + + + + + false + + + + + purdue @@ -424,7 +502,7 @@ - + uc @@ -485,6 +563,32 @@ + + + uom + + + true + + + + + + + + + + + umb + + + + + + + + + umd @@ -521,6 +625,18 @@ + + + uol + + + + + + + + + usc @@ -533,14 +649,14 @@ - - + + sc - - + + @@ -619,6 +735,20 @@ + + + vua + + + + + + + + + false + + wustl @@ -646,11 +776,11 @@ cord - + - - + + @@ -660,9 +790,8 @@ - - - + + 
diff --git a/etc/cas/config/instn-authn-test.xsl b/etc/cas/config/instn-authn-test.xsl index b3c847c..a6f7f70 100644 --- a/etc/cas/config/instn-authn-test.xsl +++ b/etc/cas/config/instn-authn-test.xsl @@ -5,7 +5,6 @@ - @@ -13,6 +12,18 @@ + + + albion + + + + + + + + + brown @@ -61,6 +72,8 @@ + + false @@ -99,6 +112,18 @@ + + + eur + + + + + + + + + ferristest @@ -111,7 +136,6 @@ - ferris @@ -124,7 +148,6 @@ - fsu @@ -135,6 +158,21 @@ + + + + + + gatech + + + + + + + + + false @@ -149,6 +187,18 @@ + + + harvard + + + + + + + + + iit @@ -221,6 +271,18 @@ + + + nesta + + + + + + + + + nyu @@ -257,6 +319,18 @@ + + + purdue + + + + + + + + + ua @@ -403,6 +477,44 @@ + + + umb + + + + + + + + + + + + uol + + + + + + + + + + + + uom + + + + + + + + true + + + usc @@ -415,6 +527,18 @@ + + + sc + + + + + + + + + utdallas @@ -475,6 +599,20 @@ + + + vua + + + + + + + + + false + + Error: Unknown Identity Provider '' @@ -490,11 +628,11 @@ cord - + - - + + @@ -503,7 +641,7 @@ - + From c4d368454c5fc4b25654a3fc75f5672721da1abf Mon Sep 17 00:00:00 2001 From: Longze Chen Date: Tue, 8 Nov 2022 17:00:59 -0500 Subject: [PATCH 3/6] Fix local OSFI CAS SSO: rename fakecas to osftype0 --- README.md | 4 ++-- etc/cas/config/local/cas-local.properties | 2 +- etc/cas/services/local/casarxiv-203948234207239.json | 2 +- etc/cas/services/local/osf-203948234207230.json | 2 +- etc/cas/services/local/preprints-203948234207240.json | 2 +- etc/cas/services/local/registries-203948234207340.json | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index e2f26e2..f6f514b 100644 --- a/README.md +++ b/README.md 
@@ -123,7 +123,7 @@ Details coming soon ... Details coming soon ... -#### `fakeCAS` Login (Local Development Only) +#### `fakeCAS` Login for institution `osftype0` (Local Development Only) With OSF CAS running locally as the authentication server for OSF, the previously disabled `fakeCAS` can be re-configured to serve as an identity provider. Simply update `fakecas` in OSF's [docker-compose.yaml](https://github.com/CenterForOpenScience/osf.io/blob/dc87c86b2afb7ad4e801b23c6428e3d2169e3e36/docker-compose.yml#L235-L247) to listen on port `8081`. @@ -147,7 +147,7 @@ Related `cas.propeties` settings can be found [here](https://github.com/CenterFo cas.authn.osf-postgres.institution-clients[2]=${cas.authn.pac4j.cas[2].client-name} cas.authn.pac4j.cas[2].login-url=http://192.168.168.167:8081/login -cas.authn.pac4j.cas[2].client-name=fakecas +cas.authn.pac4j.cas[2].client-name=osftype0 cas.authn.pac4j.cas[2].protocol=CAS30 cas.authn.pac4j.cas[2].callback-url-type=QUERY_PARAMETER ``` diff --git a/etc/cas/config/local/cas-local.properties b/etc/cas/config/local/cas-local.properties index 64e31ac..1f909d8 100644 --- a/etc/cas/config/local/cas-local.properties +++ b/etc/cas/config/local/cas-local.properties @@ -275,7 +275,7 @@ cas.authn.pac4j.cas[1].protocol=SAML cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER # cas.authn.pac4j.cas[2].login-url=http://192.168.168.167:8081/login -cas.authn.pac4j.cas[2].client-name=fakecas +cas.authn.pac4j.cas[2].client-name=osftype0 cas.authn.pac4j.cas[2].protocol=CAS30 cas.authn.pac4j.cas[2].callback-url-type=QUERY_PARAMETER ######################################################################################################################## diff --git a/etc/cas/services/local/casarxiv-203948234207239.json b/etc/cas/services/local/casarxiv-203948234207239.json index dbbc71a..deaa3a0 100644 --- a/etc/cas/services/local/casarxiv-203948234207239.json +++ b/etc/cas/services/local/casarxiv-203948234207239.json 
@@ -25,7 +25,7 @@ "java.util.ArrayList", [ "cord", - "fakecas", + "osftype0", "okstate", "orcid" ] diff --git a/etc/cas/services/local/osf-203948234207230.json b/etc/cas/services/local/osf-203948234207230.json index 5ba8cf7..4d4ee73 100644 --- a/etc/cas/services/local/osf-203948234207230.json +++ b/etc/cas/services/local/osf-203948234207230.json @@ -25,7 +25,7 @@ "java.util.ArrayList", [ "cord", - "fakecas", + "osftype0", "okstate", "orcid" ] diff --git a/etc/cas/services/local/preprints-203948234207240.json b/etc/cas/services/local/preprints-203948234207240.json index 5928bc2..96e1382 100644 --- a/etc/cas/services/local/preprints-203948234207240.json +++ b/etc/cas/services/local/preprints-203948234207240.json @@ -25,7 +25,7 @@ "java.util.ArrayList", [ "cord", - "fakecas", + "osftype0", "okstate", "orcid" ] diff --git a/etc/cas/services/local/registries-203948234207340.json b/etc/cas/services/local/registries-203948234207340.json index 160d223..ee94238 100644 --- a/etc/cas/services/local/registries-203948234207340.json +++ b/etc/cas/services/local/registries-203948234207340.json @@ -25,7 +25,7 @@ "java.util.ArrayList", [ "cord", - "fakecas", + "osftype0", "okstate", "orcid" ] From d99fc3e22e8f39748b085cbe3267a9f98bfcb83b Mon Sep 17 00:00:00 2001 From: Longze Chen Date: Tue, 8 Nov 2022 17:11:33 -0500 Subject: [PATCH 4/6] Migrate OKState SSO from CAS to SAML --- README.md | 8 +++---- etc/cas/config/cas.properties | 5 ---- etc/cas/config/instn-authn-prod.xsl | 23 ++++++++++--------- etc/cas/config/instn-authn-test.xsl | 23 ++++++++++--------- etc/cas/config/local/cas-local.properties | 11 +++------ .../local/casarxiv-203948234207239.json | 1 - .../services/local/osf-203948234207230.json | 1 - .../local/preprints-203948234207240.json | 1 - .../local/registries-203948234207340.json | 1 - ...alFromNonInteractiveCredentialsAction.java | 2 +- .../templates/casInstitutionLoginView.html | 6 +---- 11 files changed, 33 insertions(+), 49 deletions(-) 
diff --git a/README.md b/README.md index f6f514b..56bb2da 100644 --- a/README.md +++ b/README.md @@ -146,10 +146,10 @@ Related `cas.propeties` settings can be found [here](https://github.com/CenterFo cas.authn.osf-postgres.institution-clients[2]=${cas.authn.pac4j.cas[2].client-name} -cas.authn.pac4j.cas[2].login-url=http://192.168.168.167:8081/login -cas.authn.pac4j.cas[2].client-name=osftype0 -cas.authn.pac4j.cas[2].protocol=CAS30 -cas.authn.pac4j.cas[2].callback-url-type=QUERY_PARAMETER +cas.authn.pac4j.cas[1].login-url=http://192.168.168.167:8081/login +cas.authn.pac4j.cas[1].client-name=osftype0 +cas.authn.pac4j.cas[1].protocol=CAS30 +cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER ``` ### OAuth 2.0 Server diff --git a/etc/cas/config/cas.properties b/etc/cas/config/cas.properties index 34c5696..dae3712 100644 --- a/etc/cas/config/cas.properties +++ b/etc/cas/config/cas.properties @@ -260,11 +260,6 @@ cas.authn.pac4j.cas[0].login-url=${CAS_CORD_LOGIN_URL:https://bprdeis.cord.edu:8 cas.authn.pac4j.cas[0].client-name=cord cas.authn.pac4j.cas[0].protocol=SAML cas.authn.pac4j.cas[0].callback-url-type=QUERY_PARAMETER -# -cas.authn.pac4j.cas[1].login-url=${CAS_OKSTATE_LOGIN_URL:https://stwcas.okstate.edu/cas/login} -cas.authn.pac4j.cas[1].client-name=okstate -cas.authn.pac4j.cas[1].protocol=SAML -cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER ######################################################################################################################## ######################################################################################################################## diff --git a/etc/cas/config/instn-authn-prod.xsl b/etc/cas/config/instn-authn-prod.xsl index 6a6cb55..53eba68 100644 --- a/etc/cas/config/instn-authn-prod.xsl +++ b/etc/cas/config/instn-authn-prod.xsl @@ -343,6 +343,18 @@ + + + okstate + + + + + + + + + ou @@ -783,17 +795,6 @@ - - - okstate - - - - - - - - Error: Unknown Identity Provider '' 
diff --git a/etc/cas/config/instn-authn-test.xsl b/etc/cas/config/instn-authn-test.xsl index a6f7f70..a6c9a93 100644 --- a/etc/cas/config/instn-authn-test.xsl +++ b/etc/cas/config/instn-authn-test.xsl @@ -295,6 +295,18 @@ + + + okstate + + + + + + + + + ou @@ -635,17 +647,6 @@ - - - okstate - - - - - - - - Error: Unknown Identity Provider '' diff --git a/etc/cas/config/local/cas-local.properties b/etc/cas/config/local/cas-local.properties index 1f909d8..c3ed142 100644 --- a/etc/cas/config/local/cas-local.properties +++ b/etc/cas/config/local/cas-local.properties @@ -269,15 +269,10 @@ cas.authn.pac4j.cas[0].client-name=cord cas.authn.pac4j.cas[0].protocol=SAML cas.authn.pac4j.cas[0].callback-url-type=QUERY_PARAMETER # -cas.authn.pac4j.cas[1].login-url=https://stwcas.okstate.edu/cas/login -cas.authn.pac4j.cas[1].client-name=okstate -cas.authn.pac4j.cas[1].protocol=SAML +cas.authn.pac4j.cas[1].login-url=http://192.168.168.167:8081/login +cas.authn.pac4j.cas[1].client-name=osftype0 +cas.authn.pac4j.cas[1].protocol=CAS30 cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER -# -cas.authn.pac4j.cas[2].login-url=http://192.168.168.167:8081/login -cas.authn.pac4j.cas[2].client-name=osftype0 -cas.authn.pac4j.cas[2].protocol=CAS30 -cas.authn.pac4j.cas[2].callback-url-type=QUERY_PARAMETER ######################################################################################################################## ######################################################################################################################## diff --git a/etc/cas/services/local/casarxiv-203948234207239.json b/etc/cas/services/local/casarxiv-203948234207239.json index deaa3a0..cfdebcb 100644 --- a/etc/cas/services/local/casarxiv-203948234207239.json +++ b/etc/cas/services/local/casarxiv-203948234207239.json @@ -26,7 +26,6 @@ [ "cord", "osftype0", - "okstate", "orcid" ] ], 
diff --git a/etc/cas/services/local/osf-203948234207230.json b/etc/cas/services/local/osf-203948234207230.json index 4d4ee73..d14b374 100644 --- a/etc/cas/services/local/osf-203948234207230.json +++ b/etc/cas/services/local/osf-203948234207230.json @@ -26,7 +26,6 @@ [ "cord", "osftype0", - "okstate", "orcid" ] ], diff --git a/etc/cas/services/local/preprints-203948234207240.json b/etc/cas/services/local/preprints-203948234207240.json index 96e1382..f36d602 100644 --- a/etc/cas/services/local/preprints-203948234207240.json +++ b/etc/cas/services/local/preprints-203948234207240.json @@ -26,7 +26,6 @@ [ "cord", "osftype0", - "okstate", "orcid" ] ], diff --git a/etc/cas/services/local/registries-203948234207340.json b/etc/cas/services/local/registries-203948234207340.json index ee94238..deb7ce0 100644 --- a/etc/cas/services/local/registries-203948234207340.json +++ b/etc/cas/services/local/registries-203948234207340.json @@ -26,7 +26,6 @@ [ "cord", "osftype0", - "okstate", "orcid" ] ], diff --git a/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java b/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java index c74ca52..a5b973f 100644 --- a/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java +++ b/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java @@ -106,7 +106,7 @@ * * For 1) only, the success event will trigger authentication with pac4j's authentication handler. * - * 2) In the case of institution pac4j authentication delegation (e.g. OKState and Concordia), if credential with a + * 2) In the case of institution pac4j authentication delegation (e.g. Concordia), if credential with a * matching client is found, extract the client info, principal ID and authentication attributes and store them into * the {@code OsfPostgresCredential#delegationAttributes} object. * 
diff --git a/src/main/resources/templates/casInstitutionLoginView.html b/src/main/resources/templates/casInstitutionLoginView.html index 760d63c..51f4756 100644 --- a/src/main/resources/templates/casInstitutionLoginView.html +++ b/src/main/resources/templates/casInstitutionLoginView.html @@ -91,11 +91,7 @@

submitButton.style.backgroundColor = "#efefef"; return; } - if (institutionLoginUrl === "okstate") { - /**/ - } else if (institutionLoginUrl === "cord") { + if (institutionLoginUrl === "cord") { /**/ From 60de4d9ea4058c1b43d2a7920476c39327053c1b Mon Sep 17 00:00:00 2001 From: Longze Chen Date: Wed, 9 Nov 2022 10:34:27 -0500 Subject: [PATCH 5/6] Use lower case for attribute names due to apache header handling Note: this applies to SAML SSO institutions only and thus affect the switch from CAS to SAML for okstate --- etc/cas/config/instn-authn-prod.xsl | 2 +- etc/cas/config/instn-authn-test.xsl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/cas/config/instn-authn-prod.xsl b/etc/cas/config/instn-authn-prod.xsl index 53eba68..f61f09e 100644 --- a/etc/cas/config/instn-authn-prod.xsl +++ b/etc/cas/config/instn-authn-prod.xsl @@ -350,7 +350,7 @@ - + diff --git a/etc/cas/config/instn-authn-test.xsl b/etc/cas/config/instn-authn-test.xsl index a6c9a93..00c6d37 100644 --- a/etc/cas/config/instn-authn-test.xsl +++ b/etc/cas/config/instn-authn-test.xsl @@ -302,7 +302,7 @@ - + From 44fcb3f70c4ca82a29f8df1f146f413b587cd9f0 Mon Sep 17 00:00:00 2001 From: Longze Chen Date: Wed, 9 Nov 2022 14:37:37 -0500 Subject: [PATCH 6/6] Update change log for release 22.1.0 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 288be47..6bdec0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO. +22.1.0 (11-09-2022) +=================== + +* Added the institution SSO integration guide +* Synchronized the repo copy of institutions-auth.xsl against helm charts +* Updated local configs for fakeCAS IdP with institution osftype0 +* Migrated okstate SSO from CAS to SAML +* Updated readme accordingly + 22.0.7 (10-06-2022) ===================
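Review bot: in the `README_INSTITUTION_SSO_INTEGRATION_GUIDE.md` hunk (patch 1/6), the identity option `urn:oid:0.9.2342.19200300.100.1.1` is described as "the `uid` which doesn't need to be scoped", but the guide should add that an unscoped `uid` is unique only within the issuing IdP, so the SP has to key the user on the IdP entity ID plus `uid`, whereas `eppn` carries its scope after the `@`; without that, two institutions releasing the same `uid` value would collide. The same hunk presents the SP as "Shibboleth 2.0" and links the `SHIB2` wiki; state the SP version actually deployed, since the 2.x line is no longer maintained. Typos to fix in the new file while here: `follwoing`, `Athough we support many format` (should be "Although we support many formats"), `aformentioned`, `entiry ID`, and "Users' authentication to the OSF service using SSO cannot also use the 'forgot Password' link" should read "Users who authenticate to the OSF service using SSO cannot use the 'forgot Password' link".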
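Review bot: the `README.md` hunk at `@@ -146,10` (patch 4/6) renumbers the `osftype0` client from `cas.authn.pac4j.cas[2]` to `cas.authn.pac4j.cas[1]` but leaves the context line `cas.authn.osf-postgres.institution-clients[2]=${cas.authn.pac4j.cas[2].client-name}` untouched, so that placeholder now refers to a property this very hunk deletes. Change it to `${cas.authn.pac4j.cas[1].client-name}` (and renumber `institution-clients[2]` if that index is meant to track the pac4j index). The hunk header's context also carries the pre-existing typo `cas.propeties` for `cas.properties`.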
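Review bot: the `cas-local.properties` hunk at `@@ -269,15` (patch 4/6) removes the `okstate` client and moves `osftype0` into the `cas.authn.pac4j.cas[1]` slot, but the matching `cas.authn.osf-postgres.institution-clients[...]` lines fall outside the hunk; confirm that the `okstate` entry is gone and that the `osftype0` entry references `cas[1]`, because a stale `${cas.authn.pac4j.cas[2].client-name}` placeholder would resolve to nothing and the client would silently drop out of the allowed list. Since the retained block pairs `protocol=CAS30` with a plain `http://192.168.168.167:8081/login` URL, a one-line comment that this is acceptable only for the local `fakeCAS` setup would keep it from being copied into a non-local config.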
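Review bot: the two `instn-authn-*.xsl` hunks at `@@ -350,7` and `@@ -302,7` (patch 5/6) lower-case the `okstate` attribute names with the rationale recorded only in the commit message ("apache header handling"); add an XSL comment beside the changed names explaining that Apache normalizes header names when it hands SAML attributes to CAS, so a later editor does not restore the eduPerson casing and break the mapping for every SAML institution. If attributes do travel as request headers, as the message implies, the guide from patch 1/6 should also record that the front end must strip client-supplied headers with those names before the request reaches CAS.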
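Review bot: the `CHANGELOG.md` hunk (patch 6/6) names the synced file `institutions-auth.xsl`, but patch 2/6 touches `etc/cas/config/instn-authn-prod.xsl` and `etc/cas/config/instn-authn-test.xsl`; use the real paths. The list also omits the patch 5/6 change (attribute names lower-cased for the `okstate` SAML mapping), which is exactly the behavioural detail an operator looks for in release notes; add an entry such as `* Lower-cased okstate SAML attribute names to match Apache header handling`.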