Posted to user@vcl.apache.org by Michael Jinks <mj...@uchicago.edu> on 2012/09/06 23:27:11 UTC

Shib-seeded groups?

I think I've seen a document, that I can't find now, describing a way to
back VCL user groups with Shibboleth.  Am I making that up?  Can someone
point me in the right direction?

Won't do us much good until we can get Shib accounts working generally,
but if there's coordination we'll need to do with our IdM group, I'd
like to get the ball rolling.

Thanks.

-- 
Michael Jinks :: mjinks@uchicago.edu
University of Chicago IT Services

Re: Shib-seeded groups?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,

I'm not sure about actual documentation, but there are definitely at least two different ways to do this that I am aware of. And they should both work with 2.2.1

The first technique requires no modification to the VCL code but potentially more work with your Shibboleth IdM group.

Basically any user who logs in via Shibboleth and who has the 'affiliation' attribute defined (this is different than the VCL notion of affiliation) will be added to the corresponding group(s). For instance, if, when a user logs in, $_SERVER['affiliation'] is set as "staff", then the user will be added to the "shib-staff@MYAFFILIATION" group. If the attribute is multi-valued: "staff;researcher;visitingfaculty", then the user will be put into the following groups: "shib-staff", "shib-researcher" and "shib-visitingfaculty". This will require coordination with your IdM group.

You can then add each of these user groups to the relevant location(s) in the privilege tree, granting each group the privileges that you think most appropriate.

The second approach (this is the approach I used with 2.2.1) is to make a single modification in the VCL code.

If you look at the file in .ht-inc/authmethods/shibauth.php, in the updateShibGroups() function, you will see some lines between 181 and 187 that are commented out. They provide an example for how to do this. Though, in my code, the only line I added to handle all of this was the following:

  array_push($newusergroups, getUserGroupID('All users', $affilid));

If you inserted this immediately after the commented section of code, you would be all set.

Of course, this method adds all users to a single group, while the first method adds users to different groups, depending on their Shib attributes. There are pros and cons either way.

And like with the first method, you will need to add the group (whether you call it "All users" or not) to the privilege tree. For that, I made an All Users node and then added the "All Users" user group to that node with the appropriate permissions.

For both methods, I should also note that you will need to add both a computer group and an image group to the appropriate node in the privilege tree. There is some documentation on this in a few different places, but these pages might help:

  https://cwiki.apache.org/confluence/display/VCL/Example+-+Granting+Two+Sets+of+Users+Access+to+Two+Different+Sets+of+Images

  https://cwiki.apache.org/confluence/display/VCL/Granting+Access+to+a+New+Image

Hope that helps,
Aaron
On Sep 6, 2012, at 5:27 PM, Michael Jinks <mj...@uchicago.edu> wrote:

> I think I've seen a document, that I can't find now, describing a way to
> back VCL user groups with Shibboleth.  Am I making that up?  Can someone
> point me in the right direction?
> 
> Won't do us much good until we can get Shib accounts working generally,
> but if there's coordination we'll need to do with our IdM group, I'd
> like to get the ball rolling.
> 
> Thanks.
> 
> -- 
> Michael Jinks :: mjinks@uchicago.edu
> University of Chicago IT Services
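The attribute-to-group mapping that Aaron's first approach relies on, written out as an added example (this is not VCL's own code from shibauth.php, and the helper name and the character check on attribute values are my assumptions):

```php
<?php
// Added example, not VCL's own code: derive the user-group names that the
// first approach above produces from the Shibboleth 'affiliation' attribute.
// shibAffiliationGroups() and its validation rule are assumptions, not VCL API.

/**
 * Split a multi-valued Shibboleth attribute ("staff;researcher;visitingfaculty")
 * into VCL user-group names of the form "shib-<value>@<VCL affiliation>".
 *
 * Values that are empty, or that contain anything other than letters, digits,
 * '-' and '_', are dropped instead of becoming group names, so a malformed or
 * unexpected attribute value released by the IdP cannot create an oddly named
 * group in the privilege tree.
 *
 * @param string $attribute   raw value of $_SERVER['affiliation'] at login
 * @param string $affiliation VCL affiliation name, e.g. "MYAFFILIATION"
 * @return string[]           unique group names, in attribute order
 */
function shibAffiliationGroups($attribute, $affiliation) {
    $groups = array();
    foreach (explode(';', $attribute) as $value) {
        $value = trim($value);
        if ($value === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
            continue; // skip empty or suspicious values
        }
        $name = "shib-$value@$affiliation";
        if (!in_array($name, $groups, true)) {
            $groups[] = $name; // ignore repeated values
        }
    }
    return $groups;
}

// Constructed sample standing in for $_SERVER['affiliation']: includes
// surrounding whitespace, an empty value, a duplicate, and a value with a space.
$sample = "staff;researcher; visitingfaculty;;staff;bad value";
print_r(shibAffiliationGroups($sample, 'MYAFFILIATION'));
```

Each name this returns still has to exist as a user group and be attached to a node in the privilege tree, exactly as the reply describes; the helper only decides which names a login should map to.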