topic Re: Shibboleth CRU account in Nuxeo Forum

Shibboleth CRU account

Jean-Michel_HER — Tue, 09 May 2017 14:27:25 GMT

Hi,

We're trying to setup Shibboleth Authentication with Nuxeo 6.0 and Renater as wayf. Our ldap's users are identified with their UID but we would like to allow abroad connexion with the way of the CRU (compte réseau universel). But CRU account use email adress as key. How could we configure shibboleth add-on to allow on one part authentication with UID (LDAP) and on the other part authentication with email (CRU accounts) ?

Thanks in advance

Re: Shibboleth CRU account

pibou_Bouvret — Tue, 09 May 2017 16:45:25 GMT

You can have a look at the sample configuration of ShibbolethAuthenticationService

http://explorer.nuxeo.com/nuxeo/site/distribution/Nuxeo%20DM-8.2/viewExtensionPoint/org.nuxeo.ecm.platform.shibboleth.service.ShibbolethAuthenticationService--config

You can define a uid mapping from shib attributes varying according to the idp of the user.

A configuration could be to map the uid for your idp and a default one using eppn or email.

Re: Shibboleth CRU account

Jean-Michel_HER — Wed, 10 May 2017 13:49:29 GMT

Hi pibou Bouvret,

Thank you for your answer, i really appreciate !

Indeed, i've already tried many configurations but the only one that perform correctly is "default"

I've read here that i need to patch ShibbolethAuthenticationPlugin.java to obtain what i expected. (+ fieldMap.put("username", userId);)

In V6, code extract is: ` public UserIdentificationInfo handleRetrieveIdentity( HttpServletRequest httpRequest, HttpServletResponse httpResponse) { if (getService() == null) { return null; }

    String userId = getService().getUserID(httpRequest);
    if (userId == null || "".equals(userId)) {
        return null;
    }
    Session userDir = null;
    try {
        UserManager userManager = Framework.getService(UserManager.class);
        userDir = Framework.getService(DirectoryService.class).open(
                userManager.getUserDirectoryName());
        Map<String, Object> fieldMap = getService().getUserMetadata(
                userManager.getUserIdField(), httpRequest);
        DocumentModel entry = userDir.getEntry(userId);
        if (entry == null) {
            // patch RB :
            fieldMap.put("username", userId);
            // fin patch RB
            userDir.createEntry(fieldMap);
        } else {
            entry.getDataModel(userManager.getUserSchemaName()).setMap(
                    fieldMap);
            userDir.updateEntry(entry);
        }
    } catch (Exception e) {
        log.error("Failed to get or create user entry", e);
    } finally {
        if (userDir != null) {
            try {
                userDir.close();
            } catch (DirectoryException e) {
                log.error("Error while closing directory session", e);
            }
        }
    }

    return new UserIdentificationInfo(userId, userId);

In 8.2 version, ShibbolethAuthenticationPlugin.java is quite different. Sadly i can't understand how it operate.

Even though i can't manage multiple keys in v 6.0, if i choose mail, my CRU user log in Nuxeo with his account (an account was created before for him, since we're in multi directory mode), but this user can't retrieve folders where he have rights.

If you can give me some advices ...

Re: Shibboleth CRU account

pibou_Bouvret — Wed, 10 May 2017 15:01:56 GMT

Don't you have the EPPN transmitted by the CRU IDP ? It should according to https

Re: Shibboleth CRU account

pibou_Bouvret — Wed, 10 May 2017 15:05:33 GMT

https

Re: Shibboleth CRU account

Jean-Michel_HER — Wed, 10 May 2017 15:34:08 GMT

Bonjour Pibou,

Re: Shibboleth CRU account

pibou_Bouvret — Wed, 10 May 2017 15:54:08 GMT

According to the Renater docs, the EPPN is provided if it is required by your SP

Re: Shibboleth CRU account

Jean-Michel_HER — Thu, 11 May 2017 15:45:19 GMT

Hi Pibou, merci,