...

  1. Request the metadata URL of the IdP from its administrator. Also communicate the attributes that need to be released (made available) in the SAML response from the IdP. CollectionSpace requires the following attributes:

    • Email address. When a user first logs in using SSO, this is used to associate the user on the IdP with an existing CollectionSpace user account. If no account exists with a username that is equal to the email address, the login fails. (There is currently no auto-registration feature for users on the IdP that do not have an existing CSpace account.) This can be released as either an attribute or the NameID of the SAML assertion. Ask the administrator of the IdP for the attribute name that will be used (or whether it will be the NameID of the assertion).

    • User ID. This should be a persistent identifier used by the IdP to uniquely and permanently identify a user. This can be the same attribute as the user’s email, but only if the user’s email on the IdP is never expected to change. When a user first logs in using SSO and their CSpace account is successfully located using the email address, this ID is stored; subsequent logins can then associate the user on the IdP with the CSpace user by this ID, even if the user’s email changes on the IdP. This can be released as either an attribute or the NameID of the SAML assertion. Ask the administrator of the IdP for the attribute name that will be used (or whether it will be the NameID of the assertion).

    • Full name. The user’s full name. This is not currently used, but will be used in the future to auto-register new CSpace users, when that feature is implemented. Ask the administrator of the IdP for the attribute name that will be used.

  2. Configure SSO for CSpace using the instructions below. Add a relying party registration, setting the metadata URL of the provider to the URL received in Step 1. Configure the locations to probe for the email address and user ID, using the information received in Step 1.

  3. Start CollectionSpace.

  4. Provide the metadata URL of the SAML relying party added in Step 2 to the administrator of the IdP.

  5. When the administrator of the IdP confirms that the connection is ready, test a login. When a SAML assertion is received from the IdP, its NameID and attributes are logged to cspace-services.log. Confirm that the expected NameID and attributes are received.
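
The account-linking rules described in Steps 1 and 5 above, as an added illustration in Python that is not CollectionSpace's own code: it assumes each configured location is either the string NameID or a SAML attribute name, uses constructed attribute names and identifiers, and adds one assumption of its own, that an account already bound to a different persistent ID is not re-bound to a new one.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CSpaceUser:
    username: str                 # compared with the email address released by the IdP
    sso_id: Optional[str] = None  # persistent IdP identifier, stored on first SSO login


@dataclass
class SamlAssertion:
    """Constructed stand-in for a parsed SAML assertion: NameID plus attribute statement."""
    name_id: str
    attributes: Dict[str, List[str]]


NAME_ID = "NameID"  # assumed marker meaning "read the value from the NameID, not an attribute"


def probe(assertion: SamlAssertion, location: str) -> Optional[str]:
    """Read the email or user ID from its configured location (NameID or an attribute name)."""
    if location == NAME_ID:
        return assertion.name_id
    values = assertion.attributes.get(location, [])
    return values[0] if values else None


def link_sso_user(users: Dict[str, CSpaceUser], assertion: SamlAssertion,
                  email_location: str, id_location: str) -> Optional[CSpaceUser]:
    """Return the CSpace account for this login, or None when the login fails.

    1. An account that already stores this persistent ID wins, even if the email changed.
    2. Otherwise the account whose username equals the released email is used and the ID stored.
    3. No such account: the login fails; there is no auto-registration.
    """
    sso_id = probe(assertion, id_location)
    email = probe(assertion, email_location)
    if not sso_id or not email:
        return None  # a required value was not released by the IdP
    for user in users.values():
        if user.sso_id == sso_id:
            return user
    user = users.get(email)
    if user is None:
        return None
    if user.sso_id is not None and user.sso_id != sso_id:
        return None  # assumption: never re-bind an account already tied to another IdP identity
    user.sso_id = sso_id
    return user
```

Running the link step against the NameID and attribute values that appear in cspace-services.log for a test login is a quick way to confirm the configured probe locations before opening SSO to users.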

Creating a file to store local configuration

...