Login authorization attribute for SAML-based SSO
Activity

Julian Ladisch September 21, 2020 at 10:10 AM
Thanks, now I better understand. This is not a bug but a new feature. User stories ( https://folio-org.atlassian.net/wiki/display/COMMUNITY/Getting+Started+for+Product+Owners ) can be added to explain how FOLIO's SSO configuration settings UI should be extended.

Tod Olson September 16, 2020 at 8:29 PM (Edited)
(That description update was only partial, was not supposed to go out yet. There's a lot of set up before I can finish that.)
@Julian Ladisch In our current situation, we have exactly one attribute value that indicates a user is authorized to log into OLE:
ucisMemberOf: uc:org:library:applications:ole:authorized
Membership in that group is managed in our central IdM infrastructure; the rules are based on information from the HR system, but the only thing released is this attribute that says "authorized for OLE." All of the complexity takes place in the IdM/IdP infrastructure. For the SP, it is a simple binary check. (Access to campus wireless, campus VPN, and many other entitlements are managed in a similar way.)
The idea is that we could, optionally, configure the FOLIO SP to require a specific attribute value in order to authorize login. In this case, we would configure FOLIO to authorize login only if an attribute with the value uc:org:library:applications:ole:authorized (or the FOLIO version of that value) is present.

Julian Ladisch September 16, 2020 at 10:41 AM
As a FOLIO tenant administrator I would like to disable the login of a FOLIO user that still has a valid SSO account.
How to reproduce:
1. Configure the Tenant SSO settings to have
SAML attribute: UserID
User property: External System ID
2. To enable SSO login for a FOLIO user put the SSO UserID into the External System ID field of the user's record.
3. To disable SSO login for a FOLIO user remove the SSO UserID from the External System ID field of the user's record.
Expected:
When the user logs into FOLIO using SSO the login is rejected.
Actual:
The login is rejected with this error message: "No user found by externalSystemId == foo"
@Tod Olson Can you rewrite your issue using https://folio-org.atlassian.net/wiki/display/COMMUNITY/Standard+Bug+Write-Up+Format ?
Most universities in Germany are unwilling to store additional authorisation information in the Identity Provider (IdP). Therefore all service providers (SPs) that use SSO need to manage and store all authorisation information, and FOLIO as an SP needs to be capable of doing the authorisation.
Your use case seems to be different. Can you give a complete example of which fields your IdP passes on to the SP and how the SP (= FOLIO) can determine whether the user is authorised?
Overview:
Allow each tenant to define a SAML attribute that is required for login authorization.
If the SAML-based login at the SSO server is successful but the attribute is missing, mod-login-saml rejects the login into FOLIO.
Additional Information:
Currently, mod-login-saml checks only for SAML authorization. That means anyone with campus SSO credentials can log in, and we rely on a lack of FOLIO permissions to prevent any activity. It would be better simply not to allow login when a user is unauthorized. In a SAML SSO environment, that would be done by checking for an attribute that explicitly grants login authorization.
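As an added example (not mod-login-saml's own code), this is the binary check described above, in Python: parse the AttributeStatement of a SAML assertion and accept the login only if the tenant-configured attribute carries the configured value, rejecting when the attribute is absent or the value does not match. The assertion XML is a constructed sample using the attribute name and value from Tod Olson's comment; it assumes the SAML library has already validated the assertion's signature and conditions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (signature and validity checks are
# assumed to have been done by the SAML library before this point).
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ucisMemberOf">
      <saml:AttributeValue>uc:org:library:staff</saml:AttributeValue>
      <saml:AttributeValue>uc:org:library:applications:ole:authorized</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect every AttributeValue under each Attribute Name (multi-valued aware)."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attribute.get("Name", "")
        values = [(v.text or "").strip() for v in attribute.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def login_authorized(attrs: Dict[str, List[str]],
                     required_attr: Optional[str],
                     required_value: Optional[str]) -> bool:
    """Tenant rule: with no required attribute configured, keep today's behaviour
    (any successful SAML login is accepted); otherwise require an exact value match.
    A missing attribute or a non-matching value rejects the login."""
    if not required_attr:
        return True
    return required_value in attrs.get(required_attr, [])
```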