Federation-based SSO authentication - basic support
Activity

Tim Auger April 28, 2023 at 4:40 PM
Talk with Vince and Olamide about this and the UXPRODs for OAuth and related.

Tod Olson October 14, 2020 at 6:24 PM
A mockup of a revised SSO settings page is attached:
The primary change is adding a text input for the IdP's entityID; this will be required to identify the desired IdP in the file of federation metadata. This brings up a question for the back-end devs: do you need a switch to say this is a federated configuration, or can you infer that from the presence of the IdP entityID and the multiple EntityDescriptor entities?
There is a secondary change in the wireframe for clarity in the UI: clearly mark the IdP and SP configuration areas, and tweak the labels for clarity.

Tod Olson May 18, 2020 at 1:48 PM
Re-opened. Confirmed that the OpenAthens authentication is not federation-aware, just a one-off manual trust agreement between an SP and IdP. (Thanks, Craig McNally!)

Hkaplanian June 15, 2019 at 7:20 PM
Since FOLIO can connect to OpenAthens, I believe this is taken care of and can be closed.

Hkaplanian June 15, 2019 at 7:19 PM
I believe this is done since we can connect via OpenAthens. Closing for now.
Current situation or problem:
Currently FOLIO requires the manual coordination of one-to-one trust relationships every time we add a new FOLIO SP or take down an old one, or whenever the SP or IdP updates its metadata. Instead, provide basic support for the major Higher Ed SAML federations such as InCommon and/or eduGAIN so we can stop the manual coordination of one-to-one trust relationships.
In scope:
Configure the FOLIO SP with the URI for the federation metadata and the entityID of the campus IdP, and use those to retrieve and configure the IdP metadata.
Periodically check the federation metadata for updates and automatically bring in updates to the IdP metadata. The checking interval should be configurable as policies may differ between federations.
Out of scope:
Authentication of users from IdPs in the federation other than the IdP specifically indicated.
Support for authentication against multiple IdPs.
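To make the in-scope behaviour concrete (and Tod's question about inferring a federated configuration from an aggregate with multiple EntityDescriptor entities), here is an added example, not FOLIO code: it parses a constructed federation aggregate with placeholder entityIDs, detects that it is an aggregate, and selects exactly the configured IdP's SSO endpoints, refusing any entity that is missing, ambiguous, or not an IdP. It assumes the feed's XML signature has already been verified by the caller.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample aggregate (placeholder entityIDs, not real federation data):
# two IdPs and one SP, as a federation feed would carry them.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.campus-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.campus-a.example/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.campus-a.example/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.campus-b.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.campus-b.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://folio.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def is_federation_aggregate(xml_text: str) -> bool:
    """True when the document is an EntitiesDescriptor or carries more than one
    EntityDescriptor, i.e. a federation feed rather than a single IdP's metadata."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}EntitiesDescriptor" % MD:
        return True
    return len(root.findall(".//md:EntityDescriptor", NS)) > 1


def select_idp(xml_text: str, entity_id: str) -> dict:
    """Pick exactly the configured IdP out of the (already signature-verified) feed
    and return its SSO endpoints keyed by binding. entityID comparison is exact and
    case-sensitive; anything else in the aggregate is ignored, never trusted."""
    root = ET.fromstring(xml_text)
    # iter() also descends into nested EntitiesDescriptor groups some feeds use
    matches = [e for e in root.iter("{%s}EntityDescriptor" % MD)
               if e.get("entityID") == entity_id]
    if len(matches) != 1:
        raise LookupError(f"expected one entity {entity_id!r}, found {len(matches)}")
    idp = matches[0].find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise LookupError(f"{entity_id!r} is not an IdP (no IDPSSODescriptor)")
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": entity_id, "sso": endpoints}
```

Re-running select_idp on each refreshed copy of the feed is the periodic update step; if the configured entityID disappears from the feed, the LookupError is the signal to alert rather than silently keep stale endpoints.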
Use case(s):
Proposed solution/stories (optional):
Links to additional information:
SAML V2.0 Implementation Profile for Federation Interoperability
Best practices when consuming InCommon metadata
Federation best practices - InCommon Federation
How to implement basic identity federation
Questions/Comments: