Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper) (UXPROD-778)

[UXPROD-1612] Make the SAML(SSO) metadata file available through a public (Edge) URL in order to enable automatic configuration of the iDP Created: 25/Jun/18  Updated: 26/Oct/23

Status: Blocked
Project: UX Product
Components: None
Affects versions: None
Fix versions: None
Parent: Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)

Type: New Feature Priority: P3
Reporter: Theodor Tolstoy (One-Group.se) Assignee: Jakub Skoczen
Resolution: Unresolved Votes: 0
Labels: circ_po_small
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
is blocked by MODLOGSAML-44 remove required permissions from /sam... Blocked
Relates
relates to UIORG-165 Not able to regenerate Saml SP xml me... Closed
Potential Workaround: HK: Right now, this can be done manually. Not ideal, but it works.
CPT: Chalmers has this working manually. See description in this JIRA issue.
Epic Link: Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)
Back End Estimate: Large < 10 days
Estimation Notes and Assumptions: Assume the API to download the SAML MD file already exists and must be made publicly accessible.
Kiwi Planning Points (DO NOT CHANGE): 1
Rank: Chalmers (Impl Aut 2019): R2
Rank: Chicago (MVP Sum 2020): R4
Rank: Cornell (Full Sum 2021): R2
Rank: Duke (Full Sum 2021): R4
Rank: 5Colleges (Full Jul 2021): R4
Rank: GBV (MVP Sum 2020): R4
Rank: Hungary (MVP End 2020): R4
Rank: Lehigh (MVP Summer 2020): R2
Rank: MO State (MVP June 2020): R4
Rank: TAMU (MVP Jan 2021): R4
Rank: U of AL (MVP Oct 2020): R4

Description

Today you need to be logged in in order to obtain the metadata file that you will have to send to your IdP manager, usually the University's central IT department.

The file can only be obtained via Settings -> Tenant -> SSO settings -> Download Metadata.

From time to time the certs/signatures change, and with them the metadata file.

In order to enable the IdP to auto-update its settings with the new metadata file, the file must be available via an "unauthenticated" URL as well as via the user interface. This information does not have to be hidden behind login, since it only contains public information.
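As an added illustration (not code from the FOLIO project or from this issue), the following Python script shows what a consumer of the public SP metadata would check after fetching it from an unauthenticated URL: it extracts the entityID, the AssertionConsumerService endpoints and the SHA-256 fingerprint of each certificate, reports what changed between two fetches (the cert rotation the description mentions), and refuses to treat a file as publishable if it carries private-key material. The metadata documents, entityID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _sp_metadata(cert_b64: str, entity_id: str = "https://folio.example.edu/saml") -> str:
    # Constructed SP metadata in the shape of an SSO-settings export; not a real tenant's file.
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="{entity_id}/callback" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed placeholder certificate bytes; a real export carries DER-encoded X.509 certificates.
OLD_METADATA = _sp_metadata(base64.b64encode(b"constructed-cert-v1").decode())
NEW_METADATA = _sp_metadata(base64.b64encode(b"constructed-cert-v2").decode())

def summarize(xml_text: str) -> dict:
    """Public facts an IdP needs: entityID, ACS endpoints, SHA-256 fingerprint per certificate use."""
    root = ET.fromstring(xml_text)
    certs = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute means both
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            certs.setdefault(use, []).append(hashlib.sha256(der).hexdigest())
    acs = [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "certs": certs, "acs": acs}

def contains_private_material(xml_text: str) -> bool:
    """An unauthenticated URL is only acceptable for public data; reject PEM private-key markers."""
    return "PRIVATE KEY" in xml_text

def diff_metadata(old_xml: str, new_xml: str) -> list:
    """Report what an IdP would need to re-import after re-fetching the SP metadata."""
    old, new = summarize(old_xml), summarize(new_xml)
    changes = []
    if old["entity_id"] != new["entity_id"]:
        changes.append("entityID changed")
    if old["acs"] != new["acs"]:
        changes.append("AssertionConsumerService endpoints changed")
    for use in sorted(set(old["certs"]) | set(new["certs"])):
        if old["certs"].get(use) != new["certs"].get(use):
            changes.append(f"{use} certificate(s) changed")
    return changes
```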



Comments
Comment by Theodor Tolstoy (One-Group.se) [ 21/Mar/19 ]

Hi Cate Boerema, Hkaplanian, Jakub Skoczen, VBar

I think we need some eyes on this one.
To my understanding, if SSO is to be considered functional for FOLIO, I think we need the possibility to do this in time for Chalmers Go-Live. Sooner rather than later since every update in the platform code base means that the current SSO setup becomes useless and needs to be reconfigured with the IdP administrators.

To get some security around it, could we perhaps add this to the edge api:s?

What are your thoughts?

Comment by Cate Boerema (Inactive) [ 21/Mar/19 ]

I think this might have gotten lost in the FOLIO project. I've switched it to a UXPROD. Can you add the Chalmers ranking to this, Theodor Tolstoy (One-Group.se)? Is it needed for go live?

Comment by Theodor Tolstoy (One-Group.se) [ 21/Mar/19 ]

I absolutely think this is needed given the expected cadence that new code will get into their tenant. But I might be missing something in how this is working.

Comment by Cate Boerema (Inactive) [ 21/Mar/19 ]

Hi Marc Johnson looks like this might need to get done in Q2. Could you please provide a backend estimate and any comments you have on this? Is there any frontend work needed on this?

Comment by Marc Johnson [ 21/Mar/19 ]

Cate Boerema Sorry, I have almost no context on the SAML login module and how it is integrated at present, so am unlikely to be able to offer much advice on this, apologies

Maybe Jakub Skoczen can help direct this to someone with more context?

Comment by Theodor Tolstoy (One-Group.se) [ 22/Mar/19 ]

So, as I understand it, the other way is also something to think of for the future.
So in the best of worlds, the SP (FOLIO) can react to changes in the IdP as well.

Comment by Cate Boerema (Inactive) [ 22/Mar/19 ]

Thanks for the estimate Jakub Skoczen! I am tagging this as Q2 2019 so it is considered in the cap planning (no guarantees yet)

Comment by Cate Boerema (Inactive) [ 23/Apr/19 ]

Hi Jakub Skoczen. Just wanted to check on this one, as it's targeted for Q2, needed by Chalmers to go live and I don't see any user stories or work items. This is on your radar, right?

Comment by Theodor Tolstoy (One-Group.se) [ 20/Jun/19 ]

Ping Jakub Skoczen!

Comment by Jakub Skoczen [ 08/Jul/19 ]

Created MODLOGSAML-44 Blocked for this issue

Comment by Debra Howell [ 02/Oct/20 ]

The upgrade to mod-login-saml 2.0.1 from 2.0.0 required us to have Cornell's Identity Management team upload new metadata when installed. But earlier versions didn’t require it. Ideally FOLIO wouldn’t make this a necessary manual step every time we upgrade.

Generated at Fri Feb 09 00:17:00 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.