Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper) (UXPROD-778)

[UXPROD-556] Federation-based SSO authentication - basic support Created: 07/May/18  Updated: 28/Apr/23

Status: Open
Project: UX Product
Components: None
Affects versions: None
Fix versions: None
Parent: Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)

Type: New Feature Priority: P3
Reporter: Cate Boerema (Inactive) Assignee: Tod Olson
Resolution: Unresolved Votes: 0
Labels: library_dependent, round_iv, usermanagement
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Attachments: PNG File FOLIO SSO settings UI.png
Issue links:
Defines
is defined by MODLOGSAML-78 Extract IdP metadata from federation ... Open
is defined by MODLOGSAML-79 Refresh IdP metadata periodically Open
Relates
relates to UXPROD-551 Authenticate user via SAML (Shibboleth) Closed
Epic Link: Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)
Front End Estimate: Medium < 5 days
Front End Estimator: Jakub Skoczen
Back End Estimate: XL < 15 days
Back End Estimator: Jakub Skoczen
Development Team: None
Kiwi Planning Points (DO NOT CHANGE): 4
PO Rank: 0
Rank: Chalmers (Impl Aut 2019): R5
Rank: Chicago (MVP Sum 2020): R1
Rank: Cornell (Full Sum 2021): R5
Rank: Duke (Full Sum 2021): R1
Rank: 5Colleges (Full Jul 2021): R1
Rank: FLO (MVP Sum 2020): R5
Rank: GBV (MVP Sum 2020): R2
Rank: hbz (TBD): R2
Rank: Hungary (MVP End 2020): R1
Rank: Lehigh (MVP Summer 2020): R1
Rank: Leipzig (Full TBD): R1
Rank: Leipzig (ERM Aut 2019): R5
Rank: MO State (MVP June 2020): R4
Rank: TAMU (MVP Jan 2021): R1
Rank: U of AL (MVP Oct 2020): R4

Description

Current situation or problem:
Currently FOLIO requires the manual coordination of one-to-one trust relationships every time we have a new FOLIO SP or take down an old one, or whenever the SP or IdP updates metadata. Instead, provide basic support for the major Higher Ed SAML federations such as InCommon and/or eduGAIN so we can stop the manual coordination of one-to-one trust relationships.

In scope:

  • Configure FOLIO SP with the URI for federation metadata and the entityId of the campus IdP and use that to retrieve and configure the IdP metadata.
  • Periodically check the federation metadata for updates and automatically bring in updates to the IdP metadata. The checking interval should be configurable as policies may differ between federations.

Out of scope:

  • Authentication of users from IdPs in the federation other than the IdP specifically indicated.
  • Support for authentication against multiple IdPs.

Use case(s):
Proposed solution/stories (optional):

Links to additional information:

Questions/Comments:



Comments
Comment by Hkaplanian [ 15/Jun/19 ]

I believe this is done since we can connect via OpenAthens. Closing for now.

Comment by Hkaplanian [ 15/Jun/19 ]

Since FOLIO can connect to OpenAthens, I believe this is taken care of and can be closed.

Comment by Tod Olson [ 18/May/20 ]

Re-opened. Confirmed that the Open Athens authentication is not federation-aware, just a one-off manual trust agreement between an SP and IdP. (Thanks, Craig McNally!)

Comment by Tod Olson [ 14/Oct/20 ]

A mockup of a revised SSO settings page is attached:

The primary change is adding a text input for the IdP's entityID; this will be required to identify the desired IdP in the file of federation metadata. This brings up a question for the back-end devs: do you need a switch to say this is a federated configuration, or can you infer that from the presence of the IdP entityID and the multiple EntityDescriptor entities?

There is a secondary change in the wireframe for clarity in the UI: clearly mark the IdP and SP configuration areas, and tweak the labels for clarity.
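
As an added example (not code from the FOLIO project), the three pieces the in-scope items and Tod's question above describe: picking the configured campus IdP out of a federation aggregate by entityID, inferring the federated case from the number of EntityDescriptor elements rather than a separate switch, and capping the operator's configured refresh interval by the aggregate's cacheDuration. The sample aggregate, hostnames and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ED = f"{{{MD}}}EntityDescriptor"
SSO = f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService"

# Constructed sample aggregate in the shape a federation such as InCommon
# publishes: one EntitiesDescriptor wrapping many EntityDescriptors. Real
# aggregates are signed; verify that signature before trusting the contents.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" cacheDuration="PT6H">
  <md:EntityDescriptor entityID="https://idp.campus-a.example/idp/shibboleth">
    <md:IDPSSODescriptor><md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.campus-a.example/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.campus-b.example/idp/shibboleth">
    <md:IDPSSODescriptor><md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.campus-b.example/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def is_federation_aggregate(metadata_xml):
    """More than one EntityDescriptor means an aggregate (the federated case);
    a plain single-IdP metadata file has exactly one."""
    return sum(1 for _ in ET.fromstring(metadata_xml).iter(ED)) > 1

def select_idp(metadata_xml, entity_id):
    """Pick the configured campus IdP by entityID; None means it is absent,
    which the SP should treat as a configuration error, never a fallback."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(ED):
        if ed.get("entityID") == entity_id:
            sso = {s.get("Binding"): s.get("Location") for s in ed.findall(SSO)}
            return {"entityID": entity_id, "sso": sso,
                    "cacheDuration": root.get("cacheDuration")}
    return None

def refresh_seconds(cache_duration, configured):
    """Operator-configured interval, capped by the aggregate's cacheDuration
    (only the PT..H..M..S form of ISO 8601 durations is parsed here)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", cache_duration or "")
    if not m or not any(m.groups()):
        return configured
    h, mi, s = (int(x or 0) for x in m.groups())
    return min(configured, h * 3600 + mi * 60 + s)
```

Only the one EntityDescriptor whose entityID matches is ever used, which keeps the out-of-scope cases (other federation IdPs, multiple IdPs) excluded by construction.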

Comment by Tim Auger [ 28/Apr/23 ]

Tim Auger talked with Vince and Olamide about this and the UXPRODs for OAuth and related.

Generated at Fri Feb 09 00:08:46 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.