<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Fri Feb 09 00:24:01 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[UXPROD-2444] Login authorization attribute for SAML-based SSO</title>
                <link>https://folio-org.atlassian.net/browse/UXPROD-2444</link>
                <project id="10000" key="UXPROD">UX Product</project>
                    <description>&lt;p&gt;&lt;b&gt;Overview:&lt;/b&gt;&lt;br/&gt;
Allow each tenant to define a SAML attribute that is required for login authorization.&lt;br/&gt;
If the SAML-based login at the SSO server is successful but the attribute is missing, mod-login-saml rejects the login into FOLIO.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Additional Information:&lt;/b&gt;&lt;br/&gt;
Currently, mod-login-saml checks only for SAML authorization. That means anyone with campus SSO credentials can log in, and we rely on a lack of FOLIO permissions to prevent any activity. Better to simply not allow login if a user is unauthorized. In a SAML SSO environment, that would be done by checking for an attribute that explicitly grants login authorization.&lt;/p&gt;

&lt;p&gt;URL: &lt;br/&gt;
&lt;b&gt;Interested parties:&lt;/b&gt; &lt;/p&gt;</description>
                <environment></environment>
        <key id="11755">UXPROD-2444</key>
            <summary>Login authorization attribute for SAML-based SSO</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                            <parent id="10073">UXPROD-778</parent>
                                    <priority id="10005" iconUrl="https://dev.folio.org/assets/jira-priority/tbd.svg">TBD</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="557058:b787c0f1-34df-41c2-8585-c4aed346caec">Tod Olson</assignee>
                                                                <reporter accountid="557058:b787c0f1-34df-41c2-8585-c4aed346caec">Tod Olson</reporter>
                                    <labels>
                    </labels>
                <created>Thu, 28 May 2020 21:52:43 +0000</created>
                <updated>Wed, 10 Feb 2021 09:58:39 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="17968" author="5ee89462f7aa140abd82d11d" created="Wed, 16 Sep 2020 10:41:18 +0000"  >&lt;p&gt;As a FOLIO tenant administrator I would like to disable the login of a FOLIO user that still has a valid SSO account.&lt;/p&gt;

&lt;p&gt;How to reproduce:&lt;br/&gt;
1. Configure the Tenant SSO settings to have&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;SAML attribute: UserID&lt;/li&gt;
	&lt;li&gt;User property: External System ID&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;2. To enable SSO login for a FOLIO user put the SSO UserID into the External System ID field of the user&apos;s record.&lt;/p&gt;

&lt;p&gt;3. To disable SSO login for a FOLIO user remove the SSO UserID from the External System ID field of the user&apos;s record.&lt;/p&gt;

&lt;p&gt;Expected:&lt;br/&gt;
When the user logs into FOLIO using SSO the login is rejected.&lt;br/&gt;
Actual:&lt;br/&gt;
The login is rejected with this error message: &quot;No user found by externalSystemId == foo&quot;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab787c0f1-34df-41c2-8585-c4aed346caec&quot; class=&quot;user-hover&quot; rel=&quot;557058:b787c0f1-34df-41c2-8585-c4aed346caec&quot; data-account-id=&quot;557058:b787c0f1-34df-41c2-8585-c4aed346caec&quot; accountid=&quot;557058:b787c0f1-34df-41c2-8585-c4aed346caec&quot; rel=&quot;noreferrer&quot;&gt;Tod Olson&lt;/a&gt; Can you rewrite your issue using &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/COMMUNITY/Standard+Bug+Write-Up+Format&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/COMMUNITY/Standard+Bug+Write-Up+Format&lt;/a&gt; ?&lt;/p&gt;

&lt;p&gt;Most universities in Germany are unwilling to store additional authorisation information in the Identity Provider (IdP). Therefore all service providers (SPs) that use SSO need to manage and store all authorisation information, and FOLIO as an SP needs to be capable of doing the authorisation.&lt;/p&gt;

&lt;p&gt;Your use case seems to be different. Can you give a complete example which fields your IdP passes on to the SP and how the SP (= FOLIO) can determine whether the user is authorised?&lt;/p&gt;</comment>
                                                            <comment id="17969" author="557058:b787c0f1-34df-41c2-8585-c4aed346caec" created="Wed, 16 Sep 2020 20:29:06 +0000"  >&lt;p&gt;(That description update was only partial, was not supposed to go out yet. There&apos;s a lot of set up before I can finish that.)&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; In our current situation, we have exactly one attribute value that indicates a user is authorized to log into OLE:&lt;/p&gt;

&lt;p&gt;&lt;tt&gt;ucisMemberOf: uc:org:library:applications:ole:authorized&lt;/tt&gt;&lt;/p&gt;

&lt;p&gt;Membership in that group is managed in our central IdM infrastructure, the rules are based on information from the HR system, but the only thing released is this attribute that says &quot;authorized for OLE.&quot; All of the complexity takes place in the IdM/IdP infrastructure. For the SP, it is a simple binary check. (Access to campus wireless, campus VPN, and many other entitlements are managed in a similar way.)&lt;/p&gt;

&lt;p&gt;The idea is that we could, optionally, configure the FOLIO SP to require a specific attribute value in order to authorize login. In this case, we would configure FOLIO to authorize login only if an attribute with the value &lt;tt&gt;uc:org:library:applications:ole:authorized&lt;/tt&gt; (or the FOLIO version of that value) is present.&lt;/p&gt;</comment>
                                                            <comment id="17970" author="5ee89462f7aa140abd82d11d" created="Mon, 21 Sep 2020 10:10:47 +0000"  >&lt;p&gt;Thanks, now I better understand. This is not a bug but a new feature. User stories ( &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/COMMUNITY/Getting+Started+for+Product+Owners&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/COMMUNITY/Getting+Started+for+Product+Owners&lt;/a&gt; ) can be added to explain how FOLIO&apos;s SSO configuration settings UI should be extended.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10014" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue key="$xmlutils.escape($text)">Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10045" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Potential Workaround</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Continue to rely on an absence of FOLIO permissions.</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i017kb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10071" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: 5Colleges (Full Jul 2021)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10226"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10067" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Chalmers (Impl Aut 2019)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10205"><![CDATA[R3]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10068" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Chicago (MVP Sum 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10210"><![CDATA[R3]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10069" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Cornell (Full Sum 2021)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10216"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10070" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Duke (Full Sum 2021)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10221"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10074" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: GBV (MVP Sum 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10241"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10085" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: MO State (MVP June 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10297"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10089" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: TAMU (MVP Jan 2021)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10316"><![CDATA[R3]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10091" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: U of AL (MVP Oct 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10327"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 16 Sep 2020 10:41:18 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>