Shibboleth accounts email, netid and idp
For more details about federated logins (Shibboleth) visit the linked page; what matters in this section is that Shibboleth adds the user's attributes to the HTTP request headers.
EPerson (the class that represents users in clarin-dspace) requires an email, and emails must be unique (no two epersons can have the same email).
With default settings, federated users are autoregistered (created automatically). The search/creation process is described below.
Firstly, an eperson is looked up by "netid" (which is also the database column name). The value is either eppn[idp] or eptid[idp] (eptid is equal to persistent-id in this context), where eppn and eptid are attributes sent by the IdP and idp is the entityid of that IdP. If no user is found by "netid", the mail attribute is tried (see note1 below). If that succeeds, it may "assign" a Shibboleth identity to a previously created local account.
Attributes in the user profile (fname/lname) are updated from the attributes sent by the IdP.
The search by email can find an eperson that already has a "netid", but one that is different from the current one. Usually this means the user has accounts with multiple IdPs and is using a different organization than the last time. But there are also IdPs that let you create an account without even verifying your email (we block these, see https://lindat.mff.cuni.cz/en/how-do-i-sign-up). An error is shown to the user telling them either to use the same IdP as last time or to contact the administrators of clarin-dspace. Administrators can reset the netid with a button click in the user profile (Access Control -> People...) if there is a reason to.
If still no eperson is found (but we have at least one of those attributes), an eperson is created. If the newly created eperson has no email, a form is displayed to fill it in. The user should not be able to log in until they verify the email.
If neither of the attributes is present, an error message is displayed asking the user to provide an email.
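The lookup order above (netid first, then mail, then autoregistration, with the netid-conflict check on the email path) as a small worked simulation. This is an added example, not clarin-dspace's own Java code: the EPerson table, the header names (eppn, persistent-id, mail, givenName, sn, Shib-Identity-Provider) and the literal eppn[idp] netid format are assumptions made for illustration, and unverified-email handling is reduced to a flag.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class EPerson:
    """Constructed stand-in for the clarin-dspace EPerson row (id, email, netid, fname, lname)."""
    id: int
    email: Optional[str]
    netid: Optional[str] = None
    fname: str = ""
    lname: str = ""
    email_verified: bool = True   # False for autoregistered users with no mail attribute

# Assumed header names; Shibboleth puts the IdP's attributes into the request headers.
ATTR_EPPN, ATTR_EPTID, ATTR_MAIL, ATTR_IDP = "eppn", "persistent-id", "mail", "Shib-Identity-Provider"

def build_netid(headers: Dict[str, str]) -> Optional[str]:
    """netid is eppn[idp] or eptid[idp]; the bracket layout follows the page's notation (assumption)."""
    idp = headers.get(ATTR_IDP)
    if not idp:
        return None
    for attr in (ATTR_EPPN, ATTR_EPTID):        # eppn preferred, eptid (persistent-id) as fallback
        if headers.get(attr):
            return f"{headers[attr]}[{idp}]"
    return None

def update_profile(ep: EPerson, headers: Dict[str, str]) -> None:
    """fname/lname are refreshed from the IdP on every login."""
    ep.fname = headers.get("givenName", ep.fname)
    ep.lname = headers.get("sn", ep.lname)

def resolve_shibboleth_login(headers: Dict[str, str], table: List[EPerson]) -> Tuple[str, Optional[EPerson]]:
    """Return (outcome, eperson). Outcomes mirror the steps described on the page."""
    netid = build_netid(headers)
    mail = headers.get(ATTR_MAIL)

    # 1. Search by netid.
    if netid:
        for ep in table:
            if ep.netid == netid:
                update_profile(ep, headers)
                return "found_by_netid", ep

    # 2. Search by email; may bind a federated identity to a local account.
    if mail:
        for ep in table:
            if ep.email == mail:
                if ep.netid and netid and ep.netid != netid:
                    # Account already bound to another IdP identity: refuse, user must
                    # use the previous IdP or ask an administrator to reset the netid.
                    return "netid_conflict", ep
                if netid:
                    ep.netid = netid
                update_profile(ep, headers)
                return "found_by_email", ep

    # 3. Autoregister when at least one usable attribute is present.
    if netid or mail:
        ep = EPerson(id=max((e.id for e in table), default=0) + 1, email=mail, netid=netid,
                     email_verified=mail is not None)
        update_profile(ep, headers)
        table.append(ep)          # email uniqueness holds: the email search above found nothing
        return ("created" if mail else "created_needs_email"), ep

    # 4. Nothing to identify the user with.
    return "error_no_attributes", None

# Constructed sample data for a stand-alone run.
IDP_A = "https://idp.uni-a.example/idp/shibboleth"
IDP_B = "https://idp.uni-b.example/idp/shibboleth"

def constructed_table() -> List[EPerson]:
    return [
        EPerson(1, "alice@example.org", f"alice@uni-a.example[{IDP_A}]", "Alice", "Anders"),
        EPerson(2, "carol@example.org", None, "Carol", "Cole"),   # local account, no netid yet
    ]

if __name__ == "__main__":
    table = constructed_table()
    for name, hdrs in [
        ("alice same IdP", {ATTR_EPPN: "alice@uni-a.example", ATTR_IDP: IDP_A, "givenName": "Alicia"}),
        ("alice other IdP", {ATTR_EPPN: "alice@uni-b.example", ATTR_IDP: IDP_B, ATTR_MAIL: "alice@example.org"}),
        ("carol binds", {ATTR_EPPN: "carol@uni-b.example", ATTR_IDP: IDP_B, ATTR_MAIL: "carol@example.org"}),
        ("dave no mail", {ATTR_EPTID: "opaque-id-123", ATTR_IDP: IDP_B}),
        ("nothing", {ATTR_IDP: IDP_B}),
    ]:
        print(name, "->", resolve_shibboleth_login(hdrs, table))
```

The conflict branch fires only when both the stored and the incoming netid exist and differ; an IdP that sends only a mail attribute does not overwrite an existing binding. How clarin-dspace itself treats that edge case is not stated on the page, so that choice is the example's own.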