[Archivesspace_Users_Group] Aspace-Oauth SAML configuration

philip.webster at sheffield.ac.uk philip.webster at sheffield.ac.uk
Tue Oct 6 12:44:51 EDT 2020


I'm trying to set up the Aspace-Oauth plugin on ArchivesSpace 2.8.0 to
enable SAML logins via our institutional IDP. So far, I've managed to get
the plugin linked to our dev IDP and configured to download the SAML
metadata. Our IT department has requested that all security assertions are
at least signed, and preferably encrypted.


I've also generated a private key and certificate using the commands listed
in the README.md file in the github repo

openssl genrsa -out rsaprivkey.pem 2048

openssl req -new -x509 -key rsaprivkey.pem -out rsacert.pem


The documentation is quite sparse, and doesn't really explain what to do
next. The config sample given in the README.md has the following parameters
defined in the example:

# OPTIONAL: for encrypted assertions

      :certificate                        => "PUBLIC CERT",

      :private_key                        => "PRIVATE KEY",


What are the expected values for "PUBLIC CERT" and "PRIVATE KEY"? Should
these be the paths of the rsaprivkey.pem and rsacert.pem files, or am I
expected to paste the ASCII contents of the .pem files straight into the
config file?


Once this is set up, I also have to define the name identifier format. The
default setting in the config is 

"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", and further down
there is 

email: ["urn:oid:0.9.2342.19200300.100.1.3"]. I do want to populate the
email field in the user records in ArchiveSpace's database, but at my
institution we prefer to use eduPersonPrincipalName
(urn:oid: as an identifier instead of email


Hopefully, ArchivesSpace Oauth will support this, and I assume I can just
substitute "eduPersonPrincipalName" in place of "emailAddress" in the config


The README.md file also refers to some 'project documentation', but I
haven't been able to find this anywhere on the community documentation. Is
there any other documentation other than the README, and if so, where is it?


Once this is all set up, I'll have to send some metadata to our IT
department. I'm hoping that there is an endpoint somewhere that I can point
a browser at and get the generated metadata for the service, so I can just
pass that on. Again, it's not clear if such a thing exists - or how I'd go
about accessing it.



If anyone has any advice for the issues described above, I'd be very
grateful to hear it!




Philip Webster

The University Library

University of Sheffield    


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lyralists.lyrasis.org/pipermail/archivesspace_users_group/attachments/20201006/a8127b32/attachment.html>

More information about the Archivesspace_Users_Group mailing list