[Archivesspace_Users_Group] Aspace-Oauth SAML configuration

Peter Heiner ph448 at cam.ac.uk
Tue Oct 6 13:34:12 EDT 2020

philip.webster at sheffield.ac.uk wrote on 2020-10-06 17:44:51:
> Hi,
> I'm trying to set up the Aspace-Oauth plugin on ArchivesSpace 2.8.0 to
> enable SAML logins via our institutional IDP. So far, I've managed to get
> the plugin linked to our dev IDP and configured to download the SAML
> metadata. Our IT department has requested that all security assertions are
> at least signed, and preferably encrypted.
> I've also generated a private key and certificate using the commands listed
> in the README.md file in the github repo
> (https://github.com/lyrasis/aspace-oauth).
> openssl genrsa -out rsaprivkey.pem 2048
> openssl req -new -x509 -key rsaprivkey.pem -out rsacert.pem

You can reuse the web server certificate if you already have one.

> The documentation is quite sparse, and doesn't really explain what to do
> next. The config sample given in the README.md has the following parameters
> defined in the example:
> # OPTIONAL: for encrypted assertions
>       :certificate                        => "PUBLIC CERT",
>       :private_key                        => "PRIVATE KEY",
> What are the expected values for "PUBLIC CERT" and "PRIVATE KEY"? Should
> these be the paths of the rsaprivkey.pem and rsacert.pem files, or am I
> expected to paste the ASCII contents of the .pem files straight into the
> config file?

Both ArchivesSpace and OmniAuth documentation is very sparse but
OmniAuth's own Ruby tests suggest that you need to paste the contents.

> Once this is set up, I also have to define the name identifier format. The
> default setting in the config is 
> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", and further down
> there is 
> email: ["urn:oid:0.9.2342.19200300.100.1.3"]. I do want to populate the
> email field in the user records in ArchiveSpace's database, but at my
> institution we prefer to use eduPersonPrincipalName
> (urn:oid: as an identifier instead of email
> address.
> Hopefully, ArchivesSpace Oauth will support this, and I assume I can just
> substitute "eduPersonPrincipalName" in place of "emailAddress" in the config
> file.

Yes, this should work with any unique attribute. 

> The README.md file also refers to some 'project documentation', but I
> haven't been able to find this anywhere on the community documentation. Is
> there any other documentation other than the README, and if so, where is it?
> Once this is all set up, I'll have to send some metadata to our IT
> department. I'm hoping that there is an endpoint somewhere that I can point
> a browser at and get the generated metadata for the service, so I can just
> pass that on. Again, it's not clear if such a thing exists - or how I'd go
> about accessing it.
OmniAuth docs at
suggest the URL will be /auth/saml/metadata on your server.

I am really looking forward to hearing how this worked out, adding SAML
authentication is something I'm trying to schedule for one of my next


More information about the Archivesspace_Users_Group mailing list