<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi,</p><p class=MsoNormal>I'm trying to set up the Aspace-Oauth plugin on ArchivesSpace 2.8.0 to enable SAML logins via our institutional IDP. So far, I've managed to get the plugin linked to our dev IDP and configured to download the SAML metadata. Our IT department has requested that all security assertions are at least signed, and preferably encrypted.</p><p class=MsoNormal>I've also generated a private key and certificate using the commands listed in the README.md file in the github repo (https://github.com/lyrasis/aspace-oauth).</p><p class=MsoNormal>openssl genrsa -out rsaprivkey.pem 2048</p><p class=MsoNormal>openssl req -new -x509 -key rsaprivkey.pem -out rsacert.pem</p><p class=MsoNormal>The documentation is quite sparse, and doesn't really explain what to do next. The config sample given in the README.md has the following parameters defined in the example:</p><p class=MsoNormal> # OPTIONAL: for encrypted assertions</p><p class=MsoNormal> :certificate => "PUBLIC CERT",</p><p class=MsoNormal> :private_key => "PRIVATE KEY",</p><p class=MsoNormal>What are the expected values for "PUBLIC CERT" and "PRIVATE KEY"? Should these be the paths of the rsaprivkey.pem and rsacert.pem files, or am I expected to paste the ASCII contents of the .pem files straight into the config file?</p><p class=MsoNormal>Once this is set up, I also have to define the name identifier format. The default setting in the config is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", and further down there is email: ["urn:oid:0.9.2342.19200300.100.1.3"]. I do want to populate the email field in the user records in ArchivesSpace's database, but at my institution we prefer to use eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) as an identifier instead of email address.</p><p class=MsoNormal>Hopefully, ArchivesSpace Oauth will support this, and I assume I can just substitute "eduPersonPrincipalName" in place of "emailAddress" in the config file.</p><p class=MsoNormal>The README.md file also refers to some 'project documentation', but I haven't been able to find this anywhere in the community documentation. Is there any other documentation other than the README, and if so, where is it?</p><p class=MsoNormal>Once this is all set up, I'll have to send some metadata to our IT department. I'm hoping that there is an endpoint somewhere that I can point a browser at and get the generated metadata for the service, so I can just pass that on. Again, it's not clear if such a thing exists - or how I'd go about accessing it.</p><p class=MsoNormal>If anyone has any advice for the issues described above, I'd be very grateful to hear it!</p><p class=MsoNormal>Regards,</p><p class=MsoNormal>Philip Webster</p><p class=MsoNormal>The University Library</p><p class=MsoNormal>University of Sheffield</p></div></body></html>