Hi all,
As the future network admin of the Dutch Dataverse Network (DDN), I [0] am
currently involved with the transition of the service responsibility of
this service from the library of the University of Utrecht to Data
Archiving and Networked Services (an institute of the Royal Netherlands
Academy of Arts and Sciences and the Netherlands Organisation for
Scientific Research). My colleagues Eko Indarto and Arnoud Jippes are
working with me on this, as the developer and sysadmin respectively.
As Philip Durbin wrote in his email of October 3, 2013 [1], the DVN (v3.3)
was patched with OIOSAML to support federated login using personal
accounts supplied by Dutch higher educational institutions via SURFconext.
The patch is available and supports not only login, but account creation
with basic role assignment on first login based on SAML attributes as
well. It has worked for the current participating (and paying)
institutions, although the patch doesn't do session management very well.
After logging in for the first time, an account is created, but the user
needs to quit and restart the browser to be able to log in for the first
time. This may also be why logging in when browsing studies takes the user
back to the homepage instead of the study that the user was looking at.
In this transition, we're upgrading the DVN software to 3.6.2, on a new
RHEL 6 with SELinux server. Next is to reconnect to SURFconext, the
federated login provider for Dutch higher education institutions. By May
1st the transition must be complete and it looks like we'll make it.
However, the "getting OIOSAML to work with 3.6.2" part has not been easy,
partly due to lack of experience with Glassfish and OIOSAML.
From a system administration point of view, consolidation of deployment
environments continues to be important to us. Our Java applications are
deployed in Tomcat and use MySQL as DBMS with an Apache proxy in front of
Tomcat. This has also allowed us to use Shibboleth for federated login for
one of our other services, the long-term preservation archive EASY [2]. I
personally don't know the details, but setting up Shibboleth and the
connection to SURFconext has been harder than building software support
for Shibboleth, which I'm told boils down to getting attribute values from
environment variables. (We did need Shibboleth's lazy session mode
enabled.)
This environment and knowledge made us try to patch the patch with Shibboleth
support. That includes fronting Glassfish with Apache. By the end of this
week I hope to know whether we succeeded :)
We (Eko, Arnoud and I) had a Skype call with Philip today, to exchange
some of our experiences with SAML and learn that DVN v4 will focus on
Shibboleth (because the demand was highest for Shibboleth). Support for
more generic authentication frameworks had crossed all our minds before,
but implementing such support is beyond any current plan (as I understood).
Although more a thought than a design, we suggested a plugin framework for
DVN to allow e.g. account creation/management as part of the login
procedure. With such a framework in place, we could create a plugin
instead of a patch that chooses an authentication provider, redirects to
the login page and performs the logic of assigning roles to new accounts
(i.e. authorisation) in between authentication and session start. One
plugin could be created for the Dutch environment, another for the US
environment (with InCommon) and perhaps yet another for Facebook
authentication.
We further asked about known DVN production environments in which DVN is
deployed in Tomcat and/or uses MySQL, but it appears that DVN relies on
some JavaEE features that Tomcat does not support. Perhaps TomEE might
help here, but Philip has no experience with this product. PostgreSQL
dependencies have been requested to be removed in DVN 4.
It was great to discuss DVN via Skype today, but we understand that
keeping the discussion open generally helps the wider community. We're
learning too, and would love to hear about experiences with environments
similar to ours, or different.
Regards,
Ben
[0]: http://dans.knaw.nl/en/content/ben-companjen (bencomp on Freenode,
@bencomp on Twitter)
[1]: https://lists.iq.harvard.edu/pipermail/dvn-auth/2013-October/000001.html
[2]: https://easy.dans.knaw.nl/ui/home
Ben Companjen
Information scientist
ben.companjen(a)dans.knaw.nl
+31 6 1334 9717
Data Archiving and Networked Services (DANS)
DANS promotes sustained access to digital research data. See
<http://www.dans.knaw.nl/> for more information and contact details. DANS
is an institute of KNAW and NWO.
DANS | Anna van Saksenlaan 51 | 2593 HW The Hague | P.O. Box 93067 | 2509
AB The Hague | +31 70 349 44 50 | info(a)dans.knaw.nl | www.dans.knaw.nl
<http://www.dans.knaw.nl/>
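An added illustration (not DVN code and not the OIOSAML patch described in the message) of the "attribute values from environment variables" approach mentioned above, adapted to the Apache-in-front-of-Glassfish setup, where mod_shib passes Shibboleth attributes to the proxied application as request headers: a servlet filter that, on the first authenticated request, derives roles from the affiliation attribute and stores the identity in the session. The header names, session keys, role names and the proxy address are assumptions.

```java
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: Apache/mod_shib authenticates, then forwards the SAML
// attributes as headers to Glassfish. Authorisation (role assignment) happens
// here, between authentication and the start of the application session.
public class ShibbolethLoginFilter implements Filter {
    // Header names are an assumption; mod_shib's attribute-to-header mapping is configurable.
    static final String EPPN_HEADER = "eppn";
    static final String AFFILIATION_HEADER = "affiliation";
    static final String SESSION_USER = "ddn.user";   // assumed session keys
    static final String SESSION_ROLES = "ddn.roles";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(true);
        if (session.getAttribute(SESSION_USER) == null) {
            String eppn = http.getHeader(EPPN_HEADER);
            // Trust the identity headers only when the request came through the
            // proxy; Apache must also overwrite these headers on incoming requests,
            // otherwise a client could supply its own eppn/affiliation values.
            if (eppn != null && !eppn.isEmpty() && fromTrustedProxy(http)) {
                session.setAttribute(SESSION_USER, eppn);
                session.setAttribute(SESSION_ROLES, rolesFor(http.getHeader(AFFILIATION_HEADER)));
            }
        }
        chain.doFilter(req, res);
    }

    // Assumption: Apache runs on the same host as Glassfish.
    static boolean fromTrustedProxy(HttpServletRequest http) {
        return "127.0.0.1".equals(http.getRemoteAddr());
    }

    // Maps a multi-valued affiliation attribute (';'-separated by mod_shib) to roles.
    static Set<String> rolesFor(String affiliation) {
        Set<String> roles = new LinkedHashSet<>();
        roles.add("member");                      // every federated user
        if (affiliation == null) return roles;
        for (String a : affiliation.split(";")) {
            String v = a.trim();
            if (v.equalsIgnoreCase("employee") || v.equalsIgnoreCase("staff")) roles.add("contributor");
        }
        return roles;
    }
}
```

Registering the filter in web.xml for the protected paths only mirrors Shibboleth's lazy session mode: anonymous browsing is unaffected, and the session is created with roles already assigned the moment the user arrives authenticated.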