SWITCH edu-ID

From swissbib

For Swiss National Licences, private users authenticate themselves on the publisher's platform with a Switch edu-ID account. Swissbib verifies that the user satisfies the various conditions (accepted terms of use, address in Switzerland, ...). When all conditions are verified, Swissbib sets the SAML attribute eduPersonEntitlement to the value urn:mace:dir:entitlement:common-lib-terms.

On top of that, a customized registration workflow is used, which allows service-specific registration screens.

Adding a SWITCH edu-ID user to the group of National Licences compliant users

Documentation from Switch: Swiss edu-ID shared attributes

To set the SAML attribute eduPersonEntitlement to the value urn:mace:dir:entitlement:common-lib-terms, the user needs to be added to a specific group via the SWITCH API. 4 configuration parameters are needed for this process:

The group management system from Switch is a separate database from the one holding Switch edu-ID users, and it uses its own identifiers. Below are the useful commands for this API.

As soon as the user is added to the group, the attribute eduPersonEntitlement is set to the value urn:mace:dir:entitlement:common-lib-terms whenever one of the specific services requests it (currently: Swissbib, Cambridge, Oxford, De Gruyter, Springer and the SWITCH Attribute Viewer). SWITCH maintains this list.

The whole process follows the SCIM 2.0 specification (SimpleCloud): http://www.simplecloud.info/

Get internal id based on SWITCH edu-ID unique-ID

Get the SWITCH edu-ID group management system internal id based on the unique SWITCH edu-ID id "859735645906@eduid.ch" (this is the SAML attribute eduPersonUniqueId, which is stored in the column edu_id of the table national_licence_user).

curl --user USER:PASSWORD -X POST \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
--data '{ "externalID":"859735645906@eduid.ch" }' https://eduid.ch/sg/index.php/Users

Response:

{"externalID":"859735645906@eduid.ch","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"id":"bf30adba-c633-43ae-bd15-9545fabe9089"}

bf30adba-c633-43ae-bd15-9545fabe9089 is the id that will be used for all remaining operations. If the user is not yet in the SWITCH edu-ID group management system, the above command creates the user as well.


Check if a user is National Licence Compliant

This is based on the internal id.

curl --user USER:PASSWORD https://eduid.ch/sg/index.php/Users/bf30adba-c633-43ae-bd15-9545fabe9089

Response if the user belongs to no group:

{
    "id":"bf30adba-c633-43ae-bd15-9545fabe9089",
    "externalID":"859735645906@eduid.ch",
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
    "groups":[]
}

Response if the user belongs to the group "national licence compliant":

{
    "id":"bf30adba-c633-43ae-bd15-9545fabe9089",
    "externalID":"859735645906@eduid.ch",
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
    "groups":[{"value":"1d3baa7b-da70-440d-b777-5bb2d11f8718","display":"National Licenses Compliant"}]
}

Add a user to the National Licence Compliant Group

Add the user bf30adba-c633-43ae-bd15-9545fabe9089 to the group 1d3baa7b-da70-440d-b777-5bb2d11f8718. The user and the group must already exist.

WARNING: the user id must be copied into $ref AND into value!

curl --user USER:PASSWORD -X PATCH \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
--data '{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations":[
   {
    "op":"add",
    "path":"members",
    "value":[
     {
      "$ref": "https://eduid.ch/sg/index.php/Users/bf30adba-c633-43ae-bd15-9545fabe9089",
      "value": "bf30adba-c633-43ae-bd15-9545fabe9089"
     }
    ]
   }
  ]
}' https://eduid.ch/sg/index.php/Groups/1d3baa7b-da70-440d-b777-5bb2d11f8718

Response:

HTTP/1.1 200 OK

Remove a user from the National Licence Compliant Group

Remove the user bf30adba-c633-43ae-bd15-9545fabe9089 from the group 1d3baa7b-da70-440d-b777-5bb2d11f8718:

curl --user USER:PASSWORD -X PATCH \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
--data '{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations":[
   {
    "op":"remove",
    "path":"members[value eq \"bf30adba-c633-43ae-bd15-9545fabe9089\"]"
   }
  ]
}' https://eduid.ch/sg/index.php/Groups/1d3baa7b-da70-440d-b777-5bb2d11f8718

Response:

HTTP/1.1 200 OK
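The four calls above, wired together as an added Python example (this is not code from swissbib, VuFind or SWITCH). It assumes only the endpoint, ids, basic-auth scheme and JSON shapes shown on this page; the network call is kept in its own function so the request bodies and response handling can be checked offline, and every id is validated as a bare UUID before it is placed in a URL path or a SCIM filter.

```python
import json
import re
import urllib.request
from base64 import b64encode

BASE_URL = "https://eduid.ch/sg/index.php"  # group management endpoint from the page
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def check_id(value):
    """Accept only a bare UUID before it goes into a URL path or a SCIM
    filter expression; anything else would change the request's meaning."""
    if not isinstance(value, str) or not UUID_RE.match(value):
        raise ValueError("unexpected SCIM id: %r" % (value,))
    return value

def user_id_from_lookup(response, expected_external_id):
    """Step 1: internal id from the POST /Users response, after checking it
    was issued for the edu-ID we asked about (the POST may also create the user)."""
    if response.get("externalID") != expected_external_id:
        raise ValueError("lookup answered for a different externalID")
    return check_id(response["id"])

def is_compliant(user, group_id):
    """Step 2: True when GET /Users/{id} lists the compliant group."""
    return any(g.get("value") == group_id for g in user.get("groups", []))

def add_member_patch(user_id):
    """Step 3: PatchOp body for PATCH /Groups/{group}; the user id must
    appear in both $ref and value, as the page warns."""
    uid = check_id(user_id)
    member = {"$ref": "%s/Users/%s" % (BASE_URL, uid), "value": uid}
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "add", "path": "members", "value": [member]}]}

def remove_member_patch(user_id):
    """Step 4: PatchOp body that removes the member selected by filter."""
    uid = check_id(user_id)
    return {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "remove", "path": 'members[value eq "%s"]' % uid}]}

def scim_call(method, path, body, user, password, opener=urllib.request.urlopen):
    """One JSON request with HTTP basic auth (what the page's curl --user sends);
    returns (status, parsed JSON or None). opener is injectable for testing."""
    data = json.dumps(body).encode() if body is not None else None
    auth = "Basic " + b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
        "Authorization": auth, "Content-Type": "application/json", "Accept": "application/json"})
    with opener(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw.strip() else None)
```

A full run is `uid = user_id_from_lookup(scim_call("POST", "/Users", {"externalID": edu_id}, u, p)[1], edu_id)`, then `scim_call("PATCH", "/Groups/" + GROUP_ID, add_member_patch(uid), u, p)`, checking for status 200 as the page shows.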

Implementation in VuFind

The implementation of this process in VuFind is done in the Swissbib module, in the following files:

Test System

The same process is available in the SWITCH edu-ID test system (which is in the SWITCH AAI Test Federation). Here are the parameters:

Various Documentation