...
Contact types are manually mapped to roles in the application config INI.
Contact Mapping follows the form of auth.roles.{CONTACT_TYPE_LISTS.CODE} = {ROLE_NAME}:
```ini
auth.AUTH_ROLEMAPPING = false
auth.roles.default = "Guest"
auth.roles.SYSADMIN = "Administrator"
auth.roles.COORDINATOR = "Coordinator"
```
SSO Mapping
Shibboleth, Active Directory, etc
...
SSO Role Mapping allows mapping an SSO group to a PCR-360 Role.
To use SSO mapping, these values should be set in the PCR360 INI:
```ini
; enables role mapping from the SSO
auth.AUTH_ROLEMAPPING = true
; this is the default role added to all users, a minimum access level
auth.roles.default = "Guest"
; this assumes the group attribute from the SSO is isMemberOf
auth.AUTH_ATTRMAP_GROUPS = "isMemberOf"
; This is the default value; if your Fully Qualified Group Name contains commas,
; this will need to be changed to a semicolon ";"
auth.AUTH_ATTR_SEPARATOR = ","
```
...
Shibboleth also needs to be configured to parse the group attribute from the SSO:
/etc/shibboleth2/attribute-map.xml
```xml
<!-- this assumes the SSO is passing the group as the LDAP group attribute -->
<!-- the name needs to be the actual attribute name from the SSO -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
```
The value of the SSO attribute is then mapped on the Role:
Enabling the AUTH_ROLEMAPPING setting enables the Authentication Mapping field on the Roles form.
The Fully Qualified Shibboleth Group Name is entered here to map the Role to the Shibboleth (SSO) group.
Once implemented, the Application will:
- Map the Fully Qualified Shibboleth Group Name to the Role via the attribute configured by AUTH_ATTRMAP_GROUPS
- Add/Update the Role to users in the Fully Qualified Shibboleth Group Name
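The mapping steps above can be modelled to show why AUTH_ATTR_SEPARATOR matters when group names contain commas. This is an added example, not PCR-360 code: the function names, the exact-match comparison and the sample group names are assumptions made for illustration.

```python
# Added illustration: a model of the SSO role mapping described above.
# Not PCR-360 code; names and exact-match behaviour are assumptions.
DEFAULT_ROLE = "Guest"  # auth.roles.default


def resolve_roles(attr_value, separator, role_mappings, default_role=DEFAULT_ROLE):
    """Return the roles a login would receive.

    attr_value    -- raw value of the AUTH_ATTRMAP_GROUPS attribute (isMemberOf)
    separator     -- auth.AUTH_ATTR_SEPARATOR
    role_mappings -- {role name: Authentication Mapping value on the Roles form}
    """
    groups = {g.strip() for g in attr_value.split(separator) if g.strip()}
    roles = [default_role]  # the default role is added to every user
    for role, group_name in role_mappings.items():
        if group_name in groups and role not in roles:
            roles.append(role)
    return roles


def unmatched_by_separator(role_mappings, separator):
    """Config check: roles whose group name contains the separator.

    Such a name is split into fragments before comparison, so the role is
    never granted and affected users silently keep only the default role.
    """
    return sorted(r for r, g in role_mappings.items() if separator in g)


# Constructed sample data (hypothetical group names).
ROLE_MAPPINGS = {
    "Administrator": "cn=pcr-admins,ou=groups,dc=example,dc=edu",
    "Coordinator": "cn=pcr-coordinators,ou=groups,dc=example,dc=edu",
}
IS_MEMBER_OF = (
    "cn=pcr-admins,ou=groups,dc=example,dc=edu;"
    "cn=staff,ou=groups,dc=example,dc=edu"
)

if __name__ == "__main__":
    for sep in (",", ";"):
        print(repr(sep), resolve_roles(IS_MEMBER_OF, sep, ROLE_MAPPINGS),
              "never matches:", unmatched_by_separator(ROLE_MAPPINGS, sep))
```

Running the check against the configured Authentication Mapping values before enabling AUTH_ROLEMAPPING catches the separator mismatch without waiting for a user to report missing access.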