
comanage-users - Re: [comanage-users] Help with auto-populating values in self-signup

Subject: COmanage Users List

  • From: Scott Koranda <>
  • To: "Kevin M. Hildebrand" <>
  • Cc:
  • Subject: Re: [comanage-users] Help with auto-populating values in self-signup
  • Date: Thu, 6 Apr 2017 10:49:48 -0500

Hi,

> I'm experimenting with a new COmanage installation.  I'm trying to
> create a self-signup enrollment flow, using Google Auth to prepopulate
> the form.  I think I've got everything set up properly, but when
> visiting the enrollment form, I log in via Google, but none of the
> data is pre-populated.  I've tried this with COmanage v1.0.6, and
> v2.0.0rc2.
>
> I've got the Google auth piece working (mod_auth_openidc) and can
> verify that the environment variables are being correctly populated
> (OIDC_CLAIM_given_name, OIDC_CLAIM_email, etc).

The question, I suspect, is "where/when" are the environment variables being
correctly populated.

You need mod_auth_openidc to make them available not just for the page
that triggers the authentication flow but for the entire Registry application.

The CILogon project is using mod_auth_openidc with COmanage Registry and
populating environment variables from claims. We are using a
configuration like this:

<Directory /var/www/html/registry>
Options Indexes FollowSymLinks
DirectoryIndex index.php
AllowOverride All
Order allow,deny
Allow from all

# Passive protection from OIDC will expose claims if available
AuthType openid-connect
OIDCUnAuthAction pass
Require valid-user
</Directory>

<Directory /var/www/html/registry/auth/login>
AuthType openid-connect
OIDCUnAuthAction auth
Require valid-user
</Directory>

We have found, however, that we need to build the latest mod_auth_openidc
from source in order to pick up some of the functionality (and
maybe a bug fix) that exposes the claims using

OIDCUnAuthAction pass

The version available in many of the standard OS repositories is not
recent enough.

> Under CMP Enrollment Configuration, I've clicked 'Enable Environment
> Attribute Retrieval'. I've made the following mappings:
>
>   Given Name (Official)  -> OIDC_CLAIM_given_name
>   Family Name (Official) -> OIDC_CLAIM_family_name
>   Email (Official)       -> OIDC_CLAIM_email

That sounds correct.

> I've made a copy of the 'Self Signup With Approval' template and set
> the following: Petitioner Enrollment Authorization -> Authenticated

That sounds correct.

> User Identity Matching -> Self

That is probably not what you want. "Self" is usually used for self-service
account linking flows or additional role flows.

You probably just want "None".

See

https://spaces.internet2.edu/display/COmanage/Registry+Enrollment+Flow+Configuration#RegistryEnrollmentFlowConfiguration-IdentityMatching

> Any thoughts on what I'm missing?

Please try a mod_auth_openidc configuration like the one above with
the latest release of mod_auth_openidc (it isn't too bad to build it from
source) and let us know if that does not solve the issue.

Thanks,

Scott K
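
Added example, not part of the original message and not CILogon or COmanage code: a small Python check that models how plain <Directory> blocks merge (shortest path first, deeper blocks overriding) to show which OIDC settings apply to a given file. The LOGIN_ONLY configuration and the index.php paths are constructed assumptions; regex and wildcard Directory sections are not modelled.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: only the login URL is covered by mod_auth_openidc, so
# claims are exported there and nowhere else in the Registry application.
LOGIN_ONLY = """
<Directory /var/www/html/registry/auth/login>
AuthType openid-connect
OIDCUnAuthAction auth
Require valid-user
</Directory>
"""

# The two-block layout from the message above (OIDC directives only).
APP_WIDE = """
<Directory /var/www/html/registry>
# Passive protection from OIDC will expose claims if available
AuthType openid-connect
OIDCUnAuthAction pass
Require valid-user
</Directory>
""" + LOGIN_ONLY

def parse_directories(conf):
    """Return {directory path: {directive: value}} for plain <Directory> blocks."""
    blocks = {}
    for path, body in re.findall(r"<Directory\s+([^>]+)>(.*?)</Directory>", conf, re.S | re.I):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name.lower()] = value.strip()
        blocks[path.strip().strip('"')] = directives
    return blocks

def effective(conf, fs_path):
    """Merge matching blocks shortest path first, so deeper blocks override."""
    target = PurePosixPath(fs_path)
    merged = {}
    for path, directives in sorted(parse_directories(conf).items(), key=lambda kv: len(kv[0])):
        base = PurePosixPath(path)
        if base == target or base in target.parents:
            merged.update(directives)
    return merged

def oidc_enabled(conf, fs_path):
    """True when an openid-connect AuthType applies to the file at fs_path."""
    return effective(conf, fs_path).get("authtype", "").lower() == "openid-connect"
```

Run against the live configuration, a file that reports no openid-connect AuthType is one where the OIDC_CLAIM_* variables cannot be expected to appear.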


