comanage-users - Re: [comanage-users] Help with auto-populating values in self-signup
Subject: COmanage Users List
List archive
- From: Scott Koranda <>
- To: "Kevin M. Hildebrand" <>
- Cc:
- Subject: Re: [comanage-users] Help with auto-populating values in self-signup
- Date: Thu, 6 Apr 2017 10:49:48 -0500
Hi,
> I'm experimenting with a new COmanage installation. I'm trying to
> create a self-signup enrollment flow, using Google Auth to prepopulate
> the form. I think I've got everything set up properly, but when
> visiting the enrollment form, I log in via Google, but none of the
> data is pre-populated. I've tried this with COmanage v1.0.6, and
> v2.0.0rc2.
>
> I've got the Google auth piece working (mod_auth_openidc) and can
> verify that the environment variables are being correctly populated
> (OIDC_CLAIM_given_name, OIDC_CLAIM_email, etc).
The question I suspect is "where/when" are the environment variables being
correctly populated.
You need mod_auth_openidc to make them available not just for the page
that triggers the authentication flow but for the entire Registry application.
The CILogon project is using mod_auth_openidc with COmanage Registry and
populating environment variables from claims. We are using a
configuration like this:
<Directory /var/www/html/registry>
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
    Order allow,deny
    Allow from all
    # Passive protection from OIDC will expose claims if available
    AuthType openid-connect
    OIDCUnAuthAction pass
    Require valid-user
</Directory>
<Directory /var/www/html/registry/auth/login>
    AuthType openid-connect
    OIDCUnAuthAction auth
    Require valid-user
</Directory>
We have found, however, that we need to build the latest mod_auth_openidc
from source in order to pick up some of the functionality (and
maybe a bug fix) that exposes the claims using
OIDCUnAuthAction pass
The version available in many of the standard OS repositories is not
recent enough.
> Under CMP Enrollment Configuration, I've clicked 'Enable Environment
> Attribute Retrieval'. I've made the following mappings: Given Name
> (Official) -> OIDC_CLAIM_given_name Family Name (Official) ->
> OIDC_CLAIM_family_name Email (Official) -> OIDC_CLAIM_email
That sounds correct.
> I've made a copy of the 'Self Signup With Approval' template and set
> the following: Petitioner Enrollment Authorization -> Authenticated
That sounds correct.
> User Identity Matching -> Self
That is probably not what you want. "Self" is usually used for self-service
account linking flows or additional role flows.
You probably just want "None".
See
https://spaces.internet2.edu/display/COmanage/Registry+Enrollment+Flow+Configuration#RegistryEnrollmentFlowConfiguration-IdentityMatching
> Any thoughts on what I'm missing?
Please try a mod_auth_openidc configuration like the one above with
the latest release of mod_auth_openidc (it isn't too bad to build it from
source) and let us know if that does not solve the issue.
Thanks,
Scott K
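Added example, not part of the original message and not CILogon or COmanage code: a small check that an Apache configuration follows the two-block layout described above, with OIDCUnAuthAction pass on the application root and OIDCUnAuthAction auth on the login path. The function names and the sample text are constructed for illustration, and the check requires each block to state its settings explicitly, as the configuration in the message does, rather than modelling Apache's directory merging.

```python
import re

# Constructed sample mirroring the two-block layout quoted in the message.
SAMPLE_CONF = """\
<Directory /var/www/html/registry>
    AuthType openid-connect
    OIDCUnAuthAction pass
    Require valid-user
</Directory>
<Directory /var/www/html/registry/auth/login>
    AuthType openid-connect
    OIDCUnAuthAction auth
    Require valid-user
</Directory>
"""

def parse_directories(conf):
    """Return {path: {directive: value}} for each <Directory> block."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1).rstrip("/"), {})
        elif line.lower().startswith("</directory"):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return blocks

def check_claim_exposure(conf, app_root, login_path):
    """List settings that would keep OIDC_CLAIM_* out of the wider application."""
    blocks, problems = parse_directories(conf), []
    for path, wanted in ((app_root, "pass"), (login_path, "auth")):
        block = blocks.get(path.rstrip("/"))
        if block is None:
            problems.append(f"{path}: no <Directory> block")
            continue
        if block.get("authtype", "").lower() != "openid-connect":
            problems.append(f"{path}: AuthType is not openid-connect")
        # Hypothetical strictness: a missing directive is reported, not defaulted.
        action = block.get("oidcunauthaction", "unset").lower()
        if action != wanted:
            problems.append(f"{path}: OIDCUnAuthAction is {action}, expected {wanted}")
    return problems
```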
- [comanage-users] Help with auto-populating values in self-signup, Kevin M. Hildebrand, 04/03/2017
- Re: [comanage-users] Help with auto-populating values in self-signup, Scott Koranda, 04/06/2017