EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09255

< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] {Suspected SPAM} Re: Multi-Factor Authentication (MFA) for EPrints Login

Hi both,


From what I can work out it looks like they provide in essence the "glue" to make this work.  The AuthDigital "cloud" allows you to come in using a protocol already supported by EPrints, in this case SAML (Shibboleth as a Service Provider) and then federate to a wide spectrum of authentication services.  This is useful if the authentication service you need to use is OAuth/OpenID Connect based and not SAML/Shibboleth.  Maybe they support direct OAuth/OpenID Connect authentication (e.g. a plugin for EPrints) but I cannot see any specific reference to this.  If my interpretation is correct, you would want to make the following considerations:


1. The subscription fee I would assume you would need to pay for this service.

2. A further party you need to deal with when managing user authentication for your repository.

3. A potential additional point of failure.  I would assume any subscription would come with an SLA.  However, what happens if they stop offering a subscription for this service?


Regards


David Newman


On 23/03/2023 14:08, Tomasz Neugebauer wrote:
CAUTION: This e-mail originated outside the University of Southampton.
I will have to figure out how to do MFA with our EPrints instance as well, so this discussion is timely and useful for me.  Martin, thanks for the link to "Authdigital", interesting to see EPrints in their service offer for this.  I don't have any experience or knowledge of the quality of their work.  

Tomasz

________________________________________________

Tomasz Neugebauer
Senior Librarian | Bibliothécaire titulaire
Digital Projects & Systems Development Librarian / Bibliothécaire des Projets Numériques & Développement de Systèmes
Concordia University / Université Concordia

Tel. / Tél. 514-848-2424 ext. / poste 7738
Email / courriel: tomasz.neugebauer@concordia.ca

Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
Street address / adresse municipale: 1400 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8

library.concordia.ca

From: Martin Brändle <martin.braendle@uzh.ch>
Sent: Wednesday, March 22, 2023 12:23 PM
To: John Salter <J.Salter@leeds.ac.uk>; eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; David R Newman <drn@ecs.soton.ac.uk>
Cc: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
Subject: Re: [EP-tech] Multi-Factor Authentication (MFA) for EPrints Login
 

Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'extérieur du domaine de concordia.ca




Dear all, dear David and John,

 

thank you for your answers. I have found this Canadian enterprise doing OAuth with EPrints .

https://authdigital.com/eprints-single-sign-on

 

Any experience around with them?

 

Kind regards,

 

Martin

 

--

Dr. Martin Brändle
Zentrale Informatik
Universität Zürich
Stampfenbachstr. 73
CH-8006 Zürich

 

 

From: John Salter <J.Salter@leeds.ac.uk>
Date: Tuesday, 21 March 2023 at 12:00
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>, David R Newman <drn@ecs.soton.ac.uk>, Martin Brändle <martin.braendle@uzh.ch>
Subject: RE: [EP-tech] Multi-Factor Authentication (MFA) for EPrints Login

Hi Martin,
This is something we're looking at too (no answers as yet).
One of the route's we're looking at is to use Orcid as the sign-on route, which could then go via the institutional SSO (with MFA).

 

The edge cases (admin accounts, API accounts) would still need a route to be able to authenticate too…

 

Cheers,

John

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of David R Newman via Eprints-tech
Sent: 21 March 2023 10:51
To: eprints-tech@ecs.soton.ac.uk; Martin Brändle <martin.braendle@uzh.ch>
Subject: Re: [EP-tech] Multi-Factor Authentication (MFA) for EPrints Login

 

Hi all,

I have added a page for MFA on the EPrints wiki.  It really just says what I said below.  However, if anyone has extra detail to add, please update this page:

https://wiki.eprints.org/w/Multi-Factor_Authentication

If anyone has attempted implementing OAuth-based login for EPrints and wants to share this, then this would certainly be considered for addition to the main EPrints 3.4. codebase, if you are happy for this to be added. Either way, if you have any helpful advice on using OAuth-based user authentication with EPrints (especially if it includes MFA support) then creating a page (probably called OAuth) for this on the wiki that would be really useful.

Regards

David Newman

On 21/03/2023 10:36 am, David R Newman via Eprints-tech wrote:

Hi Martin,

The way that most repositories do this is to use institutional single sign on (SSO) that will now normally have MFA baked in.  EPrints integrates with this using Shibboleth where it acts as a Service Provider:

https://wiki.eprints.org/w/Shibboleth

There are no plans to implement MFA directly into EPrints, as there are existing implementations that could be integrated into EPrints on a case-by-case basis.  If you do not have institutional SSO that allows you to configure EPrints as a Shibboleth Service Provider, then an OAuth implementation may be possible.  As I have not needed this, I have not had reason to implement it.  I don't know if anyone else has tried implementing an OAuth user authentication implementation for EPrints.

Regards

David Newman

On 21/03/2023 10:23 am, Martin Brändle via Eprints-tech wrote:

CAUTION: This e-mail originated outside the University of Southampton.

Dear all,

 

IT security at our institution requires that all services that provide login to user accounts implement multi-factor authentication in some way (e.g. via Azure AD and Microsoft Authenticator or another authenticator). We must check our EPrints repository, too.

 

Has anybody done this and could provide us with some hints how to do? Currently we use LDAP .

 

https://wiki.eprints.org/w/Category:Authentication and sub-pages seem not to be up-to-date.

 

Thanks in advance and kind regards,

 

Martin

 

--

Dr. Martin Brändle
Zentrale Informatik
Universität Zürich
Stampfenbachstr. 73
CH-8006 Zürich

mail: martin.braendle@uzh.ch
phone: +41 44 63 56705
signature_2066573683https://orcid.org/0000-0002-7752-6567
https://www.zi.uzh.ch

 




*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/





*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/