[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[EP-tech] {Suspected SPAM} Re: Multi-Factor Authentication (MFA) for EPrints Login
Hi both,
From what I can work out it looks like they provide in essence the
"glue" to make this work.? The AuthDigital "cloud" allows you to come in
using a protocol already supported by EPrints, in this case SAML
(Shibboleth as a Service Provider) and then federate to a wide spectrum
of authentication services.? This is useful if the authentication
service you need to use is OAuth/OpenID Connect based and not
SAML/Shibboleth.? Maybe they support direct OAuth/OpenID Connect
authentication (e.g. a plugin for EPrints) but I cannot see any specific
reference to this.? If my interpretation is correct, you would want to
make the following considerations:
1. The subscription fee I would assume you would need to pay for this
service.
2. A further party you need to deal with when managing user
authentication for your repository.
3. A potential additional point of failure.? I would assume any
subscription would come with an SLA.? However, what happens if they stop
offering a subscription for this service?
Regards
David Newman
On 23/03/2023 14:08, Tomasz Neugebauer wrote:
> *CAUTION:* This e-mail originated outside the University of Southampton.
> I will have to figure out how to do MFA with our EPrints instance as
> well, so this discussion is timely and useful for me.? Martin, thanks
> for the link to "Authdigital", interesting to see EPrints in their
> service offer for this.? I don't have any experience or knowledge of
> the quality of their work.
>
> Tomasz
>
> ________________________________________________
>
> Tomasz Neugebauer
> Senior Librarian | Biblioth?caire titulaire
> Digital Projects & Systems Development Librarian / Biblioth?caire des
> Projets Num?riques & D?veloppement de Syst?mes
> Concordia University / Universit? Concordia
>
> Tel. / T?l. 514-848-2424 ext. / poste 7738
> Email / courriel: tomasz.neugebauer at concordia.ca
> <mailto:tomasz.neugebauer at concordia.ca>
>
> Mailing address / adresse postale:?1455 De Maisonneuve Blvd.
> W.,?LB-540-03, Montreal, Quebec H3G 1M8
> Street address / adresse municipale: 1400?De Maisonneuve Blvd.
> W.,?LB-540-03, Montreal, Quebec H3G 1M8
>
> library.concordia.ca
>
> ------------------------------------------------------------------------
> *From:* Martin Br?ndle <martin.braendle at uzh.ch>
> *Sent:* Wednesday, March 22, 2023 12:23 PM
> *To:* John Salter <J.Salter at leeds.ac.uk>; eprints-tech at ecs.soton.ac.uk
> <eprints-tech at ecs.soton.ac.uk>; David R Newman <drn at ecs.soton.ac.uk>
> *Cc:* Tomasz Neugebauer <Tomasz.Neugebauer at concordia.ca>
> *Subject:* Re: [EP-tech] Multi-Factor Authentication (MFA) for EPrints
> Login
>
> Attention This email originates from outside the concordia.ca domain.
> // Ce courriel provient de l'ext?rieur du domaine de concordia.ca
>
>
>
>
> Dear all, dear David and John,
>
> thank you for your answers. I have found this Canadian enterprise
> doing OAuth with EPrints .
>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthdigital.com%2Feprints-single-sign-on&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ixCF%2BV7ReP82FgF74XTmV64RXcvTQ4RU%2BTeroaSyk24%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthdigital.com%2Feprints-single-sign-on&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ixCF%2BV7ReP82FgF74XTmV64RXcvTQ4RU%2BTeroaSyk24%3D&reserved=0>
>
> Any experience around with them?
>
> Kind regards,
>
> Martin
>
> --
>
> Dr. Martin Br?ndle
> Zentrale Informatik
> Universit?t Z?rich
> Stampfenbachstr. 73
> CH-8006 Z?rich
>
> *From: *John Salter <J.Salter at leeds.ac.uk>
> *Date: *Tuesday, 21 March 2023 at 12:00
> *To: *eprints-tech at ecs.soton.ac.uk <eprints-tech at ecs.soton.ac.uk>,
> David R Newman <drn at ecs.soton.ac.uk>, Martin Br?ndle
> <martin.braendle at uzh.ch>
> *Subject: *RE: [EP-tech] Multi-Factor Authentication (MFA) for EPrints
> Login
>
> Hi Martin,
> This is something we're looking at too (no answers as yet).
> One of the route's we're looking at is to use Orcid as the sign-on
> route, which could then go via the institutional SSO (with MFA).
>
> The edge cases (admin accounts, API accounts) would still need a route
> to be able to authenticate too?
>
> Cheers,
>
> John
>
> *From:*eprints-tech-bounces at ecs.soton.ac.uk
> [mailto:eprints-tech-bounces at ecs.soton.ac.uk] *On Behalf Of *David R
> Newman via Eprints-tech
> *Sent:* 21 March 2023 10:51
> *To:* eprints-tech at ecs.soton.ac.uk; Martin Br?ndle
> <martin.braendle at uzh.ch>
> *Subject:* Re: [EP-tech] Multi-Factor Authentication (MFA) for EPrints
> Login
>
> Hi all,
>
> I have added a page for MFA on the EPrints wiki.? It really just says
> what I said below.? However, if anyone has extra detail to add, please
> update this page:
>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FMulti-Factor_Authentication&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=opCoEgs%2F3KtpcXTf8OGYsss%2FLxdkzMYUi8Jy0wx2h%2Fw%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FMulti-Factor_Authentication&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=opCoEgs%2F3KtpcXTf8OGYsss%2FLxdkzMYUi8Jy0wx2h%2Fw%3D&reserved=0>
>
> If anyone has attempted implementing OAuth-based login for EPrints and
> wants to share this, then this would certainly be considered for
> addition to the main EPrints 3.4. codebase, if you are happy for this
> to be added. Either way, if you have any helpful advice on using
> OAuth-based user authentication with EPrints (especially if it
> includes MFA support) then creating a page (probably called OAuth) for
> this on the wiki that would be really useful.
>
> Regards
>
> David Newman
>
> On 21/03/2023 10:36 am, David R Newman via Eprints-tech wrote:
>
> Hi Martin,
>
> The way that most repositories do this is to use institutional
> single sign on (SSO) that will now normally have MFA baked in.?
> EPrints integrates with this using Shibboleth where it acts as a
> Service Provider:
>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FShibboleth&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=I%2FcomA8X1dX5AQfbzelA0ivWsDM3AZHOZr8qr%2BNiu4I%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FShibboleth&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=I%2FcomA8X1dX5AQfbzelA0ivWsDM3AZHOZr8qr%2BNiu4I%3D&reserved=0>
>
> There are no plans to implement MFA directly into EPrints, as
> there are existing implementations that could be integrated into
> EPrints on a case-by-case basis.? If you do not have institutional
> SSO that allows you to configure EPrints as a Shibboleth Service
> Provider, then an OAuth implementation may be possible.? As I have
> not needed this, I have not had reason to implement it.? I don't
> know if anyone else has tried implementing an OAuth user
> authentication implementation for EPrints.
>
> Regards
>
> David Newman
>
> On 21/03/2023 10:23 am, Martin Br?ndle via Eprints-tech wrote:
>
> *CAUTION:*This e-mail originated outside the University of
> Southampton.
>
> Dear all,
>
> IT security at our institution requires that all services that
> provide login to user accounts implement multi-factor
> authentication in some way (e.g. via Azure AD and Microsoft
> Authenticator or another authenticator). We must check our
> EPrints repository, too.
>
> Has anybody done this and could provide us with some hints how
> to do? Currently we use LDAP .
>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FCategory%3AAuthentication&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=64lKJxzCCzRf%2Fkpm2yUI1W1mUTZJmCDD0Jtv4a%2FMSis%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FCategory%3AAuthentication&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=64lKJxzCCzRf%2Fkpm2yUI1W1mUTZJmCDD0Jtv4a%2FMSis%3D&reserved=0>
> and sub-pages seem not to be up-to-date.
>
> Thanks in advance and kind regards,
>
> Martin
>
> --
>
> Dr. Martin Br?ndle
> Zentrale Informatik
> Universit?t Z?rich
> Stampfenbachstr. 73
> CH-8006 Z?rich
>
> mail: martin.braendle at uzh.ch <mailto:martin.braendle at uzh.ch>
> phone: +41 44 63 56705
> signature_2066573683https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Forcid.org%2F0000-0002-7752-6567&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=A8fHPTkg%2FUJZaigZpmcFkpz%2BN4ny7QOEjHSbkSk%2F1xw%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Forcid.org%2F0000-0002-7752-6567&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=A8fHPTkg%2FUJZaigZpmcFkpz%2BN4ny7QOEjHSbkSk%2F1xw%3D&reserved=0>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.zi.uzh.ch%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Up67VVJ6HzKILxozpVqTuyRXXXaWwkC3LUDnyQeVgnU%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.zi.uzh.ch%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=c5fJDLCI2p%2FTeBNbwTxFm%2BzvbGbQmUidKNvBAoA1LOY%3D&reserved=0>
>
>
>
>
> *** Options:
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmailman.ecs.soton.ac.uk%2Fmailman%2Flistinfo%2Feprints-tech&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=TjmmRz0Rq9KMuHwDwqH90Nz%2FNK6S5AmDlZcVLcD9qwc%3D&reserved=0>
>
> *** Archive: https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DltVTPDRyRh7ZJaNNp%2BqkycTaX3daqBJTUw%2FXfBNloU%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DltVTPDRyRh7ZJaNNp%2BqkycTaX3daqBJTUw%2FXfBNloU%3D&reserved=0>
>
> *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2Am69cqIcOyDWzyjOZZamiKhI2BiMX5GfT%2B33ZTaRX8%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410695005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2Am69cqIcOyDWzyjOZZamiKhI2BiMX5GfT%2B33ZTaRX8%3D&reserved=0>
>
>
>
>
>
> *** Options:
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmailman.ecs.soton.ac.uk%2Fmailman%2Flistinfo%2Feprints-tech&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410850711%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OLnxpYy7x5ovy48%2F65afuKlf91NcKLOLUxLLhQOlc08%3D&reserved=0>
>
> *** Archive: https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410850711%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ytX5dst%2FtXzS6hNsds0fc0JPTqrH2HqJR8XESKoAY80%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410850711%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ytX5dst%2FtXzS6hNsds0fc0JPTqrH2HqJR8XESKoAY80%3D&reserved=0>
>
> *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410850711%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5Ge23%2FKRzb6uW7rVx%2FR063VIWDNJkT9Vq%2BAdCD15%2FPQ%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=05%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C0c4918feb94f4b2e3bfe08db2bb9611d%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C638151847410850711%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5Ge23%2FKRzb6uW7rVx%2FR063VIWDNJkT9Vq%2BAdCD15%2FPQ%3D&reserved=0>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20230323/866ae162/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 173 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20230323/866ae162/attachment-0001.gif