[Bug 39224] New: Move Shibboleth config from koha-conf to the DB
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Bug ID: 39224 Summary: Move Shibboleth config from koha-conf to the DB Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: jacob.omara@ptfs-europe.com Reporter: jacob.omara@ptfs-europe.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Depends on: 38201 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38201 [Bug 38201] VueJS architecture rethink -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #1 from Jacob O'Mara <jacob.omara@ptfs-europe.com> --- The shibboleth config should be moved from the koha-conf.xml to the database This will allow the shibboleth config to be set from the UI or with the API. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Jacob O'Mara <jacob.omara@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #2 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189234 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189234&action=edit Bug 39224: add database schema for shibboleth configuration Add shibboleth_config and shibboleth_field_mappings tables to store Shibboleth authentication configuration in the database. Includes atomic update to migrate existing XML-based configurations. TEST PLAN: Prerequisites - A SAML setup - Enable ShibbolethAuthentication system preference - Access staff interface with manage_identity_providers permission Test Configuration Interface (Staff → Administration → Shibboleth) 1. Access UI - Navigate to Shibboleth configuration page 2. Basic Settings - Toggle force SSO for OPAC/staff, autocreate, sync, welcome email 3. Field Mappings - Add mappings with IdP field names 4. Set Matchpoint - Mark one field as matchpoint; verify only one can be active 5. Default Values - Test mappings with default_content when idp_field is empty Test Authentication Behavior 6. OPAC SSO - Enable force_opac_sso; verify OPAC auto-redirects to Shibboleth login URL 7. Staff SSO - Enable force_staff_sso; verify staff interface auto-redirects 8. Disable force SSO; verify local login form shows with Shibboleth link 9. Autocreate - Enable autocreate; authenticate new user; verify patron record created 10. Sync on Login - Enable sync; modify IdP attributes; login; verify patron data updated Test Error Cases 11. No Matchpoint - Remove matchpoint; reload login page; verify Shibboleth login option disappears entirely; check logs for "No matchpoint configured" warning 12. Invalid Mapping - Create mapping without koha_field or (idp_field + default_content); verify validation error 13. Duplicate Matchpoint - Set second matchpoint; verify first is auto-cleared Verify Legacy Compatibility 14. Syspref Removed - Confirm OPACShibOnly and staffShibOnly sysprefs no longer exist/used 15. Run tests and ensure they pass and that the migration will work as expected. prove -vv t/db_dependent/Auth_with_shibboleth.t t/db_dependent/Koha/ShibbolethConfigs.t t/db_dependent/Koha/ShibbolethFieldMappings.t t/db_dependent/Shibboleth/Migration.t t/db_dependent/api/v1/shibboleth_config.t t/db_dependent/api/v1/shibboleth_field_mappings.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #3 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189235 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189235&action=edit Bug 39224: add Koha object models for shibboleth configuration Add Koha::ShibbolethConfig and Koha::ShibbolethFieldMapping classes to manage Shibboleth configuration stored in the database. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #4 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189236 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189236&action=edit Bug 39224: add REST API endpoints for shibboleth configuration Add API endpoints for managing Shibboleth configuration: - GET/PUT /api/v1/shibboleth/config - GET/POST /api/v1/shibboleth/mappings - GET/PUT/DELETE /api/v1/shibboleth/mappings/{mapping_id} -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #5 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189237 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189237&action=edit Bug 39224: integrate database-backed shibboleth configuration Update authentication code to read Shibboleth configuration from database instead of koha-conf.xml. Add get_force_sso_setting function to retrieve SSO settings from database. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #6 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189238 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189238&action=edit Bug 39224: add Vue UI for shibboleth configuration Add staff interface pages for managing Shibboleth configuration including settings and field mappings. Includes API client, Vue components, store, and routes. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #7 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189239 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189239&action=edit Bug 39224: integrate shibboleth UI into staff interface Add menu entry, configure build system, and set up routing for Shibboleth configuration interface. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #8 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189240 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189240&action=edit Bug 39224: add comprehensive tests for shibboleth configuration Add tests for: - Koha object models (ShibbolethConfig, ShibbolethFieldMapping) - REST API endpoints - Database migration from XML config -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #9 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189241 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189241&action=edit Bug 39224: replace deprecated shibboleth sysprefs with ShibbolethAuthentication - Remove OPACShibOnly and staffShibOnly sysprefs (now in shibboleth_config table) - Add ShibbolethAuthentication syspref to replace useshibboleth XML config - Update to check syspref instead of XML - Only show Shibboleth configuration link when ShibbolethAuthentication is enabled -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #10 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189242 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189242&action=edit Bug 39224: DBIC - DO NOT PUSH -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #11 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189243 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189243&action=edit Bug 39224: add is_boolean definitions for shibboleth tables to schema This applies to controllers: - ShibolethConfig - sync - welcome - autocreate - force{opac/staff}sso - ShibbolethFieldMapping - is_matchpoint -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #12 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- Created attachment 189244 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189244&action=edit Bug 39224: show warning for required fields when autocreate is enabled -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #13 from Jacob O'Mara <jacob.omara@openfifth.co.uk> --- To make the testing of this a bit easier (since SSO is a pain in the ass) I've written an improvement to the koha-testing docker (that requires this branch) that incidentally should also make testing this branch a bit easier. If you boot up a ktd instance with `ktd --localrun --sso up` while on this branch: https://github.com/Jacobomara901/koha-testing-docker/tree/sso-but-better it will boot up a keycloak instance with the realm already configured to koha. It will also enable Shibboleth in koha, turn on sync and autocreate and also configure all of the mappings in koha that are currently configured in keycloak. If you want to log in as an admin to keycloak to check, head to localhost:8082 as usual with the login details keycloak:keycloak for logging in to koha via this sso setup, use the credentials kohadev:kohadev (or set up your own in the keycloak admin panel) Obviously this has no ssl and Koha is hard coded in auth_with_shibboleth.pm to use https, so you'll need to change the code here to http instead for the _get_uri() sub. The above work will be upstreamed to the koha-testing-docker repo once this bug has been pushed to main Thanks in advance -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Jacob O'Mara <jacob.omara@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andrew.auld@openfifth.co.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40596 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@libriotech.no --- Comment #14 from Magnus Enger <magnus@libriotech.no> --- Can this co-exist with bug 40596, or is there a conflict? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Bug 39224 depends on bug 38201, which changed state. Bug 38201 Summary: VueJS architecture rethink https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38201 What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com Status|Needs Signoff |Failed QA --- Comment #15 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Patches need a small rebase, I updated for testing Using the keycloak setup recommended, I found the firstname would not update - I let a user autocreate - then changed the firstname in keycloack - signed out of koha and back in, first name did not change. Surname did successfully so I suspect it's config not code Admin menu - need to add check for CAN_user_parameters_manage_identity_providers to the section head Extra 'Submit' button on all config pages - I see "Save Cancel Submit Cancel" - submit is gray Migration tests should be on their own patch - I don't think we need to push those, but are good for testing /kohadevbox/koha/t/db_dependent/api/v1/shibboleth_field_mappings.t - fails if a surname mapping exists When adding a new field mapping, and checking 'use as matchpoint' I like that it unchecks the previous matchpoint, but I think it should warn/confirm this for the user - or at the very least it should show the current matchpoint on the page and note that only one can be selected If 'OPAC require shib' and no autocreate, and I sign in via SSO with a non-matching user I am stuck in an infinite redirect How does this work when there are more than one shibboleth setups? We often have libraries with one IDP for staff and one for OPAC - I can't see how this is supported here? This does feel like it should be combined with the current identity providers work -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #16 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Also, http://localhost:8081/cgi-bin/koha/shibboleth/config can be loaded when shib is disabled - is this intentional? It's nice because then you can config shib before turning it on, but I actually kind of want the syspref, plus a switch in the config to activate/deactive shibboleth while setting up/testing -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@openfifth.c | |o.uk --- Comment #17 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- (In reply to Nick Clemens (kidclamp) from comment #15)
How does this work when there are more than one shibboleth setups? We often have libraries with one IDP for staff and one for OPAC - I can't see how this is supported here?
How are you doing this currently.. The mapping block in the koha-conf only allows for one identity provider right now as it stands so I don't see how you're setting up different IdP's for staff and opac? (Well, I do, as you can via the native service provider and then map to the same attributes that Koha then remaps to borrower fields.. but that's the same here)
This does feel like it should be combined with the current identity providers work
Yeah, I tend to agree, though I think we should consider the Vue work here as a basis for migrating the general IdP configurations into Vue. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #18 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- I'm having a crack at combining the two config UI's, Identity Providers and Shibboleth. Bare with me. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |41367 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41367 [Bug 41367] Staff user interface - no sidebar menu when on record sources pages -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |40596 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 [Bug 40596] Migrate CAS and Shibboleth into the identity providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Move Shibboleth config from |Migrate SAML/Shibboleth |koha-conf to the DB |configuration into Identity | |Providers Blocks|40596 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 [Bug 40596] Migrate CAS configuration into the identity providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |40596 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 [Bug 40596] Migrate CAS configuration into the identity providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Comma delimited| |ByWater Solutions list of Sponsors| | Patch complexity|--- |Medium patch Status|Failed QA |Needs Signoff Sponsorship status|--- |Sponsored -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189234|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189235|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189236|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189237|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189238|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189239|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189240|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189241|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189242|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189243|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #189244|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #19 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193618 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193618&action=edit Bug 39224: Database updates for unified identity providers Adds database tables and schema changes to support unified identity providers with hostname-based selection: - identity_provider_mappings: Maps identity provider fields to Koha patron fields - identity_provider_hostnames: Links identity providers to hostnames for automatic provider selection - hostnames: Registry of library hostnames for provider routing - Adds SAML2 to supported protocols - Migrates system preferences and configuration to new tables Test plan: 1. Apply the atomic update 2. Verify new tables exist in the database 3. Verify identity_providers table has new columns 4. Verify any existing identity providers, including SAML2 entries from koha-conf.xml are now in the new tables Sponsored-by: ByWater Solutions Co-authored-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #20 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193619 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193619&action=edit Bug 39224: DBIx::Class schema update Auto-generated DBIx::Class schema updates from database changes: - New Result classes: Hostname, IdentityProviderHostname, IdentityProviderMapping - Updated Result classes: IdentityProvider (new columns and relationships), IdentityProviderDomain (new relationships) Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #21 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193620 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193620&action=edit Bug 39224: DBIC Schema customisations Adds customisations below the auto-generated hash line in the DBIx::Class Result classes: - Boolean column overrides (is_boolean => 1) for flag columns - koha_object_class / koha_objects_class declarations linking schema to Koha object classes - Custom relationships (e.g. hostnames on IdentityProvider) Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #22 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193621 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193621&action=edit Bug 39224: Add and Update Koha Object classes Updates the Koha object layer for unified identity providers: - Koha::Auth::Hostname(s): Manage library hostnames - Koha::Auth::Identity::Provider::Hostname(s): Link providers to hostnames with force_sso support - Koha::Auth::Identity::Provider::Mapping(s): Map provider fields to patron attributes - Updates Koha::Auth::Identity::Provider with mappings/hostnames accessors and simplified to_api - Updates Koha::Auth::Identity::Providers with find_forced_provider and polymorphic dispatch via object_class - Updates C4::Auth for hostname-based provider selection - Updates C4::Auth_with_shibboleth for new provider structure - Adds ForceIdentityProvider support in Koha::Config::SysPref - Updates AuthClient template plugin for hostname-aware login Test plan: 1. Run: prove t/db_dependent/Koha/Auth/Identity/Provider.t 2. Verify provider objects can be created and linked to hostnames Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #23 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193622 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193622&action=edit Bug 39224: Unit tests for identity provider object classes Adds unit tests for the new Koha object classes: - t/db_dependent/Koha/Auth/Hostname.t: Tests for hostname CRUD and validation - t/db_dependent/Koha/Auth/Identity/Provider.t: Extended tests for provider with mappings and hostnames - t/db_dependent/Koha/Auth/Identity/Provider/Mapping.t: Tests for field mapping CRUD and validation - t/db_dependent/Auth_with_shibboleth.t: Updated tests for new provider structure Test plan: 1. Run: prove t/db_dependent/Koha/Auth/Hostname.t 2. Run: prove t/db_dependent/Koha/Auth/Identity/Provider.t 3. Run: prove t/db_dependent/Koha/Auth/Identity/Provider/Mapping.t 4. Run: prove t/db_dependent/Auth_with_shibboleth.t Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #24 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193623 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193623&action=edit Bug 39224: Add SAML2 as a supported identity provider protocol Adds SAML2 support to the identity provider framework: - New Koha::Auth::Identity::Provider::SAML2 class implementing SAML2-specific configuration and behaviour - Registers SAML2 in the polymorphic protocol map in Koha::Auth::Identity::Providers This extends the existing OAuth/OIDC provider framework to also handle SAML2 identity providers through the same unified interface. Test plan: 1. Create a SAML2 identity provider Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #25 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193624 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193624&action=edit Bug 39224: REST API for identity providers, mappings and hostnames Adds REST API endpoints for managing identity providers, their field mappings, and hostname associations: - GET/POST /api/v1/auth/identity_providers/{id}/mappings - GET/PUT/DELETE /api/v1/auth/identity_providers/{id}/mappings/{id} - GET/POST /api/v1/auth/identity_providers/{id}/hostnames - GET/PUT/DELETE /api/v1/auth/identity_providers/{id}/hostnames/{id} - GET /api/v1/auth/hostnames (for hostname lookup) - Updates existing provider endpoints with new fields Includes OpenAPI/Swagger definitions for all new endpoints and updated definitions for existing endpoints. Test plan: 1. Run: prove t/db_dependent/api/v1/identity_providers.t 2. Test CRUD operations on mappings and hostnames via API Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #26 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193625 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193625&action=edit Bug 39224: API tests for identity providers, mappings and hostnames Adds API test coverage: - t/db_dependent/api/v1/identity_providers.t: Tests for provider CRUD including new protocol and SAML2 config fields - t/db_dependent/api/v1/identity_provider_mappings.t: Tests for mapping CRUD operations - t/db_dependent/api/v1/identity_provider_hostnames.t: Tests for hostname association CRUD Test plan: 1. Run: prove t/db_dependent/api/v1/identity_providers.t 2. Run: prove t/db_dependent/api/v1/identity_provider_mappings.t 3. Run: prove t/db_dependent/api/v1/identity_provider_hostnames.t Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #27 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193626 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193626&action=edit Bug 39224: Vue framework component enhancements Enhances shared Vue components to support the identity providers admin interface and improve reusability: - AccordionWrapper: Adds dynamic slot support - FormElement: Adds textarea and select type support - FormSection: New component for grouping form fields - KohaTable: Adds column visibility and action customisation - RelationshipWidget: Adds slot for custom content - ResourceFormSave: Adds support for nested resources and custom save handlers - ResourceShow: Adds support for related resource display - ShowElement: Adds boolean and list display support - base-resource composable: Adds relationship management and improved error handling Test plan: 1. Verify existing Vue SPAs (e.g. ERM) still function correctly 2. Components should be backwards compatible Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #28 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193627 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193627&action=edit Bug 39224: Identity providers Vue SPA and admin interface Replaces the legacy jQuery-based identity providers admin page with a modern Vue 3 SPA: - Vue router with views for list, show, add, and edit providers - Provider, domain, and mapping resource components - API client for identity provider endpoints - Rspack build configuration for the new module - Updated OPAC templates for hostname-based provider selection - Updated system preferences (moves provider prefs to admin section) - Apache configuration for Vue SPA routing - Simplified admin/identity_providers.pl (delegates to Vue SPA) Test plan: 1. Navigate to Administration > Identity providers 2. Verify the list view shows existing providers 3. Add a new identity provider with mappings 4. Edit an existing provider 5. Verify OPAC login shows appropriate provider buttons 6. Run: yarn build && restart_all Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #29 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- OK, that ended up a tad more extensive than I was envisaging.. it basically became a complete refactor of the existing piece and upgrade of the Identity Providers page. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |31378 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 [Bug 31378] Add a generic OAuth2/OIDC client implementation -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193618|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193619|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193620|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193621|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193622|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193623|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193624|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193625|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193626|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193627|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #30 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193681 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193681&action=edit Bug 39224: Database updates for unified identity providers Adds database tables and schema changes to support unified identity providers with hostname-based selection: - identity_provider_mappings: Maps identity provider fields to Koha patron fields - identity_provider_hostnames: Links identity providers to hostnames for automatic provider selection - hostnames: Registry of library hostnames for provider routing - Adds SAML2 to supported protocols - Migrates system preferences and configuration to new tables Test plan: 1. Apply the atomic update 2. Verify new tables exist in the database 3. Verify identity_providers table has new columns 4. Verify any existing identity providers, including SAML2 entries from koha-conf.xml are now in the new tables Sponsored-by: ByWater Solutions Co-authored-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #31 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193682 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193682&action=edit Bug 39224: DBIx::Class schema update Auto-generated DBIx::Class schema updates from database changes: - New Result classes: Hostname, IdentityProviderHostname, IdentityProviderMapping - Updated Result classes: IdentityProvider (new columns and relationships), IdentityProviderDomain (new relationships) Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #32 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193683 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193683&action=edit Bug 39224: DBIC Schema customisations Adds customisations below the auto-generated hash line in the DBIx::Class Result classes: - Boolean column overrides (is_boolean => 1) for flag columns - koha_object_class / koha_objects_class declarations linking schema to Koha object classes - Custom relationships (e.g. hostnames on IdentityProvider) Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #33 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193684 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193684&action=edit Bug 39224: Add and Update Koha Object classes Updates the Koha object layer for unified identity providers: - Koha::Auth::Hostname(s): Manage library hostnames - Koha::Auth::Identity::Provider::Hostname(s): Link providers to hostnames with force_sso support - Koha::Auth::Identity::Provider::Mapping(s): Map provider fields to patron attributes - Updates Koha::Auth::Identity::Provider with mappings/hostnames accessors and simplified to_api - Updates Koha::Auth::Identity::Providers with find_forced_provider and polymorphic dispatch via object_class - Updates C4::Auth for hostname-based provider selection - Updates C4::Auth_with_shibboleth for new provider structure - Adds ForceIdentityProvider support in Koha::Config::SysPref - Updates AuthClient template plugin for hostname-aware login Test plan: 1. Run: prove t/db_dependent/Koha/Auth/Identity/Provider.t 2. Verify provider objects can be created and linked to hostnames Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #34 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193685 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193685&action=edit Bug 39224: Handle patron_attribute:CODE values in auth protocol handlers - OAuth _find_patron_by_matchpoint: search via borrower_attributes join when matchpoint has patron_attribute: prefix - Auth::Client get_user: strip patron_attribute keys from mapped_data before patron->set(), apply them via Koha::Patron::Attribute instead - auth.register: separate patron attributes from borrower fields on patron creation - Shibboleth checkpw_shib: search via borrower_attributes for patron attribute matchpoints - Shibboleth _autocreate/_sync: route patron_attribute:CODE mapping values through Koha::Patron::Attribute rather than borrower hash -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #35 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193686 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193686&action=edit Bug 39224: Unit tests for identity provider object classes Adds unit tests for the new Koha object classes: - t/db_dependent/Koha/Auth/Hostname.t: Tests for hostname CRUD and validation - t/db_dependent/Koha/Auth/Identity/Provider.t: Extended tests for provider with mappings and hostnames - t/db_dependent/Koha/Auth/Identity/Provider/Mapping.t: Tests for field mapping CRUD and validation - t/db_dependent/Auth_with_shibboleth.t: Updated tests for new provider structure Test plan: 1. Run: prove t/db_dependent/Koha/Auth/Hostname.t 2. Run: prove t/db_dependent/Koha/Auth/Identity/Provider.t 3. Run: prove t/db_dependent/Koha/Auth/Identity/Provider/Mapping.t 4. Run: prove t/db_dependent/Auth_with_shibboleth.t Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #36 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193687 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193687&action=edit Bug 39224: Add SAML2 as a supported identity provider protocol Adds SAML2 support to the identity provider framework: - New Koha::Auth::Identity::Provider::SAML2 class implementing SAML2-specific configuration and behaviour - Registers SAML2 in the polymorphic protocol map in Koha::Auth::Identity::Providers This extends the existing OAuth/OIDC provider framework to also handle SAML2 identity providers through the same unified interface. Test plan: 1. Create a SAML2 identity provider Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #37 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193688 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193688&action=edit Bug 39224: REST API for identity providers, mappings and hostnames Adds REST API endpoints for managing identity providers, their field mappings, and hostname associations: - GET/POST /api/v1/auth/identity_providers/{id}/mappings - GET/PUT/DELETE /api/v1/auth/identity_providers/{id}/mappings/{id} - GET/POST /api/v1/auth/identity_providers/{id}/hostnames - GET/PUT/DELETE /api/v1/auth/identity_providers/{id}/hostnames/{id} - GET /api/v1/auth/hostnames (for hostname lookup) - Updates existing provider endpoints with new fields Includes OpenAPI/Swagger definitions for all new endpoints and updated definitions for existing endpoints. Test plan: 1. Run: prove t/db_dependent/api/v1/identity_providers.t 2. Test CRUD operations on mappings and hostnames via API Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #38 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193689 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193689&action=edit Bug 39224: API tests for identity providers, mappings and hostnames Adds API test coverage: - t/db_dependent/api/v1/identity_providers.t: Tests for provider CRUD including new protocol and SAML2 config fields - t/db_dependent/api/v1/identity_provider_mappings.t: Tests for mapping CRUD operations - t/db_dependent/api/v1/identity_provider_hostnames.t: Tests for hostname association CRUD Test plan: 1. Run: prove t/db_dependent/api/v1/identity_providers.t 2. Run: prove t/db_dependent/api/v1/identity_provider_mappings.t 3. Run: prove t/db_dependent/api/v1/identity_provider_hostnames.t Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #39 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193690 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193690&action=edit Bug 39224: Vue framework component enhancements Enhances shared Vue components to support the identity providers admin interface and improve reusability: - AccordionWrapper: Adds dynamic slot support - FormElement: Adds textarea and select type support - FormSection: New component for grouping form fields - KohaTable: Adds column visibility and action customisation - RelationshipWidget: Adds slot for custom content - ResourceFormSave: Adds support for nested resources and custom save handlers - ResourceShow: Adds support for related resource display - ShowElement: Adds boolean and list display support - base-resource composable: Adds relationship management and improved error handling Test plan: 1. Verify existing Vue SPAs (e.g. ERM) still function correctly 2. Components should be backwards compatible Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #40 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193691 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193691&action=edit Bug 39224: Identity providers Vue SPA and admin interface Replaces the legacy jQuery-based identity providers admin page with a modern Vue 3 SPA: - Vue router with views for list, show, add, and edit providers - Provider, domain, and mapping resource components - API client for identity provider endpoints - Rspack build configuration for the new module - Updated OPAC templates for hostname-based provider selection - Updated system preferences (moves provider prefs to admin section) - Apache configuration for Vue SPA routing - Simplified admin/identity_providers.pl (delegates to Vue SPA) Test plan: 1. Navigate to Administration > Identity providers 2. Verify the list view shows existing providers 3. Add a new identity provider with mappings 4. Edit an existing provider 5. Verify OPAC login shows appropriate provider buttons 6. Run: yarn build && restart_all Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #41 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 193692 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193692&action=edit Bug 39224: Cypress tests for identity providers admin interface Add cypress integration tests for the new identity providers vue app. Test plan 1) Run the new tests with: yarn cypress run --spec t/cypress/integration/Admin/IdentityProviders_spec.ts Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de --- Comment #42 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- *** Bug 22459 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |33538 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33538 [Bug 33538] Allow for independent shibboleth autocreate and sync mapping -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |tomascohen@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Michaela Sieber <michaela.sieber@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |clemens.tubach@kit.edu, | |lukasz.koszyk@kit.edu, | |michaela.sieber@kit.edu -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |oliver.behnke@aei.mpg.de --- Comment #43 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- *** Bug 40650 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |40650 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40650 [Bug 40650] Identity providers lack support for extended patron attribute type mapping -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #44 from Oliver Behnke <oliver.behnke@aei.mpg.de> --- (In reply to Martin Renvoize (ashimema) from comment #43)
*** Bug 40650 has been marked as a duplicate of this bug. ***
Thanks Martin. Just to make sure, bug 40650 was mainly about the existing OIDC identity provider. Does your patch cover that as well (since this bug focuses on SAML/Shibboleth)? Cheers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #193681|0 |1 is obsolete| | Attachment #193682|0 |1 is obsolete| | Attachment #193683|0 |1 is obsolete| | Attachment #193684|0 |1 is obsolete| | Attachment #193685|0 |1 is obsolete| | Attachment #193686|0 |1 is obsolete| | Attachment #193687|0 |1 is obsolete| | Attachment #193688|0 |1 is obsolete| | Attachment #193689|0 |1 is obsolete| | Attachment #193690|0 |1 is obsolete| | Attachment #193691|0 |1 is obsolete| | Attachment #193692|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #45 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195775 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195775&action=edit Bug 39224: Database updates for unified identity providers Adds database tables and schema changes to support unified identity providers with hostname-based selection: - identity_provider_mappings: Maps identity provider fields to Koha patron fields - identity_provider_hostnames: Links identity providers to hostnames for automatic provider selection - hostnames: Registry of library hostnames for provider routing - Adds SAML2 to supported protocols - Migrates system preferences and configuration to new tables Test plan: 1. Apply the atomic update 2. Verify new tables exist in the database 3. Verify identity_providers table has new columns 4. Verify any existing identity providers, including SAML2 entries from koha-conf.xml are now in the new tables Sponsored-by: ByWater Solutions Co-authored-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #46 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195776 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195776&action=edit Bug 39224: DBIx::Class schema update Auto-generated DBIx::Class schema updates from database changes: - New Result classes: Hostname, IdentityProviderHostname, IdentityProviderMapping - Updated Result classes: IdentityProvider (new columns and relationships), IdentityProviderDomain (new relationships) Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #47 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195777 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195777&action=edit Bug 39224: DBIC Schema customisations Adds customisations below the auto-generated hash line in the DBIx::Class Result classes: - Boolean column overrides (is_boolean => 1) for flag columns - koha_object_class / koha_objects_class declarations linking schema to Koha object classes - Custom relationships (e.g. hostnames on IdentityProvider) Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #48 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195778 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195778&action=edit Bug 39224: Add and Update Koha Object classes Updates the Koha object layer for unified identity providers: - Koha::Auth::Hostname(s): Manage library hostnames - Koha::Auth::Identity::Provider::Hostname(s): Link providers to hostnames with force_sso support - Koha::Auth::Identity::Provider::Mapping(s): Map provider fields to patron attributes - Updates Koha::Auth::Identity::Provider with mappings/hostnames accessors and simplified to_api - Updates Koha::Auth::Identity::Providers with find_forced_provider and polymorphic dispatch via object_class - Updates C4::Auth for hostname-based provider selection - Updates C4::Auth_with_shibboleth for new provider structure - Adds ForceIdentityProvider support in Koha::Config::SysPref - Updates AuthClient template plugin for hostname-aware login Test plan: 1. Run: prove t/db_dependent/Koha/Auth/Identity/Provider.t 2. Verify provider objects can be created and linked to hostnames Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #49 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195779 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195779&action=edit Bug 39224: Handle patron_attribute:CODE values in auth protocol handlers - OAuth _find_patron_by_matchpoint: search via borrower_attributes join when matchpoint has patron_attribute: prefix - Auth::Client get_user: strip patron_attribute keys from mapped_data before patron->set(), apply them via Koha::Patron::Attribute instead - auth.register: separate patron attributes from borrower fields on patron creation - Shibboleth checkpw_shib: search via borrower_attributes for patron attribute matchpoints - Shibboleth _autocreate/_sync: route patron_attribute:CODE mapping values through Koha::Patron::Attribute rather than borrower hash -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #50 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195780 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195780&action=edit Bug 39224: Unit tests for identity provider object classes Adds unit tests for the new Koha object classes: - t/db_dependent/Koha/Auth/Hostname.t: Tests for hostname CRUD and validation - t/db_dependent/Koha/Auth/Identity/Provider.t: Extended tests for provider with mappings and hostnames - t/db_dependent/Koha/Auth/Identity/Provider/Mapping.t: Tests for field mapping CRUD and validation - t/db_dependent/Auth_with_shibboleth.t: Updated tests for new provider structure Test plan: 1. Run: prove t/db_dependent/Koha/Auth/Hostname.t 2. Run: prove t/db_dependent/Koha/Auth/Identity/Provider.t 3. Run: prove t/db_dependent/Koha/Auth/Identity/Provider/Mapping.t 4. Run: prove t/db_dependent/Auth_with_shibboleth.t Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #51 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195781 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195781&action=edit Bug 39224: Add SAML2 as a supported identity provider protocol Adds SAML2 support to the identity provider framework: - New Koha::Auth::Identity::Provider::SAML2 class implementing SAML2-specific configuration and behaviour - Registers SAML2 in the polymorphic protocol map in Koha::Auth::Identity::Providers This extends the existing OAuth/OIDC provider framework to also handle SAML2 identity providers through the same unified interface. Test plan: 1. Create a SAML2 identity provider Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #52 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195782 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195782&action=edit Bug 39224: REST API for identity providers, mappings and hostnames Adds REST API endpoints for managing identity providers, their field mappings, and hostname associations: - GET/POST /api/v1/auth/identity_providers/{id}/mappings - GET/PUT/DELETE /api/v1/auth/identity_providers/{id}/mappings/{id} - GET/POST /api/v1/auth/identity_providers/{id}/hostnames - GET/PUT/DELETE /api/v1/auth/identity_providers/{id}/hostnames/{id} - GET /api/v1/auth/hostnames (for hostname lookup) - Updates existing provider endpoints with new fields Includes OpenAPI/Swagger definitions for all new endpoints and updated definitions for existing endpoints. Test plan: 1. Run: prove t/db_dependent/api/v1/identity_providers.t 2. Test CRUD operations on mappings and hostnames via API Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #53 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195783 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195783&action=edit Bug 39224: API tests for identity providers, mappings and hostnames Adds API test coverage: - t/db_dependent/api/v1/identity_providers.t: Tests for provider CRUD including new protocol and SAML2 config fields - t/db_dependent/api/v1/identity_provider_mappings.t: Tests for mapping CRUD operations - t/db_dependent/api/v1/identity_provider_hostnames.t: Tests for hostname association CRUD Test plan: 1. Run: prove t/db_dependent/api/v1/identity_providers.t 2. Run: prove t/db_dependent/api/v1/identity_provider_mappings.t 3. Run: prove t/db_dependent/api/v1/identity_provider_hostnames.t Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #54 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195784 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195784&action=edit Bug 39224: Vue framework component enhancements Enhances shared Vue components to support the identity providers admin interface and improve reusability: - AccordionWrapper: Adds dynamic slot support - FormElement: Adds textarea and select type support - FormSection: New component for grouping form fields - KohaTable: Adds column visibility and action customisation - RelationshipWidget: Adds slot for custom content - ResourceFormSave: Adds support for nested resources and custom save handlers - ResourceShow: Adds support for related resource display - ShowElement: Adds boolean and list display support - base-resource composable: Adds relationship management and improved error handling Test plan: 1. Verify existing Vue SPAs (e.g. ERM) still function correctly 2. Components should be backwards compatible Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #55 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195785 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195785&action=edit Bug 39224: Identity providers Vue SPA and admin interface Replaces the legacy jQuery-based identity providers admin page with a modern Vue 3 SPA: - Vue router with views for list, show, add, and edit providers - Provider, domain, and mapping resource components - API client for identity provider endpoints - Rspack build configuration for the new module - Updated OPAC templates for hostname-based provider selection - Updated system preferences (moves provider prefs to admin section) - Apache configuration for Vue SPA routing - Simplified admin/identity_providers.pl (delegates to Vue SPA) Test plan: 1. Navigate to Administration > Identity providers 2. Verify the list view shows existing providers 3. Add a new identity provider with mappings 4. Edit an existing provider 5. Verify OPAC login shows appropriate provider buttons 6. Run: yarn build && restart_all Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #56 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195786 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195786&action=edit Bug 39224: Cypress tests for identity providers admin interface Add cypress integration tests for the new identity providers vue app. Test plan 1) Run the new tests with: yarn cypress run --spec t/cypress/integration/Admin/IdentityProviders_spec.ts Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Bug 39224 depends on bug 40650, which changed state. Bug 40650 Summary: Identity providers lack support for extended patron attribute type mapping https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40650 What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|DUPLICATE |--- -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #195775|0 |1 is obsolete| | Attachment #195776|0 |1 is obsolete| | Attachment #195777|0 |1 is obsolete| | Attachment #195778|0 |1 is obsolete| | Attachment #195779|0 |1 is obsolete| | Attachment #195780|0 |1 is obsolete| | Attachment #195781|0 |1 is obsolete| | Attachment #195782|0 |1 is obsolete| | Attachment #195783|0 |1 is obsolete| | Attachment #195784|0 |1 is obsolete| | Attachment #195785|0 |1 is obsolete| | Attachment #195786|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #57 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196536 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196536&action=edit Bug 39224: Database schema for identity provider modernisation Restructures identity_providers to support SAML2 and per-provider mappings: - Drops mapping/matchpoint columns (moved to new identity_provider_mappings table) - Adds enabled column and updates protocol enum to include SAML2 Adds identity_provider_mappings table for per-provider field mapping records. Adds hostnames and identity_provider_hostnames tables for per-hostname provider visibility and exclusivity (replacing OPACShibOnly/staffShibOnly sysprefs). Adds send_welcome_email column to identity_provider_domains. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #58 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196537 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196537&action=edit Bug 39224: DBIx::Class schema update Automated schema update for new and modified tables: - New: Hostname, IdentityProviderHostname, IdentityProviderMapping result classes - Updated IdentityProvider: remove mapping/matchpoint columns, add enabled, update protocol enum, add identity_provider_hostnames has_many relationship - Updated IdentityProviderDomain: add send_welcome_email column Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #59 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196538 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196538&action=edit Bug 39224: DBIC Schema customisations Add koha_object_class/koha_objects_class accessors for new result classes: - Hostname → Koha::Auth::Hostname / Koha::Auth::Hostnames - IdentityProviderHostname → Koha::Auth::Identity::Provider::Hostname / ::Hostnames - IdentityProviderMapping → Koha::Auth::Identity::Provider::Mapping / ::Mappings Add is_boolean column flags for send_welcome_email in IdentityProviderDomain. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #60 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196539 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196539&action=edit Bug 39224: Modernise the identity providers admin interface The TT-rendered form was too limiting to support the features required for SAML2/Shibboleth parity. Replace it with a Vue SPA giving full management of: - Providers: code, description, protocol (OAuth/OIDC/SAML2), config, icon, enabled flag. Field mappings are now stored as individual relational records (identity_provider_mappings) rather than a JSON blob on the provider row. - Mappings: per-provider attribute-to-borrower-field mapping records, editable inline in the provider form. - Domain settings: per-provider domain rules (auto-register, update-on-auth, send_welcome_email) managed via the existing domain sub-resource panel. - Hostname assignments: providers can be linked to specific server hostnames with per-hostname enabled/exclusive flags (admin UI; auth enforcement follows in a later commit). Backend additions: - New Koha object classes: Koha::Auth::Hostname/Hostnames, Koha::Auth::Identity::Provider::Hostname/Hostnames, ::Mapping/Mappings, ::SAML2 - REST API: /api/v1/auth/identity_providers (and sub-resources /mappings, /hostnames), /api/v1/auth/hostnames - Shared Vue component improvements: ResourceShow/ResourceFormSave sub-resource panels, RelationshipWidget, FormSection, ShowElement, base-resource composable - Apache RewriteRule to route the new SPA URL to identity_providers.pl - Adds Authen::SAML2 Perl dependency for the SAML2 protocol handler Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #61 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196540 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196540&action=edit Bug 39224: Add per-hostname provider routing, exclusive login and update login pages Providers are now associated with specific server hostnames, mirroring the per-vhost model used by Shibboleth. This benefits all provider types: Exclusive provider support: the per-hostname is_exclusive flag replaces the OPACShibOnly and staffShibOnly system preferences. When set, the login page suppresses local username/password fields and the user is directed straight to that provider — the same force-SSO behaviour previously only available for Shibboleth, now available for any OAuth, OIDC or SAML2 provider. Login page updates: staff auth.tt, OPAC opac-auth.tt and the masthead login modal now query the identity provider REST plugin and render a login button for every enabled provider on the current hostname, not just a single Shibboleth button. SCO/SCI terminals are excluded from exclusive-provider enforcement so self-checkout can always fall back to local login. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #62 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196541 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196541&action=edit Bug 39224: Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database Reads the existing useshibboleth/shibboleth block from koha-conf.xml and migrates it into the unified identity_providers system: 1. Creates a SAML2 provider record from the shibboleth config block 2. Migrates domain settings (auto-register, update-on-auth, matchpoint, attribute mapping) to identity_provider_domains and identity_provider_mappings records 3. Migrates OPACShibOnly/staffShibOnly to is_exclusive on identity_provider_hostnames for the relevant hostname(s) 4. Adds a wildcard ('*') hostname entry for any enabled provider without explicit hostname assignments, preserving existing behaviour 5. Removes the OPACShibOnly and staffShibOnly system preferences Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |40650 Depends on|40650 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40650 [Bug 40650] Identity providers lack support for extended patron attribute type mapping -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|40596 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40596 [Bug 40596] Migrate CAS configuration into Identity Providers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #196536|0 |1 is obsolete| | Attachment #196537|0 |1 is obsolete| | Attachment #196538|0 |1 is obsolete| | Attachment #196539|0 |1 is obsolete| | Attachment #196540|0 |1 is obsolete| | Attachment #196541|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #63 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196561 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196561&action=edit Bug 39224: Database schema for identity provider modernisation Restructures identity_providers to support SAML2 and per-provider mappings: - Drops mapping/matchpoint columns (moved to new identity_provider_mappings table) - Adds enabled column and updates protocol enum to include SAML2 Adds identity_provider_mappings table for per-provider field mapping records. Adds hostnames and identity_provider_hostnames tables for per-hostname provider visibility and exclusivity (replacing OPACShibOnly/staffShibOnly sysprefs). Adds send_welcome_email column to identity_provider_domains. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #64 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196562 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196562&action=edit Bug 39224: DBIx::Class schema update Automated schema update for new and modified tables: - New: Hostname, IdentityProviderHostname, IdentityProviderMapping result classes - Updated IdentityProvider: remove mapping/matchpoint columns, add enabled, update protocol enum, add identity_provider_hostnames has_many relationship - Updated IdentityProviderDomain: add send_welcome_email column Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #65 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196563 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196563&action=edit Bug 39224: DBIC Schema customisations Add koha_object_class/koha_objects_class accessors for new result classes: - Hostname → Koha::Auth::Hostname / Koha::Auth::Hostnames - IdentityProviderHostname → Koha::Auth::Identity::Provider::Hostname / ::Hostnames - IdentityProviderMapping → Koha::Auth::Identity::Provider::Mapping / ::Mappings Add is_boolean column flags for send_welcome_email in IdentityProviderDomain. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #66 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196564 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196564&action=edit Bug 39224: Modernise the identity providers admin interface The TT-rendered form was too limiting to support the features required for SAML2/Shibboleth parity. Replace it with a Vue SPA giving full management of: - Providers: code, description, protocol (OAuth/OIDC/SAML2), config, icon, enabled flag. Field mappings are now stored as individual relational records (identity_provider_mappings) rather than a JSON blob on the provider row. - Mappings: per-provider attribute-to-borrower-field mapping records, editable inline in the provider form. - Domain settings: per-provider domain rules (auto-register, update-on-auth, send_welcome_email) managed via the existing domain sub-resource panel. - Hostname assignments: providers can be linked to specific server hostnames with per-hostname enabled/exclusive flags (admin UI; auth enforcement follows in a later commit). Backend additions: - New Koha object classes: Koha::Auth::Hostname/Hostnames, Koha::Auth::Identity::Provider::Hostname/Hostnames, ::Mapping/Mappings, ::SAML2 - REST API: /api/v1/auth/identity_providers (and sub-resources /mappings, /hostnames), /api/v1/auth/hostnames - Shared Vue component improvements: ResourceShow/ResourceFormSave sub-resource panels, RelationshipWidget, FormSection, ShowElement, base-resource composable - Apache RewriteRule to route the new SPA URL to identity_providers.pl - Adds Authen::SAML2 Perl dependency for the SAML2 protocol handler Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #67 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196565 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196565&action=edit Bug 39224: Add per-hostname provider routing, exclusive login and update login pages Providers are now associated with specific server hostnames, mirroring the per-vhost model used by Shibboleth. This benefits all provider types: Exclusive provider support: the per-hostname is_exclusive flag replaces the OPACShibOnly and staffShibOnly system preferences. When set, the login page suppresses local username/password fields and the user is directed straight to that provider — the same force-SSO behaviour previously only available for Shibboleth, now available for any OAuth, OIDC or SAML2 provider. Login page updates: staff auth.tt, OPAC opac-auth.tt and the masthead login modal now query the identity provider REST plugin and render a login button for every enabled provider on the current hostname, not just a single Shibboleth button. SCO/SCI terminals are excluded from exclusive-provider enforcement so self-checkout can always fall back to local login. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #68 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196566 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196566&action=edit Bug 39224: Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database Reads the existing useshibboleth/shibboleth block from koha-conf.xml and migrates it into the unified identity_providers system: 1. Creates a SAML2 provider record from the shibboleth config block 2. Migrates domain settings (auto-register, update-on-auth, matchpoint, attribute mapping) to identity_provider_domains and identity_provider_mappings records 3. Migrates OPACShibOnly/staffShibOnly to is_exclusive on identity_provider_hostnames for the relevant hostname(s) 4. Adds a wildcard ('*') hostname entry for any enabled provider without explicit hostname assignments, preserving existing behaviour 5. Removes the OPACShibOnly and staffShibOnly system preferences Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #69 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196567 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196567&action=edit Bug 39224: Improve hostname field hint to document '*' wildcard option Patch from commit 0b81ea2 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #70 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196568 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196568&action=edit Bug 39224: Reorder attribute mapping fields and make IdP field optional Put 'Koha field' before 'IdP field' in both the display table and the edit form. Remove the required constraint from 'IdP field' so that a mapping can be used solely for its default value without needing an IdP attribute to map from. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #71 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196569 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196569&action=edit Bug 39224: Add tooltips to clarify the two-layer default value system Explain how mapping-level 'Default value' and domain-level 'Default library'/'Default category' work together: - Mapping Default value: per-field static fallback at patron creation (requires Sync on creation, never used on update). Cross-references domain-level defaults for the library/category use case. - Domain Default library/Default category: per-domain fallbacks applied after attribute mappings, so mappings take precedence. Clarifies that the per-domain placement is intentional — it allows patrons from different email domains to be routed to different libraries/categories. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #72 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 196570 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=196570&action=edit Bug 39224: Smart default value input for attribute mappings Replace the plain text input for 'Default value' in the attribute mappings form with a context-aware component (PatronFieldValueInput) that adapts based on the selected Koha field: - branchcode → library selector (v-select populated from libraries_map) - categorycode → patron category selector (v-select from categories_map) - all others → plain text input (existing behaviour) The default value is also cleared automatically when the Koha field changes, preventing stale values (e.g. a branchcode) from persisting silently when the mapping target is switched to a different field. PatronFieldValueInput is placed at the top-level components/ directory rather than under IdentityProviders/ as the concept — rendering an appropriate input for a given patron field value — is reusable across any part of the Vue application that needs it. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #73 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- I've tried to clarify how the mapping defaults work, but it's a difficult concept having the branch and category defaults at the email domain level whilst also having defaults at the IdP mapping level. I'd appreciate feedback on this.. are my hints enough to clarify the situation or do we need to rethink how these mappings work a little with regards to 'Email domain rules' level field handling vs IdP Mappings level field handling (this also applies to 'sync' options added in the next bug in this tree really.) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|33538 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33538 [Bug 33538] Allow for independent shibboleth autocreate and sync mapping -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|Medium patch |Large patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #196561|0 |1 is obsolete| | Attachment #196562|0 |1 is obsolete| | Attachment #196563|0 |1 is obsolete| | Attachment #196564|0 |1 is obsolete| | Attachment #196565|0 |1 is obsolete| | Attachment #196566|0 |1 is obsolete| | Attachment #196567|0 |1 is obsolete| | Attachment #196568|0 |1 is obsolete| | Attachment #196569|0 |1 is obsolete| | Attachment #196570|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #74 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197214 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197214&action=edit Bug 39224: Database schema for identity provider modernisation Restructures identity_providers to support SAML2 and per-provider mappings: - Drops mapping/matchpoint columns (moved to new identity_provider_mappings table) - Adds enabled column and updates protocol enum to include SAML2 Adds identity_provider_mappings table for per-provider field mapping records. Adds hostnames and identity_provider_hostnames tables for per-hostname provider visibility and exclusivity (replacing OPACShibOnly/staffShibOnly sysprefs). Adds send_welcome_email column to identity_provider_domains. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #75 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197215 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197215&action=edit Bug 39224: DBIx::Class schema update Automated schema update for new and modified tables: - New: Hostname, IdentityProviderHostname, IdentityProviderMapping result classes - Updated IdentityProvider: remove mapping/matchpoint columns, add enabled, update protocol enum, add identity_provider_hostnames has_many relationship - Updated IdentityProviderDomain: add send_welcome_email column Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #76 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197216 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197216&action=edit Bug 39224: DBIC Schema customisations Add koha_object_class/koha_objects_class accessors for new result classes: - Hostname → Koha::Auth::Hostname / Koha::Auth::Hostnames - IdentityProviderHostname → Koha::Auth::Identity::Provider::Hostname / ::Hostnames - IdentityProviderMapping → Koha::Auth::Identity::Provider::Mapping / ::Mappings Add is_boolean column flags for send_welcome_email in IdentityProviderDomain. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #77 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197217 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197217&action=edit Bug 39224: Shared Vue component improvements for sub-resource panels Several shared Vue framework components are improved to better support the inline sub-resource panel pattern used across ERM, ILL, and the new identity providers SPA: - AccordionWrapper: add placeholder group support — a group with a `placeholder` config renders an info-styled banner (description text) instead of a form fieldset, useful for "nothing configured yet" states. - FormElement: fix radio button id/name attributes to use `getElementId` computed property instead of raw `attr.name`, avoiding duplicate ids when the same field appears more than once on a page. - FormSection (new): lightweight wrapper that renders a labelled fieldset section inside a form, replacing ad-hoc `<fieldset>` markup in individual resource forms. - RelationshipWidget: minor prop alignment for consistency. - ResourceShow / ResourceFormSave: extend slot API and layout options for sub-resource panels (used by Mapping and Domain panels in the identity providers SPA, and available to future sub-resources). - ShowElement: add `copy` and `truncate` props to the display component used in ResourceShow panels. - base-resource.js (composable): refactor shared create/update/delete logic so sub-resource panels only need to override the minimal API surface, reducing boilerplate in each resource component. These improvements are self-contained and do not change behaviour for existing ERM or ILL components. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #78 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197218 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197218&action=edit Bug 39224: Rewrite identity providers admin as a Vue SPA Replaces the previous Template Toolkit driven identity-provider admin form with a Vue SPA that supports the full new schema: providers, per-provider attribute mappings, per-hostname visibility, and domain settings. REST API additions (under /api/v1/auth/): - identity_providers — CRUD for provider records - identity_providers/:id/mappings — CRUD for attribute mappings - identity_providers/:id/domains — existing, now includes send_welcome_email - hostnames — CRUD for global hostname records - identity_providers/:id/hostnames — per-provider hostname assignments New Koha:: object classes: Hostname, IdentityProviderHostname, IdentityProviderMapping, plus SAML2 provider stub. Vue component improvements: RelationshipWidget, FormSection, ResourceShow, ResourceFormSave — shared across the ERM/ILL Vue toolchain. Test plan: 1. Go to Administration > Identity providers. 2. Add a new OAuth provider; configure mappings, domain and hostname assignments — confirm each step saves and displays correctly. 3. Edit an existing provider; verify changes persist. 4. Delete a provider; confirm it disappears from the list. 5. Confirm the REST endpoints respond under /api/v1/auth/identity_providers. Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #79 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197219 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197219&action=edit Bug 39224: Add per-hostname provider routing, exclusive login and update login pages Providers are now associated with specific server hostnames, mirroring the per-vhost model used by Shibboleth. This benefits all provider types: Exclusive provider support: the per-hostname is_exclusive flag replaces the OPACShibOnly and staffShibOnly system preferences. When set, the login page suppresses local username/password fields and the user is directed straight to that provider — the same force-SSO behaviour previously only available for Shibboleth, now available for any OAuth, OIDC or SAML2 provider. Login page updates: staff auth.tt, OPAC opac-auth.tt and the masthead login modal now query the identity provider REST plugin and render a login button for every enabled provider on the current hostname, not just a single Shibboleth button. SCO/SCI terminals are excluded from exclusive-provider enforcement so self-checkout can always fall back to local login. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #80 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197220 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197220&action=edit Bug 39224: Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database Reads the existing useshibboleth/shibboleth block from koha-conf.xml and migrates it into the unified identity_providers system: 1. Creates a SAML2 provider record from the shibboleth config block 2. Migrates domain settings (auto-register, update-on-auth, matchpoint, attribute mapping) to identity_provider_domains and identity_provider_mappings records 3. Migrates OPACShibOnly/staffShibOnly to is_exclusive on identity_provider_hostnames for the relevant hostname(s) 4. Adds a wildcard ('*') hostname entry for any enabled provider without explicit hostname assignments, preserving existing behaviour 5. Removes the OPACShibOnly and staffShibOnly system preferences Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #81 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197221 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197221&action=edit Bug 39224: Introduce Koha::Auth::Client::SAML2 for IPC Shibboleth authentication, remove C4::Auth_with_shibboleth C4::Auth_with_shibboleth was a thin wrapper around legacy Shibboleth IPC functionality. This commit removes it entirely and introduces a new Koha::Auth::Client::SAML2 class that implements IPC Shibboleth authentication using the identity provider framework: - Koha::Auth::Client::SAML2->is_enabled() (was shib_ok()) - Koha::Auth::Client::SAML2->get_matchpoint_value() (was get_login_shib()) - checkpw() reads Apache ENV vars via _load_saml_attributes_from_request() - login_url() / logout_url() for redirect handling - _get_shib_config(), _request_hostname(), _get_session_id_from_env() as private IPC helpers C4/Auth.pm and opac/opac-user.pl updated to call Koha::Auth::Client::SAML2 directly. t/db_dependent/Auth_with_shibboleth.t removed; IPC-mode tests migrated into t/db_dependent/Koha/Auth/Client/SAML2.t. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #82 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197222 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197222&action=edit Bug 39224: Unify patron mapping and lookup into Koha::Auth::Client base class Moves three pieces of logic into the Koha::Auth::Client base class so they are available to all identity provider mechanisms: - _get_mapped_data: maps raw IdP data to Koha borrower fields via provider mappings - _find_patron_by_matchpoint: locates a patron by a given matchpoint value; throws the new Koha::Exceptions::Auth::DuplicateMatchpoint when the result is non-unique - _update_patron_from_mapped_data: applies mapped data to a patron object, updating core borrower fields Koha::Auth::Client::OAuth drops its local _find_patron_by_matchpoint in favour of the shared implementation. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #83 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197223 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197223&action=edit Bug 39224: Add send_welcome_email support to identity provider authentication Updates identity provider authentication to correctly use the domain-level send_welcome_email setting when creating new patron accounts via OAuth, OIDC, Shibboleth and SAML2 identity providers. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #84 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197224 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197224&action=edit Bug 39224: Improve hostname field hint to document '*' wildcard option Patch from commit 3505b4e -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #85 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197225 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197225&action=edit Bug 39224: Reorder attribute mapping fields and make IdP field optional Put 'Koha field' before 'IdP field' in both the display table and the edit form. Remove the required constraint from 'IdP field' so that a mapping can be used solely for its default value without needing an IdP attribute to map from. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #86 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197226 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197226&action=edit Bug 39224: Add tooltips to clarify the two-layer default value system Explain how mapping-level 'Default value' and domain-level 'Default library'/'Default category' work together: - Mapping Default value: per-field static fallback at patron creation (requires Sync on creation, never used on update). Cross-references domain-level defaults for the library/category use case. - Domain Default library/Default category: per-domain fallbacks applied after attribute mappings, so mappings take precedence. Clarifies that the per-domain placement is intentional — it allows patrons from different email domains to be routed to different libraries/categories. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #87 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197227 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197227&action=edit Bug 39224: Smart default value input for attribute mappings Replace the plain text input for 'Default value' in the attribute mappings form with a context-aware component (PatronFieldValueInput) that adapts based on the selected Koha field: - branchcode → library selector (v-select populated from libraries_map) - categorycode → patron category selector (v-select from categories_map) - all others → plain text input (existing behaviour) The default value is also cleared automatically when the Koha field changes, preventing stale values (e.g. a branchcode) from persisting silently when the mapping target is switched to a different field. PatronFieldValueInput is placed at the top-level components/ directory rather than under IdentityProviders/ as the concept — rendering an appropriate input for a given patron field value — is reusable across any part of the Vue application that needs it. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #197214|0 |1 is obsolete| | Attachment #197215|0 |1 is obsolete| | Attachment #197216|0 |1 is obsolete| | Attachment #197217|0 |1 is obsolete| | Attachment #197218|0 |1 is obsolete| | Attachment #197219|0 |1 is obsolete| | Attachment #197220|0 |1 is obsolete| | Attachment #197221|0 |1 is obsolete| | Attachment #197222|0 |1 is obsolete| | Attachment #197223|0 |1 is obsolete| | Attachment #197224|0 |1 is obsolete| | Attachment #197225|0 |1 is obsolete| | Attachment #197226|0 |1 is obsolete| | Attachment #197227|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #88 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197284 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197284&action=edit Bug 39224: Database schema for identity provider modernisation Restructures identity_providers to support SAML2 and per-provider mappings: - Drops mapping/matchpoint columns (moved to new identity_provider_mappings table) - Adds enabled column and updates protocol enum to include SAML2 Adds identity_provider_mappings table for per-provider field mapping records. Adds hostnames and identity_provider_hostnames tables for per-hostname provider visibility and exclusivity (replacing OPACShibOnly/staffShibOnly sysprefs). Adds send_welcome_email column to identity_provider_domains. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #89 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197285 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197285&action=edit Bug 39224: DBIx::Class schema update Automated schema update for new and modified tables: - New: Hostname, IdentityProviderHostname, IdentityProviderMapping result classes - Updated IdentityProvider: remove mapping/matchpoint columns, add enabled, update protocol enum, add identity_provider_hostnames has_many relationship - Updated IdentityProviderDomain: add send_welcome_email column Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #90 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197286 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197286&action=edit Bug 39224: DBIC Schema customisations Add koha_object_class/koha_objects_class accessors for new result classes: - Hostname → Koha::Auth::Hostname / Koha::Auth::Hostnames - IdentityProviderHostname → Koha::Auth::Identity::Provider::Hostname / ::Hostnames - IdentityProviderMapping → Koha::Auth::Identity::Provider::Mapping / ::Mappings Add is_boolean column flags for send_welcome_email in IdentityProviderDomain. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #91 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197287 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197287&action=edit Bug 39224: Shared Vue component improvements for sub-resource panels Several shared Vue framework components are improved to better support the inline sub-resource panel pattern used across ERM, ILL, and the new identity providers SPA: - AccordionWrapper: add placeholder group support — a group with a `placeholder` config renders an info-styled banner (description text) instead of a form fieldset, useful for "nothing configured yet" states. - FormElement: fix radio button id/name attributes to use `getElementId` computed property instead of raw `attr.name`, avoiding duplicate ids when the same field appears more than once on a page. - FormSection (new): lightweight wrapper that renders a labelled fieldset section inside a form, replacing ad-hoc `<fieldset>` markup in individual resource forms. - RelationshipWidget: minor prop alignment for consistency. - ResourceShow / ResourceFormSave: extend slot API and layout options for sub-resource panels (used by Mapping and Domain panels in the identity providers SPA, and available to future sub-resources). - ShowElement: add `copy` and `truncate` props to the display component used in ResourceShow panels. - base-resource.js (composable): refactor shared create/update/delete logic so sub-resource panels only need to override the minimal API surface, reducing boilerplate in each resource component. These improvements are self-contained and do not change behaviour for existing ERM or ILL components. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #92 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197288 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197288&action=edit Bug 39224: Rewrite identity providers admin as a Vue SPA Replaces the previous Template Toolkit driven identity-provider admin form with a Vue SPA that supports the full new schema: providers, per-provider attribute mappings, per-hostname visibility, and domain settings. REST API additions (under /api/v1/auth/): - identity_providers — CRUD for provider records - identity_providers/:id/mappings — CRUD for attribute mappings - identity_providers/:id/domains — existing, now includes send_welcome_email - hostnames — CRUD for global hostname records - identity_providers/:id/hostnames — per-provider hostname assignments New Koha:: object classes: Hostname, IdentityProviderHostname, IdentityProviderMapping, plus SAML2 provider stub. Vue component improvements: RelationshipWidget, FormSection, ResourceShow, ResourceFormSave — shared across the ERM/ILL Vue toolchain. Test plan: 1. Go to Administration > Identity providers. 2. Add a new OAuth provider; configure mappings, domain and hostname assignments — confirm each step saves and displays correctly. 3. Edit an existing provider; verify changes persist. 4. Delete a provider; confirm it disappears from the list. 5. Confirm the REST endpoints respond under /api/v1/auth/identity_providers. Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #93 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197289 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197289&action=edit Bug 39224: Add per-hostname provider routing, exclusive login and update login pages Providers are now associated with specific server hostnames, mirroring the per-vhost model used by Shibboleth. This benefits all provider types: Exclusive provider support: the per-hostname is_exclusive flag replaces the OPACShibOnly and staffShibOnly system preferences. When set, the login page suppresses local username/password fields and the user is directed straight to that provider — the same force-SSO behaviour previously only available for Shibboleth, now available for any OAuth, OIDC or SAML2 provider. Login page updates: staff auth.tt, OPAC opac-auth.tt and the masthead login modal now query the identity provider REST plugin and render a login button for every enabled provider on the current hostname, not just a single Shibboleth button. SCO/SCI terminals are excluded from exclusive-provider enforcement so self-checkout can always fall back to local login. Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #94 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197290 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197290&action=edit Bug 39224: Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database Reads the existing useshibboleth/shibboleth block from koha-conf.xml and migrates it into the unified identity_providers system: 1. Creates a SAML2 provider record from the shibboleth config block 2. Migrates domain settings (auto-register, update-on-auth, matchpoint, attribute mapping) to identity_provider_domains and identity_provider_mappings records 3. Migrates OPACShibOnly/staffShibOnly to is_exclusive on identity_provider_hostnames for the relevant hostname(s) 4. Adds a wildcard ('*') hostname entry for any enabled provider without explicit hostname assignments, preserving existing behaviour 5. Removes the OPACShibOnly and staffShibOnly system preferences Sponsored-by: ByWater Solutions Co-authored-by: Jacob O'Mara <jacob.omara@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #95 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197291 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197291&action=edit Bug 39224: Introduce Koha::Auth::Client::SAML2 for IPC Shibboleth authentication, remove C4::Auth_with_shibboleth C4::Auth_with_shibboleth was a thin wrapper around legacy Shibboleth IPC functionality. This commit removes it entirely and introduces a new Koha::Auth::Client::SAML2 class that implements IPC Shibboleth authentication using the identity provider framework: - Koha::Auth::Client::SAML2->is_enabled() (was shib_ok()) - Koha::Auth::Client::SAML2->get_matchpoint_value() (was get_login_shib()) - checkpw() reads Apache ENV vars via _load_saml_attributes_from_request() - login_url() / logout_url() for redirect handling - _get_shib_config(), _request_hostname(), _get_session_id_from_env() as private IPC helpers C4/Auth.pm and opac/opac-user.pl updated to call Koha::Auth::Client::SAML2 directly. t/db_dependent/Auth_with_shibboleth.t removed; IPC-mode tests migrated into t/db_dependent/Koha/Auth/Client/SAML2.t. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #96 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197292 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197292&action=edit Bug 39224: Unify patron mapping and lookup into Koha::Auth::Client base class Moves three pieces of logic into the Koha::Auth::Client base class so they are available to all identity provider mechanisms: - _get_mapped_data: maps raw IdP data to Koha borrower fields via provider mappings - _find_patron_by_matchpoint: locates a patron by a given matchpoint value; throws the new Koha::Exceptions::Auth::DuplicateMatchpoint when the result is non-unique - _update_patron_from_mapped_data: applies mapped data to a patron object, updating core borrower fields Koha::Auth::Client::OAuth drops its local _find_patron_by_matchpoint in favour of the shared implementation. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #97 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197293 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197293&action=edit Bug 39224: Add send_welcome_email support to identity provider authentication Updates identity provider authentication to correctly use the domain-level send_welcome_email setting when creating new patron accounts via OAuth, OIDC, Shibboleth and SAML2 identity providers. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #98 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197294 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197294&action=edit Bug 39224: Improve hostname field hint to document '*' wildcard option Patch from commit b52a42e -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #99 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197295 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197295&action=edit Bug 39224: Reorder attribute mapping fields and make IdP field optional Put 'Koha field' before 'IdP field' in both the display table and the edit form. Remove the required constraint from 'IdP field' so that a mapping can be used solely for its default value without needing an IdP attribute to map from. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #100 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197296 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197296&action=edit Bug 39224: Add tooltips to clarify the two-layer default value system Explain how mapping-level 'Default value' and domain-level 'Default library'/'Default category' work together: - Mapping Default value: per-field static fallback at patron creation (requires Sync on creation, never used on update). Cross-references domain-level defaults for the library/category use case. - Domain Default library/Default category: per-domain fallbacks applied after attribute mappings, so mappings take precedence. Clarifies that the per-domain placement is intentional — it allows patrons from different email domains to be routed to different libraries/categories. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #101 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197297 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197297&action=edit Bug 39224: Smart default value input for attribute mappings Replace the plain text input for 'Default value' in the attribute mappings form with a context-aware component (PatronFieldValueInput) that adapts based on the selected Koha field: - branchcode → library selector (v-select populated from libraries_map) - categorycode → patron category selector (v-select from categories_map) - all others → plain text input (existing behaviour) The default value is also cleared automatically when the Koha field changes, preventing stale values (e.g. a branchcode) from persisting silently when the mapping target is switched to a different field. PatronFieldValueInput is placed at the top-level components/ directory rather than under IdentityProviders/ as the concept — rendering an appropriate input for a given patron field value — is reusable across any part of the Vue application that needs it. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #102 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197298 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197298&action=edit Bug 39224: Re-throw errors in onFormSave so save failures are visible The catch blocks in ProviderResource and MappingResource were swallowing errors, causing ResourceFormSave to silently stay on the form with no indication the save failed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Clemens Tubach <clemens.tubach@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #103 from Clemens Tubach <clemens.tubach@kit.edu> --- When migrating an existing provider (updatedatabase), the matchpoint is lost. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #104 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 197371 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=197371&action=edit Bug 39224: (follow-up) Preserve matchpoint on upgrade and use wildcard fallback The atomicupdate dropped identity_providers.matchpoint before the orphan-provider loop seeded the per-hostname wildcard row, so pre-existing OAuth/OIDC providers landed in the new schema with matchpoint=NULL. The OAuth and SAML2 clients also did an exact hostname match when loading the matchpoint, so the wildcard row the atomicupdate does seed was never consulted, leaving $matchpoint undef and producing: Use of uninitialized value \$matchpoint in hash element at Koha/Auth/Client/OAuth.pm line 77 (and 96) Use of uninitialized value within @_ in list assignment at Koha/Auth/Client.pm line 235 Koha::Exceptions::Auth::Unauthorized -- External auth user cannot access resource This patch: * In installer/data/mysql/atomicupdate/bug_39224.pl, reads the old identity_providers.matchpoint values into a hash before dropping the column and threads them through the orphan-provider INSERT into identity_provider_hostnames, so the upgraded matchpoint survives. * Adds Koha::Auth::Identity::Provider->hostname_link(\$http_host) which walks Koha::Auth::Identity::Providers->hostname_candidates (full host, bare host, '*') and returns the first matching identity_provider_hostname row in preference order. * Uses the new helper from Koha::Auth::Client::OAuth and the two matchpoint-lookup sites in Koha::Auth::Client::SAML2 so the wildcard row is actually consulted when no specific hostname row exists. Test plan: 1. On a database with an OAuth/OIDC provider that has a matchpoint set under the old schema, run updatedatabase. The output now echoes the preserved matchpoint (e.g. "Added wildcard hostname entry for provider 'X' (matchpoint=userid)") and \`SELECT matchpoint FROM identity_provider_hostnames\` shows the carried-over value instead of NULL. 2. Re-run updatedatabase; no errors, no changes (idempotent). 3. prove t/db_dependent/Koha/Auth/Client.t \\ t/db_dependent/Koha/Auth/Client/OAuth.t \\ t/db_dependent/Koha/Auth/Client/SAML2.t \\ t/db_dependent/Koha/Auth/Identity/Provider.t 4. Trigger an OAuth login from a hostname that only has a wildcard hostname row for the provider. The three "uninitialized value" warnings above no longer appear and the existing patron is resolved. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #105 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Thanks for testing Clemens.. I see the issue now and it highlighted a small bug in the code for hostname lookup on top of the migration issue. I've added a follow-up which should hopefully resolve both. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #106 from Clemens Tubach <clemens.tubach@kit.edu> --- (In reply to Martin Renvoize (ashimema) from comment #105)
Thanks for testing Clemens.. I see the issue now and it highlighted a small bug in the code for hostname lookup on top of the migration issue.
I've added a follow-up which should hopefully resolve both.
You are welcome! Yes, both issues have been resolved, thank you! The test plan in #104 works. Output from the updatedatabase re-run: Removed system preferences 'OPACShibOnly' and 'staffShibOnly' Ensured wildcard hostname '*' exists (hostname_id=3) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #107 from Oliver Behnke <oliver.behnke@aei.mpg.de> --- Is anyone able to test and sign off on this? It would be really great to see Martin's hard work come to fruition. Thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 Clemens Tubach <clemens.tubach@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Patch doesn't apply --- Comment #108 from Clemens Tubach <clemens.tubach@kit.edu> --- I can't test everything. For example, I can't test the attachment "Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database." I can test the test plans from comments 92 and 104. Is that enough? Should I sign off anyway? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #109 from David Cook <dcook@prosentient.com.au> --- (In reply to Clemens Tubach from comment #108)
I can't test everything. For example, I can't test the attachment "Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database." I can test the test plans from comments 92 and 104. Is that enough? Should I sign off anyway?
Did you mean to mark it as "Patch doesn't apply"? Were the patches able to successfully apply or not? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39224 --- Comment #110 from Clemens Tubach <clemens.tubach@kit.edu> --- (In reply to David Cook from comment #109)
(In reply to Clemens Tubach from comment #108)
I can't test everything. For example, I can't test the attachment "Migrate Shibboleth/SAML2 configuration from koha-conf.xml to database." I can test the test plans from comments 92 and 104. Is that enough? Should I sign off anyway?
Did you mean to mark it as "Patch doesn't apply"? Were the patches able to successfully apply or not?
No, not at the moment. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org