Currently DSpace requires users to configure whether to ignore scope or value of Shibboleth affiliations in assigning people to DSpace groups.
There is an improvement in DS-2048 to overcome this limitation by allowing the configuration of a mix of scope and value associations to DSpace groups by automagically trying for the value as well as for the scope. According to the comment by Hardy Pottinger (26/Oct/14 7:29 PM), that could cause problems in certain situations.
Here I provide another approach that hopefully would not break current configurations.
In case that DSpace Shibboleth authentication is configured not to ignore both value and scope, we should look for special groups' assignment based on the value, then look for special groups based on the scope. These special group assignments should be written as @scope-only.edu, or value-only@.
If we have this in config:
- Whether to ignore the attribute's scope or value.
authentication-shibboleth.role-header.ignore-scope = false
authentication-shibboleth.role-header.ignore-value = false
having a scoped affiliation received from Shibboleth firstname.lastname@example.org
all the following special group assignments are considered if available in the configuration, so the user is also added to Group1, Group2 and Group3:
email@example.com = Group1
authentication-shibboleth.role.student@ = Group2
authentication-shibboleth.role.@my.scope.edu = Group3
By using the @ sign at the end of the value-only assignment and at the beginning of the scope-only assignment, name collisions will not occur.
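The lookup order proposed above, sketched as an added example (not DSpace code and not part of the original issue). The sample affiliation `student@my.scope.edu`, the function names and the `CONFIG` dictionary are constructed for illustration; the sketch assumes both ignore options are false, that an unscoped affiliation matches only its literal key, and that a mapping may list several comma-separated groups.

```python
# Illustration of the proposed lookup: full affiliation, then "value@", then "@scope".
ROLE_PREFIX = "authentication-shibboleth.role."

# Constructed sample configuration (key -> comma-separated DSpace groups).
CONFIG = {
    ROLE_PREFIX + "student@my.scope.edu": "Group1",
    ROLE_PREFIX + "student@": "Group2",
    ROLE_PREFIX + "@my.scope.edu": "Group3",
}

def candidate_keys(affiliation):
    """Return the role keys to try for one affiliation, most specific first."""
    affiliation = affiliation.strip()
    if not affiliation:
        return []
    value, sep, scope = affiliation.partition("@")
    if not sep:
        # Assumption: an unscoped affiliation only matches its literal key.
        return [affiliation]
    keys = [affiliation]
    if value:
        keys.append(value + "@")   # value-only assignment
    if scope:
        keys.append("@" + scope)   # scope-only assignment
    # Drop duplicates (e.g. input "student@") while keeping the order.
    return list(dict.fromkeys(keys))

def resolve_groups(affiliations, config):
    """Collect every group mapped to any candidate key of any affiliation."""
    groups = []
    for affiliation in affiliations:
        for key in candidate_keys(affiliation):
            mapped = config.get(ROLE_PREFIX + key)
            if not mapped:
                continue
            for name in mapped.split(","):
                name = name.strip()
                if name and name not in groups:
                    groups.append(name)
    return groups

if __name__ == "__main__":
    for sample in ("student@my.scope.edu", "staff@my.scope.edu", "student@other.edu"):
        print(sample, "->", resolve_groups([sample], CONFIG))
```

A scope-only key applies to every value asserted under that scope, so running planned mappings through a check like this shows which groups each affiliation would receive before the configuration is deployed.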