OCLC Support

How are SAML credentials provisioned with access to the EZproxy Administration page?

Symptom
  • Signing in to EZproxy through an integrated SAML service does not allow user access to the EZproxy Administration page
Applies to
  • EZproxy
Resolution

Individual user accounts needing Administrator access can be added to the Admin group by updating the shibuser.txt file in EZproxy. Depending on the desired value for the user name, different attributes could be supplied. An example might be:

If auth:NameID ne ""; Set login:loguser = auth:NameID
Set login:user = auth:NameID
IfUser user@college.edu;Admin

In this example, the value for the attribute NameID is supplied by the authentication service, and the attribute is passing the full email address. Only this user will be identified as belonging to the Admin group via this method.

If unsure about the attributes being passed by your authentication service, the action msgauth can be added as a single line at the beginning of the shibuser.txt file. This will record the data being communicated from your SAML service to the messages file, which can be used to identify the attributes being passed. Contact your authentication administrator to confirm the attribute names. Remove the msgauth action after identifying the necessary attribute; otherwise SAML data will continue to populate the messages file and can lead to performance issues.
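
A quick review check for the two points above, as an added example that is not OCLC's own code: it reports a msgauth line left in shibuser.txt and lists who the file grants Admin to. The function name audit_shibuser, the sample file contents and the simplified parsing (one rule per line, statements separated by ";", "#" starting a comment) are assumptions.

```python
import re

# Constructed sample shibuser.txt: the example from this page with the
# msgauth debugging line still in place and one commented-out rule.
SAMPLE = '''\
msgauth
If auth:NameID ne ""; Set login:loguser = auth:NameID
Set login:user = auth:NameID
IfUser user@college.edu;Admin
# IfUser former.admin@college.edu; Admin
'''

def audit_shibuser(text):
    """Return (findings, admin_grants) for the contents of shibuser.txt.

    Simplified parsing (assumption): one rule per line, statements
    separated by ';', lines beginning with '#' are comments.
    """
    findings, admin_grants = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";") if p.strip()]
        lowered = [p.lower() for p in parts]
        if "msgauth" in lowered:
            findings.append((lineno, "msgauth still enabled: SAML data "
                                     "is being written to the messages file"))
        if "admin" in lowered:
            # Everything before Admin on the same line is its condition.
            conditions = parts[:lowered.index("admin")]
            users = [m.group(1).strip() for c in conditions
                     if (m := re.match(r"ifuser\s+(.+)", c, re.IGNORECASE))]
            if users:
                admin_grants += [(lineno, u) for u in users]
            elif conditions:
                admin_grants.append((lineno, "condition: " + "; ".join(conditions)))
            else:
                findings.append((lineno, "Admin with no condition on the line"))
    return findings, admin_grants

if __name__ == "__main__":
    findings, grants = audit_shibuser(SAMPLE)
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
    for lineno, who in grants:
        print(f"line {lineno}: Admin granted to {who}")
```

To review a real file, pass its contents to audit_shibuser in place of SAMPLE.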

Additional information

If you are hosted by OCLC, contact OCLC Support for assistance setting up an Admin user.

Page ID
51583