Shibboleth: Add superuser API endpoint to migrate Shib user to builtin/local account

[pdurbin]

In #796 we developed a GUI workflow for users will existing builtin/local accounts to convert their account to a Shibboleth account.

Now we'd like to develop a superuser API endpoint to reverse this process. The user would contact support indicating that they'd like to switch to a local account (because they've left their institution or whatever other reason) and someone with an API token associated with a superuser will be able to perform the conversion from Shibboleth account to local account on their behalf.

This issues is slated for the next round of Shibboleth development, which we've been calling "phase 1" so I'll go ahead and assign it to myself. Some day it would be nice to have a GUI for this but the main idea here is that we don't want people running Dataverse to have to hack on the database directly.

[pdurbin]

I just created a new branch called "2939-shib" where I'm starting to push code for any Shibboleth feature flagged for "phase 1" of #2939, including this one.

In my first commit at 7ea6a01 I stubbed out a superuser API for converting Shibboleth users to builtin/local accounts. As I demoed yesterday to @mcrosas @scolapasta @eaquigley @mheppler and @kcondon the basic workflow is this:

• User emails support saying "I left Harvard (or wherever) and can't log in anymore? What should I do?"
• Support replies asking for a new email address (Gmail, new institution email, etc.)
• User replies with new email address for account
• Support connects via ssh to server, runs curl command, supplying the database id of the user to convert and the new email address and notes the username returned
• Support emails the user and indicates that that they should use the password reset feature to set a new password (the Dataverse installation never had a password for the Shibboleth account, which is stored in the Identity Provider the user used to log into) and to make sure to take note of their username under Account Information since the user never had a username before.
• User resets password and is able to log in.
• User visits Account Information page and notes what their username is for the next time they need to log in.
• User replies back to support indicating that they are all set.

Code-wise, there's still some refactoring and clean up I'd like to do but at this point I want to make sure folks are happy with how this feature is turning out. Again, a war file containing this code can be built from this branch: https://github.com/IQSS/dataverse/tree/2939-shib

I'd also like to note that during the demo I used a new API endpoint I stubbed out that displays user IDs of authenticated users. This ID is needed to convert the account, as described above. I believe this may be the start of any sort of user management that we have in the app. I mean giving superusers visibility into which users are in the system. Some day we'll probably want a UI for this, which is what #840 is about.

[eaquigley]

Additionally, we discussed adding a line of text into the UI on Create Account and Account Information pages to direct them to the user guide to learn more about converting their remote account into a local account if they are leaving their university.

[pdurbin]

@eaquigley I copied your comment to #2046 (comment) . Let's address it in that GUI-related issue instead of here. I'm a little worried this will fall through the cracks.

[eaquigley]

@pdurbin I added a comment into #2046 text for @mheppler to add into the Account Information tab and for now, I've added text instructing a user to contact Dataverse support if they are changing institutions so I think we should be set.

[pdurbin]

@eaquigley phew! Thanks!

[pdurbin]

@mcrosas @scolapasta @eaquigley @mheppler and @kcondon are there any objections to the workflow I demo'ed to you and wrote up at #2915 (comment) ? I'm asking because the next step for this issue is for me to document how it works. It's a new feature so it isn't yet documented at http://guides.dataverse.org/en/4.2.4/installation/administration.html or http://guides.dataverse.org/en/4.2.4/api/native-api.html#admin

[mercecrosas]

👍
but in addition we should have help text some place in the Login Page (and possibly in the Account page) that says " contact support if you are changing institutions and would like to login through the new institution to the same Dataverse account". @eaquigley is that OK?

Also, I think that we should add an issue to automate this further in phase 2 or 3 of Remote Authentication.

[eaquigley]

@mcrosas I had @mheppler add in text to the account information page that says, "Leaving your institution? Contact Dataverse Support {support pop up link} for assistance." so he is going to add that same text to the Institutional Log In area on the Log In page.

+1 to adding an issue for automating this

[mheppler]

Added "Leaving your institution?..." text with "Dataverse Support" link to shibb login block.

[pdurbin]

NOTE: I made a comment here but deleted it after moving it to #2950 (comment) and will assign that issue back to @mheppler rather than this one.

This issue I'm grabbing back because next I need to document how the API endpoint works. @kcondon @mcrosas and @scolapasta have all given their blessing.

[pdurbin]

Passing to QA. I documented this new API endpoint and process at http://guides.dataverse.org/en/2939-shib/installation/shibboleth.html#converting-shibboleth-users-to-local

This new feature is in pull request #3025.

[kcondon]

Works, closing.

[pdurbin]

I'm reopening this issue since I worked on the code a pull request I just opened #3120. I'm sorry I didn't clean up the code and centralize it before originally passing this to QA. I feel better about the code quality now and it should be easier to built a GUI on top of this feature some day if we merge that pull request since the logic is centralized there.

[kcondon]

Works, closing