Identify users based on an identity federation

The Collec-Science software can identify users against its internal database, an LDAP directory, a CAS (Central Authentication Service) server, or an identity federation. This last option allows users from different institutions to log in.

For French research or higher education institutions, it is possible to use the Renater federation, if the institution concerned is affiliated with it.

Configuring Apache for federation-based authentication

Authentication is handled by a dedicated Apache module, Mellon (mod_auth_mellon, a SAML 2.0 service provider: https://github.com/latchset/mod_auth_mellon).

This requires retrieving the technical information (metadata) of the federation and registering the application with the identity provider.

Installation of the Mellon module

apt-get install libapache2-mod-auth-mellon

If the libapache2-mod-auth-mellon package is not available (a case encountered with Debian stretch), you will have to download and install the following packages, in this order:

  • libxmlsec1
  • libxmlsec1-openssl
  • liblasso3
  • libapache2-mod-auth-mellon

You will also need to obtain the metadata XML file of your identity provider, as well as its certificate.

Generation of the application configuration files

A certificate (with its private key) and an XML metadata file must be generated for the application. A script for this is available in Debian distributions; it is also provided in the application, in the install/apache2 folder (create_metadata.sh).

To generate the files (replace collec-science.com with your own values):

cd /etc/apache2

mkdir mellon

cd mellon

/var/www/html/collec-science/collec/install/apache2/create_metadata.sh https://collec-science.com https://collec-science.com/mellon

The certificate (.cert file) and the XML file must be sent to the provider, so that it can integrate them into its platform. You also need to retrieve from the provider its metadata-signing public key and its root certificate, to be placed in the mellon folder. The provider must also supply you with an XML file containing the addresses of all the entities participating in the federation.

Configure the virtual site

Copy the file install/apache2/collec-science-mellon.conf into the folder /etc/apache2/sites-available, in place of the file collec-science.conf. Edit the file and replace every collec.mysociety.com string with your own DNS name. Also check the certificates it references.

Compared to the classic file, the collec-science-mellon.conf file contains, in the <VirtualHost *:443> section, the following directives:

# Mellon Configuration for Renater

<Location />
AuthType Mellon
# Require a SAML login for everything under /
MellonEnable "auth"
# Set the secure and HttpOnly flags on the Mellon session cookie
MellonSecureCookie On
# Use the MAIL attribute (mapped below) as the authenticated user name
MellonUser MAIL
MellonMergeEnvVars On
# Do not compare the client address with the assertion's SubjectConfirmationData
# (needed when requests reach Apache through a proxy or NAT)
MellonSubjectConfirmationDataAddressCheck Off
# Service-provider key, certificate and metadata generated by create_metadata.sh
MellonSPPrivateKeyFile /etc/apache2/mellon/https_collec.mysociety.com.key
MellonSPCertFile /etc/apache2/mellon/https_collec.mysociety.com.cert
MellonSPentityId "https://collec.mysociety.com"
MellonSPMetadataFile "/etc/apache2/mellon/https_collec.mysociety.com.xml"
# Federation metadata and metadata-signing certificate retrieved from Renater
MellonIdPMetadataFile "/etc/apache2/mellon/main-idps-renater-metadata.xml"
MellonIdPPublicKeyFile "/etc/apache2/mellon/renater-metadata-signing-cert-2016.pem"
MellonIdPCAFile "/etc/apache2/mellon/renater-metadata-signing-cert-2016.pem"
MellonProbeDiscoveryTimeout 1
# Map SAML attributes (by OID) to environment variables
MellonSetEnv "MAIL" "urn:oid:0.9.2342.19200300.100.1.3"
MellonSetEnv "GIVENNAME" "urn:oid:2.5.4.42"
MellonEndpointPath /mellon
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
# Renater WAYF, where the user picks their institution's identity provider
MellonDiscoveryURL "https://discovery.renater.fr/renater/WAYF"
</Location>

The MellonIdP* directives must point to the files supplied by your identity provider.

Once the configuration is done, restart the Apache server:

systemctl restart apache2
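Before restarting Apache, it is worth checking the files and directives described above. The following POSIX shell script is an added example, not Collec-Science or mod_auth_mellon code: it checks the private key permissions, that the SP certificate matches its key, that the federation metadata signature verifies against the metadata-signing certificate, and that the vhost carries the expected Mellon directives. It assumes GNU coreutils `stat`, openssl and xmlsec1 (a check is skipped when its tool is absent); file names are placeholders.

```shell
#!/bin/sh
# Added pre-flight checks for the Mellon setup above (not Collec-Science code).
# Assumes GNU stat, openssl and xmlsec1; a check is skipped if its tool is absent.

# The key named in MellonSPPrivateKeyFile must not be group- or world-readable.
check_private_key_perms() {
  key=$1
  [ -f "$key" ] || { echo "missing key: $key"; return 1; }
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$key has mode $mode; expected 600 or 400"; return 1 ;;
  esac
}

# MellonSPCertFile must be the certificate of MellonSPPrivateKeyFile (RSA assumed,
# as produced by create_metadata.sh): compare the moduli rather than trusting names.
check_sp_keypair() {
  command -v openssl >/dev/null || { echo "openssl not found, check skipped"; return 0; }
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# The federation metadata (MellonIdPMetadataFile) is only trustworthy if its XML
# signature verifies against the metadata-signing certificate fetched from Renater.
check_idp_metadata_signature() {
  command -v xmlsec1 >/dev/null || { echo "xmlsec1 not found, check skipped"; return 0; }
  xmlsec1 --verify --pubkey-cert-pem "$2" \
    --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
    "$1" >/dev/null 2>&1
}

# The vhost must carry every file-referencing directive and keep MellonSecureCookie On
# (secure + HttpOnly session cookie). Address check Off is reported, not failed: it is
# needed behind a reverse proxy but drops one binding between assertion and client.
check_mellon_conf() {
  conf=$1; rc=0
  for d in MellonSPPrivateKeyFile MellonSPCertFile MellonSPMetadataFile \
           MellonIdPMetadataFile MellonIdPPublicKeyFile MellonEndpointPath; do
    grep -q "^[[:space:]]*$d[[:space:]]" "$conf" || { echo "missing $d in $conf"; rc=1; }
  done
  grep -qi '^[[:space:]]*MellonSecureCookie[[:space:]]*On' "$conf" \
    || { echo "MellonSecureCookie is not On in $conf"; rc=1; }
  grep -qi 'MellonSubjectConfirmationDataAddressCheck[[:space:]]*Off' "$conf" \
    && echo "notice: SubjectConfirmationData address check is disabled in $conf"
  return $rc
}
```

Run the four functions against /etc/apache2/mellon and the sites-available file after every metadata refresh, not only at installation.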

Register the site in the Renater federation

For French institutions affiliated with the Renater federation, you can register your application directly with the federation. Validations will be carried out by the federation's contacts in your institution.

To complete the registration:

  • Log on to https://federation.renater.fr/registry
  • Click on Add a service provider
  • In the Description tab, fill in the required fields, including:
      • Service URL: https://collec.mysociety.com (your DNS name)
  • In the Contacts tab, do not declare yourself compliant with the SIRTFI security framework unless you know what it is (compliance carries strong organizational constraints)
  • In the Requested Attributes tab, ask for the following attributes:
      • email: user identification (mandatory)
      • commonName: display of the user's name (required)
  • In the Technical Information tab, specify the following address so that the federation can retrieve the configuration data:
      • URL of your metadata: https://collec.mysociety.com/mellon/metadata

Once the registration file has been validated, you will have to wait for your Renater correspondent at your institution to validate your request.

Once this first request has been made, you will need to log back in to the federation's website (https://federation.renater.fr/registry) and activate the attachment to the chosen federation (Attachment to a federation tab). Two files must then be retrieved (with a wget command run in the /etc/apache2/mellon folder): the metadata-signing certificate and the XML file listing all the providers attached to the federation.

This attachment must also be validated by your Renater correspondent.

Please note: once the attachment has been validated, you will have to wait 24 hours before your application becomes available to all federation members and users can log in.

Modification date : 16 May 2023 | Publication date : 22 March 2023 | Redactor : Éric Quinton