Migrate OAKTrust from Shibboleth to Entra OIDC

[devangm]

We need to migrate OAKTrust’s authentication system from Shibboleth (SAML) to Entrad OIDC. A central concern is ensuring that special group mappings work correctly post-migration, along with role/group claim handling.

Upstream Issues for Reference

1. Different implementations of "special group" mapping should be factored (and redesigned?) DSpace/DSpace#8405 : examines how “special group” logic is currently implemented differently across providers, and suggests refactoring and unifying it.

2. Implement role mapping for OIDC login DSpace/DSpace#8406 : discusses that OIDC logins do not yet map roles → groups in DSpace, and proposes implementing role mapping.

3. Add a specialgroup configuration for OIDC authentication DSpace/DSpace#11039 : This likely relates to more recent work/bugs around group mapping or roles. Need to review once accessible for specific details, but include in scope to make sure we’re not ignoring downstream fixes or feature requests.

[tamu-sad-iii]

Some additional DSpace/DSpace issues.

• Special group configuration for authentications is also added to unrelated logins DSpace/DSpace#9726
• Shibboleth special groups don't populate when IP authentication also used in 7.6.1 DSpace/DSpace#9226
• Shibboleth special groups are not working DSpace/DSpace#9498