The Higher Education and Research forge


Forum: developers

external authentication: php
By: Marina Cazzola on 2012-03-01 10:53
[forum:13639]
A working group on external authentication was held in Nice last February (I copy at the end of this message a mail from Bernadette explaining roughly the project and the outcomes so far).

I've been working on the external authentication via a php script and I am now trying to finalize the php script (and the integration with wims) in order to have a working, simple-to-install example (to include in the distribution, e.g. for further testing).

At the moment I'm up to this point

- The idea (what we came up with in Nice) is to have a php script (based
on simplesamlphp) to query the IdP (in my case shibboleth; it could be
anything compatible with simplesamlphp, e.g. facebook, google,
twitter, ...) in order to automatically get the user data and pass
them to wims via the adm/raw module.

- The user calls the script with the number of the class, the script
gets the data from the IdP, and checks if the user exists in the
queried class. If the user exists in the class, the script opens an
authenticated session via the adm/raw module. If the user does not
exist in the class, the user is created and then the authenticated
session is opened. So at this point the same script is doing the
auth and the idp part (that is, it is working with
class_authidp=php;php; I have some difficulties in setting cas;php,
I might decide to drop this option for a while). Problems and/or
todo: (1) the script is not asking for the class password; I think
it would be easy to insert this feature and I would like to do it
before "releasing" the script. (2) the login is created by the php
script. I think it is not so easy to use the new wims "hashlogin"
function (the interaction with wims is done through the adm/raw
module, so I guess for this to work an update of the adm/raw module
would be required?). (3) I think I should at least add a check of
the new user_external_auth variable before releasing.

- My version of the script should be working all right with simple
classes. This is basically the version of the script already
available on sourcesup (wims-ent). I would like to make the two
changes (1) and (3) above. I have problems with groupement and
portals.

- I haven't gone fully through the cgu_agreement (also because there
have been new changes I have not yet had the time to deal with). An
option could be to create the user with the "agreecgu" variable
already set (we have the keyword "user_agreecgu=external" reserved
for users created via an external script such as this). Would it be
acceptable?

- What I am trying to do for groupement and portals is this: the
student is registered to the superclass via the php script. When he
asks to enter the subclasses he has to go through the standard wims
procedure (the student is given the list of classes/courses/levels,
whatever the case may be, chooses the class, is asked for the class
password and for the cgu; if everything is ok, the variable
user_participate is set). Do you think this is a good idea? If so I
will come back with further issues; there are still a few things I'm
not sure I know how to get working.

Any comments or suggestions? Suggestions for priorities?

Also, is any of you willing to test the php script? You need to have
Simplesamlphp installed and working on your server.

Marina

>>>>> Sat, 25 Feb 2012 15:58:35 +0100, Bernadette Perrin-Riou <Bernadette.Perrin-Riou@math.u-psud.fr> wrote:

>>> Hello everyone,
>>> This message concerns the working group on authentication
>>> and registration in WIMS that took place in Nice in mid-February
>>> (Olivier Bado, Marina Cazzola, Fabrice Guérimand, Bernadette Perrin-Riou)
>>> as well as the exchanges I had afterwards on the French lycées side.
>>> It is a bit long; the technical beginning takes up part of the planned
>>> report of that working meeting and becomes very French at the end
>>> (apologies to Marina).

>>> Several authentication methods are now possible

>>> - the usual WIMS authentication
>>> - CAS authentication
>>> - authentication through an LDAP directory
>>> - authentication through a php script
>>> (uses the WIMS raw module and requires installing simplesamlphp)

>>> CAS (Central Authentication Service) authentication allows users
>>> to be authenticated
>>> with a single authentication (Single Sign-On (SSO) environment). It
>>> can be coupled with
>>> a simple LDAP authentication that retrieves the user's data (last name,
>>> first name, email)
>>> or asks the prospective participant to give
>>> their identity.
>>> Thus, if the username and password given are valid
>>> according to CAS
>>> and if the student or teacher is not yet registered, the password of
>>> the class
>>> is requested. If it is correct, depending on the chosen solution, they will be registered
>>> after querying
>>> the LDAP or invited to enter their last name, first name and email.

>>> Authentication through a php script will be described and documented by Marina.

>>> One can also couple CAS - LDAP, LDAP - LDAP (if it is possible
>>> to query the LDAP for the
>>> password, but in that case it is better to use the https protocol).
>>> To benefit from CAS authentication, it suffices to enter the corresponding
>>> URL (configuration and maintenance -> Authentication).
>>> Default parameters can be entered by the site administrator.
>>> The teacher would then only need to activate authentication.
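The flow Marina describes (call the script with a class number, authenticate at the IdP, checkuser, adduser if needed, then authuser), with the class-password check she lists as todo (1), as an added example. This is not the wims-ent script from sourcesup and not part of the original post. It assumes: the simplesamlphp install path and authsource name, the WIMS URL and the `ident`/`passwd` pair from the WIMS `.connections` file, the IdP attribute names (`eduPersonPrincipalName`, `givenName`, `sn`, `mail`), and that the adm/raw text reply is an `OK`/`ERROR` first line followed by `key=value` lines, that `getclass` exposes the registration password in a `password` field and that `authuser` returns a `home_url`. Check those names against the adm/raw documentation of your WIMS version.

```php
<?php
// Added example (not the wims-ent script): log an SSO user into one WIMS class
// through simplesamlphp and the adm/raw module, asking new users for the class
// registration password first. Everything marked "assumed" must be adapted.
declare(strict_types=1);
require_once '/var/simplesamlphp/lib/_autoload.php';          // install path: assumed

const WIMS_URL    = 'https://wims.example.org/wims/wims.cgi';  // assumed
const WIMS_IDENT  = 'sso-frontend';   // "ident" of this server in WIMS .connections (assumed)
const WIMS_PASSWD = 'change-me';      // adm/raw shared secret: keep it out of the web root
const SP_SOURCE   = 'default-sp';     // simplesamlphp authsource name (assumed)

/**
 * Call one adm/raw job over HTTPS and parse the reply: first line starts with
 * "OK" or "ERROR", following lines are key=value pairs (format assumed).
 */
function wims_raw(string $job, array $params): array
{
    $params += [
        'module' => 'adm/raw', 'job' => $job,
        'ident'  => WIMS_IDENT, 'passwd' => WIMS_PASSWD,
        'code'   => bin2hex(random_bytes(8)),   // per-request identification code
    ];
    $ch = curl_init(WIMS_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the adm/raw secret travels in this request
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if (!is_string($body)) {
        return ['ok' => false, 'msg' => 'connection to WIMS failed'];
    }
    $lines  = explode("\n", trim($body));
    $status = (string) array_shift($lines);
    $out    = ['ok' => strncmp($status, 'OK', 2) === 0, 'msg' => $status];
    foreach ($lines as $line) {
        if (strpos($line, '=') !== false) {
            [$k, $v] = explode('=', $line, 2);
            $out[$k] = $v;
        }
    }
    return $out;
}

/** Ask the user for the class registration password (plain HTML form). */
function class_password_form(int $class, string $error = ''): void
{
    $c = htmlspecialchars((string) $class, ENT_QUOTES, 'UTF-8');
    echo "<p>{$error}</p><form method=\"post\" action=\"?class={$c}\">",
         "Class password: <input type=\"password\" name=\"class_password\">",
         "<input type=\"submit\" value=\"Register\"></form>";
}

// 1. Class number from the query string; anything but a positive integer is rejected.
$class = filter_input(INPUT_GET, 'class', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!is_int($class)) { http_response_code(400); exit('missing or invalid class number'); }

// 2. Authenticate at the IdP and read the released attributes (attribute names assumed).
$as = new \SimpleSAML\Auth\Simple(SP_SOURCE);   // SimpleSAML_Auth_Simple in 2012-era releases
$as->requireAuth();
$attr = $as->getAttributes();
$uid  = $attr['eduPersonPrincipalName'][0] ?? '';
if ($uid === '') { http_response_code(403); exit('IdP released no usable identifier'); }
// Derive the WIMS login (assumed charset: lowercase [a-z0-9_], max 16 chars) from the
// IdP identifier. The hash suffix keeps two distinct identifiers that sanitise to
// the same prefix from landing in the same WIMS account.
$login = substr(preg_replace('/[^a-z0-9_]/', '_', strtolower($uid)), 0, 10)
       . substr(sha1($uid), 0, 6);

// 3. Is the user already registered in this class?
$check = wims_raw('checkuser', ['qclass' => $class, 'quser' => $login]);
if (!$check['ok']) {
    // 4. New user: verify the class registration password before creating the account.
    //    Assumed: getclass returns the registration password in the "password" field.
    $cls = wims_raw('getclass', ['qclass' => $class]);
    if (!$cls['ok'] || !isset($cls['password'])) {
        exit('class not readable: ' . htmlspecialchars($cls['msg'], ENT_QUOTES, 'UTF-8'));
    }
    $given = (string) ($_POST['class_password'] ?? '');
    if ($given === '') { class_password_form($class); exit; }
    if (!hash_equals($cls['password'], $given)) { class_password_form($class, 'Wrong class password'); exit; }
    $data1 = implode("\n", [
        'firstname=' . ($attr['givenName'][0] ?? ''),
        'lastname='  . ($attr['sn'][0] ?? ''),
        'email='     . ($attr['mail'][0] ?? ''),
        'password='  . bin2hex(random_bytes(16)),   // never typed by anyone: login goes via the IdP
    ]);
    $add = wims_raw('adduser', ['qclass' => $class, 'quser' => $login, 'data1' => $data1]);
    if (!$add['ok']) { exit('adduser failed: ' . htmlspecialchars($add['msg'], ENT_QUOTES, 'UTF-8')); }
}

// 5. Open an authenticated WIMS session and send the browser there (home_url assumed).
$auth = wims_raw('authuser', ['qclass' => $class, 'quser' => $login]);
if (!$auth['ok'] || empty($auth['home_url'])) {
    exit('authuser failed: ' . htmlspecialchars($auth['msg'], ENT_QUOTES, 'UTF-8'));
}
header('Location: ' . $auth['home_url'], true, 303);
```

Two points worth keeping in mind with this shape. The class password is compared in the PHP script with `hash_equals`, since adm/raw (as far as the post describes it) has no job that takes the registration password itself; the script therefore needs read access to the class, which is exactly the privilege the `.connections` entry grants, so restrict that entry to the front-end's IP and keep `WIMS_PASSWD` in a file outside the document root. The WIMS account a user lands in is decided by the derived login alone, so the identifier you derive it from must be stable and unique at the IdP (`eduPersonPrincipalName` rather than a display name); the cgu question from the post (creating the user with `user_agreecgu=external`) is left open here, as it was in the thread.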