Forum: developers
external authentication: php
By: Marina Cazzola on 2012-03-01 10:53 | [forum:13639]
A working group on external authentication was held in Nice last February (I copy at the end of this message a mail from Bernadette roughly explaining the project and the outcomes so far). I've been working on external authentication via a PHP script, and I am now trying to finalize the PHP script (and its integration with WIMS) in order to have a working, simple-to-install example (to include in the distribution, e.g. for further testing). At the moment I'm up to this point:

- The idea (what we came up with in Nice) is to have a PHP script (based on simplesamlphp) that queries the IdP (in my case Shibboleth, but it could be anything compatible with simplesamlphp, e.g. Facebook, Google, Twitter, ...) in order to automatically get the user data and pass them to WIMS via the adm/raw module.

- The user calls the script with the number of the class; the script gets the data from the IdP and checks whether the user exists in the queried class. If the user exists in the class, the script opens an authenticated session via the adm/raw module. If the user does not exist in the class, the user is created and then the authenticated session is opened. So at this point the same script is doing both the auth and the IdP part (that is, it is working with class_authidp=php;php; I have some difficulties in setting cas;php, and I might decide to drop this option for a while).

Problems and/or todo:

(1) The script is not asking for the class password. I think it would be easy to add this feature, and I would like to do it before "releasing" the script.

(2) The login is created by the PHP script. I think it is not so easy to use the new WIMS "hashlogin" function (the interaction with WIMS is done through the adm/raw module, so I guess for this to work an update of the adm/raw module would be required???).

(3) I think I should at least add a check of the new user_external_auth variable before releasing.

- My version of the script should be working all right with simple classes.
This is basically the version of the script already available on sourcesup (wims-ent). I would like to make the two changes (1) and (3) above. I have problems with groupements and portals.

- I haven't gone fully through the cgu_agreement (also because there have been new changes I did not yet have time to deal with). An option could be to create the user with the "agreecgu" variable already set (we have the keyword "user_agreecgu=external" reserved for users created via an external script such as this). Would that be acceptable?

- What I am trying to do for groupements and portals is this: the student is registered in the superclass via the PHP script. When he asks to enter the subclasses, he has to go through the standard WIMS procedure (the student is given the list of classes/courses/levels, whatever the case may be, chooses the class, is asked for the class password and for the cgu, and if everything is ok the variable user_participate is set). Do you think this is a good idea? If so I will come back with further issues; there are still a few things I'm not sure I know how to get working.

Any comments or suggestions? Suggestions for priorities? Also, is any of you willing to test the PHP script? You need to have simplesamlphp installed and working on your server.

Marina

>>>>> On Sat, 25 Feb 2012 15:58:35 +0100, Bernadette Perrin-Riou <Bernadette.Perrin-Riou@math.u-psud.fr> wrote:
>>> Hello everyone,
>>> This message is about the working group on authentication and
>>> registration in WIMS that took place in Nice in mid-February
>>> (Olivier Bado, Marina Cazzola, Fabrice Guérimand, Bernadette Perrin-Riou),
>>> as well as the exchanges I had afterwards with the French lycées.
>>> It is a bit long; the technical beginning takes up part of the planned
>>> report of this working meeting and becomes very French towards the end
>>> (apologies to Marina).
>>>
>>> Several authentication methods are now possible:
>>> - the usual WIMS authentication
>>> - CAS authentication
>>> - authentication against an LDAP directory
>>> - authentication by a PHP script
>>>   (uses the WIMS raw module and requires installing simplesamlphp)
>>>
>>> CAS (Central Authentication Service) authentication makes it possible to
>>> authenticate users with a single sign-on (SSO environment). It can be
>>> coupled with a simple LDAP authentication that retrieves the user's data
>>> (surname, first name, email), or the prospective participant can be asked
>>> to give their identity. Thus, if the username and password given are valid
>>> according to CAS and the student or teacher is not yet registered, the
>>> class password is requested. If it is correct, depending on the chosen
>>> solution, they will be registered after querying the LDAP or invited to
>>> enter their surname, first name and email.
>>> Authentication by a PHP script will be described and documented by Marina.
>>> One can also couple CAS - LDAP, or LDAP - LDAP (if it is possible to query
>>> the LDAP for the password, but in that case it is better to use the https
>>> protocol).
>>> To benefit from CAS authentication, it is enough to enter the corresponding
>>> URL (configuration and maintenance -> Authentication).
>>> Default parameters can be entered by the site administrator.
>>> The teacher would then only need to activate the authentication.
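The flow Marina describes (IdP lookup via simplesamlphp, `checkuser` / `adduser` / `authuser` through adm/raw) as an added example, written for this page and not the wims-ent script or any WIMS project code. It also fills in her todo (1): a user unknown to the class must present the class password before being registered. Everything not in the post is an assumption and marked as such in the code: the WIMS URL, the adm/raw connection identifier and its password (taken from the environment so it never reaches a browser or a query string), the `format=json` reply with `status`, `code` and `home_url` fields, the newline-separated `data1` layout for `adduser`, the attribute names released by the IdP, and the bridge-side table of hashed class passwords. The script runs on PHP 7 or later with simplesamlphp 1.x installed.

```php
<?php
// Added example, not the wims-ent script from the post. Assumed (not from the page):
// the WIMS URL, the adm/raw connection ident/password, the IdP attribute names,
// the adm/raw request and reply field names, and the bridge-side class password table.
declare(strict_types=1);

require_once '/var/simplesamlphp/lib/_autoload.php';   // simplesamlphp 1.x autoloader (path assumed)

$cfg = [
    'wims_url' => 'https://wims.example.org/wims/wims.cgi',   // assumed
    'ident'    => 'ssobridge',                  // connection identifier declared on the WIMS side (assumed)
    'passwd'   => (string) getenv('WIMS_RAW_PASSWD'),  // adm/raw password: stays on the server
    'sp'       => 'default-sp',                 // SP entry in simplesamlphp's authsources.php (assumed)
    // Class registration passwords as password_hash() output. The bridge keeps its own copy
    // because adm/raw does not hand out class passwords (assumption about the bridge design).
    'class_passwords' => ['1234567' => 'REPLACE_WITH_password_hash_OUTPUT'],
];

// One adm/raw call. A fresh random 'code' is sent and must come back unchanged,
// so a stale or foreign reply cannot be mistaken for the answer to this request.
function wims_raw(array $cfg, string $job, array $extra): array
{
    $code = bin2hex(random_bytes(8));
    $params = ['module' => 'adm/raw', 'job' => $job, 'format' => 'json', 'code' => $code,
               'ident' => $cfg['ident'], 'passwd' => $cfg['passwd']] + $extra;
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',   // POST keeps ident/passwd out of query strings and access logs
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($params),
        'timeout' => 10,
    ]]);
    $body = @file_get_contents($cfg['wims_url'], false, $ctx);
    $r = is_string($body) ? json_decode($body, true) : null;
    if (!is_array($r) || !isset($r['status'])) {
        throw new RuntimeException("adm/raw $job: no usable reply");
    }
    if (($r['code'] ?? null) !== $code) {
        throw new RuntimeException("adm/raw $job: reply code mismatch");
    }
    return $r;
}

// Derive the WIMS login from the IdP principal, keeping only characters WIMS is sure to accept
// (e.g. "m.cazzola@unimib.it" -> "m_cazzola_unimib_it"). The post's "hashlogin" is not used here.
function wims_login(string $principal): string
{
    $login = trim(strtolower(preg_replace('/[^a-z0-9]+/i', '_', $principal)), '_');
    if ($login === '' || strlen($login) > 32) {
        throw new RuntimeException('principal does not map to a usable login');
    }
    return $login;
}

// First value of a multi-valued SAML attribute, or '' when the IdP did not release it.
function first(array $attr, string $name): string
{
    return isset($attr[$name][0]) && is_string($attr[$name][0]) ? $attr[$name][0] : '';
}

// --- request handling: script is called as bridge.php?class=<number> ---------------------
$class = $_GET['class'] ?? '';
if (!preg_match('/^[0-9]{1,8}$/', $class)) {   // WIMS class identifiers are numeric
    http_response_code(400);
    exit('missing or malformed class number');
}

$as = new SimpleSAML_Auth_Simple($cfg['sp']);   // \SimpleSAML\Auth\Simple in simplesamlphp 2.x
$as->requireAuth();                              // bounces to the IdP, returns here authenticated
$attr  = $as->getAttributes();
$login = wims_login(first($attr, 'eduPersonPrincipalName'));   // attribute names: assumed

$exists = wims_raw($cfg, 'checkuser', ['qclass' => $class, 'quser' => $login]);
if ($exists['status'] !== 'OK') {
    // User unknown in this class: registration is gated on the class password (the post's todo 1).
    $hash  = $cfg['class_passwords'][$class] ?? null;
    $given = $_POST['class_password'] ?? null;
    if ($hash === null || !is_string($given) || !password_verify($given, $hash)) {
        header('Cache-Control: no-store');
        echo '<form method="post">Class password: <input type="password" name="class_password">'
           . '<button>Register</button></form>';   // posts back to this same URL, class number included
        exit;
    }
    $data1 = implode("\n", [   // newline-separated key=value lines, as adm/raw adduser takes them (assumed)
        'lastname='  . first($attr, 'sn'),
        'firstname=' . first($attr, 'givenName'),
        'email='     . first($attr, 'mail'),
        'password='  . bin2hex(random_bytes(16)),   // never shown: this account logs in only via the IdP
    ]);
    $add = wims_raw($cfg, 'adduser', ['qclass' => $class, 'quser' => $login, 'data1' => $data1]);
    if ($add['status'] !== 'OK') {
        http_response_code(502);
        exit('WIMS refused the registration: ' . htmlspecialchars((string) ($add['message'] ?? '')));
    }
}

$auth = wims_raw($cfg, 'authuser', ['qclass' => $class, 'quser' => $login]);
if ($auth['status'] !== 'OK' || empty($auth['home_url'])) {
    http_response_code(502);
    exit('WIMS did not open a session');
}
header('Cache-Control: no-store');   // the redirect target carries the WIMS session: keep it out of caches
header('Location: ' . $auth['home_url'], true, 303);
```

Two things to check before deploying anything along these lines. First, the adm/raw connection must be declared on the WIMS server with its password and the bridge host's IP; that declaration, not the script, is what stops an arbitrary host from calling `adduser` and `authuser` for any class. Second, because the IdP may be a public one (Facebook, Google, Twitter, as the post allows), the class password is the only thing that ties a registration to the intended students, which is why the script refuses to create a user until it has been verified, and why the WIMS-side password it generates is random and never displayed.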