[librecat-dev] librecat sso module

Jonathan NORRIS jnorris at ist.ac.at
Tue Feb 20 10:51:05 CET 2018


Hey Nicolas,

Thank you for your reply. From spending some time reading the code I am 
starting to see how it works a bit (I should say that I have very little 
experience with Perl and Dancer so it takes me a little longer) but I 
still have some questions around how to integrate it with LibreCat as it 
currently is.

I will just go through the flow of how I think the code works and ask 
some questions along the way.

In your example app1.pl file in the 'builder' there are various routes 
defined using 'mount'. To me it looks like this allows the routes to be 
accessible and the code to be run when the routes are requested by the 
browser. In the LibreCat app.pl file I would add a mounted route 
(/auth/shibboleth) to execute the shibboleth.pm code (the 'to_app' sub). 
I would have apache config that redirects to the shibboleth 
authentication page and when the user authenticates shibboleth will 
redirect back to the '/auth/shibboleth' route. The code executed at this 
route will check if the shibboleth headers are set and set the 
'auth_sso' session vars if it is.

Then there is a redirection to the 'authorization_path', which in the 
example app1.pl is another mounted route called '/authorize'. Which 
looks like it just checks for the 'auth_sso' vars and if found tries to 
find the user profile using the uid set in 'auth_sso', if the user is 
found it is set in the session and redirected to some desired route.

I believe that to have it work with LibreCat I need to combine the 
example code that checks for 'auth_sso' with the 'post /login sub' in 
LibreCat::App. This code authenticates with the local strategies, gets 
the user and sets the user roles and other session vars. I think that 
instead of authenticating with a local strategy I just do the 'auth_sso' 
checking here and then set the user and session vars as normal.

Does this sound like the correct approach or am I conceptually wrong here?

Thanks again for any help!

Jonathan

IST Austria



On 02/14/2018 04:44 PM, Nicolas Franck wrote:
> Hi Jonathan,
>
> Yes I am, and for the moment I am the only person working on this project.
> It requires some review, which hasn't been done yet. I'm also on the librecat email list.
> So feel free to post questions there about this module.
>
> This functionality is not functional yet in the main repo "LibreCat".
> A few months ago they asked me to write functionality for single-sign-on authentication.
> First I added some packages to the repo "LibreCat", but soon I realized that the functionality could
> be reused, and I created the repo "LibreCat-Auth-SSO". That's why you would see
> packages like LibreCat::Auth::SSO in the main librecat repo. But those are old, and
> should be removed once the code from LibreCat-Auth-SSO is posted on CPAN.
>
> But as I said, it needs some review, in my opinion.
> Have you tried the examples (see README below)? Those explain how it works.
>
> What should happen:
>
> * someone should review the current repo LibreCat-Auth-SSO
> * the repo should be posted on CPAN
> * the repo should be added to cpanfile of librecat
> * extra routes should be added to librecat for authentication and authorization for every single-sign-on type (from config?)
>
> The simplest part is the authentication: the repo already provides plack applications for those.
> The authorization has to be done by a route of the application itself, that knows how to translate
> an authenticated user into a session.
>
> So I haven't tried LibreCat with Shibboleth. But I did manage to set up an example
> plack application with shibboleth. For an example see the perl documentation
> in Plack::Auth::SSO::Shibboleth ( starting at "GLOBAL SETUP" ).
>
> As the documentation explains, this module does not do the actual authentication:
> the authentication is done by the shibboleth provider from apache. The shibboleth provider
> sends the attributes to the backend application either by header (default) or by parameter.
>
> So a plack application can only use shibboleth when used as a backend application behind apache.
>
>
>
>
>> On 14 Feb 2018, at 16:09, Jonathan NORRIS <jnorris at ist.ac.at> wrote:
>>
>> Hello Nicolas,
>>
>> Are you the same Nicolas Franck who wrote this SSO module for LibreCat? https://github.com/LibreCat/LibreCat-Auth-SSO
>>
>> If so I was wondering if you would be willing to help me integrate this module into my LibreCat setup so I can use Shibboleth for authentication.
>>
>> First I have a couple of questions:
>>
>> - Have you ever configured LibreCat to use the SSO module with Shibboleth?
>>
>> - Are you the only person to have worked on this module or have the other LibreCat developers also worked on it?
>>
>> - Are you on the LibreCat dev mailing list, and would my queries about this module be best posted to this mailing list?
>>
>>
>> I am a developer working for the Institute of Science and Technology Austria and am trying to configure LibreCat for our needs. So any help is greatly appreciated by me and the institute :)
>>
>> Thanks,
>>
>> Jonathan
>>
>> IST Austria
>>
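
The two-step flow discussed in this thread (an authentication route that records 'auth_sso' in the session, then an application-owned authorization route that turns it into a logged-in user), as an added example that is not part of the original messages and is not code from LibreCat or LibreCat-Auth-SSO. It uses only Plack::Builder and the Session middleware; the header name `uid`, the `%USERS` table, the session keys `user` and `role`, and the `/login` fallback are assumptions.

```perl
#!/usr/bin/env perl
# Added illustration; a hand-written stand-in, not the LibreCat-Auth-SSO code.
use strict;
use warnings;
use Plack::Builder;

# Constructed user store; a real application would query its own user backend.
my %USERS = ( jdoe => { login => 'jdoe', roles => ['user'] } );

sub redirect   { [ 302, [ Location => $_[0] ], [] ] }
sub plain_text { [ $_[0], [ 'Content-Type' => 'text/plain' ], [ $_[1] ] ] }

# Step 1: authentication endpoint. Apache/Shibboleth has already authenticated
# the user; this route only copies what the front end passed on into the session.
my $authenticate = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};

    # Assumption: the uid attribute arrives as request header "uid",
    # which PSGI exposes as HTTP_UID.
    my $uid = $env->{HTTP_UID};
    return plain_text( 401, 'no SSO attributes' )
        unless defined $uid && length $uid;

    $session->{auth_sso} = { type => 'Shibboleth', uid => $uid };
    return redirect('/authorize');
};

# Step 2: authorization endpoint, owned by the application. It reads only the
# session entry written in step 1, never request parameters or headers.
my $authorize = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};

    my $sso = $session->{auth_sso} or return redirect('/login');
    my $user = $USERS{ $sso->{uid} }
        or return plain_text( 403, 'unknown user' );

    # Hypothetical session keys standing in for the application's own.
    $session->{user} = $user->{login};
    $session->{role} = $user->{roles}[0];
    return redirect('/');
};

builder {
    enable 'Session';    # Plack::Middleware::Session, in-memory store by default
    mount '/auth/shibboleth' => $authenticate;
    mount '/authorize'       => $authorize;
    mount '/'                => sub { plain_text( 200, 'home' ) };
};
```

Because step 1 trusts a request header, the backend must be reachable only through the Apache front end that sets it; a client that can talk to the PSGI port directly can supply any `uid` it likes.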


