[librecat-dev] librecat sso module

Jonathan NORRIS jnorris at ist.ac.at
Tue Feb 20 12:58:02 CET 2018


Hey,

Thanks. Our use case will be that every user who needs to log into 
LibreCat will have to do so through shibboleth. I also have a script 
that imports/synchronizes all of our institutes users to LibreCat, so 
everyone who needs to log into LibreCat will already have a profile 
there. So whitelisting will be done with the standard LibreCat users bag.

I actually haven't run the example app1.pl and will probably just try 
and get it working with LibreCat. Also I have no experience with CAS so 
am focused solely on Shibboleth.

Thanks,

Jonathan


On 02/20/2018 11:21 AM, Nicolas Franck wrote:
> Hi Jonathan,
>
> Yes ;-). In the authorization route you will need to translate the session["auth_sso"] into
> a valid session containing these keys:
>
> * session["user"]: login user name
> * session["user_id"]: login id (user and user_id can be the same)
> * session["role"]: choose from "super_admin", "reviewer", "project_reviewer", "data_manager" and "delegate"
> * session["lang"]: "en"
>
> (I copied this from lib/LibreCat/App.pm)
>
> Luckily in LibreCat users and their publications are loosely coupled using the user_id from the session as a link, so there is no need to add internal users.
> You can just invent your own users at runtime.
>
> For now you will need to do your own whitelisting (if needed), probably using an own Catmandu store:
>
>      my $users = Catmandu->store("main")->bag("shibboleth_users");
>
> in config/catmandu.local.yml you can add your own Catmandu stores (familiar with them?)
>
>
> P.S. did you make the example app1.pl work with CAS?
>
>
>
>> On 20 Feb 2018, at 10:51, Jonathan NORRIS <jnorris at ist.ac.at> wrote:
>>
>> Hey Nicolas,
>>
>> Thank you for your reply. From spending some time reading the code I am starting to see how it works a bit (I should say that I have very little experience with Perl and Dancer so it takes me a little longer) but I still have some questions around how to integrate it with LibreCat as it currently is.
>>
>> I will just go through the flow of how I think the code works and ask some questions along the way.
>>
>> In your example app1.pl file in the 'builder' there are various routes defined using 'mount'. To me it looks like this allows the routes to be accessible and the code to be ran when the routes are requested by the browser. In the LibreCat app.pl file I would add a mounted route (/auth/shibboleth) to execute the shibboleth.pm code (the 'to_app' sub). I would have apache config that redirects to the shibboleth authentication page and when the user authenticates shibboleth will redirect back to the '/auth/shibboleth' route. The code executed at this route will check if the shibboleth headers are set and set the 'auth_sso' session vars if it is.
>>
>> Then there is a redirection to the 'authorization_path', which in the example app1.pl is another mounted route called '/authorize'. Which looks like it just checks for the 'auth_sso' vars and if found tries to find the user profile using the uid set in 'auth_sso', if the user is found it is set in the session and redirected to some desired route.
>>
>> I believe that to have it work with LibreCat I need to combine the example code that checks for 'auth_sso' with the 'post /login sub' in LibreCat::App. This code authenticates with the local strategies, gets the user and sets the user roles and other session vars. I think that instead of authenticating with a local strategy I just do the 'auth_sso' checking here and then set the user and session vars as normal.
>>
>> Does this sound like the correct approach or am I conceptually wrong here?
>>
>> Thanks again for any help!
>>
>> Jonathan
>>
>> IST Austria
>>
>>
>>
>> On 02/14/2018 04:44 PM, Nicolas Franck wrote:
>>> Hi Jonathan,
>>>
>>> Yes I am, and for the moment I am the only person working on this project.
>>> It requires some review, which hasn't been done yet. I'm also on the librecat email list.
>>> So feel free to post questions there about this module.
>>>
>>> This functionality is not functional yet in the main repo "LibreCat".
>>> A few months ago they asked me to write functionality for single-sign-on authentication.
>>> First I added some packages to the repo "LibreCat", but soon I realized that the functionality could
>>> be reused, and I created the repo "LibreCat-Auth-SSO". That's why you would see
>>> packages like LibreCat::Auth::SSO in the main librecat repo. But those are old, and
>>> should be removed once the code from LibreCat-Auth-SSO is posted on CPAN.
>>>
>>> But as I said, it needs some review, in my opinion.
>>> Have you tried the examples (see README below)? Those explain how it works.
>>>
>>> What should happen:
>>>
>>> * someone should review the current repo LibreCat-Auth-SSO
>>> * the repo should be posted on CPAN
>>> * the repo should be added to cpanfile of librecat
>>> * extra routes should be added to librecat for authentication and authorization for every single-sign-on type (from config?)
>>>
>>> The simplest part is the authentication: the repo already provides plack applications for those.
>>> The authorization has to be done by a route of the application itself, that knows how to translate
>>> an authenticated user into a session.
>>>
>>> So I haven't tried LibreCat with Shibboleth. But I did manage to setup an example
>>> plack application with shibboleth. For an example see the perl documentation
>>> in Plack::Auth::SSO::Shibboleth ( starting at "GLOBAL SETUP" ).
>>>
>>> As the documentation explains, this module does not do the actual authentication:
>>> the authentication is done by the shibboleth provider from apache. The shibboleth provider
>>> sends the attributes to the backend application either by header (default) or by parameter.
>>>
>>> So a plack application can only use shibboleth when used as a backend application behind apache.
>>>
>>>
>>>
>>>
>>>> On 14 Feb 2018, at 16:09, Jonathan NORRIS <jnorris at ist.ac.at> wrote:
>>>>
>>>> Hello Nicolas,
>>>>
>>>> Are you the same Nicolas Franck who wrote this SSO module for LibreCat? https://github.com/LibreCat/LibreCat-Auth-SSO
>>>>
>>>> If so I was wondering if you would be willing to help me integrate this module into my LibreCat setup so I can use Shibboleth for authentication.
>>>>
>>>> First I have a couple of questions:
>>>>
>>>> - Have you ever configured LibreCat to use the SSO module with Shibboleth?
>>>>
>>>> - Are you the only person to have worked on this module or have the other LibreCat developers also worked on it?
>>>>
>>>> - Are you on the LibreCat dev mailing list, and would my queries about this module be best posted to this mailing list?
>>>>
>>>>
>>>> I am a developer working for the Institute of Science and Technology Austria and am trying to configure LibreCat for our needs. So any help is greatly appreciated by me and the institute :)
>>>>
>>>> Thanks,
>>>>
>>>> Jonathan
>>>>
>>>> IST Austria
>>>>
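The authorization route Nicolas describes above, written out as a small stand-alone Plack app (an added example, not code from the thread, LibreCat or LibreCat-Auth-SSO). It assumes, as the thread states, that Plack::Auth::SSO::Shibboleth has already stored the authenticated identity under session["auth_sso"] with a "uid" key, and it further assumes (my choice) that each record in the "shibboleth_users" whitelist bag carries "user", "user_id" and "role" fields.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Catmandu;
use Plack::Builder;
use Plack::Session;
use Plack::Response;

# Roles quoted in the thread from lib/LibreCat/App.pm; any other value is refused.
my %ALLOWED_ROLE = map { $_ => 1 }
    qw(super_admin reviewer project_reviewer data_manager delegate);

# Whitelist bag suggested in the thread (configured in config/catmandu.local.yml).
# Assumed record shape, keyed by the Shibboleth uid:
#   { _id => "jdoe", user => "jdoe", user_id => "jdoe", role => "delegate" }
my $users = Catmandu->store("main")->bag("shibboleth_users");

my $authorize = sub {
    my $env     = shift;
    my $session = Plack::Session->new($env);
    my $res     = Plack::Response->new;

    # Only accept identities that the SSO module itself put into the session.
    my $auth_sso = $session->get("auth_sso");
    unless (ref $auth_sso eq "HASH" && defined $auth_sso->{uid}) {
        $res->status(401); $res->body("not authenticated");
        return $res->finalize;
    }

    # Whitelisting: an authenticated uid without a record (or with an unknown role)
    # gets no LibreCat session at all.
    my $record = $users->get($auth_sso->{uid});
    unless ($record && $ALLOWED_ROLE{ $record->{role} // "" }) {
        $res->status(403); $res->body("not authorized");
        return $res->finalize;
    }

    # Translate the SSO identity into the session keys LibreCat expects.
    $session->set(user    => $record->{user});
    $session->set(user_id => $record->{user_id} // $record->{user});
    $session->set(role    => $record->{role});
    $session->set(lang    => "en");
    $session->remove("auth_sso");   # raw SSO payload is no longer needed

    $res->redirect("/");
    return $res->finalize;
};

builder {
    enable "Session";               # in-memory store, for the example only
    mount "/authorize" => $authorize;
};
```

In a real LibreCat deployment this logic would sit in the 'post /login' handler (or a route next to it) behind the same session middleware LibreCat already uses, with Plack::Auth::SSO::Shibboleth mounted at the authentication path and its authorization_path pointing here.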