10-05-2010, 11:27 PM
Hi
I am implementing Shibboleth authentication into letoDMS and have some general questions so that I know how to go on. See http://shibboleth.internet2.edu/ for more information about Shibboleth.
Shibboleth is a single-sign-on system used at a lot of academic institutions. The Shibboleth daemon runs on the webserver, and if a directory/location is protected by it, then the webserver will set the attributes received from Shibboleth for the user into the $_SERVER variable. This includes a uniqueID (similar to a username) and additional information, e.g. first name, last name, email address etc.
In contrast to the normal authentication and LDAP, where the user has to enter his credentials on the letoDMS site, the user is already authenticated when he gets to the letoDMS site.
As there is no plugin structure for letoDMS, I have implemented the login into the normal op.Login.php file. The best way would be to move all the authentication/authorization logic into a separate file for each auth mechanism. For the moment it's fine with me... it would perhaps be a nicer solution in the future. I have added a "_authType" setting in the settings file, so that could be used to distinguish which auth mechanism has to be used.
As I would also like to implement the groups retrieved by Shibboleth, I would like to have a separate environment for every group, where they have their own "root" folder and can do inside it whatever they want (finally, the different groups shouldn't see each other...). Is that possible with the current implementation? I haven't found any specific option for that (to set a root folder for a group or user? everybody just starts at "DMS"?)
Thanks for this great piece of software, and your help is appreciated :-)
KoS
PS: I'll post my code as soon as I'm a little bit further.
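The mechanism described in the post (the SP exporting the user's attributes into $_SERVER, and an "_authType" setting choosing the mechanism) is illustrated below in an added example. This is not KoS's code and not part of letoDMS; the function names are hypothetical, the attribute ids (eppn, givenName, sn, mail, isMemberOf) are assumed to match the SP's attribute-map.xml, and the `Shib-Session-ID` / `Shib-Identity-Provider` variables are the ones the Shibboleth SP sets when a session exists. It needs PHP 7.1 or newer for the `??` operator and the nullable return type.

```php
<?php
// Added example, not letoDMS code: read the Shibboleth-supplied identity out of a
// $_SERVER-like array and dispatch on an "_authType" setting.
// Attribute ids below are assumptions taken from a typical attribute-map.xml.

/**
 * Return the identity the SP exported for this request, or null when the
 * request did not pass through an SP-protected location.
 */
function shibIdentityFromServer(array $server): ?array
{
    // The SP only sets Shib-Session-ID when a session exists for the request
    // (e.g. Apache "ShibRequireSession On"). Without it there is nothing to
    // trust, so refuse instead of guessing a user.
    if (empty($server['Shib-Session-ID'])) {
        return null;
    }
    // REMOTE_USER is the principal the SP chose (commonly eppn); fall back to
    // the raw eppn attribute. Keys are read unprefixed (environment-variable
    // mode), never as HTTP_* request headers, which a client could supply.
    $uid = $server['REMOTE_USER'] ?? $server['eppn'] ?? '';
    if ($uid === '') {
        return null;
    }
    // Multi-valued attributes such as isMemberOf are joined by the SP with ';'.
    $groups = array_values(array_filter(explode(';', $server['isMemberOf'] ?? '')));

    return [
        'login'     => $uid,
        'firstName' => $server['givenName'] ?? '',
        'lastName'  => $server['sn'] ?? '',
        'email'     => $server['mail'] ?? '',
        'groups'    => $groups,
        'idp'       => $server['Shib-Identity-Provider'] ?? '',
    ];
}

/**
 * Select the auth mechanism from the "_authType" setting the post mentions.
 * $formLogin is the existing username/password path (LDAP or the local db).
 */
function authenticate(string $authType, array $server, callable $formLogin): array
{
    if ($authType === 'shibboleth') {
        $identity = shibIdentityFromServer($server);
        if ($identity === null) {
            // Do not fall back to the password form here: a request that bypassed
            // the protected location must not get to pick its own user.
            header('HTTP/1.1 403 Forbidden');
            exit('No Shibboleth session for this request');
        }
        return $identity;
    }
    // 'ldap' or the default local authentication keep using the login form.
    return $formLogin();
}

// Constructed sample of what the SP would put into $_SERVER (not real data).
$sampleServer = [
    'Shib-Session-ID'        => '_example_session_id',
    'Shib-Identity-Provider' => 'https://idp.example.edu/idp/shibboleth',
    'REMOTE_USER'            => 'jdoe@example.edu',
    'eppn'                   => 'jdoe@example.edu',
    'givenName'              => 'Jane',
    'sn'                     => 'Doe',
    'mail'                   => 'jane.doe@example.edu',
    'isMemberOf'             => 'cn=physics,ou=groups;cn=staff,ou=groups',
];

$who = authenticate('shibboleth', $sampleServer, function () {
    return ['login' => 'form-user'];
});
printf("%s (%s %s) groups=%s\n", $who['login'], $who['firstName'],
    $who['lastName'], implode(',', $who['groups']));
```

The `groups` entry is the hook for the per-group "root" folder idea from the post: once the SP hands over the group values, letoDMS-side code can map each value to a letoDMS group and pick that group's folder as the starting point, while users whose request carries no SP session never reach the mapping step.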