-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aaron,

I have a memory of somewhere this could have caused a problem, but I can't 
find anything.  I think it was related to determining which skin to display.  
That code has changed.  I looked everywhere $authMechs is used and could not 
find somewhere that would be a problem.  So, I think it is fine to do what you 
have described.

This sounds like it could be useful to others.  Is it something you can 
contribute?

Josh

On Monday, August 06, 2012 5:54:42 PM Aaron Coburn wrote:
> When setting up VCL affiliations to use Shibboleth authentication, the
> conf.php file instructs an admin to set the affiliationid value to zero.
> For example:
> 
> $authMechs = array(
>     ...
>     "My Shib Affiliation" => array(
>         "type" => "redirect",
>         "URL" => "...",
>         "affiliationid" => 0),
> );
> 
> Even though, for instance, the corresponding `vcl.affiliation.id` value in
> the database is some positive integer.
> 
> In looking through the code, it seems that the only purpose this serves is
> to block access to the XMLRPC interface: in the utils.php:checkAccess()
> function (lines 360-365), the loop that compares the $user['affiliationid']
> with $authmech['affiliationid'] will never find a match, and so the request
> is aborted at that point.
> 
> My interest, however, is precisely to provide access to the XMLRPC interface
> *on behalf* of shibboleth users. The key point here is *on behalf of*,
> since neither the VCL nor the application using the remote API knows
> anything about a user's actual password. The use case is a Moodle block
> that makes use of this remote API.
> 
> Using version 2.3, and with minimal modification to utils.php, I am able to
> allow an admin to define a "proxy authentication handler" in conf.php,
> limiting access only to certain "trusted" servers and requiring a
> particular authentication token. This structure, however, depends on
> configuring $authMechs with the proper "affiliationid" value.
> 
> My question, though, is whether setting a "correct" affiliationid in
> conf.php has implications that I haven't considered.
> 
> Thanks,
> 
> Aaron
> 
> --
> Aaron Coburn
> Systems Administrator and Programmer
> Academic Technology Services, Amherst College
> [email protected]
-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAlAhHh0ACgkQV/LQcNdtPQO0vQCfeJ6pMHLp/Qkv933e5dZladlS
rTUAnjeMRfQOszU2KuCTj0YMVfKOpDLd
=x02r
-----END PGP SIGNATURE-----
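The exchange above is about two things: the loop in utils.php:checkAccess() that refuses XMLRPC requests when no configured $authMechs entry carries the user's affiliationid, and Aaron's idea of a proxy handler restricted to trusted servers and a shared token. The PHP below is an added illustration written for this page, not VCL's own code; it models the comparison Aaron describes and a hypothetical proxy check. The mechanism names, the "proxy" type, the `trustedServers` and `token` keys, the affiliation id 3, the URLs and the addresses are all constructed assumptions; only the $authMechs array layout follows conf.php as quoted in the message.

```php
<?php
// Added illustration, not VCL's own code. Models the affiliationid comparison
// from utils.php:checkAccess() as described in the thread, plus a hypothetical
// "proxy authentication handler" gated by caller address and shared token.

// Constructed $authMechs: one Shibboleth entry left at the documented value 0,
// one set to the real vcl.affiliation.id (3 is a constructed value), and a
// hypothetical proxy entry. The "proxy" type and its keys are assumptions.
$authMechs = array(
    "Shib (id left at 0)" => array(
        "type" => "redirect",
        "URL" => "https://idp.example.org/login",      // constructed
        "affiliationid" => 0),
    "Shib (matching id)" => array(
        "type" => "redirect",
        "URL" => "https://idp.example.org/login",      // constructed
        "affiliationid" => 3),
    "Proxy for Moodle" => array(
        "type" => "proxy",                             // hypothetical type
        "affiliationid" => 3,
        "trustedServers" => array("192.0.2.10"),       // constructed (TEST-NET-1)
        "token" => "REPLACE_WITH_LONG_RANDOM_SECRET"), // placeholder secret
);

// Mirrors the loop Aaron describes: the request is accepted only if some
// configured mechanism carries the same affiliationid as the user record.
// Returns the name of the matching mechanism, or null if none matches.
function affiliationMatches(array $authMechs, array $user) {
    foreach ($authMechs as $name => $authmech) {
        if ($user['affiliationid'] == $authmech['affiliationid'])
            return $name;
    }
    return null;
}

// Hypothetical proxy handler check: the caller must come from a listed server
// and present the configured token. hash_equals() compares the secret in
// constant time (available from PHP 5.6).
function proxyCallerAllowed(array $authmech, $remoteAddr, $presentedToken) {
    if ($authmech['type'] !== 'proxy')
        return false;
    if (!in_array($remoteAddr, $authmech['trustedServers'], true))
        return false;
    return hash_equals($authmech['token'], (string) $presentedToken);
}

// Constructed user record, as it would be loaded from the VCL user tables.
$user = array('unityid' => 'jdoe', 'affiliationid' => 3);

// With only the affiliationid-0 entry configured, the loop never finds a
// match, which is the point at which checkAccess() aborts the request.
$onlyZero = array("Shib (id left at 0)" => $authMechs["Shib (id left at 0)"]);
var_dump(affiliationMatches($onlyZero, $user));

// With the real affiliation id configured, the loop finds a match.
var_dump(affiliationMatches($authMechs, $user));

// Proxy caller: listed server with the right token is accepted; an unlisted
// server or a wrong token is refused even though the affiliationid matches.
$proxy = $authMechs["Proxy for Moodle"];
var_dump(proxyCallerAllowed($proxy, '192.0.2.10', 'REPLACE_WITH_LONG_RANDOM_SECRET'));
var_dump(proxyCallerAllowed($proxy, '198.51.100.7', 'REPLACE_WITH_LONG_RANDOM_SECRET'));
var_dump(proxyCallerAllowed($proxy, '192.0.2.10', 'wrong-token'));
```

Run it with `php example.php`. The first dump shows why the conf.php advice of `affiliationid => 0` blocks the XMLRPC interface for Shibboleth users, the second shows what changes once the id matches the database row, and the remaining three show that a proxy entry should still refuse callers that are not on the trusted list or that present the wrong token, since, as Aaron notes, neither VCL nor the calling application holds the user's real password.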