On 6/6/2012 3:35 PM, Samuele Kaplun wrote:
> Invenio comes out-of-the-box with a plugin that supports Shibboleth 2.
> It's modules/webaccess/lib/external_authentication_sso.py

The reason I worried that not all the functionality is there in the
external_authentication_sso.py file, is because for example, for the
CERN connector you rely on the external_authentication_cern_wrapper.py
file that does all the dirty job, and a similar file is not used in the
sso file... but from what I understand now, it's not used because it's
not needed :) That's awesome, it's good to know that I only have to
tweak one relatively simple file to get things started.

> What I'd suggest is that you clone such a plugin so that you are then free to
> tweak these parameters. You will then have to enable it in
> access_control_config.py as well...

I have already done that and in addition I created a custom parameter
CFG_AUTH_SITE=[0,1] in the invenio-local.conf (that I later include in
the access_control_config.py) in order to easily switch the
authentication mechanism from "local" to Shibboleth and back. Finally I
have tweaked the prefix parameter but in order to continue testing, I
will need to have a working SP (probably in the next couple of days).
However, I have two general questions:
- From what I remember from a comment during the conference, for
Shibboleth there is no way to have a fallback -local let's say-
authentication mechanism. Is this still true?
- If so, I then suppose that even the superadmin of the site would have
to also be authenticated from the IDP... So, if there is a problem with
the connection (or during the initial debug/testing phase where things
are mainly broken) the only way for the admin to login to the site is to
switch back the entire site to local authentication, correct?

> Good luck! Let me know if you need any other info...

Thank you Sam. Your help is more than welcome! I'll bug you again in a
few days (but with more specific configuration-related questions)
Best regards,
Theodoros