Hi Theodoros,
On Wednesday, 6 June 2012 16:44:45, Theodoros Theodoropoulos wrote:
> The reason I worried that not all the functionality is there in the
> external_authentication_sso.py file, is because for example, for the
> CERN connector you rely on the external_authentication_cern_wrapper.py
> file that does all the dirty job, and a similar file is not used in the
> sso file... but from what I understand now, it's not used because it's
> not needed :) That's awesome, it's good to know that I only have to
> tweak one relatively simple file to get things started.
:-) Indeed the external_authentication_cern_wrapper.py is not used at all by
the Shibboleth plugin. It is there because before CERN switched to Shibboleth,
we were using a custom SOAP-based protocol, and the above file is implementing
it.
> I have already done that and in addition I created a custom parameter
> CFG_AUTH_SITE=[0,1] in the invenio-local.conf (that I later include in
> the access_control_config.py) in order to easily switch the
> authentication mechanism from "local" to Shibboleth and back. Finally I
> have tweaked the prefix parameter but in order to continue testing, I
> will need to have a working SP (probably in the next couple of days).
Good! In fact I was always planning to move the access_control_config
configuration into the nicer invenio.conf (and also the different flags you
might find in _SSO/_LDAP plugins), so that you don't need to overwrite Invenio
native .py files.
> However, I have two general questions:
> - From what I remember from a comment during the conference, for
> Shibboleth there is no way to have a fallback -local let's say-
> authentication mechanism. Is this still true?
Yep. We should ticketize this and find the time to work on it.
> - If so, I then suppose that even the superadmin of the site would have
> to also be authenticated from the IDP... So, if there is a problem with
> the connection (or during the initial debug/testing phase where things
> are mainly broken) the only way for the admin to login to the site is to
> switch back the entire site to local authentication, correct?
Fully correct, as ugly as it looks :-)
> > Good luck! Let me know if you need any other info...
> Thank you Sam. Your help is more than welcome! I'll bug you again in a
> few days (but with more specific configuration-related questions)
Ok!
Cheers,
Sam
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>