LDAP identity provider: fix support of an associated Shibboleth auth provider #42
Conversation
jouvin
changed the title
|
@ThiefMaster I decided to add the support for non local users as an option in the standard LDAP provider as it is really a one line difference. I think it could interest others. It is not clear for me if we should also set |
jouvin
force-pushed
the
ldap_configurable_identifier
branch
from
b344bae
to
6489fd9
Compare
|
This isn't needed in the end, because you can rename fields via the auth-to-identity-provider mapping. See this Indico forum post for an example |
|
@ThiefMaster I updated the PR (and its description) to remove the |
|
I think the PR can be reopened if you force-push commit 6489fd9 to the branch (since that was the last commit before it was closed). Once it's open you can force-push your new commit again.
|
|
It is what I did... but it seems it was not enough... Is it because I also rebased on the last master? |
|
Yes, you need to push that exact commit to the branch. Then I can probably reopen it (you probably can't do it yourself since it was closed by a maintainer). Afterwards you can rebase and forcepush as much as you want again. |
|
Ah ok, I misunderstood... |
|
Done! |
|
there we go, now you can forcepush your latest version |
jouvin
force-pushed
the
ldap_configurable_identifier
branch
from
6489fd9
to
a8ac6d3
Compare
jouvin
force-pushed
the
ldap_configurable_identifier
branch
2 times, most recently
from
e82ec39
to
73a048c
Compare
|
I push a new approach to the problem described, as per our offline discussion, that implement by default the Test in progress at IJCLab... |
jouvin
force-pushed
the
ldap_configurable_identifier
branch
2 times, most recently
from
cddd775
to
046ccc4
Compare
|
Test done successfully at IJCLab (rebuilding manually the wheel after cherry-picking the commit on top of v0.4.9). |
|
great, let's just apply the name change i mentioned on mattermost and this is good to go |
- Provides the ability to retrieve the information from Shibboleth auth-data if identity identifier is missing. Allows to support remote users not part of the LDAP directory - Available by using the identity type ldap_or_authinfo
jouvin
force-pushed
the
ldap_configurable_identifier
branch
from
046ccc4
to
24a2591
Compare
|
Names for class and identity provider type updated (as well as the comment) to make it more general... |
The Indico documentation suggests that it is a good idea to use an LDAP identity provider, when you have one like AD, with a Shibboleth auth provider, to benefit from the group definitions coming from LDAP. The problem is that the LDAP identity provider requires the user to exist in LDAP to create its identity, something that is not true if remote users are authenticated through Shibboleth (e.g. eduGAIN).
The original approach to fixe the issue was by addding a new identity provider boolean configuration parameter,
auth_data_if_identifier_missing: ifTrue, create the identity from theAuthInfoobject (returned by the Shibboleth auth provider) if the user is not found in LDAP. WhenFalse, the identity provider behaviour is unchanged. After some discussion it was decided to implement basically the same code as a variant of the LDAP identity provider that fallbacks toAuthInfocontents if the identifier cannot be retrieved from LDAP.**Note: for this configuration to work, it is also necessary to define the attribute to use to build the identifier, adding an entry in
PROVIDER_MAPthat defines it, with something like:`This PR has been tested successfully at IJCLab.