I've been tasked with adding CAS authentication to our OJS instances. I've run into several questions.
After some study I finally realized that the new Shibboleth code ought to be somewhat similar, and discovered there's a new plugin category of "implicitAuth". The latest Technical Reference (rev 3) doesn't mention it. Is there some interim documentation? Hmmm, maybe not -- the category seems to be hard-wired (in LoginHandler) to assume that implicitAuth === Shibboleth.
Okay, so how should I tackle the case that a user might already be authenticated globally, but OJS doesn't know that yet? Ideally, if the user *is* globally authenticated:
o the sidebar login block would change to just a Login button;
o the login link in the page heading would be equivalent to that button.
IOW the user would never see username/password boxes if globally logged in when he came to OJS. Otherwise...well, that's where it gets tricky. I guess the login page should then have links for each configured SSO plugin, to go to that service's login page and (we hope) come back, as well as the text fields and button for authentication providers (builtin, LDAP) that use them.
Creating an SSO authentication plugin for CAS
Moderators: jmacgreg, michael, jheckman, barbarah, btbell, bdgregg, asmecher
Forum rules
Developer Resources:
Documentation: The OJS Technical Reference and the OJS API Reference are both available from the OJS Documentation page.
Git: You can access our public Git Repository here. Comprehensive Git usage instructions are available on the wiki.
Bugzilla: You can access our Bugzilla report tracker here.
Search: You can use our Google Custom Search to search across our main website, the support forum, and Bugzilla.
Questions and discussion are welcome, but if you have a workflow or usability question you should probably post to the OJS Editorial Support and Discussion subforum; if you have a technical support question, try the OJS Technical Support subforum.
Developer Resources:
Documentation: The OJS Technical Reference and the OJS API Reference are both available from the OJS Documentation page.
Git: You can access our public Git Repository here. Comprehensive Git usage instructions are available on the wiki.
Bugzilla: You can access our Bugzilla report tracker here.
Search: You can use our Google Custom Search to search across our main website, the support forum, and Bugzilla.
Questions and discussion are welcome, but if you have a workflow or usability question you should probably post to the OJS Editorial Support and Discussion subforum; if you have a technical support question, try the OJS Technical Support subforum.
5 posts
• Page 1 of 1
Creating an SSO authentication plugin for CAS
by mwood » Fri Aug 28, 2009 12:58 pm
- mwood
- Posts: 20
- Joined: Thu Nov 01, 2007 8:06 am
- Location: Indianapolis, Indiana, US
Re: Creating an SSO authentication plugin for CAS
by asmecher » Wed Sep 02, 2009 2:30 pm
Hi mwood,
The implicitAuth and Shibboleth code were both contributed to us by dgalewsky on this forum -- see e.g. http://pkp.sfu.ca/support/forum/viewtopic.php?f=9&t=2881. He might be able to provide some more specific feedback on that code.
Regards,
Alec Smecher
Public Knowledge Project Team
The implicitAuth and Shibboleth code were both contributed to us by dgalewsky on this forum -- see e.g. http://pkp.sfu.ca/support/forum/viewtopic.php?f=9&t=2881. He might be able to provide some more specific feedback on that code.
Regards,
Alec Smecher
Public Knowledge Project Team
- asmecher
- Posts: 5768
- Joined: Wed Aug 10, 2005 12:56 pm
Re: Creating an SSO authentication plugin for CAS
by mwood » Thu Oct 15, 2009 1:46 pm
After quite a bit of staring at the code, I'm becoming convinced that the Shibboleth plugin (and in fact the whole implicitAuth category) is not for us. It appears (please correct me!) that enabling implicit login DISables username/password login. I can't have that -- we have many external users who will never be known by our internal SSO service.
Here's the way I think it ought to work. Somebody tell me if I'm nuts:
When a user comes to the login page (LoginHandler::index()) the Handler should test whether the user has an implicit login ticket. (CAS can do this; I don't yet know whether Shibboleth can, but don't see how it could not.) That is, call HookRegistry::call() for a new hookName that names this test. If true is returned, realize the OJS login by looking up the user and setting the session attributes appropriately. (I'm leaving out the case that an implicitly authenticated user is not yet known to OJS, for simplicity, but I know it has to be handled).
Otherwise, present the login page with a "slot" for each enabled login method. SSO methods would present just a link or a button; token or biometric methods would prompt for the appropriate action ("If you want to use a smart card, insert it now."); the built-in username/password method would present its existing controls. The user has to choose one, but this really needn't require any more action than the existing login form already does.
I haven't yet worked out how login methods provide their UI "slots" to the login page, but the templating system ought to be a big help.
To reproduce the current Shibboleth behavior, one would need a way to disable the built-in login method. That's what the "enable implicit login" configuration item really does, that wasn't available before.
Here's the way I think it ought to work. Somebody tell me if I'm nuts:
When a user comes to the login page (LoginHandler::index()) the Handler should test whether the user has an implicit login ticket. (CAS can do this; I don't yet know whether Shibboleth can, but don't see how it could not.) That is, call HookRegistry::call() for a new hookName that names this test. If true is returned, realize the OJS login by looking up the user and setting the session attributes appropriately. (I'm leaving out the case that an implicitly authenticated user is not yet known to OJS, for simplicity, but I know it has to be handled).
Otherwise, present the login page with a "slot" for each enabled login method. SSO methods would present just a link or a button; token or biometric methods would prompt for the appropriate action ("If you want to use a smart card, insert it now."); the built-in username/password method would present its existing controls. The user has to choose one, but this really needn't require any more action than the existing login form already does.
I haven't yet worked out how login methods provide their UI "slots" to the login page, but the templating system ought to be a big help.
To reproduce the current Shibboleth behavior, one would need a way to disable the built-in login method. That's what the "enable implicit login" configuration item really does, that wasn't available before.
- mwood
- Posts: 20
- Joined: Thu Nov 01, 2007 8:06 am
- Location: Indianapolis, Indiana, US
Re: Creating an SSO authentication plugin for CAS
by mj » Tue Feb 26, 2013 1:49 pm
Hi all,
I know I'm reviving an old thread, but I wanted to ask the OJS community whether anyone has gone further down this path of developing a CAS authentication plugin for OJS. We are rolling out OJS at Ryerson University and currently use CAS for our SSO. Obviously it would be preferable not to go through all the work of re-implementing CAS auth if someone else has started work on developing or porting code. We're open to any kind of reciprocal sharing agreements etc. -- if nobody else has done this, then we'll undertake the work ourselves and release the plugin to the community under the GPL.
Please feel free to email me at mjsuhonos@ryerson.ca, but it's probably preferable to reply here as well for others who may be interested in the same issue.
Thanks in advance,
MJ
I know I'm reviving an old thread, but I wanted to ask the OJS community whether anyone has gone further down this path of developing a CAS authentication plugin for OJS. We are rolling out OJS at Ryerson University and currently use CAS for our SSO. Obviously it would be preferable not to go through all the work of re-implementing CAS auth if someone else has started work on developing or porting code. We're open to any kind of reciprocal sharing agreements etc. -- if nobody else has done this, then we'll undertake the work ourselves and release the plugin to the community under the GPL.
Please feel free to email me at mjsuhonos@ryerson.ca, but it's probably preferable to reply here as well for others who may be interested in the same issue.
Thanks in advance,
MJ
- mj
- Site Admin
- Posts: 304
- Joined: Fri Mar 26, 2004 9:32 am
- Location: Toronto, Canada
Re: Creating an SSO authentication plugin for CAS
by mj » Tue Apr 23, 2013 8:13 am
Hi all,
Ryerson University Library and Archives (RULA) is proud to release an OJS-CAS plugin based on the implicitAuth mechanism used by the provided OJS Shibboleth plugin. This code is provided under the MIT free software license, and is free for anyone to share, use, or modify. RULA welcomes all comments, patches, and bug fixes, and we hope others in the PKP community can benefit from this plugin.
Special thanks to the efforts of Steven Marsden, who developed the plugin and was persistent in some very frustrating debugging. The source code is available on Github at: https://github.com/ryersonlibrary/ojs-cas
MJ
Ryerson University Library and Archives (RULA) is proud to release an OJS-CAS plugin based on the implicitAuth mechanism used by the provided OJS Shibboleth plugin. This code is provided under the MIT free software license, and is free for anyone to share, use, or modify. RULA welcomes all comments, patches, and bug fixes, and we hope others in the PKP community can benefit from this plugin.
Special thanks to the efforts of Steven Marsden, who developed the plugin and was persistent in some very frustrating debugging. The source code is available on Github at: https://github.com/ryersonlibrary/ojs-cas
MJ
- mj
- Site Admin
- Posts: 304
- Joined: Fri Mar 26, 2004 9:32 am
- Location: Toronto, Canada
5 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 2 guests