Revision 6a80a0ae


Added by Kostas Papadimitriou almost 10 years ago

astakos: Shibboleth EPPN migration functionality

Prior to this commit astakos used the mod_shib2 EPPN header value as the
unique identifier for associating shibboleth idp users to astakos user entries.

This commit alters this behaviour and from now on astakos resolves the unique
identifier from the REMOTE_USER header. REMOTE_USER is a header mod_shib2 sets
containing a value of the available shibboleth IdP metadata. The metadata
key (persistent-id or eppn in most common scenarios) used can be configured
from within shibboleth2.xml config file.

<ApplicationDefaults id="default" .... .... REMOTE_USER="persistent-id"...>

An additional setting ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` is added in order
to facilitate migration of existing EPPN entries to persistent-id/targeted-id
(or whichever metadata the REMOTE_USER maps to). When set to ``True``, after
each shibboleth login astakos will try to migrate the existing EPPN entry
by following the below mentioned steps:

  • If no REMOTE_USER header exists or is empty, redirect to an error view.
    Otherwise continue to the next step.
  • Resolve EPPN header and check if an account is currently associated with this
  • If user exists, retrieve user's shibboleth entry (AstakosUserAuthProvider
    instance) and replace stored identifier (EPPN) with the identifier contained
    in REMOTE_USER header.
  • Continue to login or signup process using REMOTE_USER value as the unique
    user identifier that associates astakos user to the shibboleth account.
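The four migration steps above, modelled as an added example that is not part of the astakos code base or of this commit. The header names, the in-memory `ProviderStore`, the `AuthProvider` class standing in for an `AstakosUserAuthProvider` row, and the sample values are all constructed for illustration; the example also adds one guard the message does not spell out (it refuses to rewrite an EPPN entry onto a REMOTE_USER value that some other account already owns, so two accounts can never end up sharing one identifier).

```python
"""Added example (not astakos project code): a minimal model of the Shibboleth
identifier resolution and EPPN migration steps described in the commit message.
Header names, the store and the sample headers are assumptions for this example."""

from dataclasses import dataclass, field

# Header names as mod_shib2 would expose them to the application.
# The EPPN header name is an assumption; REMOTE_USER is the one the commit uses.
REMOTE_USER_HEADER = "REMOTE_USER"
EPPN_HEADER = "HTTP_SHIB_EPPN"


@dataclass
class AuthProvider:
    """Stands in for an AstakosUserAuthProvider row: one user's shibboleth link."""
    user: str
    identifier: str


@dataclass
class ProviderStore:
    """In-memory stand-in for the database table of provider rows."""
    providers: list = field(default_factory=list)

    def find(self, identifier):
        for p in self.providers:
            if p.identifier == identifier:
                return p
        return None


class MissingRemoteUser(Exception):
    """Step 1 failure: the view would redirect to an error page."""


def resolve_identifier(headers, store, migrate_eppn=False):
    """Return (identifier, action, migrated) following the commit's four steps.

    action is 'login' when a provider row already matches REMOTE_USER and
    'signup' otherwise; migrated is True when a legacy EPPN row was rewritten.
    """
    remote_user = (headers.get(REMOTE_USER_HEADER) or "").strip()
    # Step 1: no REMOTE_USER header, or an empty one -> error view.
    if not remote_user:
        raise MissingRemoteUser("REMOTE_USER header missing or empty")

    migrated = False
    if migrate_eppn:
        # Step 2: resolve the EPPN header and look for an account still keyed by it.
        eppn = (headers.get(EPPN_HEADER) or "").strip()
        if eppn and eppn != remote_user:
            legacy = store.find(eppn)
            # Step 3: replace the stored EPPN with the REMOTE_USER value.
            # Added guard: do not rewrite onto an identifier another account owns.
            if legacy is not None and store.find(remote_user) is None:
                legacy.identifier = remote_user
                migrated = True

    # Step 4: continue to login or signup using REMOTE_USER as the unique identifier.
    action = "login" if store.find(remote_user) is not None else "signup"
    return remote_user, action, migrated


def demo():
    """Constructed scenario: one account still keyed by its EPPN gets migrated."""
    store = ProviderStore([AuthProvider("alice", "alice@example.org")])
    headers = {
        REMOTE_USER_HEADER: "https://idp.example.org/idp!https://sp.example.org!abc123",
        EPPN_HEADER: "alice@example.org",
    }
    first = resolve_identifier(headers, store, migrate_eppn=True)
    second = resolve_identifier(headers, store, migrate_eppn=True)
    return first, second, store


if __name__ == "__main__":
    first, second, store = demo()
    print("first login:", first)
    print("second login:", second)
    print("store now:", store.providers)
```

With `ASTAKOS_SHIBBOLETH_MIGRATE_EPPN` off (`migrate_eppn=False`) the same headers produce a `signup`, which is the behaviour the setting exists to avoid for existing EPPN-keyed accounts.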
