
Revision b08aadc0

IDb08aadc08c3cd1aefc26ba7470f5cdbb1f6a51e1

Added by Kostas Papadimitriou about 7 years ago

astakos: Shibboleth EPPN migration functionality

Prior to this commit astakos used the mod_shib2 EPPN header value as the
unique identifier for associating shibboleth idp users to astakos user entries.

This commit alters this behaviour and from now on astakos resolves unique
identifier from the REMOTE_USER header. REMOTE_USER is a header mod_shib2 sets
containing a value of the available shibboleth IdP metadata. The metadata
key (persistent-id or eppn in most common scenarios) used can be configured
from within shibboleth2.xml config file.

<ApplicationDefaults id="default" .... .... REMOTE_USER="persistent-id"...>

An additional setting ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` is added in order
to facilitate migration of existing EPPN entries to persistent-id/targeted-id
(or whichever metadata the REMOTE_USER maps to). When set to ``True``, after
each shibboleth login astakos will try to migrate the existing EPPN entry
by following the below mentioned steps:

  • If no REMOTE_USER header exists or is empty, redirect to an error view.
    Otherwise continue to the next step.
  • Resolve EPPN header and check if an account is currently associated with this
    EPPN.
  • If user exists, retrieve user's shibboleth entry (AstakosUserAuthProvider
    instance) and replace stored identifier (EPPN) with the identifier contained
    in REMOTE_USER header.
  • Continue to login or signup process using REMOTE_USER value as the unique
    user identifier that associates astakos user to the shibboleth account.

Conflicts:

snf-astakos-app/astakos/im/messages.py
snf-astakos-app/astakos/im/tests/auth.py
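The four migration steps in the commit message, worked through as an added, self-contained Python model. This is not astakos code: the `AuthProvider`/`ProviderStore` classes stand in for the `AstakosUserAuthProvider` table, the `EPPN` header key and the `migrate_eppn` flag (mirroring `ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`) are assumptions, and the clash check that refuses to rewrite an entry onto an identifier already owned by a different account is an added safeguard the commit does not describe.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


class MissingRemoteUser(Exception):
    """Raised when REMOTE_USER is absent or empty (step 1: error view)."""


@dataclass
class AuthProvider:
    """Stand-in for one AstakosUserAuthProvider row (hypothetical shape)."""
    user_id: int
    identifier: str          # EPPN before migration, REMOTE_USER value after
    module: str = "shibboleth"


class ProviderStore:
    """Minimal in-memory stand-in for the provider table (constructed)."""

    def __init__(self, providers: Iterable[AuthProvider]):
        self.providers = list(providers)

    def find(self, identifier: str) -> Optional[AuthProvider]:
        for p in self.providers:
            if p.module == "shibboleth" and p.identifier == identifier:
                return p
        return None


def _header(headers: Dict[str, str], name: str) -> str:
    # Treat a missing header and an empty/whitespace header the same way.
    return (headers.get(name) or "").strip()


def resolve_shibboleth_identifier(headers: Dict[str, str],
                                  store: ProviderStore,
                                  migrate_eppn: bool = False) -> Tuple[str, bool]:
    """Return (identifier, migrated): the REMOTE_USER value to use as the
    unique identifier, and whether an existing EPPN entry was rewritten."""
    # Step 1: REMOTE_USER must be present and non-empty.
    remote_user = _header(headers, "REMOTE_USER")
    if not remote_user:
        raise MissingRemoteUser("REMOTE_USER header missing or empty")

    migrated = False
    if migrate_eppn:
        # Step 2: resolve the EPPN header ("EPPN" key is an assumption) and
        # look for an account still associated with it.
        eppn = _header(headers, "EPPN")
        if eppn and eppn != remote_user:
            existing = store.find(eppn)
            if existing is not None:
                # Added safeguard (not in the commit): never move an entry
                # onto an identifier that a different account already owns.
                clash = store.find(remote_user)
                if clash is not None and clash.user_id != existing.user_id:
                    raise ValueError("REMOTE_USER already bound to another account")
                # Step 3: replace the stored EPPN with the REMOTE_USER value.
                existing.identifier = remote_user
                migrated = True

    # Step 4: login/signup continues with REMOTE_USER as the identifier.
    return remote_user, migrated


if __name__ == "__main__":
    # Constructed sample: one legacy entry keyed by EPPN, then a login whose
    # REMOTE_USER carries a persistent-id style value.
    store = ProviderStore([AuthProvider(user_id=1, identifier="alice@example.org")])
    hdrs = {"REMOTE_USER": "https://idp.example.org/idp!https://sp.example.org!abc123",
            "EPPN": "alice@example.org"}
    print(resolve_shibboleth_identifier(hdrs, store, migrate_eppn=True))
    print(store.providers[0].identifier)
```

With the flag off, the function never touches the store and simply returns the REMOTE_USER value; with it on, a second login for the same user finds no entry under the old EPPN and is a no-op, so the migration is idempotent.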
