KorAP / Kalamar

:octopus: Mojolicious-based Frontend for KorAP
BSD 2-Clause "Simplified" License

Integration of Shibboleth-Login in Kalamar #223

Open hebasta opened 1 month ago

hebasta commented 1 month ago

It should be possible to login via Shibboleth on certain KorAP instances.

Kalamar-Shibboleth-Workflow:

  1. User clicks on the Shibboleth-Login-Button and is redirected to either his/her home IdP or a WAYF (Where Are You From) to authenticate via Shibboleth. Can be realized as a link.

  2. Apache sends SAML attributes as HTTP headers back as the response. Be aware that there is no guarantee that we get all attributes that are asked for. There should be at least PairwiseID, but maybe for example no givenName / surName. So we must take care that variables like user_handle are always optional in Kalamar.

  3. Kalamar sends a token request similar to password grant without username and password, including the HTTP headers (e.g. PairwiseID) from Apache and saves them if necessary.

Example: Request to korap.ids-mannheim.de/shibboleth -> Apache redirects to IdP -> if authentication is successful the SAML attributes in HTTP headers will be redirected to korap.ids-mannheim.de/shibboleth -> Kalamar saves SAML attributes if necessary and sends them to Kustvakt.

See also: