Authentication via Princeton CAS

[jcmatese]

Feature Inspiration

Although a survey suggested the lab members are fine with internal data sharing, Princeton CAS authentication for site access could be useful for autofill, curation, and loading tasks.

Authenticate to Princeton CAS to allow site access, and potentially curation tool functionality (load/update)?

Feature Description

Although a survey suggested the lab members are fine with internal data sharing, Princeton CAS authentication for site access could be useful for autofill, curation, and loading tasks.

Alternatives Considered

Princeton offers both CAS and SAML2, and they advise the latter (SAML2).

django-cas-ng - John M. did initiate have a trial branch with this. django-uniauth Custom CAS back-ends

Comment

From Jason Rappaport, IAM Group, OIT

CS maintains an article for CAS developers that might be helpful, see https://csguide.cs.princeton.edu/publishing/cas ... if you need more information, please feel free to reach out to me directly via jasonrap@princeton.edu

Also

"With CAS, we do offer localhost testing, but you have to configure your server to be localhost.princeton.edu, we don’t allow just localhost." "you cannot test your SAML SP without it being registered"

---

ISSUE OWNER SECTION

Assumptions

• List of assumptions made WRT the code
• E.g. We will assume input is correct (explaining why there is no validation)

Requirements

• List of conditions to be met for the feature
• E.g. Every column/row must display a value, i.e. cannot be empty

Limitations

• A list of things this work will specifically not do
• E.g. This feature will only handle the most frequent use case X

Affected/Changed Components

• Files
• Environment variables
• External executables
• Database tables
• Cron job settings
• Etc.

DESIGN

GUI Change description

Describe changes the user will see.

Code Change Description (Pseudocode optional)

1. Find out what is required from Princeton OIT regarding CAS site registration. links : 1, 2
2. Do a trial implementation of CAS/SAML
3. Determine what authentication might actually allow (TBD)

Tests

A test should be planned for each requirement (above), where possible.

[lparsons]

While I think that authorization to specific datasets is less pressing, some form of authentication is needed so that we can authorize access to the entire site to lab members only.

[jcmatese]

contacting jasonrap@princeton.edu)

[lparsons]

I'm going to work with John Wiggins and Jason Rappaport on getting Tracebase whitelisted for CAS. This may require an architecture review by OIT.