dolphin-acoustics-vip / database-management-system

A database manager webapp in development for the University of St Andrews Dolphin Acoustics Vertically Integrated Project.

Setup Single Sign On and remove storage of sensitive information from a user #28

Open JamieSullivan12 opened 2 months ago

JamieSullivan12 commented 2 months ago

Setup SSO with the University of St Andrews to allow for a seamless login experience.

pgmccann commented 1 month ago

I wonder if we could just let Apache handle the SSO, and Flask could just pick up the user details as per https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask

pgmccann commented 1 month ago

To clarify:

If everything bar the login page is only visible to logged-in users, we can get rid of the login form and have Apache (which is proxying all the traffic anyway and which is already configured on the production server to use SSO) restrict access to the application to SSO users with specified usernames.

The Flask application should then be able to use

request.environ.get('REMOTE_USER')

to identify the authenticated user.
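As an added illustration (not code from this repository or from either commenter), here is a WSGI-level sketch of the arrangement Patrick describes. Flask's `request.environ` is this same WSGI environ, so the helper applies unchanged inside a Flask view. The username allowlist, the proxy addresses and the `X-Remote-User` header name are assumptions made for the example. It also builds in one caveat a practitioner would check: when Apache hosts the app under mod_wsgi, `REMOTE_USER` lands directly in the environ, but when Apache is a reverse proxy in front of a separate WSGI server the variable does not cross the proxy hop and must be copied into a request header, which the backend should accept only when the connection really comes from the proxy.

```python
"""Reading an Apache-authenticated user from the WSGI environ (added example)."""
from wsgiref.util import setup_testing_defaults

# Users the app will serve. Apache already restricts access to named SSO
# users; checking again here means a loosened vhost cannot silently widen
# access. Constructed for this example.
ALLOWED_USERS = frozenset({"js123", "pgm2"})

# Source addresses the reverse proxy connects from. Constructed for this example.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})

# Header the proxy is assumed to set (hypothetical Apache 2.4 config):
#     RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
# Because `set` overwrites, a client cannot smuggle its own value through Apache.
FORWARDED_USER_HEADER = "HTTP_X_REMOTE_USER"


def authenticated_user(environ):
    """Return the SSO username for this request, or None.

    Two deployment shapes are handled:
      * mod_wsgi / same-server auth: Apache sets REMOTE_USER in the environ.
      * mod_proxy to a separate backend: REMOTE_USER is not forwarded, so the
        proxy copies it into a header. That header is trusted only when the
        peer is the proxy itself; anyone who can reach the backend directly
        could otherwise forge it.
    """
    user = environ.get("REMOTE_USER")
    if user:
        return user
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        forwarded = environ.get(FORWARDED_USER_HEADER, "").strip()
        if forwarded:
            return forwarded
    return None


def require_sso(environ):
    """Decide the response for a request: (status line, username or None)."""
    user = authenticated_user(environ)
    if user is None:
        return "401 Unauthorized", None      # nothing in front of us authenticated
    if user not in ALLOWED_USERS:
        return "403 Forbidden", user         # authenticated, but not a project member
    return "200 OK", user


def app(environ, start_response):
    """Minimal WSGI app; a Flask app sees the same environ via request.environ."""
    status, user = require_sso(environ)
    text = f"hello {user}\n" if status.startswith("200") else status + "\n"
    body = text.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call(overrides):
    """Invoke `app` with a constructed WSGI environ; returns (status, body)."""
    environ = dict(overrides)
    setup_testing_defaults(environ)   # fills in the rest of a valid environ
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    # Constructed requests: direct hit with a forged header, proxied SSO user,
    # proxied unknown user, and a mod_wsgi-style REMOTE_USER.
    print(call({"REMOTE_ADDR": "203.0.113.9", "HTTP_X_REMOTE_USER": "js123"}))
    print(call({"REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "js123"}))
    print(call({"REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "nobody"}))
    print(call({"REMOTE_ADDR": "203.0.113.9", "REMOTE_USER": "pgm2"}))
```

The forged-header case is the one to keep in mind once the login form goes away: if the WSGI server listens on anything other than the loopback interface Apache proxies to, the `REMOTE_ADDR` check is the only thing stopping a direct request from naming an arbitrary user.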

JamieSullivan12 commented 1 month ago

Hi Patrick. Thanks for this. It certainly seems simple to implement. Never having done this before, however, I am still unsure as to how this would logistically be implemented. My first thoughts are:

The program also has a facility to create temporary view-only programs. All the code for this is functional and implemented; however, the need for a login page still exists.

Perhaps we can do a 30 minute MS Teams call (or in person - I can come to Guardbridge) to discuss this?