mitocw / edx-platform

the edX learning management system (LMS) and course authoring tool, Studio
http://code.edx.org/
GNU Affero General Public License v3.0

Discovery: can we use 3rd party auth with Touchstone? #231

Closed pdpinch closed 8 years ago

pdpinch commented 8 years ago

Certificate auth and CAS both use an edX code path that gets little attention and

More recently, edX (via OpenCraft) has invested in 3rd party auth. Can we use this with Touchstone?

This would have the added advantage of making MITx authentication rely on the same systems as other MIT services, allowing us to rely on IS&T helpdesk for support issues, and getting us the added security of DUO authentication.

edX blog post on 3rd party auth

pwilkins commented 8 years ago

Here's some more information. "Touchstone" is a brand (http://ist.mit.edu/touchstone?category=6), the technology is either SAML using Shibboleth, or CAMS. Nginx doesn't support Shibboleth last time I checked, but can be configured for SAML. I don't think that CAMS meets our use case because it isn't intended for use by residential students.

IS&T also offers OpenID Connect Authorization (http://ist.mit.edu/oidc) which may meet our use case.

pdpinch commented 8 years ago

Braden MacDonald from OpenCraft wrote a SAML plugin for django third-party-auth, which is installed in edX.

More configuration details at http://edx.readthedocs.org/projects/edx-installing-configuring-and-running/en/latest/configuration/tpa/tpa_SAML_IdP.html

Thanks for the IS&T link @pwilkins. There's a link there to an extensive provisioning guide for Touchstone: https://wikis.mit.edu/confluence/display/TOUCHSTONE/Provisioning+Steps

So configuration is looking pretty feasible. But what I don't know is how we restrict accounts to only MIT users when Touchstone allows for collaboration accounts.

pwilkins commented 8 years ago

But what I don't know is how we restrict accounts to only MIT users when Touchstone allows for collaboration accounts.

Sorry, Touchstone is for authentication. It doesn't do authorization. :-(
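The point made just above (the IdP authenticates, the service provider must authorize) is what the following added example demonstrates; it is not code from edx-platform, from the third-party-auth SAML plugin, or from MIT IS&T. It models the kind of deny-by-default check a python-social-auth style pipeline step would perform on the attributes a SAML library hands over after a successful Touchstone login. The eduPerson attribute OIDs are the standard ones; the allowed realm `mit.edu`, the affiliation allowlist and the sample assertions are assumptions and constructed data for the example.

```python
"""Service-provider-side authorization for SAML logins.

Added illustration, not code from edx-platform or from MIT IS&T. The IdP only
vouches for identity, so the service provider has to decide for itself which
authenticated principals may hold an account. The allowed realm, the affiliation
allowlist and the sample assertions below are assumptions / constructed data.
"""
from typing import Dict, List, Optional

# Standard eduPerson attribute OIDs as they appear in SAML assertions.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# Assumption: only principals in this realm with one of these affiliations may log in.
ALLOWED_REALM = "mit.edu"
ALLOWED_AFFILIATIONS = {"student", "faculty", "staff", "employee"}


class AuthorizationError(Exception):
    """Raised when an authenticated principal is not permitted to hold an account."""


def principal_realm(eppn: str) -> Optional[str]:
    """Return the realm part of a scoped principal name, or None if malformed."""
    user, sep, realm = eppn.partition("@")
    if not sep or not user or not realm or "@" in realm:
        return None
    return realm.lower()


def authorize_saml_login(attributes: Dict[str, List[str]]) -> Dict[str, object]:
    """Decide whether a SAML-authenticated principal may log in.

    Returns the account details to provision on success and raises
    AuthorizationError otherwise. Every comparison is an exact match on purpose:
    a suffix match would let 'mit.edu.example.org' through, and a substring
    match would accept any realm that merely contains 'mit.edu'.
    """
    eppn_values = attributes.get(EPPN, [])
    if len(eppn_values) != 1:
        raise AuthorizationError("assertion carries no single eduPersonPrincipalName")
    eppn = eppn_values[0]

    realm = principal_realm(eppn)
    if realm is None:
        raise AuthorizationError(f"malformed principal name: {eppn!r}")
    if realm != ALLOWED_REALM:
        raise AuthorizationError(f"realm {realm!r} is not {ALLOWED_REALM!r}")

    affiliations = {a.strip().lower() for a in attributes.get(AFFILIATION, [])}
    if not affiliations & ALLOWED_AFFILIATIONS:
        raise AuthorizationError(f"no permitted affiliation in {sorted(affiliations)}")

    return {
        "username": eppn.split("@", 1)[0],
        "eppn": eppn,
        "affiliations": sorted(affiliations),
    }


def is_authorized(attributes: Dict[str, List[str]]) -> bool:
    """Boolean wrapper: True only when authorize_saml_login accepts the assertion."""
    try:
        authorize_saml_login(attributes)
        return True
    except AuthorizationError:
        return False


# Constructed sample assertions, shaped like the attribute maps a SAML library returns.
SAMPLE_ASSERTIONS = {
    "mit_student": {EPPN: ["alice@mit.edu"], AFFILIATION: ["member", "student"]},
    "collaboration_account": {EPPN: ["bob@example.org"], AFFILIATION: ["affiliate"]},
    "lookalike_realm": {EPPN: ["eve@mit.edu.example.org"], AFFILIATION: ["student"]},
    "mit_affiliate_only": {EPPN: ["carol@mit.edu"], AFFILIATION: ["affiliate"]},
    "no_eppn": {AFFILIATION: ["student"]},
}

if __name__ == "__main__":
    for name, assertion in SAMPLE_ASSERTIONS.items():
        print(f"{name:22s} -> {'allow' if is_authorized(assertion) else 'deny'}")
```

In a python-social-auth based deployment a check like `authorize_saml_login` would sit in the `SOCIAL_AUTH_PIPELINE` before the step that creates or associates the local user, so that a successful IdP login never turns into an account on its own; which attributes Touchstone actually releases to a given SP, and therefore which ones the check can rely on, is something to confirm with the IdP operator rather than assume.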

pwilkins commented 8 years ago

Most of the "Provisioning" document focuses on installing and configuring Shibboleth. I don't think we need to install and run Shibboleth, if I'm reading Braden's SAML guide correctly.

itsbenweeks commented 8 years ago

There's some good info gathering here, thanks @pdpinch and @pwilkins. I'm not sure how we're currently gathering analytics, but if we're polling any API for them then it may be worthwhile to look into OIDC for those API endpoints.

pdpinch commented 8 years ago

So we've made this work via CAS. We need to do some testing to see how/if this exposes us to non-MIT users, but I think we can close this issue.