oaeproject / Hilary

Open Academic Environment (OAE) Back-End
http://www.oaeproject.org
Educational Community License v2.0

Refactor Shibboleth Authentication workflow #824

Closed simong closed 10 years ago

simong commented 10 years ago

We should look into refactoring our current shibboleth authentication workflow. It's now possible to run the shibboleth SP software in combination with nginx (over FastCGI) [1]. Moving all that logic to the web nodes would allow us to:

A downside is that we'd no longer be able to add shibboleth authentication "on the fly" in the admin UI. This doesn't seem like a big issue to me, as in the past it wasn't functioning until the institution's IdP added our metadata.

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/Integrating+Nginx+and+a+Shibboleth+SP+with+FastCGI
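For readers unfamiliar with the nginx + FastCGI setup referenced in [1], here is an added illustration of what "moving the SP logic to the web nodes" looks like in practice. This is not configuration from the Hilary project or from this thread; it is an example written for this page using the nginx-http-shibboleth module and the Shibboleth SP's `shibauthorizer`/`shibresponder` FastCGI daemons. The socket paths, the `/api/auth/shibboleth` location and the `app_nodes` upstream are assumed placeholders.

```nginx
# Added example (not Hilary's config). Assumes nginx built with the
# nginx-http-shibboleth module and the Shibboleth SP daemons started
# with their FastCGI sockets at the paths below.

upstream app_nodes {
    server 10.0.0.11:2000;  # assumed app node addresses
    server 10.0.0.12:2000;
}

server {
    listen 443 ssl;
    server_name tenant.example.org;  # assumed tenant host

    # Internal authorizer: nginx sub-requests this for every protected
    # request; the SP decides whether a session exists and which
    # attributes to export. Never reachable from a client directly.
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;  # assumed path
    }

    # Responder: the SP's own handler endpoints (SAML assertion consumer,
    # metadata, logout, session status).
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;   # assumed path
    }

    # The one path where the app should receive SP-asserted identity.
    # The SP runs first; on success the exported attributes are copied
    # into request headers and the request is proxied to an app node.
    location /api/auth/shibboleth {
        # Drop any client-supplied headers with the same names so a
        # caller cannot pre-fill REMOTE_USER, eppn, etc. The module ships
        # a "shib_clear_headers" snippet for this purpose.
        include shib_clear_headers;

        shib_request /shibauthorizer;
        shib_request_use_headers on;
        # Optional: expose individual attributes as custom headers.
        shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
        proxy_set_header X-Remote-User $shib_remote_user;

        proxy_pass http://app_nodes;
    }

    # Everything else goes to the app unauthenticated by the SP.
    location / {
        proxy_pass http://app_nodes;
    }
}
```

The security-relevant consequence of this layout is that the app nodes must trust identity headers only on requests that arrived through the SP-fronted location, and the app nodes must not be reachable except via these nginx hosts; otherwise a client talking to an app node directly could set `X-Remote-User` itself. The `shib_clear_headers` include and an upstream bound to a private interface are what make that assumption hold.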

nicolaasmatthijs commented 10 years ago

@simong : Why would we lose the ability to configure shibboleth authentication on the fly? How would it practically work for an institution in one of the federations to set up their tenant?

simong commented 10 years ago

@nicolaasmatthijs

You would still be able to enable shibboleth authentication but not configure it on the fly, as most of the configuration has moved to the Shibboleth SP software and Apache.

If an institution wants to use OAE with their Shibboleth IdP, 2 situations can exist (assuming we're part of the UK federation/eduGAIN):

  1. The institution is part of the UK federation/eduGAIN. Unless we want more attributes, nothing needs to happen. Their IdP will automatically trust us due to both of us being part of the federation.
  2. The institution is NOT part of the UK federation/eduGAIN. Again, there are 2 things we can do.
     2.1 If the institution is part of a federation we're not part of, we could try to register our SP with that federation.
     2.2 If the institution is not part of any federation, they will have to "trust" our SP. Which means their IdP needs to acquire our metadata.

If an institution wants to use Shibboleth, we need to know 2 things:

Once we know these 2 values, we will have to:

This means we'll lose a little bit of flexibility, but considering:

I feel that it's worth it.

I have a PR pending at https://github.com/oaeproject/Hilary/pull/849. It's probably best if we discuss it there further.