[Archivesspace_Users_Group] New Single Sign On Plugin released

Eric J. Bivona Eric.J.Bivona at dartmouth.edu
Tue Sep 29 17:57:20 EDT 2015


> On Sep 29, 2015, at 17:38, Ryan Rotter <rrotter at umich.edu> wrote:
> 
> Shib is rapidly becoming the de-facto standard and if ASpace ever added native support for Shib I'd consider using it, but from where I sit it would be very unusual for the application to deal with Shib rather than letting the web server (apache) handle it. 

I don’t know of any reason that the aspace-omniauth-cas plugin I wrote couldn’t be reworked to use the omniauth-shibboleth strategy (https://github.com/toyokazu/omniauth-shibboleth).  We tend to use CAS for internal authentication here at Dartmouth, and Shibboleth/SAML for external resources, and thus I had more experience with the omniauth-cas gem.

> Right now I'm using a plugin (https://github.com/mlibrary/aspace_remote_user) to authenticate users based on the remote_user env var sent from apache/modproxy. This doesn't align well with ASpace's architecture (because I'm effectively moving auth from the backend to the frontend), but it aligns much better with my hosting environment.

My understanding is that the ASpace backend doesn’t trust the frontend, hence the work I did to allow the backend to, essentially, reauthenticate the user before creating a session for them.  Our security team would have had serious reservations about securing such a subversion of the existing architecture, but your mileage will vary.

-Eric
-----
> On 29 September 2015 at 11:40, Chris Fitzpatrick <Chris.Fitzpatrick at lyrasis.org> wrote:
> 
> Hey Joshua, 
> 
> 
> This is so excellent. 
> 
> I'm just curious if there are other SSO strategies people would like to see? Google Apps for Education? Shibboleth? MySpace?
> 
> 
> Here's a list of what could be added to omniauth:
> 
> https://github.com/intridea/omniauth/wiki/List-of-Strategies
> 
> 
> b,chris. 
> 
> Chris Fitzpatrick | Developer, ArchivesSpace
> Skype: chrisfitzpat  | Phone: 918.236.6048
> http://archivesspace.org/
> 
> 
> From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Joshua D. Shaw <Joshua.D.Shaw at dartmouth.edu>
> Sent: Friday, September 25, 2015 10:27 PM
> To: Archivesspace Users Group
> Subject: [Archivesspace_Users_Group] New Single Sign On Plugin released
>  
> Just a heads up to the community that we (Dartmouth) have developed and released a plugin that implements an alternative login method for institutions that use a single sign on system. Credit goes to Eric Bivona, one of our senior programmers. Plugin can be found here: https://github.com/dartmouth-dltg/aspace-omniauth-cas
> 
> We've used the omniAuth gem as the base authentication bundle. Though omniAuth supports a wide variety of authentication methods, at present, the plugin is only implemented for CAS authentication.
> 
> The README file explains the working and configuration of the plugin in greater depth, but this plugin replaces the standard login window with a redirect to an authentication server which first authenticates the user to the frontend. The authentication token is passed from the frontend to the backend which then verifies that authentication payload with the CAS server. Once this is confirmed, the user is logged in. The user's personal information is also updated to reflect the authoritative version held by the CAS server.
> 
> Feel free to email with questions!
> Joshua
> 
> _______________________________________________
> Archivesspace_Users_Group mailing list
> Archivesspace_Users_Group at lyralists.lyrasis.org
> http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group
> 
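The backend-side check the thread describes (the frontend hands the CAS ticket to the backend, which validates it against the CAS server before creating a session and copies the authoritative profile into the user record), as an added example. This is illustrative code, not the aspace-omniauth-cas plugin's own; it assumes a CAS 2.0 `/serviceValidate` endpoint, and the host names and XML replies are constructed.

```ruby
require 'rexml/document'
require 'uri'
# Raised when the CAS server does not vouch for the ticket the frontend passed in.
class CasValidationError < StandardError; end
# URL the backend calls (over HTTPS) to validate the service ticket it received
# from the frontend. `service` must be the same URL the frontend registered with
# CAS when the ticket was issued; CAS rejects the ticket otherwise. Host names
# here are constructed examples.
def cas_validate_url(cas_base, service, ticket)
  uri = URI.join(cas_base, 'serviceValidate')
  uri.query = URI.encode_www_form(service: service, ticket: ticket)
  uri.to_s
end
# Parse a CAS 2.0 serviceValidate reply. Returns the CAS username plus any
# released attributes (the profile the backend treats as authoritative), or
# raises CasValidationError on a failure response or a malformed reply.
def parse_cas_response(xml)
  root = REXML::Document.new(xml).root
  raise CasValidationError, 'not a CAS serviceResponse' unless root && root.name == 'serviceResponse'
  failure = root.elements['cas:authenticationFailure']
  raise CasValidationError, "#{failure.attributes['code']}: #{failure.text.to_s.strip}" if failure
  success = root.elements['cas:authenticationSuccess']
  raise CasValidationError, 'no authenticationSuccess element' unless success
  user_el = success.elements['cas:user']
  user = user_el ? user_el.text.to_s.strip : ''
  raise CasValidationError, 'empty cas:user' if user.empty?
  attrs = {}
  attr_el = success.elements['cas:attributes']
  attr_el.elements.each { |e| attrs[e.name] = e.text.to_s.strip } if attr_el
  { user: user, attributes: attrs }
end
# Constructed sample replies (not captured from a real CAS server).
SAMPLE_SUCCESS = <<~XML
  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
      <cas:user>jdoe</cas:user>
      <cas:attributes>
        <cas:displayName>Jane Doe</cas:displayName>
        <cas:mail>jdoe@example.edu</cas:mail>
      </cas:attributes>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML
SAMPLE_FAILURE = <<~XML
  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
  </cas:serviceResponse>
XML
```

A ticket that validates for a different `service` URL, or that CAS has already consumed, comes back as an `authenticationFailure` and so never reaches the session-creation step.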