
ArchivesSpace authentication with OmniAuth/CAS

Getting started

Download and unpack the latest release of the plugin into your ArchivesSpace plugins directory:

	$ curl ...
	$ cd /path/to/archivesspace/plugins
	$ unzip ...

Initialize the omniauthCas plugin (this will download the gems needed by the plugin):

     # For Linux/OSX
     $ scripts/initialize-plugin.sh omniauthCas
     
     # For Windows
     % scripts\initialize-plugin.bat omniauthCas

Configure the plugin by adding the following to your ArchivesSpace configuration file (config/config.rb), modified as appropriate to your local situation:

	AppConfig[:omniauthCas] = {
		:provider => {
			:url                  => 'https://<CAS-SERVER-HOST>',
			:login_url            => '/cas/login',
			:service_validate_url => '/cas/serviceValidate',
			:uid_key              => '<CAS-UID-KEY>',
			:host                 => '<CAS-SERVER-HOST>',
			:ssl                  => true,
		},
		:frontendUidProc  => lambda { |hash| ... },
		:backendUidProc   => lambda { |hash| ... },
		:backendEmailProc => lambda { |hash| ... },
		:logoutUrlPath    => '<CAS-LOGOUT-PATH>',
		:initialUsers     => [ 'umd-cas-id-of-a-user-to-be-added-as-admin' ]
	}

The :frontendUidProc, :backendUidProc, and :backendEmailProc lambdas provide hooks to pull needed information from the CAS payload. :frontendUidProc is passed the OmniAuth/CAS auth_hash and is expected to return the ArchivesSpace username value for the user. :backendUidProc and :backendEmailProc are passed the hash returned by the OmniAuth::Strategies::CAS::ServiceTicketValidator#user_info method.
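One way to fill in the three hooks and the surrounding config, as an added example rather than the plugin's own code. It assumes the OmniAuth auth_hash is addressed with string keys ('uid', 'info') and that the user_info hash from ServiceTicketValidator#user_info is a flat Hash of CAS attribute names ('user', 'mail', ...) to values, with Arrays for multi-valued attributes; USERNAME_RE, canonical_username and omniauth_cas_config are names introduced here, and the angle-bracket placeholders are the README's.

```ruby
# Added example (not the plugin's own code): candidate bodies for the
# three hook lambdas. Assumptions: the OmniAuth auth_hash is addressed
# with string keys ('uid', 'info'), and the user_info hash returned by
# ServiceTicketValidator#user_info is a flat Hash of CAS attribute names
# ('user', 'mail', ...) to values, possibly Arrays for multi-valued ones.

# The backend endpoint is /users/<USERNAME>/omniauthCas, so the username
# the frontend hook returns ends up embedded in a URL path: restrict it to
# a conservative character set rather than passing the CAS value through.
USERNAME_RE = /\A[a-z0-9][a-z0-9._-]{0,63}\z/

# Normalise a raw CAS identifier into an ArchivesSpace username, or nil
# when it is missing or would not be safe to use as one.
def canonical_username(raw)
  return nil if raw.nil?
  name = raw.to_s.strip.downcase
  USERNAME_RE.match?(name) ? name : nil
end

# :frontendUidProc is handed the OmniAuth/CAS auth_hash.
FRONTEND_UID_PROC = lambda { |auth_hash| canonical_username(auth_hash['uid']) }

# :backendUidProc is handed ServiceTicketValidator#user_info; the CAS
# 'user' element is the principal the CAS server actually asserted.
BACKEND_UID_PROC = lambda { |user_info| canonical_username(user_info['user']) }

# :backendEmailProc: take the first 'mail' (or 'email') attribute and
# return nil, rather than a made-up address, when CAS sent none.
BACKEND_EMAIL_PROC = lambda do |user_info|
  mail = user_info['mail'] || user_info['email']
  mail = mail.first if mail.is_a?(Array)
  mail = mail.to_s.strip.downcase
  mail.include?('@') ? mail : nil
end

# The value to assign to AppConfig[:omniauthCas] in config/config.rb;
# the angle-bracket placeholders are the README's and must be filled in.
def omniauth_cas_config(cas_host)
  {
    :provider => {
      :url                  => "https://#{cas_host}",
      :login_url            => '/cas/login',
      :service_validate_url => '/cas/serviceValidate',
      :uid_key              => '<CAS-UID-KEY>',
      :host                 => cas_host,
      :ssl                  => true,
    },
    :frontendUidProc  => FRONTEND_UID_PROC,
    :backendUidProc   => BACKEND_UID_PROC,
    :backendEmailProc => BACKEND_EMAIL_PROC,
    :logoutUrlPath    => '<CAS-LOGOUT-PATH>',
    :initialUsers     => [],
  }
end
```

Returning nil from the uid hooks for anything that does not match the whitelist is deliberate: a nil username fails the backend's user lookup, which is a cleaner failure than letting an unexpected CAS identifier reach the /users/<USERNAME>/omniauthCas path.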

The :logoutUrlPath value is used by the Logout link to clear the CAS service ticket and, potentially, the CAS ticket granting cookie.

If you don't have any users in your ArchivesSpace install, you can bootstrap an initial user by uncommenting (and configuring) a local admin user.

Activate the omniauthCas plugin (uncommenting the :plugins line if necessary) by adding omniauthCas to the list of plugins:

	AppConfig[:plugins] = [ 'other_plugin', 'omniauthCas' ]

Start, or restart ArchivesSpace to pick up the configuration.

To disable this plugin, remove it from the AppConfig[:plugins] array and restart ArchivesSpace. This may be necessary to provide username/password access to the admin user.

Technical Details

The following is based on my understanding of ArchivesSpace's architecture, and may not be completely correct:

ArchivesSpace is composed of multiple servers (backend, frontend, public). The frontend server mediates access to the backend server, but the backend server doesn't trust the frontend server to authenticate users (see the Authentication Manager code in the backend server). This plugin allows users to authenticate to the frontend server and then the backend server, allowing the backend server to create a session for the user.

Using the OmniAuth CAS strategy, the frontend server authenticates the user. The "Sign In" link on the home page is overridden (see frontend/views/shared/_header_user.html.erb) to send the user through the OmniAuth/CAS flow which, if successful, lands the authenticated user in OacSessionController#first (in frontend/controllers/oac_session_controller.rb). That method constructs a new CAS login URL whose service URL points at OacSessionController#second (in the same file). OacSessionController#second accepts the redirect from the CAS server without consuming the CAS ticket, so that the pristine ticket can be forwarded to the backend server (the /users/<USERNAME>/omniauthCas endpoint in backend/controller/users.rb).

When the /users/<USERNAME>/omniauthCas endpoint (in backend/controller/users.rb) is invoked, it first verifies that the user who authenticated to the frontend is a valid ArchivesSpace user, and only then uses the OmniAuth/CAS machinery to validate the pristine CAS ticket against the CAS server. Because a CAS service ticket is only valid for the service URL it was issued for, this validation has to present the same service URL that OacSessionController#second was reached through. If validation succeeds, the user's information in ArchivesSpace (name, email) is updated from the CAS payload, a session is created for the user, and the session is returned to the frontend.
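The backend-side decisions described above, reduced to a runnable model. This is an added illustration, not the plugin's code: the CAS server is stood in for by a Hash keyed on [service, ticket], the XML bodies are constructed to look like CAS 2.0 /serviceValidate responses, and KNOWN_USERS, SERVICE_URL, cas_service_validate, parse_service_validate and backend_omniauth_cas are names introduced here. Step 3 (the principal CAS asserts must equal the username in the URL) is the check a reviewer would insist on; the page does not say whether the plugin performs it.

```ruby
require 'rexml/document'

# Added illustration (not the plugin's code) of the trust split the text
# describes: the backend, serving /users/<USERNAME>/omniauthCas, validates
# the pristine ticket itself instead of believing the frontend.
CAS_NS = { 'cas' => 'http://www.yale.edu/tp/cas' }

# Constructed: the ArchivesSpace user table the backend consults.
KNOWN_USERS = {
  'jdoe'  => { name: 'J. Doe', email: nil },
  'admin' => { name: 'Administrator', email: nil },
}

# Constructed CAS 2.0 /serviceValidate bodies.
CAS_OK = <<~XML
  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
      <cas:user>jdoe</cas:user>
      <cas:attributes>
        <cas:mail>jdoe@example.edu</cas:mail>
      </cas:attributes>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

CAS_FAIL = <<~XML
  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
  </cas:serviceResponse>
XML

# Constructed: the service URL OacSessionController#second is reached on,
# and a CAS "server" holding one ticket issued for exactly that service.
SERVICE_URL = 'https://aspace.example.edu/oac_session/second'
CAS_SERVER  = { [SERVICE_URL, 'ST-1'] => CAS_OK }

# Stand-in for the HTTPS GET of <url>/cas/serviceValidate?service=..&ticket=..
# A ticket presented with a different service URL is rejected, as CAS does
# (a real server also burns the ticket after one use; this stand-in does not).
def cas_service_validate(server, service, ticket)
  server.fetch([service, ticket], CAS_FAIL)
end

# Parse a serviceValidate body into { uid:, attrs: }, or nil on failure.
def parse_service_validate(xml)
  doc = REXML::Document.new(xml)
  success = REXML::XPath.first(doc, '//cas:authenticationSuccess', CAS_NS)
  return nil unless success
  uid = REXML::XPath.first(success, 'cas:user', CAS_NS)&.text
  return nil if uid.nil? || uid.empty?
  attrs = {}
  REXML::XPath.each(success, 'cas:attributes/*', CAS_NS) { |e| attrs[e.name] = e.text }
  { uid: uid, attrs: attrs }
end

# The backend endpoint, reduced to its decisions. Returns [status, session].
def backend_omniauth_cas(server, username, ticket, service)
  # 1. The URL must name an existing ArchivesSpace user (the check the text
  #    describes); nothing else about the request is trusted yet.
  return [:unknown_user, nil] unless KNOWN_USERS.key?(username)
  # 2. Validate the pristine ticket with the CAS server, presenting the
  #    same service URL the ticket was issued for.
  info = parse_service_validate(cas_service_validate(server, service, ticket))
  return [:invalid_ticket, nil] if info.nil?
  # 3. The principal CAS asserts must be the user named in the URL; without
  #    this, a valid ticket for one user could open a session as another.
  return [:uid_mismatch, nil] unless info[:uid] == username
  # 4. Refresh profile data from the CAS payload, then create the session.
  KNOWN_USERS[username][:email] = info[:attrs]['mail'] if info[:attrs]['mail']
  [:ok, { user: username, session_id: "session-for-#{username}" }]
end

if __FILE__ == $0
  p backend_omniauth_cas(CAS_SERVER, 'jdoe', 'ST-1', SERVICE_URL)
  p backend_omniauth_cas(CAS_SERVER, 'admin', 'ST-1', SERVICE_URL)
end
```

The 'admin' case is the one worth running: the ticket is genuine and the user exists, so steps 1 and 2 pass, and only the comparison in step 3 stops a ticket issued to jdoe from producing an admin session.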

A CAS proxy ticket might be a better fit than the extra ticket issuance handled by the frontend OacSessionController#second method above, but lacking specific support in OmniAuth/CAS for that part of the protocol, the above seemed most workable.

Eric J. Bivona ([email protected])
Digital Library Technologies Group
Dartmouth College Library


Contributors

ejbivona, cfitz, marktriggs, mohideen, jdshaw, peichman-umd

