Ticket #186 (new defect)

Opened 2 years ago

Last modified 10 months ago

Topaz should handle users authenticated from multiple signon registries

Reported by: pradeep Assigned to:
Priority: unassigned Milestone:
Component: topaz Version: 0.5-SNAPSHOT
Keywords: CAS Cc:
Blocking: Blocked By:

Description (Last modified by ronald)

The only way to do this with CAS is to use a modified CAS protocol.

Client requesting proxy auth:

  • prepends a registry identifier to the CAS ticket.

Servers receiving a request:

  • strips the registry identifier from the ticket
  • uses the registry identifier to locate the cas server
  • validates the request.
  • prepends the registry identifier to the auth-id

The long term implementation requires modification to the CAS Filter.

In the short term since there is only one registry:

  1. The UserAccountsFilter will prepend a default auth registry identifier to the authId used in lookUpUser()
  2. PLoS will prepend the same registry identifier to the authId before making calls to the UserAccounts service that require an authId
  3. The mapping stored in the triplestore therefore is the composite-authId vs topaz-userid.
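
The client and server steps listed in the description, as an added sketch that is not part of the ticket or of Topaz's code. The bracketed prefix follows the '[local]' value mentioned later in the ticket; applying it to the ticket string, and all function and variable names here, are assumptions, and the validators are in-memory stand-ins for the call to each CAS server.

```python
import re
from typing import Callable, Dict, Optional

# Assumed wire format: "[registry]" + value, modelled on the '[local]' prefix
# mentioned in the ticket; the ticket does not specify the ticket format.
_COMPOSITE = re.compile(r"\[([A-Za-z0-9_-]{1,32})\](.+)", re.DOTALL)

# A validator takes the bare CAS ticket and returns the authenticated authId,
# or None if the CAS server rejects it (stands in for the HTTP validate call).
Validator = Callable[[str], Optional[str]]


class RegistryError(Exception):
    """Raised when a composite ticket cannot be trusted."""


def make_composite(registry: str, value: str) -> str:
    """Client side: prepend the registry identifier."""
    return f"[{registry}]{value}"


def authenticate(composite_ticket: str, registries: Dict[str, Validator]) -> str:
    """Server side: strip the identifier, locate the CAS server, validate,
    and return the composite auth-id."""
    m = _COMPOSITE.fullmatch(composite_ticket)
    if m is None:
        raise RegistryError("ticket has no registry identifier")
    registry, ticket = m.group(1), m.group(2)
    # The identifier is client-supplied: use it only as a key into the
    # configured registries, never to build a CAS server URL.
    validator = registries.get(registry)
    if validator is None:
        raise RegistryError(f"unknown registry {registry!r}")
    auth_id = validator(ticket)
    if not auth_id:
        raise RegistryError("CAS validation failed")
    # Namespacing keeps 'alice' at one registry distinct from 'alice' at another.
    return make_composite(registry, auth_id)


# Constructed sample data: two in-memory registries standing in for CAS servers.
SAMPLE_REGISTRIES: Dict[str, Validator] = {
    "local": {"ST-1-abc": "alice"}.get,
    "partner": {"ST-9-xyz": "alice"}.get,
}
```

The composite auth-id returned here is what item 3 of the description maps to the topaz-userid, so the same login name at two registries resolves to two different keys.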

Change History

10/02/06 18:26:55 changed by ronald

  • keywords set to CAS.
  • description changed.

10/02/06 21:14:58 changed by pradeep

(In [727]) Hack re #186 - (the multiple authentication registries)

Couple of things:

  1. Topaz should not be getting into identity management. Let an aggregate id management work out the different registries and provide a uniform id.
  2. However, if we decide to do this, then the UserAccountsFilter is not the place for it. It should happen before that. So when we have the solution, undo the change in UserAccountsFilter.

10/02/06 21:20:17 changed by pradeep

  • milestone changed from october16 to TBD.

With [727] onwards, PLoS must prepend '[local]' to the authId when making calls to the UserAccountsService. (See the topaz-common-config.xml if the value needs to be changed)

Moving this to TBD since we need to undo the hack later.

10/26/06 16:52:02 changed by pradeep

(In [862]) Undo r727 re #186.

Decided to wait for a proper solution to multiple registries. (e.g. Shibboleth integration etc.)

So in the short term the user service will be modified to insert a triple representing some default registry while creating a new topaz user with an authId.

08/07/07 16:25:51 changed by

  • milestone deleted.

Milestone Bugs deleted

03/19/08 10:10:14 changed by amit

  • owner deleted.