Kostas Papadimitriou authored
Prior to this commit astakos used the mod_shib2 EPPN header value as the unique identifier for associating shibboleth idp users to astakos user entries. This commit alters this behaviour and from now on astakos resolves the unique identifier from the REMOTE_USER header. REMOTE_USER is a header mod_shib2 sets containing a value of the available shibboleth IdP metadata. The metadata key (persistent-id or eppn in most common scenarios) used can be configured from within the shibboleth2.xml config file:

    <ApplicationDefaults id="default" .... .... REMOTE_USER="persistent-id"...>

An additional setting ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` is added in order to facilitate migration of existing EPPN entries to persistent-id/targeted-id (or whichever metadata the REMOTE_USER maps to). When set to ``True``, after each shibboleth login astakos will try to migrate the existing EPPN entry by following the below mentioned steps:

* If no REMOTE_USER header exists or is empty, redirect to an error view. Otherwise continue to the next step.
* Resolve the EPPN header and check if an account is currently associated with this EPPN.
* If the user exists, retrieve the user's shibboleth entry (AstakosUserAuthProvider instance) and replace the stored identifier (EPPN) with the identifier contained in the REMOTE_USER header.
* Continue to the login or signup process using the REMOTE_USER value as the unique user identifier that associates the astakos user to the shibboleth account.
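The migration steps described in the commit message, as an added Python example that is not astakos's own code: the header names (``REMOTE_USER``, ``EPPN``), the ``ShibbolethProvider`` stand-in for an AstakosUserAuthProvider row, and the sample identifiers are assumptions made for this illustration.

```python
# Added example (not astakos code): simulate the EPPN -> REMOTE_USER migration
# over an in-memory provider table. Header names, ShibbolethProvider and the
# sample values below are assumptions, not taken from the astakos code base.
from dataclasses import dataclass

MIGRATE_EPPN = True  # stands in for the ASTAKOS_SHIBBOLETH_MIGRATE_EPPN setting


@dataclass
class ShibbolethProvider:
    """Stand-in for an AstakosUserAuthProvider entry of the shibboleth module."""
    user_id: int
    identifier: str  # EPPN before migration, REMOTE_USER value afterwards


class MissingRemoteUser(Exception):
    """Raised when REMOTE_USER is absent or empty (the commit's error view)."""


def find_provider(providers, identifier):
    """Return the provider row keyed by `identifier`, or None."""
    for provider in providers:
        if provider.identifier == identifier:
            return provider
    return None


def resolve_identifier(headers, providers, migrate=MIGRATE_EPPN):
    """Return the identifier to use for login/signup, migrating an EPPN-keyed
    provider row in place when `migrate` is enabled.

    `headers` is assumed to hold only values set by mod_shib2 after a
    successful IdP assertion; application code must not accept them from
    an unauthenticated client.
    """
    # Step 1: REMOTE_USER is mandatory; missing or empty means an error view.
    remote_user = (headers.get("REMOTE_USER") or "").strip()
    if not remote_user:
        raise MissingRemoteUser("REMOTE_USER header missing or empty")
    # Step 2: look up the account that is still keyed by the EPPN header.
    eppn = (headers.get("EPPN") or "").strip()
    if migrate and eppn:
        provider = find_provider(providers, eppn)
        # Step 3: replace the stored EPPN with the REMOTE_USER identifier.
        if provider is not None:
            provider.identifier = remote_user
    # Step 4: continue login/signup keyed by REMOTE_USER.
    return remote_user
```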
3a6c7968