1. 09 Oct, 2013 30 commits
  2. 08 Oct, 2013 9 commits
  3. 07 Oct, 2013 1 commit
    • astakos: Shibboleth EPPN migration functionality · 3a6c7968
      Kostas Papadimitriou authored
      Prior to this commit astakos used the mod_shib2 EPPN header value as the
      unique identifier for associating shibboleth idp users to astakos user entries.
      This commit alters this behaviour and from now on astakos resolves the unique
      identifier from the REMOTE_USER header. REMOTE_USER is a header mod_shib2 sets
      containing a value of the available shibboleth IdP metadata. The metadata
      key (persistent-id or eppn in most common scenarios) used can be configured
      from within shibboleth2.xml config file.
      <ApplicationDefaults id="default" .... .... REMOTE_USER="persistent-id"...>
      An additional setting ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` is added in order
      to facilitate migration of existing EPPN entries to persistent-id/targeted-id
      (or whichever metadata the REMOTE_USER maps to). When set to ``True``, after
      each shibboleth login astakos will try to migrate the existing EPPN entry
      by following the below mentioned steps:
      * If no REMOTE_USER header exists or is empty, redirect to an error view.
        Otherwise continue to the next step.
      * Resolve EPPN header and check if an account is currently associated with this
      * If user exists, retrieve user's shibboleth entry (AstakosUserAuthProvider
        instance) and replace stored identifier (EPPN) with the identifier contained
        in REMOTE_USER header.
      * Continue to login or signup process using REMOTE_USER value as the unique
        user identifier that associates astakos user to the shibboleth account.
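
The migration steps in the commit message above, sketched as an added example that is not part of the commit and is not astakos code. The header keys, the in-memory `entries` store, every function and class name, the lookup of the existing account by its EPPN value, and the refusal to overwrite an entry that already holds the new identifier are assumptions made for illustration.

```python
# Added illustration, not astakos code. All names below are hypothetical.
from dataclasses import dataclass


class MissingRemoteUser(Exception):
    """REMOTE_USER absent or empty: the caller redirects to an error view."""


@dataclass
class ProviderEntry:
    """Stand-in for an AstakosUserAuthProvider row."""
    user_id: int
    identifier: str


def resolve_identifier(headers, entries, migrate_eppn):
    """Return the identifier to log in or sign up with, migrating an EPPN entry first.

    headers: dict of values set by mod_shib2 (keys "REMOTE_USER" and "EPPN" assumed).
    entries: dict mapping stored identifier -> ProviderEntry (in-memory stand-in).
    """
    remote_user = (headers.get("REMOTE_USER") or "").strip()
    if not remote_user:
        raise MissingRemoteUser("REMOTE_USER header missing or empty")

    eppn = (headers.get("EPPN") or "").strip()
    if migrate_eppn and eppn and eppn != remote_user and eppn in entries:
        if remote_user in entries:
            # Assumption, not in the commit message: never overwrite an entry
            # that already owns the new identifier; leave both untouched.
            return remote_user
        entry = entries.pop(eppn)          # existing EPPN-keyed entry
        entry.identifier = remote_user     # replace EPPN with REMOTE_USER value
        entries[remote_user] = entry
    return remote_user


def demo():
    """Run the flow on constructed sample data and return the results."""
    entries = {"alice@idp.example": ProviderEntry(1, "alice@idp.example")}
    headers = {"REMOTE_USER": "https://idp.example/!sp!abc123",
               "EPPN": "alice@idp.example"}
    first = resolve_identifier(headers, entries, migrate_eppn=True)
    second = resolve_identifier(headers, entries, migrate_eppn=True)  # no-op rerun
    return first, second, sorted(entries), entries[first].user_id
```

A second login with the same headers leaves the store unchanged, so the migration can stay enabled while users log in at different times.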