[shib_auth] creating new users
Kristof Bajnok
bajnokk at niif.hu
Wed May 25 08:46:54 CEST 2011
On 2011. May 24. 23:57:23 Tommy Peterson wrote:
> When I read this it appears that the user has to authenticate with
> Shibboleth against some other database than Drupal to get the userid and
> email.
Yes, this is the presumption. Usually the IdP database is independent from the
applications' local data store.
> What if I am authenticating users against Shibboleth with the
> Drupal database.
I've never thought of this situation, to be honest. You should perform the
steps described in 'Pre-creating users' section. As far as I can tell, this
should work.
> So, how does a new Drupal user set up an account given
> the first screen that they see (right now) is the default Shibboleth
> userid/password sign on screen?
In one of your previous posts you concluded that you needed a Shibboleth
session for all requests (ShibRequireSession on). Shibboleth IdP does not
support self registration, therefore you have to manually write this
application.
If you used an independent user DB, you could use SimpleSAMLphp's self
registration module for this purpose. However, if you use your Drupal database
for user data store, then your registration application should perform the
following steps:
- (verify that username and mail address are unique)
- add the new entry to {users} table
- add the necessary entries to {authmap} and {shib_authmap} tables
This would still not be 100% correct, because for a new user registration,
hook_insert() Drupal API function should be called, because there might be
other modules hooked into it. But you can't do this, while the user cannot
access Drupal before registration completes.
To sum it up, if your requirements are the following:
- use Drupal DB as the IdP user datastore
- ShibRequireSession on
- support self registration
, then all you can do is to write a hackish registration application. If you
could drop any of the requirements, you could use supported tools.
> And for that matter how do they get a
> password reminder?
This is up to your registration application.
Kristof
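
The registration steps listed in the message above, sketched as an added example that is not part of the original post or of shib_auth: the uniqueness check and the three inserts run in one transaction, so a failure part-way leaves no half-created account. The SQLite schema, its column names, the `shib_auth` module value and the `register`/`new_db` helpers are assumptions for illustration, and the caller supplies `pass_hash` in whatever format the IdP checks against the Drupal database.

```python
import sqlite3

# Simplified stand-in schema (assumption): the real Drupal {users}/{authmap}
# and shib_auth {shib_authmap} tables have more columns than shown here.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                    mail TEXT NOT NULL UNIQUE, pass TEXT NOT NULL);
CREATE TABLE authmap (aid INTEGER PRIMARY KEY, uid INTEGER NOT NULL,
                      authname TEXT NOT NULL UNIQUE, module TEXT NOT NULL);
CREATE TABLE shib_authmap (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL,
                           targeted_id TEXT NOT NULL UNIQUE);
"""

class RegistrationError(Exception):
    """Raised when a registration is rejected; nothing is written."""

def register(conn, name, mail, pass_hash):
    """Create the user row and both mapping rows atomically; return the uid."""
    name, mail = name.strip(), mail.strip().lower()
    if not name or "@" not in mail:
        raise RegistrationError("invalid username or mail address")
    try:
        with conn:  # one transaction: commit on success, roll back on error
            # Friendly pre-check only; the UNIQUE constraints are what stop
            # two concurrent registrations from both succeeding.
            if conn.execute("SELECT 1 FROM users WHERE name = ? OR mail = ?",
                            (name, mail)).fetchone():
                raise RegistrationError("username or mail already in use")
            uid = conn.execute(
                "INSERT INTO users (name, mail, pass) VALUES (?, ?, ?)",
                (name, mail, pass_hash)).lastrowid
            conn.execute(
                "INSERT INTO authmap (uid, authname, module) VALUES (?, ?, ?)",
                (uid, name, "shib_auth"))  # module value is an assumption
            conn.execute(
                "INSERT INTO shib_authmap (uid, targeted_id) VALUES (?, ?)",
                (uid, name))
            return uid
    except sqlite3.IntegrityError as exc:
        raise RegistrationError("username or mail already in use") from exc

def new_db():
    """In-memory database with the stand-in schema, for trying the function."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```

As the message notes, rows written this way bypass the Drupal hook that other modules may rely on for new users.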