[shib_auth] creating new users

Tommy Peterson Tommy.Peterson at xpandcorp.com
Wed May 25 15:42:28 CEST 2011


What about making an exception in Apache to the two Drupal URLs (for new account creation and password email reminders) in what Shibboleth locks down? Would that work in your mind? Just wondering before I go to the effort of trying it out.

Tommy

-----Original Message-----
From: shib_auth-bounces at listserv.niif.hu [mailto:shib_auth-bounces at listserv.niif.hu] On Behalf Of Kristof Bajnok
Sent: Wednesday, May 25, 2011 2:47 AM
To: shib_auth at listserv.niif.hu
Subject: Re: [shib_auth] creating new users

On 2011. May 24. 23:57:23 Tommy Peterson wrote:
> When I read this it appears that the user has to authenticate with
> Shibboleth against some other database than Drupal to get the userid and
> email.

Yes, this is the presumption. Usually the IdP database is independent from the
applications' local data store.

> What if I am authenticating users against Shibboleth with the
> Drupal database.

I've never thought of this situation, to be honest. You should perform the
steps described in the 'Pre-creating users' section. As far as I can tell, this
should work.

> So, how does a new Drupal user set up an account given
> the first screen that they see (right now) is the default Shibboleth
> userid/password sign on screen?

In one of your previous posts you concluded that you needed a Shibboleth
session for all requests (ShibRequireSession on). Shibboleth IdP does not
support self registration, therefore you have to write this application
manually.
If you used an independent user DB, you could use SimpleSAMLphp's self
registration module for this purpose. However, if you use your Drupal database
for user data store, then your registration application should perform the
following steps:
 - (verify that the username and mail address are unique)
 - add the new entry to the {users} table
 - add the necessary entries to the {authmap} and {shib_authmap} tables

This would still not be 100% correct, because for a new user registration the
hook_insert() Drupal API function should be called, since other modules might
be hooked into it. But you can't do this, as long as the user cannot access
Drupal before registration completes.

To sum it up, if your requirements are the following:
  - use Drupal DB as the IdP user datastore
  - ShibRequireSession on
  - support self registration
then all you can do is to write a hackish registration application. If you
could drop any of the requirements, you could use supported tools.

> And for that matter how do they get a
> password reminder?

This is up to your registration application.

Kristof

_______________________________________________
shib_auth mailing list
shib_auth at listserv.niif.hu
https://listserv.niif.hu/mailman/listinfo/shib_auth

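The Apache-side exception Tommy asks about, written out as an added example (not configuration from the thread, the shib_auth module or the Shibboleth project). It assumes Apache 2.2 with mod_shib loaded, Drupal served from the site root with clean URLs enabled, and the legacy ShibRequireSession directive form the thread uses. It goes one step beyond the "two URLs" in the question by also exempting the one-time login path that Drupal's password-reminder mail links to, since the reminder flow cannot complete without it.

```apache
# Default policy: every request to the Drupal site needs a Shibboleth session.
<Location />
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
</Location>

# Exception 1: the account-creation form (Drupal's /user/register path).
# "Require shibboleth" lets the request through without a session while the
# SP still exports attributes if a session happens to exist.
<Location /user/register>
    AuthType shibboleth
    ShibRequireSession Off
    Require shibboleth
</Location>

# Exception 2: the password-reminder form (Drupal's /user/password path).
<Location /user/password>
    AuthType shibboleth
    ShibRequireSession Off
    Require shibboleth
</Location>

# Exception 3 (assumption beyond the thread): the one-time login link that the
# reminder e-mail points at lives under /user/reset/...; without this the
# reminder flow dead-ends at the Shibboleth login page.
<Location /user/reset>
    AuthType shibboleth
    ShibRequireSession Off
    Require shibboleth
</Location>

# The SP handler itself must stay reachable without a session, or the
# login round-trip can never finish.
<Location /Shibboleth.sso>
    Satisfy Any
    Allow from all
</Location>
```

Two checks before relying on this: `<Location>` matches the URL path only, so with clean URLs disabled (`/?q=user/register`) the exceptions never match and everything stays behind the session requirement; and each exemption should name exactly the path it needs, not `/user`, because that prefix also covers profile and login pages. Static assets (theme CSS, JavaScript) requested by the exempted pages are still covered by the `<Location />` rule, so anonymous visitors will see unstyled forms unless those directories are exempted too. Every added exception is a path reachable by anyone, so keep the list to the self-service entry points and watch the SP and Drupal logs for unexpected traffic on them.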