[shib_auth] Authorization

Kristof Bajnok bajnokk at niif.hu
Mon Oct 28 08:50:40 CET 2013


On 2013-10-28 08:41, Laas Toom wrote:
> I’m in the process of protecting a Drupal app with Shibboleth and the
> shib_auth module.
> 
> Our requirement is that the application must remain publicly visible
> to the world, but logged in users get write access. The problem is
> that not all Shibboleth users must get access and I can’t really
> figure out how to apply authorization when Shibboleth is configured
> to use lazy sessions and shib_auth automatically grants ‘logged in
> user’ role to all users.

IMHO you're not forced to give write access to Authenticated Users.

> I know I can map Shibboleth attributes to roles, but that doesn’t
> override the automatic login.

What problem does it make when authenticated users automatically get
logged into Drupal? You should use proper role mapping and permission
control (authorization).

> Is there a reason, why the shib_auth is set up so that lazy sessions
> are required? Wouldn’t it be better to make it more like password
> authentication where a single point of entry is protected, where the
> user session is created, not on every request.

It is a design decision. It allows the module to handle Single Logout
and session expiry.

Kristof
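The separation the reply recommends, automatic login for every Shibboleth user but write access only through mapped roles, as an added example that is not shib_auth's own code; the attribute names, entitlement value and permission names are constructed for illustration:

```python
# Added example (not shib_auth's code): models the authorization split the
# reply recommends for a Drupal site behind Shibboleth with lazy sessions.
# Attribute names, rule values and permission names are constructed.

ANONYMOUS_PERMS = {"view content"}
ROLE_PERMS = {
    "authenticated": {"view content"},            # login alone grants no write access
    "editor": {"view content", "edit content"},
}
# Rules in the spirit of shib_auth role mapping: (attribute, value) -> role
ROLE_RULES = [
    ("eduPersonEntitlement", "urn:mace:example.org:drupal:editor", "editor"),
    ("eduPersonAffiliation", "staff", "editor"),
]


def parse_attribute(raw):
    """The Shibboleth SP joins multi-valued attributes with ';'."""
    return {v for v in raw.split(";") if v}


def roles_for(attributes):
    """Roles for a Shibboleth session: 'authenticated' plus any mapped roles.
    attributes: dict of attribute name -> raw (possibly multi-valued) string."""
    roles = {"authenticated"}
    for attr, value, role in ROLE_RULES:
        if value in parse_attribute(attributes.get(attr, "")):
            roles.add(role)
    return roles


def permissions_for(session_attributes):
    """With lazy sessions a request may carry no session at all: anonymous."""
    if session_attributes is None:
        return set(ANONYMOUS_PERMS)
    perms = set()
    for role in roles_for(session_attributes):
        perms |= ROLE_PERMS[role]
    return perms


def may_write(session_attributes):
    """Authorization decision: write requires the mapped role, not just login."""
    return "edit content" in permissions_for(session_attributes)
```

Only the role rules decide who can write; a user who authenticated but matched no rule still ends up with the same permissions as an anonymous visitor.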


