[shib_auth] Authorization

Kristof Bajnok bajnokk at niif.hu
Mon Oct 28 11:48:34 CET 2013 

On 2013-10-28 10:50, Laas Toom wrote:
>> What problem does it make when authenticated users automatically
>> get logged into Drupal? You should use proper role mapping and
>> permission control (authorization).
> 
> First of all: attribute to roles mapping is one-to-many only, but my
> requirement is to create AND condition between two attributes that
> must both have required values for the authorization to succeed.
> Shibboleth alreany has that covered (and even more advanced setups
> are possible). Why not support that?

You don't have lazy sessions and Shib authorisation at a time, no.

If you want to be able to create AND relation between conditions, please
file a feature request. We haven't implemented it yet because it seemed
to require quite a work and we didn't know if anybody would ever use it.

> Second: in a SAML Federation this simply pollutes the users list in
> Drupal with unnecessary entries that never should be there in the
> first place. A secure system should be as simple as possible and a
> user that should not get access should get no access at all.
> Unnecessary user entries escalate the possibility that some human
> error results in security breach.

Agreed.
One of the use cases arised so far was to support only pre-created
users. It may not fit to yours: https://drupal.org/node/729388 .

> Third: creating another role that implements ‘logged in user’ and
> then applying that role to all existing (noh-shib) users and
> stripping current rolel of all privileges is just extra manual work
> that is not neccessary.

Anybody with a valid Shibboleth session is an authenticated user. You
shouldn't mix authentication with authorisation.

>>> Is there a reason, why the shib_auth is set up so that lazy
>>> sessions are required? Wouldn’t it be better to make it more like
>>> password authentication where a single point of entry is
>>> protected, where the user session is created, not on every
>>> request.
>> 
>> It is a design decision. It allows the module to handle Single
>> Logout and session expiry.
> 
> SLO and session expiry is configuration-switchable anyway, so that
> could be seen as added value, not core feature.
> 
> Therefore shib_auth should use strong sessions and a single point of
> entry for authn/authz and, if one wants that, lazy sessions in
> application root for SLO and session expiry detection.

This would be a total rewrite of the module. It's not a nonsense but we
won't do it in the near future.

> Everything would still work as it does now, but with added bonus of
> Shibboleht-based authorization.

Try it with force protecting the shib_login/node Drupal page (whatever
this is in your webserver) and disallow session expiry. If you can get
through the mod_rewrite mess, it may work in theory. It's not a
supported setup now, but I'm interested in your results.

Kristof

More information about the shib_auth mailing list