View Issue Details

ID: 03811
Project: User patches
Category: Import / Export
View Status: public
Last Update: 2012-06-21 14:18
Reporter: user5141
Assigned To:
Priority: normal
Severity: minor
Status: confirmed
Resolution: open
Product Version: 1.86
Target Version:
Fixed in Version:
Summary: 03811: Shibboleth-Mod
Description

Hi folks,

I'm an intern at a local software company at the moment and one of my tasks was to customize limesurvey so that it can be used with shibboleth. Shibboleth is an open-source single-sign-on system.
Since I didn't find any useful mod for limesurvey and shibboleth I decided to write one myself.
So here it is, I hope it will be useful to someone out there. Please don't be too hard with me... I'm not a PHP-hacker and these were my first PHP-lines for about 4 years or so. :)
I also wrote a README (which is included in the package) which contains installation instructions and a brief overview of how it all works.

The attached tarball contains the patch (diff-file) and the README. When developing this mod I used version 1.86.

Best regards,
gju

Tags: No tags attached.
Complete LimeSurvey version number (& build): 7696

Relationships

related to 04035 closedDenisChenu SAML authentication and external group support for limesurvey 1.86 
related to 04886 confirmed Authentication plugin for Shibboleth 

Activities

user372

2009-11-02 16:12

  ~09951

@ Lemeur or/and c_schmitz: can you review the attached patch?

lemeur

2009-11-02 16:57

developer   ~09952

Hi gju,

It's a really good start, but it's not integrated enough into LS yet.
For instance, any authenticated user gets Super-admin rights...

We first need to define a clean API for authentication modules and then we'll be able to implement Shibboleth, CAS and even openid...

So, IMHO, we can keep this patch here so that other users can apply it if they want, but we need some time to rework the authent system of LS1 in order to make it accept plugins.

my 2 cents,
Thibault

lemeur

2009-11-02 16:57

developer   ~09953

Carsten, your idea?
(You can reassign it back to me after).

c_schmitz

2009-11-02 17:04

administrator   ~09955

I agree with you, Thibault.

user5141

2009-11-03 09:04

  ~09968

Hi lemeur,

thanks for the quick response on my submission.
I agree with you when you say that you need to define a cleaner API for authentication. That's something I noticed when reading the LS code.

"For instance, any authenticated user gets Super-admin rights..."
I think you got something wrong here. Each new (and authenticated) user only gets the rights to create surveys, because only the create_survey bit is set. In the admin panel the first box is the super-admin checkbox, maybe you mixed that up.

-- gju

lemeur

2009-11-03 09:32

developer   ~09969

Hi gju,

Yes you're right, I had only a very quick look at it and mixed up the 2 bits ;-)

Reworking the authentication/authorization API is something I plan for several months ... here were my first thoughts:


What we need now is a 'pluggable' authentication system which would make it possible to extend LS as far as authentication features are concerned.

What I was thinking about is:

  • to have an auth-plugin API and a dedicated directory in limsurvey/plugins/auth
    ==> The authentication API needs to be defined and should be as generic as possible so that any kind of authentication is supported
  • be able to use this auth plugin in both the admin GUI as well as the participants' interface

Some quick thoughts about the Auth API

  • the auth has a 'check_auth' method returning the result of authentication, and which returns the identity of the user
    ** it is responsible for displaying any number of login screens (if several are required), or no login screen at all (if no LS login screen is required [Cert auth, CAS, URL parameters based auth...])
  • it may (or not) implement an 'auto_import user at login' feature: just after login in the admin GUI, if the user doesn't exist in the LS DB, it may be imported with a profile retrieved from a specific backend defined in the authentication module... (should we make these user-provisioning modules independent from the auth modules... maybe ??)
  • We should be able to define composite auth modules: use AuthA or AuthB....
  • Configuration of authentication drivers is done manually in config files (as this is a work for the sys admin anyway).
  • A specific flag in the auth driver is used to define if the auth module can be used in the participants' interface
    if the auth driver can be used in the participants' interface, it must provide another 'import_participant' method in order to create a token with the required information
    new LS core-functions will be available for this import_participant in order to create tokens and retrieve the personal link including the token code.

After this modular structure is implemented, we'll have to adapt existing auth modules (internal DB, WebAuth, CAS), and create new ones (SAML, Shibboleth, openId, ...)

Would you want to help on this API specification and implementation?

Thibault
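
The driver API sketched in the note above (a check_auth method returning the identity, composite "AuthA or AuthB" modules, and auto-import at login), as an added PHP example that is not part of the original thread, the attached patch, or LimeSurvey's code. All class and function names are hypothetical; it assumes the web server's SSO module sets `REMOTE_USER` and that client-certificate logins expose `SSL_CLIENT_S_DN_CN`.

```php
<?php
// Hypothetical names throughout; this is not LimeSurvey's API.
interface AuthPlugin {
    /** Identity of the authenticated user, or null if not authenticated. */
    public function checkAuth(array $server): ?string;
}

/** Driver for logins done by the web server (SSO module, client certificate). */
final class ServerVarAuth implements AuthPlugin {
    private string $var;
    public function __construct(string $var) {
        // Keys starting with HTTP_ are built from client-sent request headers.
        if (strncmp($var, 'HTTP_', 5) === 0) {
            throw new InvalidArgumentException("$var is client-controlled");
        }
        $this->var = $var;
    }
    public function checkAuth(array $server): ?string {
        $user = trim((string) ($server[$this->var] ?? ''));
        return $user === '' ? null : $user;
    }
}

/** Composite driver ("AuthA or AuthB"): the first driver that succeeds wins. */
final class AnyOfAuth implements AuthPlugin {
    private array $drivers;
    public function __construct(AuthPlugin ...$drivers) { $this->drivers = $drivers; }
    public function checkAuth(array $server): ?string {
        foreach ($this->drivers as $d) {
            if (($id = $d->checkAuth($server)) !== null) { return $id; }
        }
        return null; // no driver vouched for the request: fail closed
    }
}

/** Auto-import at login: an unknown user gets create_survey only, never superadmin. */
function provisionOnLogin(array &$userDb, string $identity): array {
    $userDb[$identity] ??= ['create_survey' => true, 'superadmin' => false];
    return $userDb[$identity];
}

// Constructed request: REMOTE_USER set by the SSO module, plus a client-sent look-alike.
$server = ['REMOTE_USER' => 'newuser@example.org', 'HTTP_REMOTE_USER' => 'admin'];
$users  = ['admin' => ['create_survey' => true, 'superadmin' => true]];
$auth   = new AnyOfAuth(new ServerVarAuth('SSL_CLIENT_S_DN_CN'), new ServerVarAuth('REMOTE_USER'));
$id     = $auth->checkAuth($server);
var_dump($id, $id === null ? null : provisionOnLogin($users, $id));
```

The identity comes only from variables the web server sets, and a first-time user is stored with the create_survey right alone, which is the least-privilege default discussed earlier in the thread.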

user5141

2009-11-03 10:44

  ~09970

Hi lemeur,

sure, I'd like to help you with that, but I don't think I can contribute anything helpful, since I'm not experienced enough on these topics, be it PHP or the whole WebAuth thing. I just got thrown in at the deep end when I was starting my internship at that company... so the whole thing is pretty new to me.
I don't want to promise something I cannot keep.

2009-11-03 16:58

 

shibboleth-patch_031109.tar.gz (4,381 bytes)

c_schmitz

2010-03-15 17:47

administrator   ~11362

Keeping this patch for general use. Will only be implemented if the auth system is re-designed.

user9167

2010-08-03 14:26

 

shibboleth-patch030810.tar.bz2 (16,899 bytes)

user9167

2010-08-03 14:28

  ~12539

Hi.
I've attached shibboleth-patch030810.tar.bz2.
It's the same patch, but it manages Shibboleth logout.

Issue History

Date Modified Username Field Change
2009-11-02 15:42 user5141 New Issue
2009-11-02 15:42 user5141 Status new => assigned
2009-11-02 15:42 user5141 Assigned To => user372
2009-11-02 15:42 user5141 File Added: shibboleth-patch.tar.gz
2009-11-02 15:42 user5141 LimeSurvey build number => 7696
2009-11-02 15:42 user5141 Database & DB-Version => tested with MySQL 14.12
2009-11-02 15:42 user5141 Operating System (Server) => tested with Linux
2009-11-02 15:42 user5141 Webserver => tested with Apache
2009-11-02 15:42 user5141 PHP Version => 5.2
2009-11-02 16:12 user372 Note Added: 09951
2009-11-02 16:12 user372 Assigned To user372 => lemeur
2009-11-02 16:57 lemeur Note Added: 09952
2009-11-02 16:57 lemeur Assigned To lemeur => c_schmitz
2009-11-02 16:57 lemeur Note Added: 09953
2009-11-02 17:04 c_schmitz Assigned To c_schmitz => lemeur
2009-11-02 17:04 c_schmitz Note Added: 09955
2009-11-03 09:04 user5141 Note Added: 09968
2009-11-03 09:32 lemeur Note Added: 09969
2009-11-03 09:32 lemeur Status assigned => feedback
2009-11-03 10:44 user5141 Note Added: 09970
2009-11-03 16:58 user5141 File Added: shibboleth-patch_031109.tar.gz
2010-02-11 16:17 c_schmitz Project Bug reports => User patches
2010-03-13 16:13 c_schmitz Status feedback => acknowledged
2010-03-15 17:46 c_schmitz File Deleted: shibboleth-patch.tar.gz
2010-03-15 17:47 c_schmitz Note Added: 11362
2010-03-15 17:47 c_schmitz Assigned To lemeur =>
2010-03-15 17:47 c_schmitz Status acknowledged => confirmed
2010-08-03 14:26 user9167 File Added: shibboleth-patch030810.tar.bz2
2010-08-03 14:28 user9167 Note Added: 12539
2010-12-16 22:24 lemeur Assigned To => lemeur
2010-12-16 22:24 lemeur Status confirmed => assigned
2010-12-16 22:24 lemeur Relationship added related to 04035
2011-03-28 01:47 c_schmitz Relationship added related to 04886
2011-03-28 01:47 c_schmitz Status assigned => confirmed
2012-06-21 14:18 c_schmitz Assigned To lemeur =>